Ask questions with Gemini

To simplify search, Gemini in Threat Intelligence redefines search with natural language. With this feature, you can ask a natural language question instead of using keyword searches and quickly get AI-powered overviews of a topic.

When you perform a single term search, like for instance, "wannacry" , you get the Relevant adversary intelligence menu, where you can click on the "Ask a follow up" link:

Ask follow up

⚠️

Gemini in Threat Intelligence search currently only generates search summaries based on the Google Threat Intelligence reports, curated threat actor, curated malware, and campaign data.

Gemini search results

Suggested search queries

Use caseSuggested queries 
Get an overview of threat actors"What is lockbit?"
"What is Scattered Spider?"
Deep dive into specific questions"What is the log4j vulnerability aka Log4Shell?"
"What are the indicators of killnet?"
"How do I detect alphv?"
"What industries does APT29 target?"

📘

Tips on how to phrase your queries to get the most useful results:

  • Phrase queries in a question format.
  • Asking specific questions such as "how does APT29 move laterally?" typically generates better responses.
  • Keep questions concise and to the point. Avoid overly complex sentences or multiple questions in a single query.

Ask a question

📘

  • Generative AI is experimental. Information should be verified using the sources included in the citations.
  1. If you're enabled for Gemini in Threat Intelligence search From Google Threat Intelligence, go to https://advantage.mandiant.com/search.

  2. A search bar appears where you can enter your question.

  3. Enter your question in Ask a new question and then press Enter. The results and citations appear.

    • Some prepopulated examples are provided in case you're not sure how to start. For example, "How is Generative AI phishing used by threat actors?"
    • You can ask as many follow up questions as you'd like. The results are refreshed each time.
  4. Optional: Submit feedback on the question results.

📘

Search results let you click thumb up or thumb down to indicate its relevancy.
5. Optional: Click if you want to copy the search results to your clipboard.

QuestionGemini Search Output
What is the CVSS score of CVE-2024-21091?The CVSS score for CVE-2024-21091 is 6.5. [1] The CVSS vector for this vulnerability is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). [1] This means that the vulnerability has a low attack complexity, a local attack vector, a high confidentiality impact, and a none user interaction. The vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. [1]
How is Generative AI phishing used by Threat Actors?Generative AI phishing is a technique used by threat actors to create convincing lure material that increases the likelihood of successful compromises. [1]
Threat actors can leverage AI tools to generate more convincing lure content, improve the quality of their spear-phishing attacks, develop malware and tools, and increase the volume of successful intrusions. [2]
Generative AI tools have been used to create convincing deepfakes, sophisticated phishing emails that are used to access logins and steal identities, improved ways to infiltrate code, and more. [3]
Threat actors are likely leveraging images created with Generative Adversarial Network (GAN)-based services to generate profile pictures for false accounts to inflate support for a particular narrative. [4]
Using false personas online, espionage and financially motivated threat actors can establish relationships with potential targets and exploit this trust to further their malicious activity. [5]
What type of mitigation is available for CVE-2024-21334?For CVE-2024-21334, mitigation options include a patch and a workaround. [1][2]
What example of lures was used in BazarCall campaignsIn BazarCall campaigns, UNC3753 has used a variety of lures to entice potential victims. These lures have included:
- Freshworks-themed phishing emails
- MasterClass-themed phishing emails with PDF attachments
- Azure- and Oracle-themed phishing emails to deliver remote access software
- Duolingo-themed phishing emails with PDF attachments
- Curiosity Stream-themed phishing lures
Provide examples of Ransomware written in Golang
- Agenda is a Go-based ransomware that delivers customized attacks. [1]
- RANSOMHUB is a GoLang ransomware that encrypts data using ChaCha20, xChaCha20, or AES256 algorithms. [2]
- HIVE (also known as HIVELOCKER) was originally written in GoLang but was rewritten in Rust in early 2022. [3][4][5]
What is an affiliate?Definition of an Affiliate
In the context of cybercrime, an affiliate is an individual or group that collaborates with a ransomware actor to distribute and deploy ransomware. Affiliates play a crucial role in the ransomware attack process by communicating with victims, exfiltrating valuable data, and deploying ransomware. [2][4] They are also responsible for providing victims with a decryptor and support after the ransom is paid. [2]
Responsibilities of Affiliates
- Communicate with victims
- Exfiltrate valuable victim data
- Deploy ransomware
- Provide victims with a decryptor and support after ransom payment
- Avoid re-encryption of victim data
Techniques Used by Affiliates
- Hybrid extortion: Exfiltrating victim data and threatening to publish it to pressure victims into paying the ransom
- Affiliate-tracking cookies: Using images and iFrames to download tracking cookies onto victim systems [5]
What is an insider threat?Definition of Insider Threat
An insider threat refers to a cybersecurity risk posed by individuals within an organization who have authorized access to its systems and data. [4] These individuals may intentionally or negligently engage in activities that compromise the organization's security. [1]
Types of Insider Threats
Insider threats can be classified into two main types:
- Willful: Involves deliberate actions to breach company security. [1]
- Negligent: Occurs due to a lack of awareness or enforcement of company policies, leading to employee behavior that exposes the organization to threats. [1]
Motivations for Insider Threats
Individuals may become insider threats due to various motivations, including:
- Financial gain
- Disgruntled workplace experiences
- Coercion by national pride
Consequences of Insider Threats
Insider threats can have severe consequences for organizations, including:
- Fraud
- Theft of intellectual property
- Damage to the organization's reputation
- Legal and business consequences
Challenges in Identifying Insider Threats
Insider threats are challenging to identify because perpetrators have trusted access to company assets. [5] This makes it difficult to distinguish between legitimate and malicious activities.
Difference between password spraying vs credential stuffingPassword Spraying vs. Credential Stuffing
Password Spraying
- Involves using a single password against multiple usernames on a target system.
- Typically targets a specific organization or service.
- Relies on the assumption that users often reuse passwords across multiple accounts.
Credential Stuffing
- Involves using a large database of stolen credentials (username and password pairs) to attempt logins on multiple websites. [3]
- Targets a wide range of websites and services.
- Exploits the fact that many users reuse passwords across multiple accounts.
- Can be automated using tools and services available on underground forums. [2]
what is a rainbow table password attack?A rainbow table password attack is a technique used to crack password hashes by utilizing a precomputed table of possible hash values and their corresponding plaintext passwords. [2] This table is generated offline and can be used to quickly identify the plaintext password associated with a given hash value. Rainbow tables are particularly effective against weak passwords that are short, contain common words, or lack complexity.
The process of using a rainbow table to crack a password hash involves comparing the hash value to the precomputed table. [2] If a match is found, the corresponding plaintext password is revealed. This process is significantly faster than brute-force attacks, which attempt to guess the password by trying every possible combination.
Rainbow tables are often used by attackers to target systems that store password hashes in a vulnerable format. [1][5] By exploiting weaknesses in the hashing algorithm or the way passwords are stored, attackers can gain access to the password hashes and use rainbow tables to crack them.
what is the registry key SOFTWARE\Classes\cmdfile\shell\open\commandThe registry key SOFTWARE\Classes\cmdfile\shell\open\command is associated with the cmdfile file type in the Windows registry. When this key is present, it indicates that a web browser instance will be started and injected with the TURNEDUP payload. The malware will then update the configuration resource into the newly injected process. [2] This key is also used by the Kovter malware to write a copy of itself to the user's local appdata directory for persistence. [3] Additionally, this key can be used by attackers to hijack the Component Object Model (COM) in Windows. By registering a Windows binary as a COM class in the registry, attackers can execute code based on the COM class ID (CLSID). This technique is commonly used by malware to gain persistence and evade detection.
What protocols or services are typically assigned to port 21?Port 21 is typically assigned to the File Transfer Protocol (FTP). FTP is a protocol used for transferring files between computers over a network. It is a client-server protocol, meaning that one computer acts as the client and the other computer acts as the server. The client sends a request to the server to transfer a file, and the server responds by sending the file to the client. FTP is a very common protocol, and it is used by many different applications, including web browsers, email clients, and file sharing programs.
How many supply chain compromises were observed in 2022?In 2022, Mandiant identified 41 supply chain compromises. This number represents a decrease from the 71 supply chain compromises observed in 2023. Supply chain compromises remain a rare overall initial compromise vector. [2] However, they are attractive to malicious actors due to the decreased likelihood of detection and the efficiency gain of potentially infecting many victims through one compromise. [1]
Which threat actors have used cve-2021-44228 ?The following threat actors have exploited CVE-2021-44228:
- China-nexus threat actors, including UNC3500 and UNC2448
- Iran-nexus threat actors, including PHOSPHORUS
- North Korea-based threat actors
- Turkey-based threat actors
- Unknown threat actors
How do threat actors attempt to evade or defeat endpoint detection and response (EDR)?Threat actors employ various techniques to evade or defeat endpoint detection and response (EDR) solutions:
- Exploiting Security Solutions: Threat actors may bypass EDR solutions on supported devices by using "living off the land" binaries to execute arbitrary code, deploying malware that forces devices to reboot in "safe" mode, or delivering malicious payloads directly into memory. [1]
- Blending into the Noise: Threat actors may attempt to confuse investigators by blending their activity with more common nuisances, such as spam, or using malware frequently associated with cybercrime to support espionage and destructive activity. [2]
- Using Legitimate Tools: Threat actors commonly exfiltrate data to cloud hosting services or directly back to attacker-controlled hosts via legitimate remote access tools. [3]
- Manipulating Control Systems: Threat actors can bridge the gap between electronic and mechanical systems to physically impact critical operations by manipulating or disrupting control systems. [4]
- Operating from Blind Spots: Threat actors may evade detection by operating from devices in the victim environment's blind spots, such as servers running uncommon versions of Linux or network appliances running opaque operating systems. [5]