Blueliv ThreatContext

This Integration is part of the Blueliv ThreatContext Pack.

The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.

Configure Blueliv ThreatContext on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Blueliv ThreatContext.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://demisto.blueliv.com/api/v2) | False |
| credentials | Username | False |
| unsecure | Trust any certificate (not secure) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

blueliv-authenticate


Authenticate and get the API token

Base Command

blueliv-authenticate

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.token | string | Authentication token |

Command Example

!blueliv-authenticate

Context Example

{}

Human Readable Output

981bfb934723091e606c0e35998217bdcafc8697d1a6d0911ff5b2fedb5a16c

blueliv-tc-malware


Gets information about malware by ID

Base Command

blueliv-tc-malware

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash_id | Blueliv's internal malware hash ID | Optional |
| hash | Malware file hash to search for | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.malware.hash.sha256 | Unknown | File SHA256 |
| BluelivThreatContext.malware.hash.sha1 | Unknown | File SHA1 |
| BluelivThreatContext.malware.hash.md5 | Unknown | File MD5 |
| BluelivThreatContext.malware.type | Unknown | Malware type |
| BluelivThreatContext.malware.hasCandC | Unknown | Whether a C&C is associated |
| BluelivThreatContext.malware.memory | Unknown | Malware memory |
| BluelivThreatContext.malware.procMemory | Unknown | Malware proc memory |
| BluelivThreatContext.malware.analysisStatus | Unknown | Malware analysis status |
| BluelivThreatContext.malware.dropped | Unknown | Malware dropped |
| BluelivThreatContext.malware.buffers | Unknown | Malware buffers |
| BluelivThreatContext.malware.hasNetwork | Unknown | Whether the malware has network information |
| BluelivThreatContext.malware.risk | Unknown | Malware associated risk |
| BluelivThreatContext.malware.campaigns | Unknown | Malware related campaigns |
| BluelivThreatContext.malware.campaignIds | Unknown | Malware related campaigns internal IDs |
| BluelivThreatContext.malware.signatures | Unknown | Malware signatures |
| BluelivThreatContext.malware.signatureIds | Unknown | Malware signatures internal IDs |
| BluelivThreatContext.malware.threatActors | Unknown | Malware threat actors |
| BluelivThreatContext.malware.threatActorIds | Unknown | Malware threat actors internal IDs |
| BluelivThreatContext.malware.sources | Unknown | Malware sources |
| BluelivThreatContext.malware.sourceIds | Unknown | Malware sources internal IDs |
| BluelivThreatContext.malware.tags | Unknown | Malware tags |
| BluelivThreatContext.malware.tagIds | Unknown | Malware tags internal IDs |
| BluelivThreatContext.malware.crimeServers | Unknown | Malware related crime servers |
| BluelivThreatContext.malware.crimeServerIds | Unknown | Malware crime servers internal IDs |
| BluelivThreatContext.malware.fqdns | Unknown | Malware FQDNs |
| BluelivThreatContext.malware.fqdnIds | Unknown | Malware FQDNs internal IDs |
| BluelivThreatContext.malware.types | Unknown | Malware types |
| BluelivThreatContext.malware.typeIds | Unknown | Malware types internal IDs |
| BluelivThreatContext.malware.sparks | Unknown | Malware sparks |
| BluelivThreatContext.malware.sparkIds | Unknown | Malware sparks internal IDs |
| BluelivThreatContext.malware.ips | Unknown | Malware IPs |
| BluelivThreatContext.malware.ipIds | Unknown | Malware IPs internal IDs |

Command Example

!blueliv-tc-malware hash=ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1

Context Example

{
    "malware": {
        "analysisStatus": "FINISHED_SUCCESSFULLY",
        "buffers": false,
        "campaignIds": "",
        "campaigns": 0,
        "crimeServers": 0,
        "crimeserverIds": "",
        "dropped": false,
        "fileType": "PE",
        "fqdnIds": "",
        "fqdns": 0,
        "hasCandC": false,
        "hasNetwork": true,
        "hash": {
            "md5": "36a40cc55e2ffe7d44d007c6e37afd7f",
            "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055",
            "sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
        },
        "ipIds": "92269700,100333500,",
        "ips": 2,
        "memory": false,
        "procMemory": false,
        "risk": 7,
        "signatureIds": "",
        "signatures": 0,
        "sourceIds": "1958672,",
        "sources": 1,
        "sparkIds": "",
        "sparks": 0,
        "tagIds": "",
        "tags": 0,
        "threatActorIds": "",
        "threatActors": 0,
        "typeIds": "62,",
        "types": 1
    },
    "threatContext": {
        "hasResults": "true"
    }
}
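The context example above stores related-object IDs as comma-separated strings with a trailing comma (`"ipIds": "92269700,100333500,"`) and `hasResults` as the string `"true"`; blueliv-tc-indicator-ip below uses the same convention. The following helper is an added example, not part of the integration: it normalizes such an entry into integer lists and booleans for use in an automation, and rejects an entry whose count field disagrees with its ID list, using a constructed copy of the sample above as input.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the blueliv-tc-malware context example from this page,
# trimmed to the fields the helper touches. Note the trailing commas in the
# ID strings, the string-typed "hasResults" and the lowercase "crimeserverIds".
SAMPLE_CONTEXT: Dict[str, Any] = json.loads("""
{
  "malware": {
    "analysisStatus": "FINISHED_SUCCESSFULLY",
    "campaignIds": "",
    "campaigns": 0,
    "crimeServers": 0,
    "crimeserverIds": "",
    "hasCandC": false,
    "hasNetwork": true,
    "hash": {
      "md5": "36a40cc55e2ffe7d44d007c6e37afd7f",
      "sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055",
      "sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
    },
    "ipIds": "92269700,100333500,",
    "ips": 2,
    "risk": 7,
    "sourceIds": "1958672,",
    "sources": 1,
    "typeIds": "62,",
    "types": 1
  },
  "threatContext": {
    "hasResults": "true"
  }
}
""")


def parse_id_list(raw: str) -> List[int]:
    """Split an ID string such as "92269700,100333500," into ints, dropping
    the empty element left behind by the trailing comma."""
    return [int(part) for part in raw.split(",") if part.strip()]


def to_bool(value: Any) -> bool:
    """Accept real booleans as well as the string form ("true"/"false")
    that threatContext.hasResults uses."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def normalize_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Turn every "<name>Ids" string of a malware or indicator entry into a
    list of ints, keyed by its count field ("campaignIds" -> "campaigns").
    If the count field exists and disagrees with the number of IDs, raise:
    that indicates a truncated or malformed entry, not data to act on.
    A key whose count field cannot be derived (e.g. "crimeserverIds") is
    still parsed, just not cross-checked."""
    related: Dict[str, List[int]] = {}
    for key, value in entry.items():
        if not key.endswith("Ids") or not isinstance(value, str):
            continue
        count_key = key[:-3] + "s"  # campaignIds -> campaigns, ipIds -> ips
        ids = parse_id_list(value)
        if count_key in entry and int(entry[count_key]) != len(ids):
            raise ValueError(f"{count_key}={entry[count_key]} but {key} holds {len(ids)} IDs")
        related[count_key] = ids
    return {
        "risk": float(entry.get("risk", 0)),  # malware gives 7, indicator gives "4.0"
        "has_c2": to_bool(entry.get("hasCandC", False)),
        "hashes": dict(entry.get("hash", {})),  # empty for indicator entries
        "related": related,
    }


def normalize_context(ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Normalize a whole BluelivThreatContext result; only the malware or
    indicator entry that is actually present is processed."""
    out: Dict[str, Any] = {
        "has_results": to_bool(ctx.get("threatContext", {}).get("hasResults", False)),
    }
    for entry_name in ("malware", "indicator"):
        if entry_name in ctx:
            out[entry_name] = normalize_entry(ctx[entry_name])
    return out


if __name__ == "__main__":
    print(json.dumps(normalize_context(SAMPLE_CONTEXT), indent=2))
```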

Human Readable Output

Blueliv Malware file info

The human-readable output is a single-row table of the malware record with these columns: analysis_date, analysis_delivered_date, analysis_signatures, analysis_status, at_afapi, behaviors, buffers, cerberus, created_at, created_at_afapi, dropped, file_type, first_seen, has_c_and_c, has_network, has_other_urls, hash, id, ioa, ioc_link, last_risk_scoring, last_seen, links, malfind, malicious_category, md5, memory, metadata, number_properties, pcap, priority_at_afapi, proc_memory, properties, report, risk, sample, scans_link, seen_at_analyzer, sha1, sha256, sha512, slugs_tags, sources_representation, subtype, target, tlp, type, types_names, updated_at, updated_at_afapi, uuid, version, vt_matches.

The ioa column is itself a nested record with the keys ip, url, host, path, yara, email, mutex, ports, domain, regkeys, metadata, registry, connections, certificates, process_name and attack_patterns. (The row rendered for the sample, a sandbox dump of file paths, registry keys, YARA matches and PE metadata, is not reproduced here.)

blueliv-tc-indicator-ip#


Gets information about an IP

Base Command#

blueliv-tc-indicator-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| IP_id | Internal Blueliv's IP ID | Required |
| IP | IP to search | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.indicator.lastSeen | Unknown | Indicator last seen |
| BluelivThreatContext.indicator.risk | Unknown | Indicator risk |
| BluelivThreatContext.indicator.latitude | Unknown | Indicator latitude |
| BluelivThreatContext.indicator.longitude | Unknown | Indicator longitude |
| BluelivThreatContext.indicator.countryId | Unknown | Indicator country internal ID |
| BluelivThreatContext.indicator.campaigns | Unknown | Indicator campaigns |
| BluelivThreatContext.indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
| BluelivThreatContext.indicator.signatures | Unknown | Indicator signatures |
| BluelivThreatContext.indicator.signatureIds | Unknown | Indicator signatures internal IDs |
| BluelivThreatContext.indicator.threatActors | Unknown | Indicator threat actors |
| BluelivThreatContext.indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
| BluelivThreatContext.indicator.tags | Unknown | Indicator tags |
| BluelivThreatContext.indicator.tagIds | Unknown | Indicator tags internal IDs |
| BluelivThreatContext.indicator.fqdns | Unknown | Indicator FQDNs |
| BluelivThreatContext.indicator.fqdnIds | Unknown | Indicator FQDNs internal IDs |
| BluelivThreatContext.indicator.sparks | Unknown | Indicator sparks |
| BluelivThreatContext.indicator.sparkIds | Unknown | Indicator sparks internal IDs |
| BluelivThreatContext.indicator.bots | Unknown | Indicator bots |
| BluelivThreatContext.indicator.botIds | Unknown | Indicator bots internal IDs |

Command Example#

!blueliv-tc-indicator-ip IP="103.76.228.28"

Context Example#

{
"indicator": {
"botIds": "",
"bots": 0,
"campaignIds": "",
"campaigns": 0,
"countryId": "103",
"fqdnIds": "",
"fqdns": 0,
"lastSeen": "2020-06-15T18:25:00Z",
"latitude": "20.0",
"longitude": "77.0",
"risk": "4.0",
"signatureIds": "",
"signatures": 0,
"sparkIds": "",
"sparks": 0,
"tagIds": "",
"tags": 0,
"threatActorIds": "",
"threatActors": 0
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv IP info#

addressasn_numberasn_ownerat_afapicreated_atcreated_at_afapifirst_seenhistory_linkidioc_linklast_risk_scoringlast_seenlatitudelinkslongitudepassive_dns_linkriskslugs_tagstlptypeupdated_atupdated_at_afapivirus_total_linkwhois_link
103.76.228.28394695PDRfalse2019-05-03T09:57:46.834135Z2019-04-11T04:12:09.830000Zhttps://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/70236228https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/2020-06-15T15:17:47.624936Z2020-06-15T18:25:00Z20.0self: https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/77.0https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/4.0amberIP2020-06-15T16:44:49.623167Zhttps://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/

blueliv-tc-cve#


Gets information about a CVE

Base Command#

blueliv-tc-cve

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| CVE | CVE to search | Optional |
| CVE_id | Internal Blueliv's CVE ID | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.cve.name | Unknown | CVE name |
| BluelivThreatContext.cve.description | Unknown | CVE description |
| BluelivThreatContext.cve.updatedAt | Unknown | CVE updated at |
| BluelivThreatContext.cve.score | Unknown | CVE score |
| BluelivThreatContext.cve.attackPatterns | Unknown | CVE attack patterns |
| BluelivThreatContext.cve.attackPatternIds | Unknown | CVE attack patterns internal IDs |
| BluelivThreatContext.cve.signatures | Unknown | CVE signatures |
| BluelivThreatContext.cve.signatureIds | Unknown | CVE signatures internal IDs |
| BluelivThreatContext.cve.tags | Unknown | CVE tags |
| BluelivThreatContext.cve.tagIds | Unknown | CVE tags internal IDs |
| BluelivThreatContext.cve.crimeServers | Unknown | CVE crime servers |
| BluelivThreatContext.cve.crimeServerIds | Unknown | CVE crime servers internal IDs |
| BluelivThreatContext.cve.sparks | Unknown | CVE sparks |
| BluelivThreatContext.cve.sparkIds | Unknown | CVE sparks internal IDs |
| BluelivThreatContext.cve.malware | Unknown | CVE malware |
| BluelivThreatContext.cve.malwareIds | Unknown | CVE malware internal IDs |
| BluelivThreatContext.cve.exploits | Unknown | CVE exploits |
| BluelivThreatContext.cve.platforms | Unknown | CVE platforms |

Command Example#

!blueliv-tc-cve CVE="CVE-2020-8794"

Context Example#

{}

Human Readable Output#

{"apiId": "THIAPP", "url": "/api/v1/cve/CVE-2020-8794/relationships/attack-pattern/", "requestType": "GET"}

blueliv-tc-indicator-fqdn#


Gets information about an FQDN

Base Command#

blueliv-tc-indicator-fqdn

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| FQDN_id | Internal Blueliv's FQDN ID | Optional |
| FQDN | FQDN to search | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.indicator.lastSeen | Unknown | Indicator last seen |
| BluelivThreatContext.indicator.risk | Unknown | Indicator risk |
| BluelivThreatContext.indicator.campaigns | Unknown | Indicator campaigns |
| BluelivThreatContext.indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
| BluelivThreatContext.indicator.signatures | Unknown | Indicator signatures |
| BluelivThreatContext.indicator.signatureIds | Unknown | Indicator signatures internal IDs |
| BluelivThreatContext.indicator.threatActors | Unknown | Indicator threat actors |
| BluelivThreatContext.indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
| BluelivThreatContext.indicator.tags | Unknown | Indicator tags |
| BluelivThreatContext.indicator.tagIds | Unknown | Indicator tags internal IDs |
| BluelivThreatContext.indicator.crimeServers | Unknown | Indicator crime servers |
| BluelivThreatContext.indicator.crimeServerIds | Unknown | Indicator crime servers internal IDs |
| BluelivThreatContext.indicator.sparks | Unknown | Indicator sparks |
| BluelivThreatContext.indicator.sparkIds | Unknown | Indicator sparks internal IDs |
| BluelivThreatContext.indicator.ips | Unknown | Indicator IPs |
| BluelivThreatContext.indicator.ipIds | Unknown | Indicator IPs internal IDs |

Command Example#

!blueliv-tc-indicator-fqdn FQDN="self-repair.r53-2.services.mozilla.com"

Context Example#

{
"indicator": {
"campaignIds": "",
"campaigns": 0,
"crimeServerIds": "",
"crimeServers": 0,
"ipIds": "",
"ips": 0,
"lastSeen": "2018-08-07T22:40:47.580489Z",
"risk": "2.5",
"signatureIds": "",
"signatures": 0,
"sparkIds": "",
"sparks": 0,
"tagids": "",
"tags": 0,
"threatActorIds": "",
"threatActors": 0
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv FQDN info#

active_dns_linkcreated_atdomainfirst_seenhistory_linkidioc_linklast_risk_scoringlast_seenlinkspassive_dns_linkriskslugs_tagstlptypeupdated_atvirus_total_linkwhois_link
https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/dns/2018-08-07T22:40:47.580640Zanad.ir2018-08-07T22:40:47.580479Zhttps://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/history/5783871https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ioc/2020-06-15T17:25:37.498738Z2018-08-07T22:40:47.580489Zself: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/passive-dns/2.5whiteFQDN2020-06-15T17:25:37.499246Zhttps://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/virus-total/https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/whois/

blueliv-tc-indicator-cs#


Gets information about a Crime Server

Base Command#

blueliv-tc-indicator-cs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| CS_id | Internal Blueliv's Crime Server ID | Required |
| CS | The name of the Crime Server to search | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.indicator.lastSeen | Unknown | Indicator last seen |
| BluelivThreatContext.indicator.status | Unknown | Indicator status |
| BluelivThreatContext.indicator.risk | Unknown | Indicator risk |
| BluelivThreatContext.indicator.isFalsePositive | Unknown | Indicator is a false positive |
| BluelivThreatContext.indicator.crimeServerUrl | Unknown | Indicator crime server URL |
| BluelivThreatContext.indicator.creditCardsCount | Unknown | Indicator credit cards count |
| BluelivThreatContext.indicator.credentialsCount | Unknown | Indicator credentials count |
| BluelivThreatContext.indicator.botsCount | Unknown | Indicator bots count |
| BluelivThreatContext.indicator.fqdnId | Unknown | Indicator FQDN internal ID |
| BluelivThreatContext.indicator.malware | Unknown | Indicator malware |
| BluelivThreatContext.indicator.malwareIds | Unknown | Indicator malware internal IDs |
| BluelivThreatContext.indicator.tags | Unknown | Indicator tags |
| BluelivThreatContext.indicator.tagIds | Unknown | Indicator tags internal IDs |
| BluelivThreatContext.indicator.sparks | Unknown | Indicator sparks |
| BluelivThreatContext.indicator.sparkIds | Unknown | Indicator sparks internal IDs |

Command Example#

!blueliv-tc-indicator-cs CS_id=6626263

Context Example#

{
"indicator": {
"botsCount": "0",
"credentialsCount": "0",
"creditCardsCount": "0",
"crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php",
"fqdnId": "9633658",
"isFalsePositive": "False",
"lastSeen": "2020-06-15T16:46:06.170000Z",
"malware": 0,
"malwareIds": "",
"risk": "4.0",
"sourceIds": "642676,",
"sources": 1,
"sparkIds": "",
"sparks": 0,
"status": "online",
"tagIds": "",
"tags": 0
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv Crime Server info#

at_feedat_free_feedbots_countconfidencecreated_atcreated_at_afapicredentials_countcredit_cards_countcrime_server_urlfalse_positive_modification_timefirst_seenidioc_linkis_false_positivelast_log_timestamplast_risk_scoringlast_seenlinksmain_typeriskscans_linkservice_scansslugs_tagsstatussubtype_nametarget_statustlptypeupdated_atupdated_at_afapi
truetrue012020-06-15T17:02:40.327300Z2020-06-15T16:46:06.119000Z00http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php2020-06-15T17:02:38.524874Z2020-06-15T16:44:25Z6626263https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/false2020-06-15T17:14:36.146566Z2020-06-15T16:46:06.170000Zself: https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/c_and_c4.0https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/onlineANUBISamberCrimeServer2020-06-15T17:14:36.149943Z2020-06-15T16:46:06.170000Z
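The indicator commands above (blueliv-tc-indicator-ip, blueliv-tc-indicator-fqdn and blueliv-tc-indicator-cs) write every value into context as a string: risk scores ("4.0"), booleans ("False", "true") and ID lists as comma-terminated strings ("642676,"), so a playbook condition that compares them naively will misbehave. The helper below is an added example, not code from the Blueliv ThreatContext integration: it types the fields and makes a simple triage decision. The sample context is the Crime Server context example from this page; the thresholds (`min_risk`, `max_age_days`) and the shape of the triage result are this example's own assumptions, since the page does not state the range of the risk score.

```python
"""Normalize and triage the context written by blueliv-tc-indicator-ip,
blueliv-tc-indicator-fqdn and blueliv-tc-indicator-cs.

Added example, not part of the Blueliv ThreatContext integration. SAMPLE_CONTEXT
is copied from the Crime Server context example; the thresholds and the shape of
the triage result are this example's own assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the Crime Server context example shown on this page.
SAMPLE_CONTEXT = {
    "indicator": {
        "botsCount": "0",
        "credentialsCount": "0",
        "creditCardsCount": "0",
        "crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php",
        "fqdnId": "9633658",
        "isFalsePositive": "False",
        "lastSeen": "2020-06-15T16:46:06.170000Z",
        "malware": 0,
        "malwareIds": "",
        "risk": "4.0",
        "sourceIds": "642676,",
        "sources": 1,
        "sparkIds": "",
        "sparks": 0,
        "status": "online",
        "tagIds": "",
        "tags": 0,
    },
    "threatContext": {"hasResults": "true"},
}


def parse_id_list(value):
    """Blueliv writes ID lists as comma-terminated strings: "642676," -> [642676], "" -> []."""
    return [int(part) for part in str(value).split(",") if part.strip()]


def parse_bool(value):
    """Booleans arrive as strings ("True", "true", "False"); accept real bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def parse_timestamp(value):
    """ISO-8601 with a trailing Z, with or without fractional seconds, to an aware datetime."""
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def normalize_indicator(ctx):
    """Return the indicator dict with typed values, or None when the lookup had no results."""
    if not parse_bool(ctx.get("threatContext", {}).get("hasResults", False)):
        return None
    out = {}
    for key, value in ctx.get("indicator", {}).items():
        lowered = key.lower()  # tolerates the "tagids" spelling seen in the FQDN example
        if lowered.endswith("ids"):
            out[key] = parse_id_list(value)
        elif lowered.endswith("id") or lowered.endswith("count"):
            out[key] = int(value)
        elif key == "risk":
            out[key] = float(value)
        elif key == "isFalsePositive":
            out[key] = parse_bool(value)
        elif key == "lastSeen":
            out[key] = parse_timestamp(value)
        else:
            out[key] = value
    return out


def triage(ctx, min_risk=3.0, max_age_days=90, now=None):
    """Decide whether the indicator deserves action; every blocking reason is listed.

    min_risk and max_age_days are illustrative thresholds (assumption). `now` is an
    ISO timestamp string so runs are reproducible; it defaults to the current UTC time."""
    indicator = normalize_indicator(ctx)
    if indicator is None:
        return {"actionable": False, "reasons": ["no results in Threat Context"], "indicator": None}
    reasons = []
    if indicator.get("isFalsePositive"):
        reasons.append("flagged as false positive by Blueliv")
    status = indicator.get("status")  # only crime servers carry a status
    if status not in (None, "online"):
        reasons.append("crime server status is %s" % status)
    risk = indicator.get("risk", 0.0)
    if risk < min_risk:
        reasons.append("risk %.1f below threshold %.1f" % (risk, min_risk))
    current = parse_timestamp(now) if now else datetime.now(timezone.utc)
    if "lastSeen" in indicator and current - indicator["lastSeen"] > timedelta(days=max_age_days):
        reasons.append("last seen more than %d days ago" % max_age_days)
    return {"actionable": not reasons, "reasons": reasons, "indicator": indicator}


if __name__ == "__main__":
    print(triage(SAMPLE_CONTEXT, now="2020-06-16T00:00:00Z"))
```

Run against the sample with `now` set to the day after `lastSeen`, the crime server is actionable (online, not a false positive, risk 4.0, seen recently); the same record evaluated months later with a 30-day freshness window is rejected with the reason recorded, which is the detail a playbook should write to the incident rather than silently dropping the indicator.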

blueliv-tc-threat-actor#


Gets information about a Threat Actor

Base Command#

blueliv-tc-threat-actor

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threatActor | Threat Actor to search | Optional |
| threatActor_id | Internal Blueliv's Threat Actor ID | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.threatActor.name | Unknown | Threat actor name |
| BluelivThreatContext.threatActor.description | Unknown | Threat actor description |
| BluelivThreatContext.threatActor.objective | Unknown | Threat actor objective |
| BluelivThreatContext.threatActor.sophistication | Unknown | Threat actor sophistication |
| BluelivThreatContext.threatActor.lastSeen | Unknown | Threat actor last seen |
| BluelivThreatContext.threatActor.active | Unknown | Threat actor active |
| BluelivThreatContext.threatActor.milestones | Unknown | Threat actor milestones |
| BluelivThreatContext.threatActor.milestoneIds | Unknown | Threat actor milestones internal IDs |
| BluelivThreatContext.threatActor.tools | Unknown | Threat actor tools |
| BluelivThreatContext.threatActor.toolIds | Unknown | Threat actor tools internal IDs |
| BluelivThreatContext.threatActor.campaigns | Unknown | Threat actor campaigns |
| BluelivThreatContext.threatActor.campaignIds | Unknown | Threat actor campaigns internal IDs |
| BluelivThreatContext.threatActor.signatures | Unknown | Threat actor signatures |
| BluelivThreatContext.threatActor.signatureIds | Unknown | Threat actor signatures internal IDs |
| BluelivThreatContext.threatActor.onlineServices | Unknown | Threat actor online services |
| BluelivThreatContext.threatActor.onlineServiceIds | Unknown | Threat actor online services internal IDs |
| BluelivThreatContext.threatActor.malware | Unknown | Threat actor malware |
| BluelivThreatContext.threatActor.malwareIds | Unknown | Threat actor malware internal IDs |
| BluelivThreatContext.threatActor.threatTypes | Unknown | Threat actor threat types |
| BluelivThreatContext.threatActor.threatTypeIds | Unknown | Threat actor threat types internal IDs |
| BluelivThreatContext.threatActor.fqdns | Unknown | Threat actor FQDNs |
| BluelivThreatContext.threatActor.fqdnIds | Unknown | Threat actor FQDNs internal IDs |
| BluelivThreatContext.threatActor.attackPatterns | Unknown | Threat actor attack patterns |
| BluelivThreatContext.threatActor.attackPatternIds | Unknown | Threat actor attack patterns internal IDs |
| BluelivThreatContext.threatActor.ips | Unknown | Threat actor IPs |
| BluelivThreatContext.threatActor.ipIds | Unknown | Threat actor IPs internal IDs |
| BluelivThreatContext.threatActor.targets | Unknown | Threat actor targets |
| BluelivThreatContext.threatActor.targetIds | Unknown | Threat actor targets internal IDs |

Command Example#

!blueliv-tc-threat-actor threatActor=Vendetta

Context Example#

{
"threatAactor": {
"onlineServices": 0,
"threatTypes": 0
},
"threatActor": {
"active": "True",
"attackPatternIds": "511,529,603,613,703,705,735,",
"attackPatterns": 7,
"campaignIds": "",
"campaigns": 0,
"description": "<h5>Key Points</h5>\n\n<ul>\n\t<li>\n\t<p>Vendetta is a threat actor based on Italy or Turkey discovered in April 2020&nbsp;that seeks to steal targeted business intelligence.</p>\n\t</li>\n\t<li>\n\t<p>Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.</p>\n\t</li>\n\t<li>The threat actor uses social engineering techniques to infect the victims with a RAT.</li>\n</ul>\n\n<h5>Assessment</h5>\n\n<p>Vendetta is a Threat Actor that became active on April 2020, and was discovered by&nbsp;360 Baize Lab. The name comes from a PDB path found in one of the samples:</p>\n\n<div style=\"background:#eeeeee; border:1px solid #cccccc; padding:5px 10px\">C:\\Users\\<strong>Vendetta</strong>\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb</div>\n\n<p>Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text &quot;Developers from Italy&quot; which indicates the threat actor may be Italian, but these also contain&nbsp;Turkish names in variables&nbsp;like RoboSky suggest they could actually be from Turkey.</p>\n\n<p>Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as&nbsp;Australian Government Department of Health,&nbsp;Austrian Federal Ministry of the Interior (BMI), or the&nbsp;Mexican health department. The emails contained a malicious attachment called pdf.exe,&nbsp;trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the <a href=\"https://thiapp2.blueliv.net/#/ui/intelligence/tools/details/136\">NanoCore</a> and <a href=\"https://thiapp2.blueliv.net/#/ui/intelligence/tools/details/193\">RemcosRAT</a> malware.</p>",
"fqdnIds": "9607329,",
"fqdns": 1,
"ips": 1,
"lastSeen": "2020-06-10T00:00:00Z",
"malware": 56,
"malwareIds": "55048892,55954618,56069689,56081184,56101608,56174304,56435633,56482393,56528142,56528442,56660508,56822336,56834251,56895357,56906597,56921822,56963320,57023523,57143218,57500808,57531883,57577157,57992940,58151119,59402651,59402653,59402654,59402655,59402656,59406230,59406231,59406232,59406233,59406234,59406235,59406236,59421287,59421291,59421298,59421308,59421351,59421352,59421389,59421399,59421403,59421435,59421463,59421467,59421471,59421474,59421499,59421511,59421557,59421568,59421605,59468951,",
"milestoneIds": "",
"milestones": 0,
"name": "Vendetta",
"objective": "<p>This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.</p>",
"onlineServiceIds": "",
"signatureIds": "",
"signatures": 0,
"sophistication": "intermediate",
"targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,",
"targets": 21,
"threatTypeIds": "",
"toolIds": "136,193,",
"tools": 2
},
"threatActor,ipIds": "96161121,",
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv Threat Actor info#

activealiasescountry_namecreated_atdescriptionfirst_seenidioc_linklast_seenlinksmodus_operandinameobjectivereferencessophisticationtlptypetypesupdated_atuuid
trueVendettaItaly2020-06-10T11:23:22.584500Z
Key Points

  • Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.
  • Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.
  • The threat actor uses social engineering techniques to infect the victims with a RAT.

Assessment

Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:

C:\Users\Vendetta\source\repos\{project name}\*\obj\Debug\{project name}.pdb

Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.

Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.

2020-04-01T00:00:00Z232https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/2020-06-10T00:00:00Zself: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/

Vendetta uses well designed phishing campaigns to target businesses and individuals. The phishing emails contain a malicious payload that, once unleashed, will install a RAT in the infected computer.

Vendetta

This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.

{'link': 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'title': 'Vendetta-new threat actor from Europe'}intermediatewhiteThreatActorhacker2020-06-10T12:29:16.463528Z

blueliv-tc-campaign#


Gets information about a Campaign

Base Command#

blueliv-tc-campaign

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| campaign | Name of the Campaign to search for | Optional |
| campaign_id | Blueliv's internal Campaign ID | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.campaign.name | Unknown | Campaign name |
| BluelivThreatContext.campaign.description | Unknown | Campaign description |
| BluelivThreatContext.campaign.lastSeen | Unknown | Campaign last seen |
| BluelivThreatContext.campaign.botnets | Unknown | Campaign botnets |
| BluelivThreatContext.campaign.botnetIds | Unknown | Campaign botnets internal IDs |
| BluelivThreatContext.campaign.signatures | Unknown | Campaign signatures |
| BluelivThreatContext.campaign.signatureIds | Unknown | Campaign signatures internal IDs |
| BluelivThreatContext.campaign.ips | Unknown | Campaign IPs |
| BluelivThreatContext.campaign.ipIds | Unknown | Campaign IPs internal IDs |
| BluelivThreatContext.campaign.malware | Unknown | Campaign malware |
| BluelivThreatContext.campaign.malwareIds | Unknown | Campaign malware internal IDs |
| BluelivThreatContext.campaign.attackPatterns | Unknown | Campaign attack patterns |
| BluelivThreatContext.campaign.attackPatternIds | Unknown | Campaign attack patterns internal IDs |
| BluelivThreatContext.campaign.tools | Unknown | Campaign tools |
| BluelivThreatContext.campaign.toolIds | Unknown | Campaign tools internal IDs |
| BluelivThreatContext.campaign.fqdns | Unknown | Campaign FQDNs |
| BluelivThreatContext.campaign.fqdnIds | Unknown | Campaign FQDNs internal IDs |
| BluelivThreatContext.campaign.threatActorId | Unknown | Campaign threat actor internal ID |

Command Example#

!blueliv-tc-campaign campaign_id=152

Context Example#

{
"campaign": {
"attackPatternIds": "",
"attackPatterns": 0,
"botnetIds": "",
"botnets": 0,
"description": "<p>A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.</p>\n\n<p>There are different types of downloaders: VBS scripts, MSI files, executable downloaders.&nbsp;These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.</p>\n\n<p>This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.</p>\n\n<p>Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.</p>",
"fqdnIds": "138612,9322638,9394712,9549083,9549084,9549097,9549098,9549099,",
"fqdns": 8,
"ips": 0,
"lastSeen": "2020-05-28T00:00:00Z",
"malware": 9,
"malwareIds": "55800558,55800615,58635752,58635753,58635754,58635755,58635756,58635757,58635758,",
"name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain",
"signatureIds": "",
"signatures": 0,
"threatActorId": "226",
"toolIds": "673,",
"tools": 1
},
"campaign,ipIds": "",
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv Campaign info#

created_atdescriptionfirst_seenidioc_linklast_seenlinksnametlptypeupdated_atuuid
2020-05-28T21:24:11.307288Z

A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.



There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.



This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.



Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.

2020-04-16T00:00:00Z152https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/2020-05-28T00:00:00Zself: https://tctrustoylo.blueliv.com/api/v1/campaign/152/2020 Grandoreiro campaign against banks in LATAM, Portugal and SpainwhiteCampaign2020-05-28T23:58:36.883515Z

blueliv-tc-attack-pattern#


Gets information about an Attack Pattern

Base Command#

blueliv-tc-attack-pattern

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| attackPattern | The Attack Pattern's name to search for | Optional |
| attackPatternId | Internal Blueliv's ID for the Attack Pattern | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.attackPattern.name | Unknown | Attack pattern name |
| BluelivThreatContext.attackPattern.description | Unknown | Attack pattern description |
| BluelivThreatContext.attackPattern.updatedAt | Unknown | Attack pattern updated at |
| BluelivThreatContext.attackPattern.severity | Unknown | Attack pattern severity |
| BluelivThreatContext.attackPattern.signatures | Unknown | Attack pattern signatures |
| BluelivThreatContext.attackPattern.signatureIds | Unknown | Attack pattern signatures internal IDs |
| BluelivThreatContext.attackPattern.campaigns | Unknown | Attack pattern campaigns |
| BluelivThreatContext.attackPattern.campaignIds | Unknown | Attack pattern campaigns internal IDs |
| BluelivThreatContext.attackPattern.threatActors | Unknown | Attack pattern threat actors |
| BluelivThreatContext.attackPattern.threatActorIds | Unknown | Attack pattern threat actors internal IDs |
| BluelivThreatContext.attackPattern.cves | Unknown | Attack pattern CVEs |
| BluelivThreatContext.attackPattern.cveIds | Unknown | Attack pattern CVEs internal IDs |

Command Example#

!blueliv-tc-attack-pattern attackPattern="Account Discovery"

Context Example#

{
"attackPattern": {
"campaignIds": "95,81,82,83,3,",
"campaigns": 5,
"cveIds": "",
"cves": 0,
"description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.\n\nAlso, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.",
"name": "Account Discovery",
"serverity": "Medium",
"signatureIds": "",
"signatures": 0,
"threatActorIds": "1,34,62,21,131,56,89,191,47,8,81,10,50,28,37,194,228,190,",
"threatActors": 18,
"updatedAt": "2018-12-24T23:00:02.352102Z"
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv Attack Pattern info#

attack_phasesattacker_skills_or_knowledge_requiredcapec_idcreated_atdescriptionidlinksnameprerequisitespurposesreferencesrelated_vulnerabilitiesrelated_weaknessesseveritysolutions_and_mitigationstlptypeupdated_atuuid
2018-12-24T23:00:02.352087ZAdversaries may attempt to get a listing of local system or domain accounts.

### Windows

Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

### Mac

On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.

### Linux

On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

Also, groups can be enumerated through the groups and id commands.
686self: https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/Account DiscoveryMediumwhiteAttackPattern2018-12-24T23:00:02.352102Z72b74d71-8169-42aa-92e0-e7b04b9f5a08

blueliv-tc-tool#


Gets information about a Tool

Base Command#

blueliv-tc-tool

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tool | Tool's name to search for | Optional |
| tool_id | Internal Blueliv's ID of the tool | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.tool.name | Unknown | Tool name |
| BluelivThreatContext.tool.description | Unknown | Tool description |
| BluelivThreatContext.tool.lastSeen | Unknown | Tool last seen |
| BluelivThreatContext.tool.campaigns | Unknown | Tool campaigns |
| BluelivThreatContext.tool.campaignIds | Unknown | Tool campaigns internal IDs |
| BluelivThreatContext.tool.signatures | Unknown | Tool signatures |
| BluelivThreatContext.tool.signatureIds | Unknown | Tool signatures internal IDs |
| BluelivThreatContext.tool.threatActors | Unknown | Tool threat actors |
| BluelivThreatContext.tool.threatActorIds | Unknown | Tool threat actors internal IDs |

Command Example#

!blueliv-tc-tool tool=ACEHASH

Context Example#

{
"threatContext": {
"hasResults": "true"
},
"tool": {
"campaignIds": "",
"campaigns": 0,
"description": "<p>ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.</p>",
"lastSeen": "2019-12-01T00:00:00Z",
"name": "ACEHASH",
"signatureIds": "",
"signatures": 0,
"threatActorIds": "194,",
"threatActors": 1
}
}

Human Readable Output#

Blueliv Tool info#

created_atdescriptiondiscovery_datefirst_seenidlast_seenlinksnamereferencestargeted_platformstlptypeupdated_atuuidversion
2020-02-26T14:35:55.698486Z

ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.

2012-12-01T00:00:00Z5322019-12-01T00:00:00Zself: https://tctrustoylo.blueliv.com/api/v1/tool/532/ACEHASH{'link': 'https://content.fireeye.com/apt-41/rpt-apt41', 'title': 'Double Dragon: APT41, a dual espionage and cyber crime operation'}whiteTool2020-02-26T14:35:55.698549Z

blueliv-tc-signature#


Gets information about a Signature

Base Command#

blueliv-tc-signature

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| signature | Signature's name to search for | Optional |
| signature_id | Internal Blueliv's ID for the signature | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| BluelivThreatContext.signature.name | Unknown | Signature name |
| BluelivThreatContext.signature.updatedAt | Unknown | Signature updated at |
| BluelivThreatContext.signature.ipIds | Unknown | Signature IPs internal IDs |
| BluelivThreatContext.signature.malware | Unknown | Signature malware |
| BluelivThreatContext.signature.malwareIds | Unknown | Signature malware internal IDs |
| BluelivThreatContext.signature.score | Unknown | Signature score |

Command Example#

!blueliv-tc-signature signature_id=84458

Context Example#

{
"signature": {
"malware": 0,
"malwareIds": "",
"name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)",
"type": "snort",
"updatedAt": "2020-06-15T02:11:21.962364Z"
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output#

Blueliv Signature info#

created_atidlinksnamereferencessidsignaturestatustlptypeupdated_atversion
2020-06-15T02:11:21.962302Z84458self: https://tctrustoylo.blueliv.com/api/v1/signature/84458/ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)2030333alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|yourcontents|03|xyz|00|"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;)enabledwhitesnort2020-06-15T02:11:21.962364Z2