Flashpoint
Use the Flashpoint integration to access intelligence reports, technical data, and uniquely sourced conversations from illicit threat communities.
Configure Flashpoint on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Flashpoint.
Click Add instance to create and configure a new integration instance.
Parameter Description Example Name A meaningful name for the integration instance. Flashpoint_instance_1 URL The URL to the Flashpoint server, including the scheme. https://fp.tools API Key Your Flashpoint API key. N/A Trust any certificate (not secure) When selected, certificates are not checked. N/A Use system proxy settings Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. https://proxyserver.com Click Test to validate the new instance.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Get the reputation of an IP#
Returns the reputation of an IP. The IP is considered malicious if there’s at least one IOC event in the Flashpoint database matching the IP indicator. The IP address is considered suspicious if it matches with any one of the torrent’s peer IP address or forum visit’s peer IP address.
Base Command#
ip
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP to check whether it is malicious or suspicious. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address. |
| IP.Malicious.Description | string | The description of the malicious IP. |
| IP.Malicious.Vendor | string | The vendor of the malicious IP. |
| IP.Relationships.EntityA | String | The source of the relationship. |
| IP.Relationships.EntityB | String | The destination of the relationship. |
| IP.Relationships.Relationship | String | The name of the relationship. |
| IP.Relationships.EntityAType | String | The type of the source of the relationship. |
| IP.Relationships.EntityBType | String | The type of the destination of the relationship. |
| Flashpoint.IP.Event.Href | string | The list of the reference link of the indicator. |
| Flashpoint.IP.Event.Address | string | The IP address of the indicator. |
| Flashpoint.IP.Event.EventDetails | Unknown | The event details in which the indicator is observed. |
| Flashpoint.IP.Event.Category | string | The category of the indicator. |
| Flashpoint.IP.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.IP.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.IP.Event.Type | string | The type of the indicator. |
| Flashpoint.IP.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.IP.Event.Comment | string | The comment which was provided when the indicator was observed. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint IP address reputation for 210.122.7.129#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Feb 12, 2018 21:46 | Lazarus Resurfaces, Targets Global Banks and Bitcoin Users | source:OSINT |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=ip-dst%2Cip-src&ioc_value=210.122.7.129
Get the reputation of a domain#
Returns the reputation of a domain. The domain is considered malicious if there’s at least one IOC event in the Flashpoint database matching the domain indicator.
Base Command#
domain
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain name to check. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Flashpoint.Domain.Event.Href | string | A list of reference links for the indicator. |
| Flashpoint.Domain.Event.Domain | string | The domain of the indicator. |
| Flashpoint.Domain.Event.EventDetails | unknown | The event details in which the indicator is observed. |
| Flashpoint.Domain.Event.Category | string | The category of the indicator. |
| Flashpoint.Domain.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.Domain.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.Domain.Event.Type | string | The type of the indicator. |
| Flashpoint.Domain.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.Domain.Event.Comment | string | The comment that was provided when the indicator was observed. |
| Domain.Malicious.Description | string | The description of the malicious indicator. |
| Domain.Malicious.Vendor | string | The vendor of the malicious indicator. |
| Domain.Name | string | The name of the domain. |
| Domain.Relationships.EntityA | String | The source of the relationship. |
| Domain.Relationships.EntityB | String | The destination of the relationship. |
| Domain.Relationships.Relationship | String | The name of the relationship. |
| Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
| Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Domain reputation for subaat.com#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Sep 25, 2019 19:51 | Gorgon Group actor profile | misp-galaxy:mitre-enterprise-attack-attack-pattern=“Spearphishing Attachment - T1193”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Scripting - T1064”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Command-Line Interface - T1059”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“System Information Discovery - T1082”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Remote Services - T1021”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Exfiltration Over Command and Control Channel - T1041”, os:Windows, source:phishing, type:RAT, malware🐀Quasar, malware:banker:Lokibot, filename: njrat.exe, file_name: excel.exe |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=domain&ioc_value=subaat.com
Get the reputation of the filename#
Returns the reputation of the filename. The filename is considered malicious if there’s at least one IOC event in the Flashpoint database matching the filename indicator.
Base Command#
filename
Input#
| Argument Name | Description | Required |
|---|---|---|
| filename | The filename to check. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Flashpoint.Filename.Event.Href | string | A list of reference links for the indicator. |
| Flashpoint.Filename.Event.Filename | string | The filename of the indicator. |
| Flashpoint.Filename.Event.EventDetails | unknown | The event details in which the indicator is observed. |
| Flashpoint.Filename.Event.Category | string | The category of the indicator. |
| Flashpoint.Filename.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.Filename.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.Filename.Event.Type | string | The type of the indicator. |
| Flashpoint.Filename.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.Filename.Event.Comment | string | The comment which was provided when the indicator was observed. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Filename reputation for .locked#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Oct 24, 2019 16:30 | LockerGoga | malware:ransomware:lockergoga, report:lKyimEX1TWS8x6AtdiJ_vA, report:jEteM4YxQZCdm4macbE3vQ, report:w0fL5MgoQ_Wih8XyB6Lowg, report:7t-BsuFKTL-HJWbid8nupg |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=filename&ioc_value=.locked
Get the reputation of the URL#
Returns the reputation of the URL. The URL is considered malicious if there’s at least one IOC event in the Flashpoint database matching the URL indicator.
Base Command#
url
Input#
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to check. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Flashpoint.Url.Event.Href | string | A list of reference links for the indicator. |
| Flashpoint.Url.Event.Url | string | The URL of the indicator. |
| Flashpoint.Url.Event.EventDetails | unknown | The event details in which the indicator is observed. |
| Flashpoint.Url.Event.Category | string | The category of the indicator. |
| Flashpoint.Url.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.Url.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.Url.Event.Type | string | The type of the indicator. |
| Flashpoint.Url.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.Url.Event.Comment | string | The comment which was provided when the indicator was observed. |
| URL.Malicious.Description | string | The description of the malicious URL. |
| URL.Malicious.Vendor | string | The vendor of the malicious URL. |
| URL.Relationships.EntityA | String | The source of the relationship. |
| URL.Relationships.EntityB | String | The destination of the relationship. |
| URL.Relationships.Relationship | String | The name of the relationship. |
| URL.Relationships.EntityAType | String | The type of the source of the relationship. |
| URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint URL reputation for 92.63.197.153/krabaldento.exe#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Oct 24, 2019 16:30 | GandCrab 2019 | malware:ransomware:GandCrab, report:lKyimEX1TWS8x6AtdiJ_vA, report:7t-BsuFKTL-HJWbid8nupg |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=url&ioc_value=92.63.197.153/krabaldento.exe
Get the reputation of the file-hash#
Returns the reputation of the file-hash. The file-hash is considered malicious if there’s at least one IOC event in the Flashpoint database matching the file-hash indicator.
Base Command#
file
Input#
| Argument Name | Description | Required |
|---|---|---|
| file | A list of hashes of the file to query. Supports MD5, SHA1, and SHA256. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Flashpoint.File.Event.Href | string | A list of reference links for the indicator. |
| Flashpoint.File.Event.MD5 | string | The MD5 file hash of the indicator. |
| Flashpoint.File.Event.SHA1 | string | The SHA1 file hash of the indicator. |
| Flashpoint.File.Event.SHA256 | string | The SHA256 file hash of the indicator. |
| Flashpoint.File.Event.EventDetails | unknown | The event details in which the indicator observed. |
| Flashpoint.File.Event.Category | string | The category of the indicator. |
| Flashpoint.File.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.File.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.File.Event.Type | string | The type of the indicator. |
| Flashpoint.File.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.File.Event.Comment | string | The comment which was provided when the indicator was observed. |
| File.Malicious.Description | string | The description of the malicious file. |
| File.Malicious.Vendor | string | The vendor of the malicious file. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint File reputation for ab09761ad832efb9359fac985d1a2ab74f8a8d182d7b71188a121b850b80dfe5#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Dec 19, 2019 06:01 | Gandcrab | source:VirusTotal, type:Ransomware, gandcrab, malware:GandCrab, os:Windows |
| Jul 17, 2019 18:02 | win_ransomware_generic | source:VirusTotal, type:Ransomware, win_ransomware_generic, os:Windows |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=md5%2Csha1%2Csha256%2Csha512&ioc_value=ab09761ad832efb9359fac985d1a2ab74f8a8d182d7b71188a121b850b80dfe5
Get the reputation of an Email#
Returns the reputation of an email. The email is considered malicious if there’s at least one IOC event in Flashpoint database matching the email indicator.
Base Command#
email
Input#
| Argument Name | Description | Required |
|---|---|---|
| The email to check. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Flashpoint.Email.Event.Href | string | The list of the reference links of the indicator. |
| Flashpoint.Email.Event.EventDetails | unknown | The event details in which the indicator is observed. |
| Flashpoint.Email.Event.Category | string | The category of the indicator. |
| Flashpoint.Email.Event.Fpid | string | The FPID of the indicator. |
| Flashpoint.Email.Event.Timestamp | string | The time at which the indicator is observed. |
| Flashpoint.Email.Event.Type | string | The type of the indicator. |
| Flashpoint.Email.Event.Uuid | string | The UUID of the indicator. |
| Flashpoint.Email.Event.Comment | string | The comment which was provided when the indicator was observed. |
| Account.Email.Malicious.Description | string | The description of the malicious email account. |
| Account.Email.Malicious.Vendor | string | The vendor of the malicious email. |
| Account.Email.Name | string | The name of the indicator. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Email reputation for qicifomuejijika@o2.pl#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Oct 24, 2019 16:30 | LockerGoga | malware:ransomware:lockergoga, report:lKyimEX1TWS8x6AtdiJ_vA, report:jEteM4YxQZCdm4macbE3vQ, report:w0fL5MgoQ_Wih8XyB6Lowg, report:7t-BsuFKTL-HJWbid8nupg |
All events and details (fp-tools): https://fp.tools/home/search/iocs?group=indicator&ioc_type=email-dst%2Cemail-src%2Cemail-src-display-name%2Cemail-subject&ioc_value=qicifomuejijika%40o2.pl
Search for intelligence reports#
Returns a list of intelligence reports based on a keyword or text.
Base Command#
flashpoint-search-intelligence-reports
Input#
| Argument Name | Description | Required |
|---|---|---|
| report_search | Search for a report using a keyword or text. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Report | Unknown | Display a list of reports based on a specified search query or keyword. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Intelligence reports related to search: isis#
Top 5 reports:
ISIS Media Rebuilds Following Sweeping Suspensions Summary: Despite Telegram?s aggressive and sustained targeting of jihadists on its platform, ISIS?s official media and supportive groups are beginning to rebuild on Telegram.
Telegram Targets ISIS Propaganda in Largest Platform Purge Summary: Between November 22 and 24, 2019, Telegram removed more than 7,000 jihadist channnels and bots from its platform?in the largest purge of ISIS propaganda in Telegram?s history. The takedown drastically impacted ISIS propaganda dissemination, knocking out critical channels and groups, many of which had operated uninterrupted for years.
Global Spotlight - Iran: Key Developments ThisWeek Summary: N/A
Dropbox Account Disseminates Far-Right Extremist Content Summary: Flashpoint analysts have identified a Dropbox account called ?NS Library? belonging to a far-right extremist containing over 200 white supremacist publications and guides?including neo-Nazi literature and propaganda, instruction manuals for making homemade weapons, survival guides, attackers? manifestos, and workout manuals, among other content.
ISIS Activity Continues Unabated Following al-Baghdadi’s Death Summary: On October 26, 2019, ISIS?s former leader Abu Bakr al-Baghdadi killed himself in the midst of a US military operation. Less than a week later, ISIS confirmed al-Baghdadi?s death, and announced that Abu Ibrahim al-Hashimi al-Qurashi is the group?s new leader. Link to Report-search on Flashpoint platform: https://fp.tools/home/search/reports?query=isis
Get a single report#
Returns a single report by its ID.
Base Command#
flashpoint-get-single-intelligence-report
Input#
| Argument Name | Description | Required |
|---|---|---|
| report_id | Search report by report ID. The report ID can be known from the output context path Flashpoint.Report.ReportId of the report-search command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Report.NotifiedAt | string | The notification date of the report. |
| Flashpoint.Report.PlatformUrl | string | The platform URL of the report. It helps to redirect the Flashpoint platform. |
| Flashpoint.Report.PostedAt | number | The posted date of the report. |
| Flashpoint.Report.Summary | string | The summary of the report. |
| Flashpoint.Report.Title | string | The title of the report. |
| Flashpoint.Report.UpdatedAt | string | The last update date of the report. |
| Flashpoint.Report.ReportId | string | The unique ID of the report. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Intelligence Report details#
Below are the details found:#
| Title | Date Published (UTC) | Summary | Tags |
|---|---|---|---|
| ISIS Supporters Warn of the Risks Associated with Exif Data | Sep 23, 2019 20:27 | On September 17, 2019, multiple pro-ISIS Telegram groups disseminated a message warning of the dangers of exposed exif data?a type of metadata showing GPS coordinates, time, and date the image was taken and the make and model of the device used?that is typically captured from images taken by a phone or camera, unless the security settings are properly configured. | Intelligence Report, Law Enforcement & Military, Physical Threats, Jihadist, Propaganda, Terrorism, Global |
Get related reports#
Returns related reports for a given report ID.
Base Command#
flashpoint-get-related-reports
Input#
| Argument Name | Description | Required |
|---|---|---|
| report_id | Search reports by the report ID. The report ID can be known from the output context path Flashpoint.Report.ReportId of report-search command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Report | Unknown | Display a list of related reports based on the report FPID. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Intelligence related reports:#
Top 5 related reports:
Neo-Nazi Telegram Channel Incites Violence, Spreads Extremist Content Summary: In August 2019, militant white supremacist channel ?Stack the Bodies to God? appeared on Telegram, inciting violence and providing a large quantity of informational resources?including extremist publications, tactical manuals, survival guides, guerrilla warfare tactics, instructions for making homemade explosives, weapons, and ricin, and internet security tips.
Atomwaffen Division Resumes Recruitment Activity Summary: On September 30, 2019, the admin of ?The_Bowlcast? Telegram channel promoted the launch of the militant, white supremacist group ?Atomwaffen Division?s? (AWD) latest website and new video dubbed ?Nuclear Congress 2019,? which subtlely discusses the need for AWD to accomplish its goals?alluding to the need for new financing and recruitment.
“Vorherrschaft Division” (VSD): A Nascent Militant White Supremacy Group Summary: On June 14, 2019, a militant white supremacy group called ?Vorherrschaft Division? (VSD) announced its creation in its Telegram channel “Vorherrschaft division propaganda posting.”
“Boogaloo”: Accelerationists’ Latest Call to Action Summary: The term ?boogaloo? (also known as ?the boogaloo? and ?big igloo?) is the latest term used by accelerationists?advocates of hastening the collapse of society through violence?to describe an armed revolution against society to rebuild a white-ethno state.
Far-Right Prepares for “Meme War 2020” Summary: Members of the far-right community are preparing for what they call ?meme war 2020??content spread via social media focused on left-leaning targets?in the lead up to the 2020 U.S. presidential election. Link to the given Report on Flashpoint platform: https://fp.tools/home/intelligence/reports/report/tiPqg51OQpOTsoFyTaYa_w#detail
Get a single event's details#
Returns the details of a single event.
Base Command#
flashpoint-get-single-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| event_id | The UUID or FPID that identifies a particular event. The event ID can be fetched from the output context path Flashpoint.Event.EventId get-events command or indicator reputation command response or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Event.ObservedTime | string | The date the event was triggered. |
| Flashpoint.Event.EventCreatorEmail | string | The event creator of the email. |
| Flashpoint.Event.Href | Unknown | Display the event reference. |
| Flashpoint.Event.Tags | Unknown | Display the event tags. |
| Flashpoint.Event.EventId | string | Display the event ID (event FPID). |
| Flashpoint.Event.Name | string | The name of the event. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Event details#
Below are the detail found:#
| Observed time (UTC) | Name | Tags |
|---|---|---|
| Jun 18, 2019 22:08 | CryptingService_4c0d570ecdf23529c91b8decf27107db5c5e9430_2019-06-17T03:01:03.000Z | source:CryptingService2 |
Get all event details#
Returns all the details of an event.
Base Command#
flashpoint-get-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| time_period | Search events based on a specified time period. | Optional |
| report_fpid | Search events by the report's FPID. A user can get a report's FPID from the output of the report-search or related-reports commands and use it in this command to get events for a specific Flashpoint report. | Optional |
| limit | Specify the maximum number of records to display. | Optional |
| attack_ids | Comma-separated values, attack_ids can be found in the event's information or on the Flashpoint platform using filtering events by attack IDs. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Event | Unknown | Display a list of multiple events. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Events#
Below are the detail found:#
| Observed time (UTC) | Name | Tags |
|---|---|---|
| Dec 11, 2019 10:16 | CryptingService_4273f08ae5f229f6301e7e0cc9e9005cebc4da20_2019-12-11T03:01:01.000Z | source:CryptingService2 |
| Dec 11, 2019 09:00 | NetWire | source:VirusTotal, T1060, netwire, T1056, os:Windows, type:RAT, malware:NetWire, T1082, T1116, T1113, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Registry Run Keys / Start Folder - T1060”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Input Capture - T1056”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“System Information Discovery - T1082”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Code Signing - T1116”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Screen Capture - T1113” |
| Dec 11, 2019 08:00 | CyberGate | source:VirusTotal, os:Windows, type:RAT, cybergate, malware:CyberGate |
| Dec 11, 2019 07:04 | ROKRAT_Nov17_1 | source:VirusTotal, T1057, T1105, T1063, os:Windows, target:SouthKorea, T1003, T1012, T1082, rokrat_nov17_1, malware:Rokrat, T1071, exfil:C2, T1102, T1041, T1056, type:RAT, T1497, T1113, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Process Discovery - T1057”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Remote File Copy - T1105”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Security Software Discovery - T1063”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Credential Dumping - T1003”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Query Registry - T1012”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“System Information Discovery - T1082”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Standard Application Layer Protocol - T1071”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Web Service - T1102”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Exfiltration Over Command and Control Channel - T1041”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Input Capture - T1056”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Screen Capture - T1113” |
| Dec 11, 2019 07:04 | Sodinokibi_Unreachable_After_MZ_Check | source:VirusTotal, sodinokibi_unreachable_after_mz_check |
| Dec 11, 2019 07:04 | MegaCortex_Load_Dinkum_CLib | source:VirusTotal, megacortex_load_dinkum_clib, malware:MegaCortex, type:Ransomware, os:Windows |
| Dec 11, 2019 07:04 | Command_Line_Options | source:VirusTotal, command_line_options |
| Dec 11, 2019 06:17 | CryptingService_74dd32ce57900738cba4d945e4619289ff040a9e_2019-12-11T03:01:01.000Z | source:CryptingService2 |
| Dec 11, 2019 06:03 | Gandcrab | source:VirusTotal, type:Ransomware, gandcrab, malware:GandCrab, os:Windows |
| Dec 11, 2019 06:00 | botox_lampeduza_amaterasu_output5E0600 | source:VirusTotal, botox_lampeduza_amaterasu_output5e0600 |
| Dec 11, 2019 04:17 | CryptingService_e2f163c72837c6b4386ef9158d017418ab149b13_2019-12-11T03:01:01.000Z | source:CryptingService2 |
| Dec 11, 2019 04:16 | CryptingService_2c13004c346bf79bbec61f6a65fb5b11d5c6f557_2019-12-11T02:01:02.000Z | source:CryptingService2 |
| Dec 11, 2019 04:16 | CryptingService_5eda60cd7c1d4e5dd4fc5e0d3746bd4879de3959_2019-12-11T03:01:01.000Z | source:CryptingService2 |
| Dec 11, 2019 04:16 | CryptingService_981ad08f56f265e9e7209e09e3842d8a6b7f7563_2019-12-11T03:01:01.000Z | source:CryptingService2 |
| Dec 11, 2019 04:16 | CryptingService_7dbfe923559cbb91031dbe2b616c16f5aa40233f_2019-12-11T02:01:02.000Z | source:CryptingService2 |
| Dec 11, 2019 04:00 | cobalt_beacon | source:VirusTotal, cobalt_beacon |
| Dec 10, 2019 19:00 | Loki | source:VirusTotal, type:Stealer, malware:Loki, loki, os:Windows |
| Dec 10, 2019 19:00 | crime_alina_pos_3 | source:VirusTotal, crime_alina_pos_3, type:POS, malware:Alina |
| Dec 10, 2019 19:00 | Kovter | source:VirusTotal, actor:KovCoreG, kovter, os:Windows, type:Trojan, malware:Kovter |
| Dec 10, 2019 17:24 | zeroclear Oilrig | origin:Iran, actor:APT34, malware:ransomware:zeroclear |
All events and details (fp-tools): https://fp.tools/home/search/iocs
Get any type of indicator#
Returns any type of indicator by searching common terms.
Base Command#
flashpoint-common-lookup
Input#
| Argument Name | Description | Required |
|---|---|---|
| indicator | Specify the indicator value such as domain, IP, email, URL etc. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The indicator score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint reputation for mondns.myftp.biz#
Reputation: Malicious
Events in which this IOC observed#
| Date Observed (UTC) | Name | Tags |
|---|---|---|
| Oct 11, 2019 15:30 | ModiRAT | misp-galaxy:mitre-enterprise-attack-attack-pattern=“Deobfuscate/Decode Files or Information - T1140”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“System Owner/User Discovery - T1033”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“System Information Discovery - T1082”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Screen Capture - T1113”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Custom Command and Control Protocol - T1094”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Data Encoding - T1132”, misp-galaxy:mitre-enterprise-attack-attack-pattern=“Uncommonly Used Port - T1065”, malware:ModiRAT, type:RAT, os:Windows, report:FQmMHh1rR_WuGd_PNVv-bQ |
Get forum details#
Returns the details of the forum.
Base Command#
flashpoint-get-forum-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| forum_id | Specifies the forum ID for which the details are to be fetched. The forum ID can be known from the context path Flashpoint.Forum.ForumId or Flashpoint.Forum.Post.Forum.id of flashpoint-search-forum-posts command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.Description | string | The detailed information of the supplied forum ID. |
| Flashpoint.Forum.Hostname | string | The host details of the supplied forum ID. |
| Flashpoint.Forum.Name | string | The name of the forum. |
| Flashpoint.Forum.Stats | Unknown | The displayed statistical information such as the number of posts, rooms, threads and users details. |
| Flashpoint.Forum.Tags | Unknown | The displayed list of tags which include ID, name, parent_tag, and UUID. |
| Flashpoint.Forum.ForumId | string | The forum’s unique ID. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Forum details#
Below are the details found:#
| Name | Hostname | Tags |
|---|---|---|
| 0hack | bbs.0hack.com | Chinese, Cyber Threat, Hacking, Language |
Get the details of a room#
Returns the details of a room.
Base Command#
flashpoint-get-forum-room-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| room_id | Specify the room ID which is used to retrieve the room information in the forum. The room ID can be known from the context path Flashpoint.Forum.Post.Room.id of flashpoint-search-forum-posts command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.Room.Forum | Unknown | Display all forum details such as forum name, hostname, platform URL, stats and tags etc. |
| Flashpoint.Forum.Room.Title | string | The room title. A user can use the same title in the forum search command. |
| Flashpoint.Forum.Room.Url | string | The room's URL. |
| Flashpoint.Forum.Room.RoomId | string | The unique ID of the forum room. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Room details#
Below are the detail found:#
| Forum Name | Title | URL |
|---|---|---|
| Crdpro | Bank Carding | forumdisplay.php?f=70&s=6e25902255e1b57bfe37dd2749dafd66 |
Get the user's details#
Gets details on the user.
Base Command#
flashpoint-get-forum-user-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | Specify a user's ID which is used to retrieve the user’s information. The user ID can be known from the context path Flashpoint.Forum.Post.User.id of flashpoint-search-forum-posts command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.User.Forum | Unknown | Display all of the forum's details like ID, hostname, description, stats, tags etc. |
| Flashpoint.Forum.User.Name | string | The name of the user. |
| Flashpoint.Forum.User.PlatformUrl | string | The platform URL of the user which is redirected to the Flashpoint platform. |
| Flashpoint.Forum.User.Url | string | The URL of the user. |
| Flashpoint.Forum.User.UserId | string | Unique ID of a forum user. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint User details#
Below are the detail found:#
| Forum Name | Name | URL |
|---|---|---|
| Crdpro | IllWillPub | http://www.crdpro.su/member.php?s=9f099a0eebc5f7c79e36fc688af2f697&u=50678 |
Get the details of a post#
Returns the details of a post.
Base Command#
flashpoint-get-forum-post-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| post_id | Specify the post ID which gives post information embed in the forum, room, user etc. The post ID can be known from the context path Flashpoint.Forum.Post.PostId of flashpoint-search-forum-posts command or some other investigation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.Post.Forum | Unknown | Display all forum details of a post such as ID, hostname, stats, description, tags etc. |
| Flashpoint.Forum.Post.Room | Unknown | Display the room details of a post such as room title, ID, URL, platform URL etc. |
| Flashpoint.Forum.Post.User | Unknown | Display a user's details of a post such as a user's ID, name, URL, platform URL etc. |
| Flashpoint.Forum.Post.PlatformUrl | string | The platform URL a user can redirect to the Flashpoint platform. |
| Flashpoint.Forum.Post.PublishedAt | Unknown | The published date of the post. |
| Flashpoint.Forum.Post.Url | Unknown | The URL display of the post. |
| Flashpoint.Forum.Post.PostId | string | The unique ID of the forum post. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Post details#
Below are the detail found:#
| Published at | Forum Name | Room Title | Author Name | Thread Title | URL | Platform url |
|---|---|---|---|---|---|---|
| 2019-12-10T01:17:00+00:00 | Ord-UA | Форум | Дубовик | ДСНС на чолі з Бочковським і К…. | 2014/10/22/dsns-na-choli-z-bochkovskim-i-k/?lpage=1&page=580 | https://fp.tools/home/ddw/forums/threads/M3NorvmYVoG6rVFHnP3T9w?id=PDo1xGiKXDebHGc8fZme6g |
Search forum sites#
Searches the forum sites using a keyword. The search will return in-site content such as name, title, description etc.
Base Command#
flashpoint-search-forum-sites
Input#
| Argument Name | Description | Required |
|---|---|---|
| site_search | Search by site keyword or text. This keyword is used for search information in forum sites. This keyword or text is known by fp user. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.Site | Unknown | The list of forum site details based on the search keyword. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Forum sites related to search: 0hack#
Top 10 sites:
Below are the detail found:#
| Name | Hostname | Description |
|---|---|---|
| 0hack | bbs.0hack.com | 0hack (零黑联盟) is a Chinese-language hacker training forum. The forum appears to be affiliated with 非凡安全网, 803389.com. |
Search forum posts#
Searches the forum posts using a keyword.
Base Command#
flashpoint-search-forum-posts
Input#
| Argument Name | Description | Required |
|---|---|---|
| post_search | Search a post by keyword or text which is used for search information in forum posts. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Flashpoint.Forum.Post | Unknown | Display a list of forum posts based on the specified search keyword. |
Command Example#
Context Example#
Human Readable Output#
Flashpoint Forum posts related to search: The Courtyard Café#
Top 10 posts:
Below are the detail found:#
| Forum Name | Thread Title | Room Title | Author Name | Platform URL |
|---|---|---|---|---|
| The Sammyboy Times | Fleeting Pleasures… | The Courtyard Café | glockman | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | smoke on the water, fire in th… | The Courtyard Café | syed putra | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | [Singapore] - French girl kena… | The Courtyard Café | laksaboy | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | smoke on the water, fire in th… | The Courtyard Café | laksaboy | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | smoke on the water, fire in th… | The Courtyard Café | Leongsam | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | smoke on the water, fire in th… | The Courtyard Café | rambo22 | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | Fleeting Pleasures… | The Courtyard Café | nightsafari | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | [Singapore] - French girl kena… | The Courtyard Café | nightsafari | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | [Singapore] - French girl kena… | The Courtyard Café | nightsafari | https://fp.tools/home/ddw/foru… |
| The Sammyboy Times | HTHT… | The Courtyard Café | Claire | https://fp.tools/home/ddw/foru… |
Follow this link to forum post-search on Flashpoint platform.