P2A Sandbox Events and Operations Documentation

The P2A (Antivirus Analysis Platform) sandbox environment generates events to capture various activities within a controlled analysis environment. These events help in analyzing the behavior of files and processes. Each event is associated with specific operations that provide insights into the actions performed by the analyzed entity.

P2A Sandbox Event Search Documentation

In the P2A Sandbox GUI, you can use the event search functionality to efficiently locate specific events within your analysis results. This feature enables you to filter events based on various criteria, making it easier to pinpoint relevant information.

Usage Parameters

The event search functionality allows you to use logical operators and expressions to create custom queries. Here are the key parameters:

  • & (logical AND): Narrows your search by requiring every criterion to match. For example, to find events that match both "P2AMemoryEvent" and the "PROTECT" operation: P2AMemoryEvent&PROTECT.
  • | (logical OR): Broadens your search by including events that match any of the criteria. For example, to find events of type "P2AFileEvent" or "P2AMemoryEvent": P2AFileEvent|P2AMemoryEvent.
  • All events: To retrieve every event in your analysis results, use the expression *all*.

Use Case: Searching for Memory Protection Events

Let's consider a practical use case where you want to investigate events related to memory protection in your analysis results.

Suppose you are analyzing a potentially malicious binary, and you suspect that it attempts to modify memory protection settings. To focus on memory protection events, follow these steps:

  1. Access the P2A Sandbox GUI and open the analysis result for your binary.
  2. In the event search bar, enter the following query:
    P2AMemoryEvent&PROTECT
  3. Click the "Search" button.

The search results will now display only those events that match the criteria "P2AMemoryEvent" with the "PROTECT" operation. You can further investigate these events to gain insights into the binary's memory protection behavior.

This use case demonstrates how event search can help you efficiently locate and focus on specific types of events within your analysis results, making your analysis process more effective.
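To make the search syntax and the memory-protection use case concrete, here is an added Python example that is not part of the P2A product or of this page. It evaluates queries written in the syntax above (`&`, `|`, `*all*`) against a small constructed event log and summarizes the hits. The page does not state operator precedence, so the example assumes that `&` binds tighter than `|` (a query is an OR of AND-groups) and that a bare term matches either an event type or an operation name. The `Event` class, the `SAMPLE_EVENTS` records and all function names are hypothetical.

```python
"""Evaluator for P2A-style event search queries (added example, not P2A code).

Assumed semantics (not stated on the page):
  - '|' separates alternatives, '&' joins terms inside an alternative,
    so '&' binds tighter than '|'.
  - A bare term matches an event if it equals the event type
    (e.g. "P2AMemoryEvent") or the operation (e.g. "PROTECT").
  - '*all*' matches every event.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One sandbox event: type, operation, originating pid and free-text detail."""
    event_type: str
    operation: str
    pid: int
    detail: str


# Constructed sample log, using the event/operation names listed on the page.
# The pid, addresses and paths are made up for the example.
SAMPLE_EVENTS = [
    Event("P2AProcessEvent", "CREATE", 1204, "sample.exe"),
    Event("P2AFileEvent", "OPEN", 1204, r"C:\Users\Public\sample.bin"),
    Event("P2AMemoryEvent", "ALLOC", 1204, "region=0x00a40000 size=0x1000"),
    Event("P2AMemoryEvent", "WRITE", 1204, "region=0x00a40000 len=0x800"),
    Event("P2AMemoryEvent", "PROTECT", 1204, "region=0x00a40000 new=execute"),
    Event("P2AMemoryEvent", "EXECUTE", 1204, "region=0x00a40000"),
    Event("P2ANetworkEvent", "RESOLVE", 1204, "example.invalid"),
    Event("P2ARegistryEvent", "WRITE", 1204, "HKCU run key"),
]


def _term_matches(term: str, ev: Event) -> bool:
    """A single term matches on either the event type or the operation name."""
    return term == ev.event_type or term == ev.operation


def matches(query: str, ev: Event) -> bool:
    """Return True if the query selects this event under the assumed semantics."""
    q = query.strip()
    if q == "*all*":
        return True
    for alternative in q.split("|"):
        terms = [t.strip() for t in alternative.split("&") if t.strip()]
        # An alternative matches only if every '&'-joined term matches.
        if terms and all(_term_matches(t, ev) for t in terms):
            return True
    return False


def search(query: str, events):
    """Filter a list of events with a query, preserving log order."""
    return [ev for ev in events if matches(query, ev)]


def summarize(events) -> dict:
    """Count hits per 'EventType:OPERATION' pair, e.g. for a quick triage view."""
    return dict(Counter(f"{ev.event_type}:{ev.operation}" for ev in events))


if __name__ == "__main__":
    # The query from the memory-protection use case above.
    hits = search("P2AMemoryEvent&PROTECT", SAMPLE_EVENTS)
    for ev in hits:
        print(f"pid={ev.pid} {ev.event_type} {ev.operation} {ev.detail}")
    print(summarize(search("P2AFileEvent|P2AMemoryEvent", SAMPLE_EVENTS)))
```

Running the script prints the single PROTECT event from the constructed log, followed by a per-operation count for the OR query. Because the sandbox attaches the same pid to every event of the analyzed process, the result of `search("P2AMemoryEvent&PROTECT", ...)` can be read next to the surrounding ALLOC, WRITE and EXECUTE events on the same region to understand the binary's memory protection behaviour.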

Events list

  1. P2AFileEvent

     Operations:

     • OPEN: Signifies the opening of a file.
     • READ: Indicates read operations on a file.
     • WRITE: Represents write operations on a file.
     • DELETE: Signifies the deletion of a file.
     • RENAME: Denotes renaming operations on a file.
     • CREATE: Indicates the creation of a file.
     • CLOSE: Represents closing operations on a file.

  2. P2AProcessEvent

     Operations:

     • RUN: Signifies the running of a process.
     • STOP: Indicates the stopping of a process.
     • OPEN: Denotes opening operations on a process.
     • RESUME: Represents the resumption of a process.
     • CREATE: Signifies the creation of a new process.
     • KILL: Indicates killing or termination operations on a process.
     • SCHEDULE: Denotes scheduling operations for a process.

  3. P2AThreadEvent

     Operations:

     • RUN: Signifies the running of a thread.
     • STOP: Indicates the stopping of a thread.
     • OPEN: Denotes opening operations on a thread.
     • RESUME: Represents the resumption of a thread.
     • CREATE: Signifies the creation of a new thread.
     • KILL: Indicates killing or termination operations on a thread.
     • MODIFY: Denotes modification operations on a thread.

  4. P2ARegistryEvent

     Operations:

     • OPEN: Signifies the opening of a registry key.
     • READ: Indicates read operations on a registry key.
     • WRITE: Represents write operations on a registry key.
     • ENUM: Denotes the enumeration of registry keys.
     • DELETE: Signifies the deletion of a registry key.
     • CREATE: Indicates the creation of a registry key.

  5. P2AModuleEvent

     Operations:

     • LOAD: Indicates the loading of a module or library.
     • UNLOAD: Represents the unloading of a module or library.

  6. P2AMemoryEvent

     Operations:

     • READ: Denotes a read operation on memory.
     • WRITE: Represents a write operation to memory.
     • ALLOC: Indicates memory allocation.
     • FREE: Represents memory deallocation or freeing.
     • PROTECT: Denotes a change to the protection of a memory region.
     • EXECUTE: Indicates the execution of code from memory.

  7. P2ANetworkEvent

     Operations:

     • CONNECT: Denotes the establishment of a network connection.
     • DISCONNECT: Represents the termination of a network connection.
     • SEND: Indicates the sending of data over the network.
     • RECV: Denotes the receiving of data from the network.
     • RESOLVE: Represents the resolution of a network address.
     • BIND: Indicates binding to a network address.
     • ACCEPT: Denotes accepting a network connection.

  8. P2ACryptoEvent

     Operations:

     • CRYPT: Denotes cryptographic encryption operations.
     • DECRYPT: Represents cryptographic decryption operations.
     • SIGN: Indicates cryptographic signing operations.
     • HASH: Denotes cryptographic hashing operations.
     • VERIFY: Represents cryptographic verification operations.
     • KEYEXPORT: Indicates the export of cryptographic keys.
     • KEYIMPORT: Denotes the import of cryptographic keys.
     • KEYGEN: Represents cryptographic key generation operations.

  9. P2AServiceEvent

     Operations:

     • OPEN: Denotes the opening of a service.
     • CREATE: Represents the creation of a service.
     • RUN: Indicates the running of a service.
     • CONTROL: Denotes control operations on a service.
     • CHANGE: Represents changes made to a service.
     • DELETE: Indicates the deletion of a service.
     • QUERY: Denotes querying operations on a service.

  10. P2ATimeEvent

      Operations:

      • QUERY: Denotes querying time-related information.
      • DELAY: Represents a time delay event.
      • WAIT: Indicates waiting for a specific time or event.
      • TIMER: Denotes timer-related events.
      • CHANGE: Represents changes to the system's time.

  11. P2AMutexEvent, 12. P2ANamedPipesEvent, 13. P2ASemaphoreEvent, 14. P2AEventEvent

      Operations:

      • CREATE: Denotes the creation of a mutex, named pipe, semaphore or event object, respectively.

  15. P2AHookModifyDataEvent

      Operations:

      • P2AHOOKMODIFYDATA: Signifies modifications to hooked data.

  16. P2ADebugStringEvent

      Operations:

      • OUTPUT_DEBUG_STRING: Indicates the output of debug strings.

  17. P2APrintEvent

      Operations:

      • PRINT: Signifies printing operations.