FAQ
- Why did we create CyberCX Digger?
- How does CyberCX Digger work?
- Is this just a Yara / IOC scanner?
- What do I do if I need help or support?
- Will CyberCX Digger collect my information?
- How do I suggest features?
- How can I contribute?
Australian organisations and government agencies have been responding to a significant increase in cyber incidents in 2020, as described in the Prime Minister's announcement in June, which raised awareness of the issue.
Various advisories have been published by the Australian Cyber Security Centre (ACSC) which describe specific tactics, techniques and procedures (TTPs). However through CyberCX’s work, we recognise that a significant challenge facing organisations is often a lack of technical capability and forensic knowledge required to leverage this valuable threat intelligence in actionable ways, to detect and respond to sophisticated attackers on their systems.
We developed CyberCX Digger in partnership with the Velociraptor project, to help overcome this challenge and further CyberCX's mission of protecting the communities we live in.
As a proud Australian cyber security company, we want CyberCX Digger to contribute to the improvement of Australia's national cyber security capabilities by providing a simple, powerful and free scanning tool.
CyberCX Digger uses specific detection queries, leveraging Yara signatures and other methods, to detect a range of known attacker activities or Indicators of Compromise (IOCs), encoded in the powerful Velociraptor Query Language (VQL).
Scans can be performed in two ways; on an individual system or across a network.
The single CyberCX Digger executable can be run from any drive, including a removable drive or network share. It requires no installation and has no external dependencies. It makes no configuration changes to the system and should have negligible impact on the system.
CyberCX Digger can also be simultaneously run across hundreds or thousands of networked endpoints by deploying Velociraptor and importing the CyberCX Digger artefact pack.
For individual scans, an HTML report is produced which lists any findings and provides explanations of what they mean, with accompanying recommendations on next steps for further investigation.
A single finding does not mean that a system is compromised. Further investigation is often necessary to determine if the results are indeed malicious, or are false positives.
CyberCX Digger will also collect suspicious files by adding them to a ZIP file withinin the same directory as the executable. Digger will not directly remove, modify or change any files on the system, other than the evidence copies and HTML report it creates. Digger will not collect or transmit any data outside of your network, nor will it 'call home'; no network connection is required to scan a system using the tool.
It’s both, and more.
CyberCX Digger (and Velociraptor, upon which it's implemented) does use Yara signatures, but it also provides more advanced detections through the Velociraptor Query Language (VQL). Digger leverages VQL to parse different source data and detect malicious activities through several techniques, including Yara scans for known malware components.
If CyberCX Digger returns findings, we recommend that you perform the investigations steps described in the wiki page for each finding, to determine whether the finding is indeed malicious or a false positive.
If you have followed the recommended investigation steps, but still believe that your network may be compromised, you may contact the CyberCX Digital Forensic & Incident Response team through digger@cybercx.com.au
Please note that while we will endeavour to help if you believe that your network is compromised, CyberCX provides no guarantees of what degree of response or support we may provide.
CyberCX Digger's privacy features include:
- It will not collect any information from your systems
- Full transparency through free and open source software
- Single executable, which requires no installation and has no external dependencies
- No registration, licenses or dongles required
- No collection or transmission of data outside your network
- No ‘calling home’ and no external network connections required to run a scan.
We welcome all feedback to help improve future versions. Please submit all issues and feature requests through our CCX Labs GitHub site at https://github.com/CCXLabs/CCXDigger
The effectiveness of CyberCX Digger depends upon the threat intelligence it leverages to detect attacker activities. This intelligence has been kindly contributed voluntarily by our clients and through our government and industry relationships.
We warmly welcome any contributions to the project, and will credit all contributors (or not, if you prefer). Your contribution will help protect Australia from sophisticated and persistent cyber threats.
Please email threat intelligence submissions to digger@cybercx.com.au.
Submissions will be reviewed by specialists and considered for inclusion in future releases. Please note that any threat intelligence submitted will not automatically be included in future releases, for various reasons, such as duplication and specificity. We may request further contextual information to validate any threat intelligence submitted.
Threat intelligence may include any information that can be used to identify the presence or actions of threat actors. Examples includes:
- Indicators of Compromise (IOCs) such as malicious IP addresses and hostnames, or malware components such as file names, directory paths, execution settings, modules, etc.
- Information about the behaviour of threat actors, often referred to as tactics, techniques and procedures (TTPs).
- Specific indicators such as Yara rules which can identify malicious data.
