
Group-IB Threat Intelligence

This Integration is part of the Group-IB Threat Intelligence Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This pack integrates Group-IB Threat Intelligence with Cortex XSOAR so that Group-IB events are fetched directly as XSOAR incidents. The included collections are: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware. This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence.

Configure Group-IB Threat Intelligence in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| GIB TI URL | The FQDN/IP the integration should connect to. | True |
| Username | The API Key and Username required to authenticate to the service. | True |
| Trust any certificate (not secure) | Whether to allow connections without verifying the validity of SSL certificates. | False |
| Use system proxy settings | Whether to use XSOAR system proxy settings to connect to the API. | False |
| Collections to fetch | Type(s) of incidents to fetch from the third-party API. | False |
| Incidents first fetch | Date to start fetching incidents from. | False |
| Number of requests per collection | Number of requests per collection that the integration sends in one fetch iteration (each request picks up to 200 incidents). If you face runtime errors, lower the value. | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gibtia-get-compromised-account-info#


Command performs Group IB event lookup in compromised/account collection with provided ID.

Base Command#

gibtia-get-compromised-account-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: 253b9a136f0d574149fc43691eaf7ae27aff141a. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.CompromisedAccount.client.ipv4.asn | String | Victim ASN |
| GIBTIA.CompromisedAccount.client.ipv4.countryName | String | Country name |
| GIBTIA.CompromisedAccount.client.ipv4.ip | String | Victim IP address |
| GIBTIA.CompromisedAccount.client.ipv4.region | String | Region name |
| GIBTIA.CompromisedAccount.cnc.domain | String | Event CNC domain |
| GIBTIA.CompromisedAccount.cnc.url | String | CNC URL |
| GIBTIA.CompromisedAccount.cnc.ipv4.ip | String | CNC IP address |
| GIBTIA.CompromisedAccount.dateCompromised | Date | Date of compromise |
| GIBTIA.CompromisedAccount.dateDetected | Date | Date of detection |
| GIBTIA.CompromisedAccount.dropEmail.email | String | Email where compromised data were sent to |
| GIBTIA.CompromisedAccount.dropEmail.domain | String | Email domain |
| GIBTIA.CompromisedAccount.login | String | Compromised login |
| GIBTIA.CompromisedAccount.password | String | Compromised password |
| GIBTIA.CompromisedAccount.malware.name | String | Malware name |
| GIBTIA.CompromisedAccount.malware.id | String | Group IB malware ID |
| GIBTIA.CompromisedAccount.person.name | String | Card owner name |
| GIBTIA.CompromisedAccount.person.email | String | Card owner e-mail |
| GIBTIA.CompromisedAccount.portalLink | String | Link to GIB incident |
| GIBTIA.CompromisedAccount.threatActor.name | String | Associated threat actor |
| GIBTIA.CompromisedAccount.threatActor.isAPT | Boolean | Is threat actor APT group |
| GIBTIA.CompromisedAccount.threatActor.id | String | Threat actor GIB ID |
| GIBTIA.CompromisedAccount.id | String | Group IB incident ID |
| GIBTIA.CompromisedAccount.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-compromised-account-info id=253b9a136f0d574149fc43691eaf7ae27aff141a

Context Example#

{
"DBotScore": [
{
"Indicator": "http://some.ru",
"Score": 3,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.ru"
},
"GIBTIA": {
"CompromisedAccount": {
"botId": null,
"client": {
"ipv4": {
"asn": null,
"city": null,
"countryCode": null,
"countryName": null,
"ip": "0.0.0.0",
"provider": null,
"region": null
}
},
"cnc": {
"cnc": "http://some.ru",
"domain": "some.ru",
"ipv4": {
"asn": "AS1111",
"city": "Moscow",
"countryCode": "RU",
"countryName": "Russian Federation",
"ip": "11.11.11.11",
"provider": "some.ru",
"region": "Moscow"
},
"ipv6": null,
"url": "http://some.ru"
},
"company": null,
"companyId": -1,
"dateCompromised": null,
"dateDetected": "2020-02-22T01:21:03+00:00",
"device": null,
"domain": "some.ru",
"dropEmail": {
"domain": null,
"email": "",
"ipv4": {
"asn": null,
"city": null,
"countryCode": null,
"countryName": null,
"ip": null,
"provider": null,
"region": null
}
},
"evaluation": {
"admiraltyCode": "A2",
"credibility": 80,
"reliability": 100,
"severity": "red",
"tlp": "red",
"ttl": 90
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "253b9a136f0d574149fc43691eaf7ae27aff141a",
"login": "some.ru",
"malware": {
"id": "411ac9df6c5515922a56e30013e8b8b366eeec80",
"name": "PredatorStealer",
"stixGuid": "2f7650f4-bc72-2068-d1a5-467b688975d8"
},
"oldId": "396792583",
"password": "@some@",
"person": {
"address": null,
"birthday": null,
"city": null,
"countryCode": null,
"email": null,
"name": null,
"passport": null,
"phone": null,
"state": null,
"taxNumber": null,
"zip": null
},
"port": null,
"portalLink": "https://bt.group-ib.com/cd/accounts?searchValue=id:253b9a136f0d574149fc43691eaf7ae27aff141a",
"silentInsert": 0,
"sourceLink": "",
"sourceType": "Botnet",
"stixGuid": "8abb3aa9-e351-f837-d61a-856901c3dc9d",
"threatActor": null
}
},
"IP": {
"ASN": "AS11111",
"Address": "11.11.11.11",
"Geo": {
"Country": "Russian Federation",
"Description": "Moscow City"
},
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
},
"URL": {
"Data": "http://some.ru",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from compromised/account with ID 253b9a136f0d574149fc43691eaf7ae27aff141a#

| Field | Value |
| --- | --- |
| client ipv4 ip | 0.0.0.0 |
| cnc cnc | http://some.ru |
| cnc domain | some.ru |
| cnc ipv4 asn | AS1111 |
| cnc ipv4 city | Moscow |
| cnc ipv4 countryCode | RU |
| cnc ipv4 countryName | Russian Federation |
| cnc ipv4 ip | 11.11.11.11 |
| cnc ipv4 provider | some.ru |
| cnc ipv4 region | Moscow |
| cnc url | http://some.ru |
| companyId | -1 |
| dateDetected | 2020-02-22T01:21:03+00:00 |
| domain | some.ru |
| evaluation admiraltyCode | A2 |
| evaluation credibility | 80 |
| evaluation reliability | 100 |
| evaluation severity | red |
| evaluation tlp | red |
| evaluation ttl | 90 |
| id | 253b9a136f0d574149fc43691eaf7ae27aff141a |
| login | some.ru |
| malware id | 411ac9df6c5515922a56e30013e8b8b366eeec80 |
| malware name | PredatorStealer |
| malware stixGuid | 2f7650f4-bc72-2068-d1a5-467b688975d8 |
| oldId | 396792583 |
| password | @some@ |
| portalLink | https://bt.group-ib.com/cd/accounts?searchValue=id:253b9a136f0d574149fc43691eaf7ae27aff141a |
| silentInsert | 0 |
| sourceType | Botnet |
| stixGuid | 8abb3aa9-e351-f837-d61a-856901c3dc9d |

URL indicator#

| gibid | severity | value |
| --- | --- | --- |
| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | http://some.ru |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | some.ru |

IP indicator#

| asn | geocountry | geolocation | gibid | severity | value |
| --- | --- | --- | --- | --- | --- |
| AS1111 | Russian Federation | Moscow | 253b9a136f0d574149fc43691eaf7ae27aff141a | red | 11.11.11.11 |

gibtia-get-compromised-card-info#


Command performs Group IB event lookup in compromised/card collection with provided ID.

Base Command#

gibtia-get-compromised-card-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: ecda6f4dc85596f447314ce01e2152db9c9d3cbc. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.CompromisedCard.cardInfo.cvv | String | Compromised card CVV |
| GIBTIA.CompromisedCard.cardInfo.issuer.issuer | String | Card issuer |
| GIBTIA.CompromisedCard.cardInfo.number | String | Compromised card number |
| GIBTIA.CompromisedCard.cardInfo.system | String | Payment system |
| GIBTIA.CompromisedCard.cardInfo.type | String | Internal issuer card type |
| GIBTIA.CompromisedCard.cardInfo.validThru | String | Card expiration date |
| GIBTIA.CompromisedCard.client.ipv4.asn | String | Compromised client ASN |
| GIBTIA.CompromisedCard.client.ipv4.countryName | String | Country name |
| GIBTIA.CompromisedCard.client.ipv4.ip | String | Victim IP address |
| GIBTIA.CompromisedCard.client.ipv4.region | String | Region name |
| GIBTIA.CompromisedCard.dateCompromised | Date | Date of compromise |
| GIBTIA.CompromisedCard.dateDetected | Date | Date detected |
| GIBTIA.CompromisedCard.malware.name | String | Related malware name |
| GIBTIA.CompromisedCard.malware.id | String | Related GIB malware ID |
| GIBTIA.CompromisedCard.portalLink | String | Link to GIB incident |
| GIBTIA.CompromisedCard.threatActor.name | String | Associated threat actor |
| GIBTIA.CompromisedCard.threatActor.isAPT | Boolean | Is threat actor APT group |
| GIBTIA.CompromisedCard.threatActor.id | String | Threat actor GIB ID |
| GIBTIA.CompromisedCard.id | String | Group IB incident ID |
| GIBTIA.CompromisedCard.sourceType | String | Information source |
| GIBTIA.CompromisedCard.evaluation.severity | String | Event severity |
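The compromised/account and compromised/card records documented above carry both the indicators that end up as DBotScore entries (the `cnc` URL, domain and IP, scored 3 when the event severity is `red`) and victim secrets (`password`, `cardInfo.number`, `cardInfo.cvv`) that should not be echoed into notes, tickets or chat. The following Python is an added example, not part of the integration's code: it derives the DBotScore list from a context record of this shape and masks the secret fields before the record is passed on. The mapping for severities other than `red`, the function names and the sample records are assumptions.

```python
from copy import deepcopy

VENDOR = "GIB TI&A"

# Severity to DBotScore mapping. The documentation only shows severity "red"
# producing Score 3; the "orange" and "green" rows are an assumption.
SEVERITY_TO_DBOT = {"red": 3, "orange": 2, "green": 1}

# Victim secrets present in these collections; masked before the record leaves
# the context (e.g. into a War Room note or an external ticket).
SECRET_PATHS = (("password",), ("cardInfo", "number"), ("cardInfo", "cvv"))


def severity_to_score(severity):
    """Map a Group-IB evaluation.severity to a DBotScore (0 = unknown)."""
    return SEVERITY_TO_DBOT.get((severity or "").lower(), 0)


def extract_cnc_indicators(record):
    """Return (type, value) pairs for the C2 fields that are actually populated."""
    cnc = record.get("cnc") or {}
    ipv4 = cnc.get("ipv4") or {}
    candidates = (
        ("url", cnc.get("url")),
        ("domain", cnc.get("domain")),
        ("ip", ipv4.get("ip")),
    )
    return [(kind, value) for kind, value in candidates if value]


def build_dbot_scores(record):
    """Build the DBotScore entries for one compromised/account or compromised/card record."""
    score = severity_to_score((record.get("evaluation") or {}).get("severity"))
    return [
        {"Indicator": value, "Score": score, "Type": kind, "Vendor": VENDOR}
        for kind, value in extract_cnc_indicators(record)
    ]


def redact_secrets(record, mask="[redacted]"):
    """Return a copy of the record with the secret fields replaced by a mask."""
    out = deepcopy(record)
    for path in SECRET_PATHS:
        node = out
        for key in path[:-1]:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and node.get(path[-1]):
            node[path[-1]] = mask
    return out


# Constructed samples, trimmed to the shape of the Context Examples on this page.
SAMPLE_ACCOUNT = {
    "id": "253b9a136f0d574149fc43691eaf7ae27aff141a",
    "login": "some.ru",
    "password": "@some@",
    "cnc": {"url": "http://some.ru", "domain": "some.ru", "ipv4": {"ip": "11.11.11.11"}},
    "evaluation": {"severity": "red"},
}

# Card example: url is null, so only domain and ip become indicators.
SAMPLE_CARD = {
    "id": "ecda6f4dc85596f447314ce01e2152db9c9d3cbc",
    "cardInfo": {"number": "4111111111111111", "cvv": "123", "system": "VISA"},
    "cnc": {"url": None, "domain": "some.ru", "ipv4": {"ip": "11.11.11.11"}},
    "evaluation": {"severity": "red"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_dbot_scores(SAMPLE_ACCOUNT), indent=2))
    print(json.dumps(redact_secrets(SAMPLE_CARD), indent=2))
```

`extract_cnc_indicators` skips empty fields on purpose: in the card example the `cnc.url` is `null`, and pushing a `None` indicator into DBotScore would create a malformed entry.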

Command Example#

!gibtia-get-compromised-card-info id=ecda6f4dc85596f447314ce01e2152db9c9d3cbc

Context Example#

{
"DBotScore": [
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.ru"
},
"GIBTIA": {
"CompromisedCard": {
"baseName": "United States",
"cardInfo": {
"cvv": null,
"dump": null,
"issuer": {
"countryCode": "US",
"countryName": "UNITED STATES",
"issuer": "SOME BANK"
},
"number": "XXXXXXXXXXXXXXXX",
"system": "VISA",
"type": "CLASSIC",
"validThru": "01/2021"
},
"client": {
"ipv4": {
"asn": null,
"city": null,
"countryCode": null,
"countryName": null,
"ip": null,
"provider": null,
"region": null
}
},
"cnc": {
"cnc": "some.ru",
"domain": "some.ru",
"ipv4": {
"asn": null,
"city": "Some",
"countryCode": "US",
"countryName": "United States",
"ip": "11.11.11.11",
"provider": "Some",
"region": "Some"
},
"ipv6": null,
"url": null
},
"company": null,
"companyId": -1,
"dateCompromised": "2020-02-22T12:21:00+00:00",
"dateDetected": "2020-01-11T10:12:49+00:00",
"evaluation": {
"admiraltyCode": "A2",
"credibility": 80,
"reliability": 90,
"severity": "red",
"tlp": "red",
"ttl": 90
},
"externalId": "26579",
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "ecda6f4dc85596f447314ce01e2152db9c9d3cbc",
"ignoreForCompanies": [],
"isDump": false,
"isExpired": false,
"isIgnore": false,
"isMasked": true,
"malware": {
"id": "53013c863116aae720581ff2aa2b4f92d3cb2bd7",
"name": "mandarincc",
"stixGuid": "8c843ab8-f019-e455-c78b-47ee80f3bb0c"
},
"oldId": "396798216",
"owner": {
"address": null,
"birthday": null,
"city": "Some",
"countryCode": "US",
"email": null,
"name": "Some Person",
"passport": null,
"phone": "111111",
"state": "Some",
"taxNumber": null,
"zip": null
},
"portalLink": "https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc",
"price": {
"currency": "USD",
"value": "1"
},
"serviceCode": null,
"silentInsert": 1,
"sourceLink": "",
"sourceType": "Card shop",
"stixGuid": "00eccda0-aae6-c111-6080-c51f857450bf",
"threatActor": null,
"track": []
}
},
"IP": {
"Address": "11.11.11.11",
"Geo": {
"Country": "United States",
"Description": "Some"
},
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from compromised/card with ID ecda6f4dc85596f447314ce01e2152db9c9d3cbc#

| Field | Value |
| --- | --- |
| baseName | United States |
| cardInfo issuer countryCode | US |
| cardInfo issuer countryName | UNITED STATES |
| cardInfo issuer issuer | SOME BANK |
| cardInfo number | XXXXXXXXXXXXXXXX |
| cardInfo system | VISA |
| cardInfo type | CLASSIC |
| cardInfo validThru | 01/2021 |
| cnc cnc | some.ru |
| cnc domain | some.ru |
| cnc ipv4 city | Some |
| cnc ipv4 countryCode | US |
| cnc ipv4 countryName | United States |
| cnc ipv4 ip | 11.11.11.11 |
| cnc ipv4 provider | Some |
| cnc ipv4 region | Some |
| companyId | -1 |
| dateCompromised | 2020-02-22T12:21:00+00:00 |
| dateDetected | 2020-01-11T10:12:49+00:00 |
| evaluation admiraltyCode | A2 |
| evaluation credibility | 80 |
| evaluation reliability | 90 |
| evaluation severity | red |
| evaluation tlp | red |
| evaluation ttl | 90 |
| externalId | 26579 |
| id | ecda6f4dc85596f447314ce01e2152db9c9d3cbc |
| isDump | false |
| isExpired | false |
| isIgnore | false |
| isMasked | true |
| malware id | 53013c863116aae720581ff2aa2b4f92d3cb2bd7 |
| malware name | mandarincc |
| malware stixGuid | 8c843ab8-f019-e455-c78b-47ee80f3bb0c |
| oldId | 396798216 |
| owner city | Some |
| owner countryCode | US |
| owner name | Some Person |
| owner phone | 111111 |
| owner state | Some |
| portalLink | https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc |
| price currency | USD |
| price value | 1 |
| silentInsert | 1 |
| sourceType | Card shop |
| stixGuid | 00eccda0-aae6-c111-6080-c51f857450bf |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | some.ru |

IP indicator#

| geocountry | geolocation | gibid | severity | value |
| --- | --- | --- | --- | --- |
| United States | Some | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | 11.11.11.11 |

gibtia-get-compromised-breached-info#


Command performs Group IB event lookup in compromised/breached collection with provided ID.

Base Command#

gibtia-get-compromised-breached-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: 6fd344f340f4bdc08548cb36ded62bdf. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.DataBreach.email | String | List of breached emails |
| GIBTIA.DataBreach.leakName | String | Name of the leak |
| GIBTIA.DataBreach.password | String | List of breached passwords |
| GIBTIA.DataBreach.uploadTime | Date | Date of breached data upload |
| GIBTIA.DataBreach.id | String | Group IB incident ID |
| GIBTIA.DataBreach.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-compromised-breached-info id=277c4112d348c91f6dabe9467f0d18ba

Context Example#

{
"GIBTIA": {
"DataBreach": {
"addInfo": {
"address": [
""
]
},
"description": "",
"downloadLinkList": [],
"email": [
"some@gmail.com"
],
"evaluation": {
"admiraltyCode": "C3",
"credibility": 50,
"reliability": 50,
"severity": "green",
"tlp": "amber",
"ttl": null
},
"id": "277c4112d348c91f6dabe9467f0d18ba",
"leakName": "some.com",
"leakPublished": "",
"password": [
"AC91C480FDE9D7ACB8AC4B78310EB2TD",
"1390DDDFA28AE085D23518A035703112"
],
"reaperMessageId": "",
"taName": [],
"uploadTime": "2021-06-12T03:02:00"
}
}
}

Human Readable Output#

Feed from compromised/breached with ID 277c4112d348c91f6dabe9467f0d18ba#

| Field | Value |
| --- | --- |
| addInfo | address: |
| email | some@gmail.com |
| evaluation | admiraltyCode: C3, credibility: 50, reliability: 50, severity: green, tlp: amber, ttl: null |
| id | 277c4112d348c91f6dabe9467f0d18ba |
| leakName | some.com |
| password | AC91C480FDE9D7ACB8AC4B78310EB2TD, 1390DDDFA28AE085D23518A035703112 |
| uploadTime | 2021-06-12T03:02:00 |

gibtia-get-compromised-mule-info#


Command performs Group IB event lookup in compromised/mule collection with provided ID.

Base Command#

gibtia-get-compromised-mule-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: 50a3b4abbfca5dcbec9c8b3a110598f61ba93r33. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.CompromisedMule.account | String | Account number (card/phone) used by the threat actor to cash out |
| GIBTIA.CompromisedMule.cnc.ipv4.asn | String | CNC ASN |
| GIBTIA.CompromisedMule.cnc.ipv4.countryName | String | Country name |
| GIBTIA.CompromisedMule.cnc.ipv4.ip | String | CNC IP address |
| GIBTIA.CompromisedMule.cnc.ipv4.region | String | Region name |
| GIBTIA.CompromisedMule.cnc.url | String | CNC URL |
| GIBTIA.CompromisedMule.cnc.domain | String | CNC domain |
| GIBTIA.CompromisedMule.dateAdd | Date | Date of detection |
| GIBTIA.CompromisedMule.malware.name | String | Malware name |
| GIBTIA.CompromisedMule.portalLink | String | Link to GIB incident |
| GIBTIA.CompromisedMule.threatActor.name | String | Associated threat actor |
| GIBTIA.CompromisedMule.threatActor.id | String | Threat actor GIB ID |
| GIBTIA.CompromisedMule.threatActor.isAPT | Boolean | Is threat actor APT group |
| GIBTIA.CompromisedMule.id | String | Group IB incident ID |
| GIBTIA.CompromisedMule.sourceType | String | Information source |
| GIBTIA.CompromisedMule.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-compromised-mule-info id=50a3b4abbfca5dcbec9c8b3a110598f61ba90a99

Context Example#

{
"DBotScore": [
{
"Indicator": "http://some.ru",
"Score": 3,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some"
},
"GIBTIA": {
"CompromisedMule": {
"account": "XXXXXXXXXXXXXXXX",
"cnc": {
"cnc": "http://some.ru",
"domain": "some.ru",
"ipv4": {
"asn": null,
"city": null,
"countryCode": null,
"countryName": null,
"ip": "11.11.11.11",
"provider": null,
"region": null
},
"ipv6": null,
"url": "http://some.ru"
},
"dateAdd": "2020-02-21T13:02:00+00:00",
"dateIncident": null,
"evaluation": {
"admiraltyCode": "A2",
"credibility": 80,
"reliability": 100,
"severity": "red",
"tlp": "amber",
"ttl": 30
},
"favouriteForCompanies": [],
"fraudId": null,
"hash": "some",
"hideForCompanies": [],
"id": "50a3b4abbfca5dcbec9c8b3a110598f61ba90a99",
"info": null,
"malware": {
"id": "5a2b741f8593f88178623848573abc899f9157d4",
"name": "Anubis",
"stixGuid": "7d837524-7b01-ddc9-a357-46e7136a9852"
},
"oldId": "392993084",
"organization": {
"bic": null,
"bicRu": null,
"bsb": null,
"iban": null,
"name": "Some",
"swift": null
},
"person": {
"address": null,
"birthday": null,
"city": null,
"countryCode": null,
"email": null,
"name": null,
"passport": null,
"phone": null,
"state": null,
"taxNumber": null,
"zip": null
},
"portalLink": "https://bt.group-ib.com/cd/mules?searchValue=id:50a3b4abbfca5dcbec9c8b3a110598f61ba90a99",
"sourceType": "Botnet",
"stixGuid": "2da6b164-9a12-6db5-4346-2a80a4e03255",
"threatActor": null,
"type": "Person"
}
},
"IP": {
"Address": "11.11.11.11",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
},
"URL": {
"Data": "http://some.ru",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from compromised/mule with ID 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99#

| Field | Value |
| --- | --- |
| account | 1111111111111111 |
| cnc cnc | http://some.ru |
| cnc domain | some |
| cnc ipv4 ip | 11.11.11.11 |
| cnc url | http://some.ru |
| dateAdd | 2020-02-21T13:02:00+00:00 |
| evaluation admiraltyCode | A2 |
| evaluation credibility | 80 |
| evaluation reliability | 100 |
| evaluation severity | red |
| evaluation tlp | amber |
| evaluation ttl | 30 |
| hash | some |
| id | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 |
| malware id | 5a2b741f8593f88178623848573abc899f9157d4 |
| malware name | Anubis |
| malware stixGuid | 7d837524-7b01-ddc9-a357-46e7136a9852 |
| oldId | 392993084 |
| organization name | Some |
| portalLink | https://bt.group-ib.com/cd/mules?searchValue=id:50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 |
| sourceType | Botnet |
| stixGuid | 2da6b164-9a12-6db5-4346-2a80a4e03255 |
| type | Person |

URL indicator#

| gibid | severity | value |
| --- | --- | --- |
| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | http://some.ru |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | some |

IP indicator#

| gibid | severity | value |
| --- | --- | --- |
| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | 11.11.11.11 |

gibtia-get-compromised-imei-info#


Command performs Group IB event lookup in compromised/imei collection with provided ID.

Base Command#

gibtia-get-compromised-imei-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: 0c1426048474df19ada9d0089ef8b3efce906556. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.CompromisedIMEI.client.ipv4.asn | String | Compromised client ASN |
| GIBTIA.CompromisedIMEI.client.ipv4.countryName | String | Country name |
| GIBTIA.CompromisedIMEI.client.ipv4.ip | String | Victim IP address |
| GIBTIA.CompromisedIMEI.client.ipv4.region | String | Region name |
| GIBTIA.CompromisedIMEI.cnc.domain | String | CNC domain |
| GIBTIA.CompromisedIMEI.cnc.ipv4.asn | String | CNC ASN |
| GIBTIA.CompromisedIMEI.cnc.ipv4.countryName | String | CNC IP country name |
| GIBTIA.CompromisedIMEI.cnc.ipv4.ip | String | CNC IP address |
| GIBTIA.CompromisedIMEI.cnc.ipv4.region | String | CNC region name |
| GIBTIA.CompromisedIMEI.dateCompromised | Date | Date compromised |
| GIBTIA.CompromisedIMEI.dateDetected | Date | Date detected |
| GIBTIA.CompromisedIMEI.device.imei | String | Compromised IMEI |
| GIBTIA.CompromisedIMEI.device.model | String | Compromised device model |
| GIBTIA.CompromisedIMEI.malware.name | String | Associated malware |
| GIBTIA.CompromisedIMEI.threatActor.id | String | Associated threat actor ID |
| GIBTIA.CompromisedIMEI.threatActor.name | String | Associated threat actor |
| GIBTIA.CompromisedIMEI.threatActor.isAPT | Boolean | Is threat actor APT group |
| GIBTIA.CompromisedIMEI.id | String | Group IB incident ID |
| GIBTIA.CompromisedIMEI.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-compromised-imei-info id=0c1426048474df19ada9d0089ef8b3efce906556

Context Example#

{
"DBotScore": [
{
"Indicator": "http://some.ru",
"Score": 3,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.ru"
},
"GIBTIA": {
"CompromisedIMEI": {
"client": {
"ipv4": {
"asn": "AS11111",
"city": null,
"countryCode": "NL",
"countryName": "Netherlands",
"ip": "11.11.11.11",
"provider": "Some Company",
"region": null
}
},
"cnc": {
"cnc": "http://some.ru",
"domain": "some.ru",
"ipv4": {
"asn": "AS11111",
"city": null,
"countryCode": "FR",
"countryName": "France",
"ip": "11.11.11.11",
"provider": "Some",
"region": null
},
"ipv6": null,
"url": "http://some.ru"
},
"dateCompromised": null,
"dateDetected": "2020-02-11T03:12:43+00:00",
"device": {
"iccid": "~",
"imei": "Some",
"imsi": "~",
"model": "Nexus S/2.3.7 ($$$Flexnet v.5.5)",
"os": null
},
"evaluation": {
"admiraltyCode": "A2",
"credibility": 80,
"reliability": 100,
"severity": "red",
"tlp": "red",
"ttl": 30
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "0c1426048474df19ada9d0089ef8b3efce906556",
"malware": {
"id": "8790a290230b3b4c059c2516a6adace1eac16066",
"name": "FlexNet",
"stixGuid": "b51140c2-a88b-a95c-f5b0-1c5d1855ffde"
},
"oldId": "396766002",
"operator": {
"countryCode": null,
"name": null,
"number": "~"
},
"portalLink": "https://bt.group-ib.com/cd/imei?searchValue=id:0c1426048474df19ada9d0089ef8b3efce906556",
"sourceType": "Botnet",
"stixGuid": "9cff66e9-c2b3-26ca-771a-c9e4d501c453",
"threatActor": null
}
},
"IP": {
"ASN": "AS11111",
"Address": "11.11.11.11",
"Geo": {
"Country": "France"
},
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
},
"URL": {
"Data": "http://some.ru",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from compromised/imei with ID 0c1426048474df19ada9d0089ef8b3efce906556#

| Field | Value |
| --- | --- |
| client ipv4 asn | AS11111 |
| client ipv4 countryCode | NL |
| client ipv4 countryName | Netherlands |
| client ipv4 ip | 11.11.11.11 |
| client ipv4 provider | Some Company |
| cnc cnc | http://some.ru |
| cnc domain | some.ru |
| cnc ipv4 asn | AS11111 |
| cnc ipv4 countryCode | FR |
| cnc ipv4 countryName | France |
| cnc ipv4 ip | 11.11.11.11 |
| cnc ipv4 provider | Some |
| cnc url | http://some.ru |
| dateDetected | 2020-02-11T03:12:43+00:00 |
| device iccid | ~ |
| device imei | Some |
| device imsi | ~ |
| device model | Nexus S/2.3.7 ($$$Flexnet v.5.5) |
| evaluation admiraltyCode | A2 |
| evaluation credibility | 80 |
| evaluation reliability | 100 |
| evaluation severity | red |
| evaluation tlp | red |
| evaluation ttl | 30 |
| id | 0c1426048474df19ada9d0089ef8b3efce906556 |
| malware id | 8790a290230b3b4c059c2516a6adace1eac16066 |
| malware name | FlexNet |
| malware stixGuid | b51140c2-a88b-a95c-f5b0-1c5d1855ffde |
| oldId | 396766002 |
| operator number | ~ |
| portalLink | https://bt.group-ib.com/cd/imei?searchValue=id:0c1426048474df19ada9d0089ef8b3efce906556 |
| sourceType | Botnet |
| stixGuid | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 |

URL indicator#

| gibid | severity | value |
| --- | --- | --- |
| 0c1426048474df19ada9d0089ef8b3efce906556 | red | http://some.ru |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| 0c1426048474df19ada9d0089ef8b3efce906556 | red | some.ru |

IP indicator#

| asn | geocountry | gibid | severity | value |
| --- | --- | --- | --- | --- |
| AS11111 | France | 0c1426048474df19ada9d0089ef8b3efce906556 | red | 11.11.11.11 |

gibtia-get-osi-git-leak-info#


Command performs Group IB event lookup in osi/git_leak collection with provided ID.

Base Command#

gibtia-get-osi-git-leak-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: f201c253ac71f7d78db39fa111a2af9d7ee7a3f7. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.GitLeak.dateDetected | Date | Leak detection date |
| GIBTIA.GitLeak.matchesType | String | List of match types |
| GIBTIA.GitLeak.name | String | GIT filename |
| GIBTIA.GitLeak.repository | String | GIT repository |
| GIBTIA.GitLeak.revisions.file | String | Leaked file link |
| GIBTIA.GitLeak.revisions.fileDiff | String | Leaked file diff |
| GIBTIA.GitLeak.revisions.info.authorName | String | Revision author |
| GIBTIA.GitLeak.revisions.info.authorEmail | String | Author e-mail |
| GIBTIA.GitLeak.revisions.info.dateCreated | Date | Revision creation date |
| GIBTIA.GitLeak.source | String | Source (github/gitlab/etc.) |
| GIBTIA.GitLeak.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-osi-git-leak-info id=ead0d8ae9f2347789941ebacde88ad2e3b1ef691

Context Example#

{
"GIBTIA": {
"GitLeak": {
"companyId": [
40,
1872,
2060,
2248,
2522,
2692
],
"dateDetected": "2020-03-12T01:12:00+00:00",
"dateUpdated": "2020-02-11T01:12:00+00:00",
"evaluation": {
"admiraltyCode": "A6",
"credibility": 100,
"reliability": 100,
"severity": "green",
"tlp": "amber",
"ttl": 30
},
"file": "https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/bWFpbi0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3",
"fileId": "391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7",
"id": "ead0d8ae9f2347789941ebacde88ad2e3b1ef691",
"matchesType": [
"commonKeywords",
"keyword"
],
"matchesTypeCount": {
"card": 0,
"cisco": 0,
"commonKeywords": 1,
"domain": 0,
"dsn": 0,
"email": 0,
"google": 0,
"ip": 0,
"keyword": 1,
"login": 0,
"metasploit": 0,
"nmap": 0,
"pgp": 0,
"sha": 0,
"slackAPI": 0,
"ssh": 0
},
"name": "some",
"repository": "some.ru",
"revisions": [
{
"bind": [
{
"bindBy": "cert",
"companyId": [
2692
],
"data": "cert",
"type": "keyword"
}
],
"companyId": [
2692
],
"data": {
"commonKeywords": {
"password": [
"password"
]
}
},
"file": "https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZS0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3",
"fileDiff": "https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZURpZmYtMzkxZGI1ZDVmMTdhYjZjYmJiZjdjMzVkMWY0ZDA3NmNiNGM4MzBmMDk3YjJhOWVkZGQyZGY3YjA2NTA3MDlhNw==",
"fileDiffId": "a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c",
"fileId": "391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7",
"hash": "Some",
"info": {
"authorEmail": "some@gmail.ru",
"authorName": "some",
"dateCreated": "2020-01-03T11:17:52+00:00",
"timestamp": 1617794272
},
"parentFileId": "ead0d8ae9f2347789941ebacde88ad2e3b1ef691"
}
],
"source": "github"
}
}
}

Human Readable Output#

Feed from osi/git_leak with ID ead0d8ae9f2347789941ebacde88ad2e3b1ef691#

| Field | Value |
| --- | --- |
| companyId | 40, 1872, 2060, 2248, 2522, 2692 |
| dateDetected | 2020-03-12T01:12:00+00:00 |
| dateUpdated | 2020-02-11T01:12:00+00:00 |
| evaluation admiraltyCode | A6 |
| evaluation credibility | 100 |
| evaluation reliability | 100 |
| evaluation severity | green |
| evaluation tlp | amber |
| evaluation ttl | 30 |
| file | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/bWFpbi0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 |
| fileId | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 |
| id | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 |
| matchesType | commonKeywords, keyword |
| matchesTypeCount card | 0 |
| matchesTypeCount cisco | 0 |
| matchesTypeCount commonKeywords | 1 |
| matchesTypeCount domain | 0 |
| matchesTypeCount dsn | 0 |
| matchesTypeCount email | 0 |
| matchesTypeCount google | 0 |
| matchesTypeCount ip | 0 |
| matchesTypeCount keyword | 1 |
| matchesTypeCount login | 0 |
| matchesTypeCount metasploit | 0 |
| matchesTypeCount nmap | 0 |
| matchesTypeCount pgp | 0 |
| matchesTypeCount sha | 0 |
| matchesTypeCount slackAPI | 0 |
| matchesTypeCount ssh | 0 |
| name | some |
| repository | some.ru |
| source | github |

revisions table#

| Field | Value |
| --- | --- |
| bind | {'bindBy': 'cert', 'companyId': [2692], 'data': 'cert', 'type': 'keyword'} |
| companyId | 2692 |
| data | commonKeywords: {"password": ["password"]} |
| file | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZS0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 |
| fileDiff | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZURpZmYtMzkxZGI1ZDVmMTdhYjZjYmJiZjdjMzVkMWY0ZDA3NmNiNGM4MzBmMDk3YjJhOWVkZGQyZGY3YjA2NTA3MDlhNw== |
| fileDiffId | a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c |
| fileId | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 |
| hash | Some |
| info | authorEmail: some@gmail.ru, authorName: some, dateCreated: 2020-01-03T11:17:52+00:00, timestamp: 1617794272 |
| parentFileId | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 |

gibtia-get-osi-public-leak-info#


Command performs Group IB event lookup in osi/public_leak collection with provided ID.

Base Command#

gibtia-get-osi-public-leak-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: a9a5b5cb9b971a2a037e3a0a30654185ea148095. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.PublicLeak.created | Date | Leak event detection date |
| GIBTIA.PublicLeak.data | String | Leaked data |
| GIBTIA.PublicLeak.hash | String | Leak data hash |
| GIBTIA.PublicLeak.linkList.author | String | Leak entry author |
| GIBTIA.PublicLeak.linkList.dateDetected | Date | Leak detection date |
| GIBTIA.PublicLeak.linkList.datePublished | Date | Leak publish date |
| GIBTIA.PublicLeak.linkList.hash | String | Leak hash |
| GIBTIA.PublicLeak.linkList.link | String | Leak link |
| GIBTIA.PublicLeak.linkList.source | String | Leak source |
| GIBTIA.PublicLeak.matches | String | Matches |
| GIBTIA.PublicLeak.portalLink | String | Group IB portal link |
| GIBTIA.PublicLeak.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-osi-public-leak-info id=a09f2354e52d5fa0a8697c8df0b4ed99cc956273

Context Example#

{
"GIBTIA": {
"PublicLeak": {
"bind": [],
"created": "2020-02-02T13:52:01+03:00",
"data": "Big chunk of data",
"displayOptions": null,
"evaluation": {
"admiraltyCode": "C3",
"credibility": 50,
"reliability": 50,
"severity": "green",
"tlp": "amber",
"ttl": 30
},
"hash": "a11f2354e52d5fa0a8697c8df0b4ed99cc956211",
"id": "a11f2354e52d5fa0a8697c8df0b4ed99cc956211",
"language": "java",
"linkList": [
{
"author": "",
"dateDetected": "2021-04-01T14:57:01+03:00",
"datePublished": "2021-04-01T14:50:45+03:00",
"hash": "5d9657dbdf59487a6031820add2cacbe54e86814",
"itemSource": "api",
"link": "https://some.ru",
"sequenceUpdate": null,
"size": 709,
"source": "some.ru",
"status": 1,
"title": ""
}
],
"matches": [],
"oldId": null,
"portalLink": "https://bt.group-ib.com/osi/public_leak?searchValue=id:a09f2354e52d5fa0a8697c8df0b4ed99cc956273",
"size": "709 B",
"updated": "2021-04-01T14:57:01+03:00",
"useful": 1
}
}
}

Human Readable Output#

Feed from osi/public_leak with ID a11f2354e52d5fa0a8697c8df0b4ed99cc956211#

| Field | Value |
| --- | --- |
| created | 2020-02-02T13:52:01+03:00 |
| data | Big chunk of data |
| evaluation admiraltyCode | C3 |
| evaluation credibility | 50 |
| evaluation reliability | 50 |
| evaluation severity | green |
| evaluation tlp | amber |
| evaluation ttl | 30 |
| hash | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 |
| id | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 |
| language | java |
| portalLink | https://bt.group-ib.com/osi/public_leak?searchValue=id:a09f2354e52d5fa0a8697c8df0b4ed99cc956273 |
| size | 709 B |
| updated | 2021-04-01T14:57:01+03:00 |
| useful | 1 |

linkList table#

| dateDetected | datePublished | hash | itemSource | link | size | source | status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-04-01T14:57:01+03:00 | 2021-04-01T14:50:45+03:00 | 5d9657dbdf59487a6031820add2cacbe54e86814 | api | https://some.ru | 709 | some.ru | 1 |

gibtia-get-osi-vulnerability-info#


Command performs Group IB event lookup in osi/vulnerability collection with provided ID.

Base Command#

gibtia-get-osi-vulnerability-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id. e.g.: CVE-2021-27152. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.OSIVulnerability.affectedSoftware.name | String | Affected software name |
| GIBTIA.OSIVulnerability.affectedSoftware.operator | String | Affected software version operator (e.g. le = less or equal) |
| GIBTIA.OSIVulnerability.affectedSoftware.version | String | Affected software version |
| GIBTIA.OSIVulnerability.bulletinFamily | String | Bulletin family |
| GIBTIA.OSIVulnerability.cvss.score | String | CVSS score |
| GIBTIA.OSIVulnerability.cvss.vector | String | CVSS vector |
| GIBTIA.OSIVulnerability.dateLastSeen | Date | Date last seen |
| GIBTIA.OSIVulnerability.datePublished | Date | Date published |
| GIBTIA.OSIVulnerability.description | String | Vulnerability description |
| GIBTIA.OSIVulnerability.id | String | Vulnerability ID |
| GIBTIA.OSIVulnerability.reporter | String | Vulnerability reporter |
| GIBTIA.OSIVulnerability.title | String | Vulnerability title |
| GIBTIA.OSIVulnerability.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-osi-vulnerability-info id=CVE-2021-27152

Context Example#

{
"CVE": {
"CVSS": 7.5,
"Description": "Description",
"ID": "CVE-2021-27152",
"Modified": "2021-02-11T14:35:24+03:00",
"Published": "2021-02-10T19:15:00+03:00"
},
"DBotScore": {
"Indicator": "CVE-2021-27152",
"Score": 0,
"Type": "cve",
"Vendor": null
},
"GIBTIA": {
"OSIVulnerability": {
"affectedSoftware": [],
"bulletinFamily": "NVD",
"cveList": [],
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"dateLastSeen": "2021-02-11T14:35:24+03:00",
"dateModified": "2021-02-11T00:45:00+03:00",
"datePublished": "2021-02-10T19:15:00+03:00",
"description": "Description",
"displayOptions": {
"favouriteForCompanies": [],
"hideForCompanies": [],
"isFavourite": false,
"isHidden": false
},
"evaluation": {
"admiraltyCode": "A1",
"credibility": 100,
"reliability": 100,
"severity": "red",
"tlp": "green",
"ttl": 30
},
"exploitCount": 0,
"exploitList": [],
"extCvss": {
"base": 9.8,
"environmental": 0,
"exploitability": 3.9,
"impact": 5.9,
"mImpact": 0,
"overall": 9.8,
"temporal": 0,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"extDescription": "Big description",
"href": "https://some.ru",
"id": "CVE-2021-27152",
"lastseen": "2021-02-11T14:35:24+03:00",
"modified": "2021-02-11T00:45:00+03:00",
"portalLink": "https://bt.group-ib.com/osi/vulnerabilities?searchValue=id:CVE-2021-27152",
"provider": "some.ru",
"published": "2021-02-10T19:15:00+03:00",
"references": [
"https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152"
],
"reporter": "some.ru",
"softwareMixed": [
{
"arch": [],
"hardware": "",
"hardwareVendor": "",
"hardwareVersion": "",
"os": "some_firmware",
"osVendor": "some",
"osVersion": "some",
"rel": [],
"softwareFileName": "",
"softwareName": [],
"softwareType": [],
"softwareVersion": [],
"softwareVersionString": "",
"vendor": "some",
"versionOperator": ""
}
],
"threats": [],
"threatsList": [],
"timeLineData": [],
"title": "CVE-2021-27152",
"type": "cve"
}
}
}

Human Readable Output#

Feed from osi/vulnerability with ID CVE-2021-27152#

| bulletinFamily | cvss score | cvss vector | dateLastSeen | dateModified | datePublished | description | displayOptions isFavourite | displayOptions isHidden | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | evaluation ttl | exploitCount | extCvss base | extCvss environmental | extCvss exploitability | extCvss impact | extCvss mImpact | extCvss overall | extCvss temporal | extCvss vector | extDescription | href | id | lastseen | modified | portalLink | provider | published | references | reporter | title | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | https://bt.group-ib.com/osi/vulnerabilities?searchValue=id:CVE-2021-27152 | some.ru | 2021-02-10T19:15:00+03:00 | https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve |

softwareMixed table#

| os | osVendor | osVersion | vendor |
| --- | --- | --- | --- |
| some_firmware | some | some | some |

gibtia-get-phishing-kit-info#


Performs a Group-IB event lookup in the bp/phishing_kit and attacks/phishing_kit collections with the provided ID.

Base Command#

gibtia-get-phishing-kit-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. 044f3f2cb599228c1882884eb77eb073f68a25f2. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.PhishingKit.dateDetected | Date | Phishing kit detection date |
| GIBTIA.PhishingKit.dateFirstSeen | Date | Phishing kit first seen date |
| GIBTIA.PhishingKit.dateLastSeen | Date | Phishing kit last seen date |
| GIBTIA.PhishingKit.downloadedFrom.fileName | String | Phishing kit filename |
| GIBTIA.PhishingKit.downloadedFrom.domain | String | Phishing kit domain |
| GIBTIA.PhishingKit.downloadedFrom.date | Date | Download date |
| GIBTIA.PhishingKit.downloadedFrom.url | String | URL the phishing kit was downloaded from |
| GIBTIA.PhishingKit.hash | String | MD5 hash of the phishing kit |
| GIBTIA.PhishingKit.portalLink | String | Link to the kit on GIB TI&A |
| GIBTIA.PhishingKit.targetBrand | String | Phishing kit target brand |
| GIBTIA.PhishingKit.emails | String | Emails found in the phishing kit |
| GIBTIA.PhishingKit.id | String | GIB event ID |
| GIBTIA.PhishingKit.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-phishing-kit-info id=044f3f2cb599228c1882884eb77eb073f68a25f2

Context Example#

{
"GIBTIA": {
"PhishingKit": {
"company": [],
"companyId": [
-1
],
"dateDetected": "2021-01-21T10:10:41+00:00",
"dateFirstSeen": "2021-01-21T10:10:41+00:00",
"dateLastSeen": "2021-01-21T10:12:17+00:00",
"downloadedFrom": [
{
"date": "2021-01-21 10:10:41",
"domain": "some.ru",
"fileName": "some.zip",
"url": "https://some.ru"
}
],
"emails": [],
"evaluation": {
"admiraltyCode": "B2",
"credibility": 70,
"reliability": 80,
"severity": "orange",
"tlp": "amber",
"ttl": 30
},
"favouriteForCompanies": [],
"hash": "8d7ea805fe20d6d77f57e2f0cadd17b1",
"hideForCompanies": [],
"id": "044f3f2cb599228c1882884eb77eb073f68a25f2",
"login": "Some",
"oldId": "396793696",
"path": "https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76",
"portalLink": "https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2",
"source": [
"some"
],
"targetBrand": [],
"tsFirstSeen": null,
"tsLastSeen": null,
"variables": [
{
"filePath": "some.ru",
"type": "DB",
"value": "host: localhost"
}
]
}
}
}

Human Readable Output#

Feed from attack/phishing_kit with ID 044f3f2cb599228c1882884eb77eb073f68a25f2#

| companyId | dateDetected | dateFirstSeen | dateLastSeen | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | evaluation ttl | hash | id | login | oldId | path | portalLink | source |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| -1 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:12:17+00:00 | B2 | 70 | 80 | orange | amber | 30 | 8d7ea805fe20d6d77f57e2f0cadd17b1 | 044f3f2cb599228c1882884eb77eb073f68a25f2 | some | 396793696 | https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76 | https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2 | some |

downloadedFrom table#

| date | domain | fileName | url |
| --- | --- | --- | --- |
| 2021-01-21 10:10:41 | some.ru | some.ru | https://some.ru |

variables table#

| filePath | type | value |
| --- | --- | --- |
| some.ru | DB | host: localhost |

gibtia-get-phishing-info#


Performs a Group-IB event lookup in the bp/phishing and attacks/phishing collections with the provided ID.

Base Command#

gibtia-get-phishing-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. fce7f92d0b64946cf890842d083953649b259952. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.Phishing.dateDetected | Date | Date of phishing detection |
| GIBTIA.Phishing.dateBlocked | Unknown | Phishing resource block date |
| GIBTIA.Phishing.id | String | GIB incident ID |
| GIBTIA.Phishing.ipv4.asn | String | Phishing resource ASN |
| GIBTIA.Phishing.ipv4.countryName | String | Phishing resource country name |
| GIBTIA.Phishing.ipv4.ip | String | Phishing resource IP address |
| GIBTIA.Phishing.ipv4.region | String | Phishing resource region name |
| GIBTIA.Phishing.phishingDomain.domain | String | Phishing domain |
| GIBTIA.Phishing.phishingDomain.dateRegistered | Date | Phishing domain creation date |
| GIBTIA.Phishing.phishingDomain.registrar | String | Phishing domain registrar name |
| GIBTIA.Phishing.phishingDomain.title | String | Phishing domain title |
| GIBTIA.Phishing.targetBrand | String | Phishing target name |
| GIBTIA.Phishing.targetCategory | String | Phishing target category (financial, government, etc.) |
| GIBTIA.Phishing.targetDomain | String | Phishing target domain |
| GIBTIA.Phishing.status | String | Current status of the phishing incident (blocked, in response, etc.) |
| GIBTIA.Phishing.url | String | Phishing URL |
| GIBTIA.Phishing.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-phishing-info id=fce7f92d0b64946cf890842d083953649b259952

Context Example#

{
"DBotScore": [
{
"Indicator": "https://some.ru",
"Score": 3,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.ru",
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "Some"
},
"WHOIS": {
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "Some"
}
}
},
"GIBTIA": {
"Phishing": {
"company": [],
"companyId": [
2008
],
"dateBlocked": "2021-01-25T22:58:10+00:00",
"dateDetected": "2021-01-21T11:21:34+00:00",
"evaluation": {
"admiraltyCode": "A2",
"credibility": 80,
"reliability": 90,
"severity": "red",
"tlp": "amber",
"ttl": 30
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"history": [
{
"date": "2021-01-21T11:20:50+00:00",
"field": "Detected",
"reason": "In response",
"reporter": "Group-IB Intelligence",
"value": "In response"
}
],
"id": "fce7f92d0b64946cf890842d083953649b259952",
"ipv4": {
"asn": null,
"city": "Some",
"countryCode": "CA",
"countryName": "Canada",
"ip": "11.11.11.11",
"provider": "Some",
"region": "NA"
},
"objective": "Login harvest",
"oldId": "396798526",
"phishingDomain": {
"dateRegistered": "2021-01-20 13:41:30",
"domain": "some.ru",
"local": "some.ru",
"registrar": "Some",
"title": ""
},
"portalLink": "https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952",
"status": "Responding completed",
"stixGuid": "4812358a-1de0-ab32-05e4-d91842d369e2",
"targetBrand": "Some",
"targetCategory": "Finance > Banking",
"targetCountryName": null,
"targetDomain": "some.ru",
"type": "Phishing",
"url": "https://some.ru"
}
},
"IP": {
"Address": "11.11.11.11",
"Geo": {
"Country": "Canada",
"Description": "NA"
},
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
},
"URL": {
"Data": "https://some.ru",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from attacks/phishing with ID fce7f92d0b64946cf890842d083953649b259952#

| companyId | dateBlocked | dateDetected | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | evaluation ttl | id | ipv4 city | ipv4 countryCode | ipv4 countryName | ipv4 ip | ipv4 provider | ipv4 region | objective | oldId | phishingDomain dateRegistered | phishingDomain domain | phishingDomain local | phishingDomain registrar | portalLink | status | stixGuid | targetBrand | targetCategory | targetDomain | type | url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2008 | 2021-01-25T22:58:10+00:00 | 2021-01-21T11:21:34+00:00 | A2 | 80 | 90 | red | amber | 30 | fce7f92d0b64946cf890842d083953649b259952 | Some | CA | Canada | 11.11.11.11 | Some | NA | Login harvest | 396798526 | 2021-01-20 13:41:30 | some.ru | some.ru | Some | https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952 | Responding completed | 4812358a-1de0-ab32-05e4-d91842d369e2 | Some | Finance > Banking | some.ru | Phishing | https://some.ru |

history table#

| date | field | reason | reporter | value |
| --- | --- | --- | --- | --- |
| 2021-01-21T11:20:50+00:00 | Detected | In response | Group-IB Intelligence | In response |

URL indicator#

| gibid | severity | value |
| --- | --- | --- |
| fce7f92d0b64946cf890842d083953649b259952 | red | https://some.ru |

Domain indicator#

| creationdate | gibid | gibphishingtitle | gibtargetbrand | gibtargetcategory | gibtargetdomain | registrarname | severity | value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-01-20T13:41:30Z | fce7f92d0b64946cf890842d083953649b259952 |  | Some | Finance > Banking | some.ru | Some | red | some.ru |

IP indicator#

| geocountry | geolocation | gibid | severity | value |
| --- | --- | --- | --- | --- |
| Canada | NA | fce7f92d0b64946cf890842d083953649b259952 | red | 11.11.11.11 |
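The Context Example above shows one GIBTIA.Phishing object producing three scored indicators (the URL, the phishing domain and the resolved IP, each with DBotScore 3). An automation that post-processes this context, for instance to push the indicators to another tool, has to walk the nested fields, skip empty ones and avoid emitting the same domain twice (it is both `phishingDomain.domain` and the URL host). The block below is an added example written for that purpose; it is not code from the Group-IB integration. The severity-to-score mapping (red to 3, orange to 2, green to 1) is an assumption inferred from the examples on this page, not the integration's documented logic, and `SAMPLE_PHISHING` is a constructed subset of the Context Example.

```python
"""Derive (value, type, score) indicators from a GIBTIA.Phishing context
object as returned by gibtia-get-phishing-info.

Added example for automation authors; not code from the Group-IB
integration. SEVERITY_TO_DBOT is an assumption inferred from this page's
examples, not documented integration behaviour.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed mapping (inferred from this page: red -> 3, orange -> 2, green -> 1).
SEVERITY_TO_DBOT = {"red": 3, "orange": 2, "green": 1}
DBOT_UNKNOWN = 0   # anything we cannot map stays "unknown" rather than guessing


def severity_to_score(severity) -> int:
    """Map a GIB evaluation.severity value to a DBotScore number."""
    return SEVERITY_TO_DBOT.get(str(severity or "").lower(), DBOT_UNKNOWN)


def _valid_ip(value) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def extract_phishing_indicators(phishing: dict) -> list:
    """Return a list of {'value', 'type', 'score', 'gibid'} dicts for the URL,
    the phishing domain and the resolved IP of one GIBTIA.Phishing object.
    Empty fields are skipped and (value, type) pairs are de-duplicated; a URL
    whose host is a bare IP yields an 'ip' indicator, not a 'domain'."""
    score = severity_to_score((phishing.get("evaluation") or {}).get("severity"))
    gibid = phishing.get("id")
    candidates = []

    url = phishing.get("url")
    if url:
        candidates.append((url, "url"))
        host = urlsplit(url).hostname
        if host:
            candidates.append((host, "ip" if _valid_ip(host) else "domain"))

    domain = (phishing.get("phishingDomain") or {}).get("domain")
    if domain:
        candidates.append((domain, "domain"))

    ip = (phishing.get("ipv4") or {}).get("ip")
    if _valid_ip(ip):
        candidates.append((ip, "ip"))

    seen = set()
    indicators = []
    for value, itype in candidates:
        if (value, itype) in seen:
            continue
        seen.add((value, itype))
        indicators.append({"value": value, "type": itype, "score": score, "gibid": gibid})
    return indicators


# Constructed subset of this page's Context Example (values copied from the page).
SAMPLE_PHISHING = {
    "id": "fce7f92d0b64946cf890842d083953649b259952",
    "evaluation": {"severity": "red"},
    "ipv4": {"ip": "11.11.11.11", "countryName": "Canada"},
    "phishingDomain": {"domain": "some.ru", "registrar": "Some"},
    "status": "Responding completed",
    "url": "https://some.ru",
}

if __name__ == "__main__":
    for indicator in extract_phishing_indicators(SAMPLE_PHISHING):
        print(indicator)   # url, domain and ip, each with score 3
```

Run against the sample, the function yields exactly the three indicators listed under DBotScore in the Context Example; the duplicate `some.ru` from the URL host is collapsed into the single domain entry.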

gibtia-get-attacks-ddos-info#


Performs a Group-IB event lookup in the attacks/ddos collection with the provided ID.

Base Command#

gibtia-get-attacks-ddos-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. 26a05baa4025edff367b058b13c6b43e820538a5. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.AttacksDDoS.cnc.url | String | CNC URL |
| GIBTIA.AttacksDDoS.cnc.domain | String | CNC domain |
| GIBTIA.AttacksDDoS.cnc.ipv4.asn | String | CNC ASN |
| GIBTIA.AttacksDDoS.cnc.ipv4.countryName | String | CNC IP country name |
| GIBTIA.AttacksDDoS.cnc.ipv4.ip | String | CNC IP address |
| GIBTIA.AttacksDDoS.cnc.ipv4.region | String | CNC region name |
| GIBTIA.AttacksDDoS.target.ipv4.asn | String | DDoS target ASN |
| GIBTIA.AttacksDDoS.target.ipv4.countryName | String | DDoS target country name |
| GIBTIA.AttacksDDoS.target.ipv4.ip | String | DDoS target IP address |
| GIBTIA.AttacksDDoS.target.ipv4.region | String | DDoS target region name |
| GIBTIA.AttacksDDoS.target.category | String | DDoS target category |
| GIBTIA.AttacksDDoS.target.domain | String | DDoS target domain |
| GIBTIA.AttacksDDoS.threatActor.id | String | Associated threat actor ID |
| GIBTIA.AttacksDDoS.threatActor.name | String | Associated threat actor |
| GIBTIA.AttacksDDoS.threatActor.isAPT | Boolean | Is the threat actor an APT |
| GIBTIA.AttacksDDoS.id | String | GIB incident ID |
| GIBTIA.AttacksDDoS.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-attacks-ddos-info id=26a05baa4025edff367b058b13c6b43e820538a5

Context Example#

{
"DBotScore": [
{
"Indicator": "some.ru",
"Score": 3,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 3,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.ru"
},
"GIBTIA": {
"AttacksDDoS": {
"cnc": {
"cnc": "some.ru",
"domain": "some.ru",
"ipv4": {
"asn": "AS11111",
"city": "Some",
"countryCode": "US",
"countryName": "United States",
"ip": "11.11.11.11",
"provider": "Some",
"region": "Some"
},
"ipv6": null,
"url": null
},
"company": null,
"companyId": -1,
"dateBegin": "2021-01-16T02:58:53+00:00",
"dateEnd": "2021-01-16T02:58:55+00:00",
"dateReg": "2021-01-16",
"evaluation": {
"admiraltyCode": "A2",
"credibility": 90,
"reliability": 90,
"severity": "red",
"tlp": "green",
"ttl": 30
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "26a05baa4025edff367b058b13c6b43e820538a5",
"malware": null,
"messageLink": null,
"oldId": "394657345",
"portalLink": "https://bt.group-ib.com/attacks/ddos?searchValue=id:26a05baa4025edff367b058b13c6b43e820538a5",
"protocol": "udp",
"source": "honeypot_logs:1",
"stixGuid": "ea05c117-2cca-b3cd-f033-a8e16e5db3c2",
"target": {
"category": null,
"domain": null,
"domainsCount": 0,
"ipv4": {
"asn": "AS11111",
"city": "Some",
"countryCode": "US",
"countryName": "United States",
"ip": "11.11.11.11",
"provider": "Some",
"region": "Some"
},
"port": 55843,
"url": null
},
"threatActor": null,
"type": "DNS Reflection"
}
},
"IP": {
"ASN": "AS11111",
"Address": "11.11.11.11",
"Geo": {
"Country": "United States",
"Description": "Some"
},
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
}
}
}

Human Readable Output#

Feed from attacks/ddos with ID 26a05baa4025edff367b058b13c6b43e820538a5#

| cnc cnc | cnc domain | cnc ipv4 asn | cnc ipv4 city | cnc ipv4 countryCode | cnc ipv4 countryName | cnc ipv4 ip | cnc ipv4 provider | cnc ipv4 region | companyId | dateBegin | dateEnd | dateReg | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | evaluation ttl | id | oldId | portalLink | protocol | source | stixGuid | target domainsCount | target ipv4 asn | target ipv4 city | target ipv4 countryCode | target ipv4 countryName | target ipv4 ip | target ipv4 provider | target ipv4 region | target port | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| some.ru | some.ru | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2021-01-16T02:58:53+00:00 | 2021-01-16T02:58:55+00:00 | 2021-01-16 | A2 | 90 | 90 | red | green | 30 | 26a05baa4025edff367b058b13c6b43e820538a5 | 394657345 | https://bt.group-ib.com/attacks/ddos?searchValue=id:26a05baa4025edff367b058b13c6b43e820538a5 | udp | honeypot_logs:1 | ea05c117-2cca-b3cd-f033-a8e16e5db3c2 | 0 | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | 55843 | DNS Reflection |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| 26a05baa4025edff367b058b13c6b43e820538a5 | red | some.ru |

IP indicator#

| asn | geocountry | geolocation | gibid | severity | value |
| --- | --- | --- | --- | --- | --- |
| AS11111 | United States | Some | 26a05baa4025edff367b058b13c6b43e820538a5 | red | 11.11.11.11 |

gibtia-get-attacks-deface-info#


Performs a Group-IB event lookup in the attacks/deface collection with the provided ID.

Base Command#

gibtia-get-attacks-deface-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. 6009637a1135cd001ef46e21. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.AttacksDeface.date | Date | Date of deface |
| GIBTIA.AttacksDeface.id | String | GIB incident ID |
| GIBTIA.AttacksDeface.targetIp.asn | String | Victim ASN |
| GIBTIA.AttacksDeface.targetIp.countryName | String | Victim country name |
| GIBTIA.AttacksDeface.targetIp.region | String | Victim IP region name |
| GIBTIA.AttacksDeface.threatActor.id | String | Associated threat actor ID |
| GIBTIA.AttacksDeface.threatActor.name | String | Associated threat actor |
| GIBTIA.AttacksDeface.threatActor.isAPT | Boolean | Is the threat actor an APT |
| GIBTIA.AttacksDeface.url | String | URL of the compromised resource |
| GIBTIA.AttacksDeface.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-attacks-deface-info id=6009637a1135cd001ef46e21

Context Example#

{
"DBotScore": [
{
"Indicator": "http://some.ru",
"Score": 2,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 2,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 2,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Name": "some.ru"
},
"GIBTIA": {
"AttacksDeface": {
"contacts": [],
"date": "2021-01-21T02:22:18+00:00",
"evaluation": {
"admiraltyCode": "B2",
"credibility": 80,
"reliability": 80,
"severity": "orange",
"tlp": "amber",
"ttl": 30
},
"id": "6009637a1135cd001ef46e21",
"mirrorLink": "https://some.ru/id:-6009637a1135cd001ef46e21:",
"portalLink": "https://bt.group-ib.com/attacks/deface?searchValue=id:6009637a1135cd001ef46e21",
"providerDomain": "some.ru",
"siteUrl": "http://some.ru",
"source": "some.ru",
"targetDomain": "some.ru",
"targetDomainProvider": null,
"targetIp": {
"asn": null,
"city": "",
"countryCode": null,
"countryName": "Indonesia",
"ip": "11.11.11.11",
"provider": null,
"region": null
},
"threatActor": {
"country": null,
"id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555",
"isAPT": false,
"name": "FRK48",
"stixGuid": null
},
"tsCreate": "2021-01-21T11:19:52+00:00",
"url": "http://some.ru"
}
},
"IP": {
"Address": "11.11.11.11",
"Geo": {
"Country": "Indonesia"
}
},
"URL": {
"Data": "http://some.ru"
}
}

Human Readable Output#

Feed from attacks/deface with ID 6009637a1135cd001ef46e21#

| date | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | evaluation ttl | id | mirrorLink | portalLink | providerDomain | siteUrl | source | targetDomain | targetIp countryName | targetIp ip | threatActor id | threatActor isAPT | threatActor name | tsCreate | url |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | https://some.ru/id:-6009637a1135cd001ef46e21: | https://bt.group-ib.com/attacks/deface?searchValue=id:6009637a1135cd001ef46e21 | some.ru | http://some.ru | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru |

URL indicator#

| gibid | severity | value |
| --- | --- | --- |
| 6009637a1135cd001ef46e21 | orange | http://some.ru |

Domain indicator#

| gibid | severity | value |
| --- | --- | --- |
| 6009637a1135cd001ef46e21 | orange | some.ru |

IP indicator#

| geocountry | gibid | severity | value |
| --- | --- | --- | --- |
| Indonesia | 6009637a1135cd001ef46e21 | orange | 11.11.11.11 |

gibtia-get-threat-info#


Performs a Group-IB event lookup in the hi/threat collection (or in apt/threat if the isAPT flag is true) with the provided ID.

Base Command#

gibtia-get-threat-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. 1b09d389d016121afbffe481a14b30ea995876e4. | Required |
| isAPT | Whether the threat is APT. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.Threat.contacts.account | String | Threat accounts found in this threat action |
| GIBTIA.Threat.contacts.flag | String | Whether the account is fake |
| GIBTIA.Threat.contacts.service | String | Account service |
| GIBTIA.Threat.contacts.type | String | Type of account (social_network/email/wallet etc.) |
| GIBTIA.Threat.countries | String | Affected countries |
| GIBTIA.Threat.createdAt | Date | Threat report creation date |
| GIBTIA.Threat.cveList.name | String | List of abused CVEs |
| GIBTIA.Threat.dateFirstSeen | Date | Attack first seen date |
| GIBTIA.Threat.dateLastSeen | Date | Attack last seen date |
| GIBTIA.Threat.datePublished | Date | Date published |
| GIBTIA.Threat.description | String | Threat description |
| GIBTIA.Threat.forumsAccounts.url | String | Related forum URL |
| GIBTIA.Threat.forumsAccounts.nickname | String | Related forum account |
| GIBTIA.Threat.forumsAccounts.registeredAt | Date | Related forum account registration date |
| GIBTIA.Threat.forumsAccounts.messageCount | Number | Related forum message count |
| GIBTIA.Threat.id | String | GIB internal threat ID |
| GIBTIA.Threat.indicators | String | Either network or file indicators |
| GIBTIA.Threat.langs | String | Languages related to the actors |
| GIBTIA.Threat.malwareList.name | String | Related malware name |
| GIBTIA.Threat.malwareList.id | String | Related malware GIB internal ID |
| GIBTIA.Threat.mitreMatrix.attackPatternId | String | MITRE attack pattern ID |
| GIBTIA.Threat.mitreMatrix.attackTactic | String | MITRE attack tactic name |
| GIBTIA.Threat.mitreMatrix.attackType | String | MITRE attack type |
| GIBTIA.Threat.mitreMatrix.id | String | MITRE attack id |
| GIBTIA.Threat.regions | String | Regions affected by the attack |
| GIBTIA.Threat.reportNumber | String | GIB report number |
| GIBTIA.Threat.sectors | String | Affected sectors |
| GIBTIA.Threat.shortDescription | String | Short description |
| GIBTIA.Threat.title | String | Threat title |
| GIBTIA.Threat.targetedCompany | String | Targeted company name |
| GIBTIA.Threat.ThreatActor.name | String | Threat actor name |
| GIBTIA.Threat.ThreatActor.id | String | Threat actor ID |
| GIBTIA.Threat.ThreatActor.isAPT | Boolean | Is the threat actor an APT group |
| GIBTIA.Threat.sources | String | Source links |
| GIBTIA.Threat.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-threat-info id=1b09d389d016121afbffe481a14b30ea995876e4 isAPT=true

Context Example#

{
"DBotScore": [
{
"Indicator": "some.ru",
"Score": 2,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 2,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "https://some.ru",
"Score": 2,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "https://some.ru",
"Score": 2,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "8397ea747d2ab50da4f876a36d673211",
"Score": 2,
"Type": "file",
"Vendor": "GIB TI&A"
},
{
"Indicator": "5d43baf1c9e9e3a939e5defd8f8fbd2d",
"Score": 2,
"Type": "file",
"Vendor": "GIB TI&A"
}
],
"Domain": [
{
"Name": "some.ru"
},
{
"Name": "some.ru"
}
],
"File": [
{
"MD5": "8397ea747d2ab50da4f876a36d673211",
"Name": "some.ru",
"SHA1": "48a6d5141e25b6c63ad8da20b954b56afe589011",
"SHA256": "89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63951"
},
{
"MD5": "5d43baf1c9e9e3a939e5defd8f8fbd2d",
"Name": "5d43baf1c9e9e3a939e5defd8f8fbd2d",
"SHA1": "d5ff73c043f3bb75dd749636307500b60a436510",
"SHA256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd16"
}
],
"GIBTIA": {
"Threat": {
"companyId": [],
"contacts": [],
"countries": [],
"createdAt": "2021-01-15T16:53:20+03:00",
"cveList": [],
"dateFirstSeen": "2021-01-15",
"dateLastSeen": "2021-01-15",
"datePublished": "2021-01-15",
"deleted": false,
"description": "Big description",
"evaluation": {
"admiraltyCode": "B1",
"credibility": 100,
"reliability": 80,
"severity": "orange",
"tlp": "amber",
"ttl": null
},
"expertise": [],
"files": [
{
"hash": "fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11",
"mime": "image/png",
"name": "fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11",
"size": 284731
},
{
"hash": "a6851a6b91759d00afce8e65c0e5087429812b8c49d39631793d8b6bdeb08711",
"mime": "image/png",
"name": "a6851a6b91759d00afce8e65c0e5087429812b8c49d39631793d8b6bdeb08711",
"size": 129240
},
{
"hash": "644f5b8e38f55b82f811240af7c4abdaf8c8bc18b359f8f169074ba881d93b1d",
"mime": "image/png",
"name": "644f5b8e38f55b82f811240af7c4abdaf8c8bc18b359f8f169074ba881d93b1d",
"size": 556552
},
{
"hash": "623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2",
"mime": "image/png",
"name": "623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2",
"size": 209254
}
],
"forumsAccounts": [],
"id": "1b09d389d016121afbffe481a14b30ea995876e4",
"isPublished": true,
"isTailored": false,
"labels": [],
"langs": [
"en",
"ru"
],
"malwareList": [],
"mitreMatrix": [
{
"attackPatternId": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195",
"attackTactic": "establish-&-maintain-infrastructure",
"attackType": "pre_attack_tactics",
"id": "PRE-T1105",
"params": {
"data": ""
}
}
],
"oldId": "4c01c2d4-5ebb-44d8-9e91-be89231b0eb3",
"oldObjectData": null,
"regions": [],
"relatedThreatActors": [],
"reportNumber": "CP-2501-1653",
"sectors": [
"financial-services",
"finance"
],
"shortDescription": null,
"shortTitle": null,
"sources": [],
"stixGuid": null,
"targetedCompany": [],
"targetedPartnersAndClients": [],
"techSeqUpdate": null,
"threatActor": {
"country": "KP",
"id": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f",
"isAPT": true,
"name": "Lazarus",
"stixGuid": null
},
"title": "Lazarus launches new attack with cryptocurrency trading platforms",
"toolList": [],
"type": "threat",
"updatedAt": "2021-04-02T14:08:03+03:00"
}
},
"URL": [
{
"Data": "https://some.ru"
},
{
"Data": "https://some.ru"
}
]
}

Human Readable Output#

Feed from threat with ID 1b09d389d016121afbffe481a14b30ea995876e4#

| createdAt | dateFirstSeen | dateLastSeen | datePublished | deleted | description | evaluation admiraltyCode | evaluation credibility | evaluation reliability | evaluation severity | evaluation tlp | id | isPublished | isTailored | langs | oldId | reportNumber | sectors | threatActor country | threatActor id | threatActor isAPT | threatActor name | title | type | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-01-15T16:53:20+03:00 | 2021-01-15 | 2021-01-15 | 2021-01-15 | false | Big description | B1 | 100 | 80 | orange | amber | 1b09d389d016121afbffe481a14b30ea995876e4 | true | false | en, ru | 4c01c2d4-5ebb-44d8-9e91-be89231b0eb3 | CP-2501-1653 | financial-services, finance | KP | 5e9f20fdcf5876b5772b3d09b432f4080711ac5f | true | Lazarus | Lazarus launches new attack with cryptocurrency trading platforms | threat | 2021-04-02T14:08:03+03:00 |

files table#

| hash | mime | name | size |
| --- | --- | --- | --- |
| fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | image/png | fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | 284731 |
| a6851a6b91759d00afce8e65c0e5087429812b8c49d39631793d8b6bdeb08711 | image/png | a6851a6b91759d00afce8e65c0e5087429812b8c49d39631793d8b6bdeb08711 | 129240 |
| 644f5b8e38f55b82f811240af7c4abdaf8c8bc18b359f8f169074ba881d93b1d | image/png | 644f5b8e38f55b82f811240af7c4abdaf8c8bc18b359f8f169074ba881d93b1d | 556552 |
| 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | image/png | 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | 209254 |

mitreMatrix table#

| attackPatternId | attackTactic | attackType | id | params |
| --- | --- | --- | --- | --- |
| attack-pattern--45242287-2964-4a3e-9373-159fad4d8195 | establish-&-maintain-infrastructure | pre_attack_tactics | PRE-T1105 | data: |

indicatorRelationships table#

| sourceId | targetId |
| --- | --- |
| 9f3a2a244570a38e772a35d7c9171eed92bec6f7 | 12cad1ca535a92a2ed306c0edf3025e7d9776693 |

indicators table#

| deleted | id | langs | params | seqUpdate | type |
| --- | --- | --- | --- | --- | --- |
| false | 9f3a2a244570a38e772a35d7c9171eed12bec6f7 | en | hashes: {"md4": "", "md5": "8397ea747d2ab50da4f876a36d631272", "md6": "", "ripemd160": "", "sha1": "48a6d5141e25b6c63ad8da20b954b56afe512031", "sha224": "", "sha256": "89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e1aa15ccd7512b1e63957", "sha384": "", "sha512": "", "whirlpool": ""}; name: some.ru; size: null | 16107188499162 | file |
| false | 8b96c56cbc980c1e3362060ffa953e65281fb1df | en | domain: some.ru; ipv4: ; ipv6: ; ssl: ; url: https://some.ru | 16107188498393 | network |
| false | 42a9929807fd954918f9bb603135754be7a6e11c | en | hashes: {"md4": "", "md5": "5d43baf1c9e9e3a939e5defd8f3fbd1d", "md6": "", "ripemd120": "", "sha1": "d5ff73c043f3bb75dd749636307500b60a336150", "sha224": "", "sha256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc3dd12", "sha384": "", "sha512": "", "whirlpool": ""}; name: 5d43baf1c9e9e3a939e5defd8f8fbd1d; size: null | 16107188498634 | file |
| false | 12cad1ca535a92a2ed306c0edf3025e7d9776612 | en | domain: some.ru; ipv4: ; ipv6: ; ssl: ; url: https://some.ru | 16107188498908 | network |

gibtia-get-threat-actor-info#


Performs a Group-IB event lookup in the hi/threat_actor collection (or in apt/threat_actor if the isAPT flag is true) with the provided ID.

Base Command#

gibtia-get-threat-actor-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB internal threatActor ID, e.g. 0d4496592ac3a0f5511cd62ef29887f48d9cb545. | Required |
| isAPT | Whether the threat actor is an APT group. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.ThreatActor.aliases | String | Threat actor aliases |
| GIBTIA.ThreatActor.country | String | Threat actor country |
| GIBTIA.ThreatActor.createdAt | Date | Threat actor record creation time |
| GIBTIA.ThreatActor.description | String | Threat actor description |
| GIBTIA.ThreatActor.goals | String | Threat actor goal sectors (financial, diplomatic, etc.) |
| GIBTIA.ThreatActor.id | String | Threat actor id |
| GIBTIA.ThreatActor.isAPT | Boolean | Whether the threat actor is an APT |
| GIBTIA.ThreatActor.labels | String | GIB internal threat actor labels (hacker, nation-state, etc.) |
| GIBTIA.ThreatActor.langs | String | Threat actor communication language |
| GIBTIA.ThreatActor.name | String | Threat actor name |
| GIBTIA.ThreatActor.roles | String | Threat actor roles |
| GIBTIA.ThreatActor.stat.countries | String | Countries in which threat actor activity was found |
| GIBTIA.ThreatActor.stat.dateFirstSeen | Date | Date first seen |
| GIBTIA.ThreatActor.stat.dateLastSeen | Date | Date last seen |
| GIBTIA.ThreatActor.stat.regions | String | Threat actor activity regions |
| GIBTIA.ThreatActor.stat.reports.datePublished | Date | Related threat report publishing date |
| GIBTIA.ThreatActor.stat.reports.id | String | Related threat report id |
| GIBTIA.ThreatActor.stat.reports.name.en | String | Related threat report name (English) |
| GIBTIA.ThreatActor.stat.sectors | String | Sectors attacked by the threat actor |

Command Example#

!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef29887f48d9cb545 isAPT=true

Context Example#

{
"GIBTIA": {
"ThreatActor": {
"aliases": [
"SectorC08"
],
"country": "RU",
"createdAt": "2018-09-26T16:59:50+03:00",
"deleted": false,
"description": "Big description",
"files": [],
"goals": [
"Information"
],
"id": "0d4496592ac3a0f5511cd62ef29887f48d9cb545",
"isAPT": true,
"isPublished": true,
"labels": [
"spy"
],
"langs": [
"en"
],
"name": "Gamaredon",
"oldId": null,
"oldObjectData": null,
"roles": [
"agent"
],
"spokenOnLangs": [
"ru"
],
"stat": {
"countries": [
"US"
],
"dateFirstSeen": "2013-06-01",
"dateLastSeen": "2021-03-19",
"regions": [
"asia"
],
"reports": [
{
"datePublished": "2021-02-04",
"id": "59dec5947c5adac898445e3958b1d05e1c260459",
"name": {
"en": "Template injection attacks from the Gamaredon group continued: protocol topics"
}
}
],
"sectors": [
"non-profit"
]
},
"stixGuid": "63d0e4d4-9f55-4fa2-87af-b6c91ded80e0",
"techSeqUpdate": null,
"updatedAt": "2021-04-08T22:09:07+03:00"
}
}
}

Human Readable Output#

Feed from threat_actor with ID 0d4496592ac3a0f5511cd62ef29887f48d9cb545#

| aliases | country | createdAt | deleted | description | goals | id | isAPT | isPublished | labels | langs | name | roles | spokenOnLangs | stat countries | stat dateFirstSeen | stat dateLastSeen | stat regions | stat sectors | stixGuid | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SectorC08 | RU | 2018-09-26T16:59:50+03:00 | false | Big description | Information | 0d4496592ac3a0f5511cd62ef29887f48d9cb545 | true | true | spy | en | Gamaredon | agent | ru | US | 2013-06-01 | 2021-03-19 | asia | non-profit | 63d0e4d4-9f55-4fa2-87af-b6c91ded80e0 | 2021-04-08T22:09:07+03:00 |

stat reports table#

| datePublished | id | name |
| --- | --- | --- |
| 2021-02-04 | 59dec5947c5adac898445e3958b1d05e1c260459 | en: Template injection attacks from the Gamaredon group continued: protocol topics |

gibtia-get-suspicious-ip-tor-node-info#


Performs a Group-IB event lookup in the suspicious_ip/tor_node collection with the provided ID.

Base Command#

gibtia-get-suspicious-ip-tor-node-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | GIB event id, e.g. 109.70.100.46. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GIBTIA.SuspiciousIPTorNode.ipv4.asn | String | Tor node ASN |
| GIBTIA.SuspiciousIPTorNode.ipv4.countryName | String | Tor node IP country name |
| GIBTIA.SuspiciousIPTorNode.ipv4.ip | String | Tor node IP address |
| GIBTIA.SuspiciousIPTorNode.ipv4.region | String | Tor node IP region name |
| GIBTIA.SuspiciousIPTorNode.id | String | GIB id |
| GIBTIA.SuspiciousIPTorNode.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-suspicious-ip-tor-node-info id=109.70.100.46

Context Example#

{
"DBotScore": {
"Indicator": "11.11.11.11",
"Score": 1,
"Type": "ip",
"Vendor": "GIB TI&A"
},
"GIBTIA": {
"SuspiciousIPTorNode": {
"dateFirstSeen": "2020-09-03T14:15:25+00:00",
"dateLastSeen": "2021-04-25T03:15:29+00:00",
"evaluation": {
"admiraltyCode": "A1",
"credibility": 90,
"reliability": 90,
"severity": "green",
"tlp": "green",
"ttl": 30
},
"id": "11.11.11.11",
"ipv4": {
"asn": null,
"city": null,
"countryCode": null,
"countryName": null,
"ip": "11.11.11.11",
"provider": null,
"region": null
},
"nodes": [],
"portalLink": "https://bt.group-ib.com/suspicious/tor?searchValue=id:11.11.1.1",
"source": "some.ru"
}
},
"IP": {
"Address": "11.11.11.11"
}
}

Human Readable Output#

Feed from suspicious_ip/tor_node with ID 11.11.11.11#

| Field | Value |
|---|---|
| dateFirstSeen | 2020-09-03T14:15:25+00:00 |
| dateLastSeen | 2021-04-25T03:15:29+00:00 |
| evaluation admiraltyCode | A1 |
| evaluation credibility | 90 |
| evaluation reliability | 90 |
| evaluation severity | green |
| evaluation tlp | green |
| evaluation ttl | 30 |
| id | 11.11.11.11 |
| ipv4 ip | 11.11.11.11 |
| portalLink | https://bt.group-ib.com/suspicious/tor?searchValue=id:11.11.11.11 |
| source | some.ru |

IP indicator#

| gibid | severity | value |
|---|---|---|
| 11.11.11.11 | green | 11.11.11.11 |

gibtia-get-suspicious-ip-open-proxy-info#


Command performs a Group IB event lookup in the suspicious_ip/open_proxy collection by the provided ID.

Base Command#

gibtia-get-suspicious-ip-open-proxy-info

Input#

| Argument Name | Description | Required |
|---|---|---|
| id | GIB event id. e.g.: cc6a2856da2806b03839f81aa214f22dbcfd7369. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| GIBTIA.SuspiciousIPOpenProxy.ipv4.asn | String | Proxy ASN |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.countryName | String | Proxy IP country name |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.ip | String | Proxy IP address |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.region | String | Proxy IP region name |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.port | Number | Proxy port |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.source | String | Information source |
| GIBTIA.SuspiciousIPOpenProxy.ipv4.anonymous | String | Proxy anonymous level |
| GIBTIA.SuspiciousIPOpenProxy.id | String | GIB event ID |
| GIBTIA.SuspiciousIPOpenProxy.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-suspicious-ip-open-proxy-info id=cc6a2856da2806b03839f81aa214f22dbcfd7369

Context Example#

{
"DBotScore": {
"Indicator": "11.11.11.11",
"Score": 1,
"Type": "ip",
"Vendor": "GIB TI&A"
},
"GIBTIA": {
"SuspiciousIPOpenProxy": {
"anonymous": "11.11.11.11",
"dateDetected": "2021-01-21T11:01:02+00:00",
"dateFirstSeen": "2020-03-19T23:01:01+00:00",
"evaluation": {
"admiraltyCode": "C3",
"credibility": 50,
"reliability": 50,
"severity": "green",
"tlp": "white",
"ttl": 15
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "cc6a2856da2806b03839f81aa214f22dbcfd7369",
"ipv4": {
"asn": null,
"city": null,
"countryCode": "CZ",
"countryName": "Czech Republic",
"ip": "11.11.11.11",
"provider": "Some",
"region": null
},
"oldId": "241549215",
"port": 80,
"portalLink": "https://bt.group-ib.com/suspicious/proxies?searchValue=id:cc6a2856da2806b03839f81aa214f22dbcfd7369",
"source": "some.ru",
"stixGuid": "c30604ac-94d5-b514-f1d1-7230ec13c739",
"type": "http"
}
},
"IP": {
"Address": "11.11.11.11",
"Geo": {
"Country": "Czech Republic"
}
}
}

Human Readable Output#

Feed from suspicious_ip/open_proxy with ID cc6a2856da2806b03839f81aa214f22dbcfd7369#

| Field | Value |
|---|---|
| anonymous | 11.11.11.11 |
| dateDetected | 2021-01-21T11:01:02+00:00 |
| dateFirstSeen | 2020-03-19T23:01:01+00:00 |
| evaluation admiraltyCode | C3 |
| evaluation credibility | 50 |
| evaluation reliability | 50 |
| evaluation severity | green |
| evaluation tlp | white |
| evaluation ttl | 15 |
| id | cc6a2856da2806b03839f81aa214f22dbcfd7369 |
| ipv4 countryCode | CZ |
| ipv4 countryName | Czech Republic |
| ipv4 ip | 11.11.11.11 |
| ipv4 provider | Some |
| oldId | 241549215 |
| port | 80 |
| portalLink | https://bt.group-ib.com/suspicious/proxies?searchValue=id:cc6a2856da2806b03839f81aa214f22dbcfd7369 |
| source | some.ru |
| stixGuid | c30604ac-94d5-b514-f1d1-7230ec13c739 |
| type | http |

IP indicator#

| geocountry | gibid | gibproxyanonymous | gibproxyport | severity | source | value |
|---|---|---|---|---|---|---|
| Czech Republic | cc6a2856da2806b03839f81aa214f22dbcfd7369 | 11.11.11.11 | 80 | green | some.ru | 11.11.11.11 |

gibtia-get-suspicious-ip-socks-proxy-info#


Command performs a Group IB event lookup in the suspicious_ip/socks_proxy collection by the provided ID.

Base Command#

gibtia-get-suspicious-ip-socks-proxy-info

Input#

| Argument Name | Description | Required |
|---|---|---|
| id | GIB event id. e.g.: 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| GIBTIA.SuspiciousIPSocksProxy.ipv4.asn | String | Proxy IP ASN |
| GIBTIA.SuspiciousIPSocksProxy.ipv4.countryName | String | Proxy IP country name |
| GIBTIA.SuspiciousIPSocksProxy.ipv4.ip | String | Proxy IP address |
| GIBTIA.SuspiciousIPSocksProxy.ipv4.region | String | Proxy IP region name |
| GIBTIA.SuspiciousIPSocksProxy.id | String | GIB ID |
| GIBTIA.SuspiciousIPSocksProxy.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-suspicious-ip-socks-proxy-info id=02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e

Context Example#

{
"DBotScore": {
"Indicator": "11.11.11.11",
"Score": 1,
"Type": "ip",
"Vendor": "GIB TI&A"
},
"GIBTIA": {
"SuspiciousIPSocksProxy": {
"dateDetected": "2021-01-19T07:41:11+00:00",
"dateFirstSeen": "2021-01-19T07:41:11+00:00",
"dateLastSeen": "2021-02-23T20:58:51+00:00",
"evaluation": {
"admiraltyCode": "A1",
"credibility": 100,
"reliability": 90,
"severity": "green",
"tlp": "amber",
"ttl": 2
},
"favouriteForCompanies": [],
"hideForCompanies": [],
"id": "02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e",
"ipv4": {
"asn": "AS11111",
"city": null,
"countryCode": "LB",
"countryName": "Lebanon",
"ip": "11.11.11.11",
"provider": "Some",
"region": null
},
"oldId": "395880626",
"portalLink": "https://bt.group-ib.com/suspicious/socks?searchValue=id:02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e",
"source": "some.ru",
"stixGuid": "78cd5f78-e542-bf2c-fc40-e2a41b36dd97"
}
},
"IP": {
"ASN": "AS11111",
"Address": "11.11.11.11",
"Geo": {
"Country": "Lebanon"
}
}
}

Human Readable Output#

Feed from suspicious_ip/socks_proxy with ID 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e#

| Field | Value |
|---|---|
| dateDetected | 2021-01-19T07:41:11+00:00 |
| dateFirstSeen | 2021-01-19T07:41:11+00:00 |
| dateLastSeen | 2021-02-23T20:58:51+00:00 |
| evaluation admiraltyCode | A1 |
| evaluation credibility | 100 |
| evaluation reliability | 90 |
| evaluation severity | green |
| evaluation tlp | amber |
| evaluation ttl | 2 |
| id | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e |
| ipv4 asn | AS11111 |
| ipv4 countryCode | LB |
| ipv4 countryName | Lebanon |
| ipv4 ip | 11.11.11.11 |
| ipv4 provider | Some |
| oldId | 395880626 |
| portalLink | https://bt.group-ib.com/suspicious/socks?searchValue=id:02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e |
| source | awmproxy.com |
| stixGuid | 78cd5f78-e542-bf2c-fc40-e2a41b36dd97 |

IP indicator#

| asn | geocountry | gibid | severity | value |
|---|---|---|---|---|
| AS11111 | Lebanon | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | green | 11.11.11.11 |

gibtia-get-malware-targeted-malware-info#


Command performs a Group IB event lookup in the malware/targeted_malware collection by the provided ID.

Base Command#

gibtia-get-malware-targeted-malware-info

Input#

| Argument Name | Description | Required |
|---|---|---|
| id | GIB event id. e.g.: 5bbd38acf0b9e4f04123af494d485f6c49221e98. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| GIBTIA.TargetedMalware.date | Date | Date malware detected |
| GIBTIA.TargetedMalware.fileName | String | Malware file name |
| GIBTIA.TargetedMalware.fileType | String | Malware file type |
| GIBTIA.TargetedMalware.id | String | GIB internal incident ID |
| GIBTIA.TargetedMalware.injectDump | String | Inject dump |
| GIBTIA.TargetedMalware.injectMd5 | String | MD5 hash of injection dump |
| GIBTIA.TargetedMalware.malware.name | String | GIB internal malware ID |
| GIBTIA.TargetedMalware.md5 | String | MD5 hash of malware file |
| GIBTIA.TargetedMalware.sha1 | String | SHA1 hash of malware file |
| GIBTIA.TargetedMalware.sha256 | String | SHA256 hash of malware file |
| GIBTIA.TargetedMalware.size | Number | Malware size in bytes |
| GIBTIA.TargetedMalware.source | String | Malware source |
| GIBTIA.TargetedMalware.portalLink | String | GIB portal incident link |
| GIBTIA.TargetedMalware.threatActor.name | String | Related threat actor |
| GIBTIA.TargetedMalware.threatActor.id | String | GIB internal threat actor ID |
| GIBTIA.TargetedMalware.threatActor.isAPT | Boolean | Is threat actor APT |
| GIBTIA.TargetedMalware.evaluation.severity | String | Event severity |

Command Example#

!gibtia-get-malware-targeted-malware-info id=5bbd38acf0b9e4f04123af494d485f6c49221e98

Context Example#

{
"DBotScore": {
"Indicator": "11702f92313f5f3413d129809ca4f11d",
"Score": 3,
"Type": "file",
"Vendor": "GIB TI&A"
},
"File": {
"MD5": "11702f92313f5f3413d129809ca4f11d",
"Malicious": {
"Description": null,
"Vendor": "GIB TI&A"
},
"Name": "some.txt",
"SHA1": "93fce6228be5557c69d8eeeab5a5a2a643e7d411",
"SHA256": "630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b5011",
"Size": 208978
},
"GIBTIA": {
"TargetedMalware": {
"company": [
"some"
],
"companyId": [
-1,
38
],
"date": "2021-01-21T06:49:12+00:00",
"dateAnalyzeEnded": "2021-01-21T09:53:23+00:00",
"dateAnalyzeStarted": "2021-01-21T09:49:12+00:00",
"evaluation": {
"admiraltyCode": "A1",
"credibility": 100,
"reliability": 100,
"severity": "red",
"tlp": "red",
"ttl": null
},
"favouriteForCompanies": [],
"fileName": "some.txt",
"fileType": "data",
"fileVersion": null,
"hasReport": true,
"hideForCompanies": [],
"id": "5bbd38acf0b9e4f04123af494d485f6c49221e98",
"injectDump": "Big dump",
"injectMd5": "973cca2a0f04ced4cdb8128624d18de1",
"malware": {
"id": "b69fc9d439d2fd41e98a7e3c60b9a55340012eb6",
"name": "Cobalt Strike",
"stixGuid": null
},
"md5": "11702f92313f5f3413d129809ca4f11d",
"oldId": "396793259",
"portalLink": "https://bt.group-ib.com/targeted_malware/Cobalt Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show",
"sha1": "93fce6228be5557c69d8eeeab5a5a2a643e7d110",
"sha256": "630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001",
"size": 208978,
"source": "Sandbox service",
"stixGuid": "937a940c-8b51-0fd8-c16f-973529bc4dd7",
"threatActor": null
}
}
}

Human Readable Output#

Feed from malware/targeted_malware with ID 5bbd38acf0b9e4f04123af494d485f6c49221e98#

| Field | Value |
|---|---|
| company | some |
| companyId | -1, 38 |
| date | 2021-01-21T06:49:12+00:00 |
| dateAnalyzeEnded | 2021-01-21T09:53:23+00:00 |
| dateAnalyzeStarted | 2021-01-21T09:49:12+00:00 |
| evaluation admiraltyCode | A1 |
| evaluation credibility | 100 |
| evaluation reliability | 100 |
| evaluation severity | red |
| evaluation tlp | red |
| fileName | some.txt |
| fileType | data |
| hasReport | true |
| id | 5bbd38acf0b9e4f04123af494d485f6c49221e98 |
| injectDump | Big dump |
| injectMd5 | 973cca2a0f04ced4cdb8128624d18de1 |
| malware id | b69fc9d439d2fd41e98a7e3c60b9a55340012eb6 |
| malware name | Cobalt Strike |
| md5 | 11702f92313f5f3413d129809ca4f11d |
| oldId | 396793259 |
| portalLink | https://bt.group-ib.com/targeted_malware/Cobalt Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show |
| sha1 | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 |
| sha256 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 |
| size | 208978 |
| source | Sandbox service |
| stixGuid | 937a940c-8b51-0fd8-c16f-973529bc4dd7 |

File indicator#

| filetype | gibfilename | gibid | md5 | severity | sha1 | sha256 | size | value |
|---|---|---|---|---|---|---|---|---|
| data | some.txt | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | 11702f92313f5f3413d129809ca4f11d | red | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | 11702f92313f5f3413d129809ca4f11d |
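A playbook that pushes this File indicator to a blocklist or an EDR should check that the standard `File` context and `GIBTIA.TargetedMalware` describe the same sample before it does so: in the context example above the SHA-1 and SHA-256 under `File` differ from those under `GIBTIA.TargetedMalware`, while the MD5 and size agree. The following is an added example, not the integration's own code; it assumes only the context layout shown on this page, and the sample context is copied from that example (with the "consistent" variant constructed by hand).

```python
"""Consistency checks for a targeted_malware file indicator (added example, not
the integration's own code). Assumes the context layout on this page: a standard
`File` object next to `GIBTIA.TargetedMalware`, both carrying md5/sha1/sha256/size.
"""
import copy
import re
from typing import Any, Dict, List, Optional

# Hex-digit lengths for the three hash types the context carries.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
# (GIBTIA.TargetedMalware key, File key) pairs that must agree.
HASH_FIELDS = (("md5", "MD5"), ("sha1", "SHA1"), ("sha256", "SHA256"))


def check_targeted_malware(context: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the two views agree."""
    problems: List[str] = []
    tm = (context.get("GIBTIA") or {}).get("TargetedMalware") or {}
    file_ctx = context.get("File") or {}
    for tm_key, file_key in HASH_FIELDS:
        tm_val = tm.get(tm_key)
        if not isinstance(tm_val, str):
            problems.append(f"{tm_key}: missing in GIBTIA.TargetedMalware")
            continue
        if not HASH_PATTERNS[tm_key].match(tm_val.lower()):
            problems.append(f"{tm_key}: malformed value {tm_val!r}")
            continue
        file_val = file_ctx.get(file_key)
        if isinstance(file_val, str) and file_val.lower() != tm_val.lower():
            problems.append(
                f"{tm_key}: File.{file_key} ({file_val}) != "
                f"GIBTIA.TargetedMalware.{tm_key} ({tm_val})"
            )
    tm_size, file_size = tm.get("size"), file_ctx.get("Size")
    if tm_size is not None and file_size is not None and tm_size != file_size:
        problems.append(f"size: File.Size ({file_size}) != GIBTIA.TargetedMalware.size ({tm_size})")
    return problems


def build_file_indicator(context: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Build the record shown in the File indicator table, or None when checks fail.

    `value` is the MD5, as in that table; all hashes are lower-cased so that
    downstream comparisons are case-insensitive.
    """
    if check_targeted_malware(context):
        return None
    tm = context["GIBTIA"]["TargetedMalware"]
    return {
        "value": tm["md5"].lower(),
        "md5": tm["md5"].lower(),
        "sha1": tm["sha1"].lower(),
        "sha256": tm["sha256"].lower(),
        "size": tm.get("size"),
        "gibfilename": tm.get("fileName"),
        "gibid": tm.get("id"),
        "severity": (tm.get("evaluation") or {}).get("severity"),
        "malware": (tm.get("malware") or {}).get("name"),
    }


# Copied from the context example on this page (File and GIBTIA parts only).
PAGE_CONTEXT: Dict[str, Any] = {
    "File": {
        "MD5": "11702f92313f5f3413d129809ca4f11d",
        "SHA1": "93fce6228be5557c69d8eeeab5a5a2a643e7d411",
        "SHA256": "630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b5011",
        "Size": 208978,
    },
    "GIBTIA": {"TargetedMalware": {
        "id": "5bbd38acf0b9e4f04123af494d485f6c49221e98",
        "fileName": "some.txt",
        "evaluation": {"severity": "red"},
        "malware": {"name": "Cobalt Strike"},
        "md5": "11702f92313f5f3413d129809ca4f11d",
        "sha1": "93fce6228be5557c69d8eeeab5a5a2a643e7d110",
        "sha256": "630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001",
        "size": 208978,
    }},
}

# Constructed variant in which File carries the same hashes as GIBTIA.TargetedMalware.
CONSISTENT_CONTEXT: Dict[str, Any] = copy.deepcopy(PAGE_CONTEXT)
CONSISTENT_CONTEXT["File"]["SHA1"] = PAGE_CONTEXT["GIBTIA"]["TargetedMalware"]["sha1"]
CONSISTENT_CONTEXT["File"]["SHA256"] = PAGE_CONTEXT["GIBTIA"]["TargetedMalware"]["sha256"]

if __name__ == "__main__":
    for problem in check_targeted_malware(PAGE_CONTEXT):
        print("problem:", problem)
    print(build_file_indicator(CONSISTENT_CONTEXT))
```

Run against the page's example the check reports the SHA-1 and SHA-256 disagreement and `build_file_indicator` returns `None`; against the constructed consistent context it returns the indicator record.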

gibtia-get-malware-cnc-info#


Command performs a Group IB event lookup in the malware/cnc collection by the provided ID.

Base Command#

gibtia-get-malware-cnc-info

Input#

| Argument Name | Description | Required |
|---|---|---|
| id | GIB event id. e.g.: aeed277396e27e375d030a91533aa232444d0089. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| GIBTIA.MalwareCNC.dateDetected | Date | Date CNC detected |
| GIBTIA.MalwareCNC.dateLastSeen | Date | Date CNC last seen |
| GIBTIA.MalwareCNC.url | String | CNC URL |
| GIBTIA.MalwareCNC.domain | String | CNC domain |
| GIBTIA.MalwareCNC.ipv4.asn | String | CNC ASN |
| GIBTIA.MalwareCNC.ipv4.countryName | String | CNC IP country name |
| GIBTIA.MalwareCNC.ipv4.ip | String | CNC IP address |
| GIBTIA.MalwareCNC.ipv4.region | String | CNC region name |
| GIBTIA.MalwareCNC.malwareList.name | String | Associated malware |
| GIBTIA.MalwareCNC.threatActor.id | String | Associated threat actor ID |
| GIBTIA.MalwareCNC.threatActor.name | String | Associated threat actor |
| GIBTIA.MalwareCNC.threatActor.isAPT | Boolean | Is APT or not |
| GIBTIA.MalwareCNC.id | String | GIB event ID |

Command Example#

!gibtia-get-malware-cnc-info id=aeed277396e27e375d030a91533aa232444d0089

Context Example#

{
"DBotScore": [
{
"Indicator": "https://some.ru",
"Score": 0,
"Type": "url",
"Vendor": "GIB TI&A"
},
{
"Indicator": "some.ru",
"Score": 0,
"Type": "domain",
"Vendor": "GIB TI&A"
},
{
"Indicator": "11.11.11.11",
"Score": 0,
"Type": "ip",
"Vendor": "GIB TI&A"
}
],
"Domain": {
"Name": "some.ru"
},
"GIBTIA": {
"MalwareCNC": {
"cnc": "https://some.ru",
"dateDetected": "2021-04-25T13:37:23+00:00",
"dateLastSeen": "2021-04-25T13:37:23+00:00",
"domain": "some.ru",
"favouriteForCompanies": [],
"file": [],
"hideForCompanies": [],
"id": "aeed277396e27e375d030a91533aa232444d0089",
"ipv4": [
{
"asn": "AS1111",
"city": null,
"countryCode": "US",
"countryName": "United States",
"ip": "11.11.11.11",
"provider": "Some",
"region": null
}
],
"ipv6": [],
"malwareList": [
{
"id": "e99c294ffe7b79655d6ef1f32add638d8a2d4b24",
"name": "JS Sniffer - Poter",
"stixGuid": "1ac5a303-ef6f-2d6a-ad20-a39196815a1a"
}
],
"oldId": "211146923",
"platform": null,
"ssl": [],
"stixGuid": "417b2644-1105-d65b-4b67-a78e82f59b65",
"threatActor": null,
"url": "https://some.ru",
"vtAll": null,
"vtDetected": null
}
},
"IP": {
"ASN": "AS1111",
"Address": "11.11.11.11",
"Geo": {
"Country": "United States"
}
},
"URL": {
"Data": "https://some.ru"
}
}

Human Readable Output#

Feed from malware/cnc with ID aeed277396e27e375d030a91533aa232444d0089#

| Field | Value |
|---|---|
| cnc | https://some.ru |
| dateDetected | 2021-04-25T13:37:23+00:00 |
| dateLastSeen | 2021-04-25T13:37:23+00:00 |
| domain | some.ru |
| id | aeed277396e27e375d030a91533aa232444d0089 |
| oldId | 211146923 |
| stixGuid | 417b2644-1105-d65b-4b67-a78e82f59b65 |
| url | https://some.ru |

ipv4 table#

| asn | countryCode | countryName | ip | provider |
|---|---|---|---|---|
| AS1111 | US | United States | 11.11.11.11 | Some |

malwareList table#

| id | name | stixGuid |
|---|---|---|
| e99c294ffe7b79655d6ef1f32add638d8a2d4b24 | JS Sniffer - Poter | 1ac5a303-ef6f-2d6a-ad20-a39196815a1a |

URL indicator#

| gibid | value |
|---|---|
| aeed277396e27e375d030a91533aa232444d0089 | https://some.ru |

Domain indicator#

| gibid | value |
|---|---|
| aeed277396e27e375d030a91533aa232444d0089 | some.ru |

IP indicator#

| asn | geocountry | gibid | value |
|---|---|---|---|
| AS1111 | United States | aeed277396e27e375d030a91533aa232444d0089 | 11.11.11.11 |
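The context examples for the three suspicious_ip commands and for malware/cnc above differ in one detail that trips up automations: the suspicious_ip outputs carry a single `ipv4` object (with `asn`, `countryName` and friends possibly null, as in the tor_node example), while `MalwareCNC.ipv4` is a list. The following is an added example, not the integration's own code, that flattens all four into one record shape; it assumes only the context layouts shown on this page, the sample contexts are constructed from those examples, and the severity ordering (including an "orange" level that this page does not show) is an assumption.

```python
"""Flatten IP-bearing Group-IB context into uniform records (added example, not
the integration's own code). Assumes the context shapes shown on this page:
SuspiciousIPTorNode / SuspiciousIPOpenProxy / SuspiciousIPSocksProxy carry one
`ipv4` object, MalwareCNC carries a list under `ipv4`.
"""
from typing import Any, Dict, List

# Context keys whose `ipv4` field is a single object (one IP per event).
SINGLE_IP_KEYS = ("SuspiciousIPTorNode", "SuspiciousIPOpenProxy", "SuspiciousIPSocksProxy")
# Context keys whose `ipv4` field is a list (a C2 may resolve to several IPs).
MULTI_IP_KEYS = ("MalwareCNC",)
# Assumed ordering of severity strings; this page shows only "green" and "red",
# the "orange" middle level is an assumption.
SEVERITY_RANK = {"green": 1, "orange": 2, "red": 3}


def _ipv4_entries(value: Any) -> List[Dict[str, Any]]:
    """Normalise the ipv4 field to a list of dicts (accepts dict, list or null)."""
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [item for item in value if isinstance(item, dict)]
    return []


def extract_ip_records(context: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one record per IP found under GIBTIA.*, highest severity first.

    ipv4 blocks without an `ip` are skipped; asn and country may be None
    (the tor_node example on this page has them all null). MalwareCNC has no
    `evaluation` block in the page's example, so its severity is None.
    """
    gibtia = context.get("GIBTIA") or {}
    records: List[Dict[str, Any]] = []
    for key in SINGLE_IP_KEYS + MULTI_IP_KEYS:
        entry = gibtia.get(key)
        if not isinstance(entry, dict):
            continue
        severity = (entry.get("evaluation") or {}).get("severity")
        malware = [m.get("name") for m in entry.get("malwareList") or [] if isinstance(m, dict)]
        for ipv4 in _ipv4_entries(entry.get("ipv4")):
            ip = ipv4.get("ip")
            if not ip:
                continue
            records.append({
                "ip": ip,
                "asn": ipv4.get("asn"),
                "country": ipv4.get("countryName"),
                "collection": key,
                "gib_id": entry.get("id"),
                "severity": severity,
                "malware": malware,
            })
    # Python's sort is stable, so equal severities keep their collection order.
    records.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return records


# Constructed samples that mirror the context examples on this page.
SAMPLE_TOR_CONTEXT: Dict[str, Any] = {
    "GIBTIA": {"SuspiciousIPTorNode": {
        "id": "11.11.11.11",
        "evaluation": {"severity": "green"},
        "ipv4": {"asn": None, "countryName": None, "ip": "11.11.11.11"},
    }},
}
SAMPLE_CNC_CONTEXT: Dict[str, Any] = {
    "GIBTIA": {"MalwareCNC": {
        "id": "aeed277396e27e375d030a91533aa232444d0089",
        "ipv4": [{"asn": "AS1111", "countryName": "United States", "ip": "11.11.11.11"}],
        "malwareList": [{"name": "JS Sniffer - Poter"}],
        "threatActor": None,
    }},
}

if __name__ == "__main__":
    for record in extract_ip_records(SAMPLE_TOR_CONTEXT) + extract_ip_records(SAMPLE_CNC_CONTEXT):
        print(record)
```

Because the records share one shape, a single downstream step (a SIEM watchlist update, a firewall object, an enrichment task) can consume hits from any of the four commands without branching on the collection.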

gibtia-get-available-collections#


Returns the list of available collections.

Base Command#

gibtia-get-available-collections

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
|---|---|---|
| GIBTIA.OtherInfo.collections | String | List of available collections |

Command Example#

!gibtia-get-available-collections

Context Example#

{
"GIBTIA": {
"OtherInfo": {
"collections": [
"compromised/account",
"compromised/card",
"bp/phishing",
"bp/phishing_kit",
"osi/git_leak",
"osi/public_leak",
"malware/targeted_malware",
"compromised/mule",
"compromised/imei",
"attacks/ddos",
"attacks/deface",
"attacks/phishing",
"attacks/phishing_kit",
"apt/threat",
"hi/threat",
"suspicious_ip/tor_node",
"suspicious_ip/open_proxy",
"suspicious_ip/socks_proxy",
"malware/cnc",
"osi/vulnerability",
"hi/threat_actor",
"apt/threat_actor"
]
}
}
}

Human Readable Output#

Available collections#

collections
compromised/account,
compromised/card,
bp/phishing,
bp/phishing_kit,
osi/git_leak,
osi/public_leak,
malware/targeted_malware,
compromised/mule,
compromised/imei,
attacks/ddos,
attacks/deface,
attacks/phishing,
attacks/phishing_kit,
apt/threat,
hi/threat,
suspicious_ip/tor_node,
suspicious_ip/open_proxy,
suspicious_ip/socks_proxy,
malware/cnc,
osi/vulnerability,
hi/threat_actor,
apt/threat_actor

gibtia-global-search#


Command performs a global Group IB search across all collections.

Base Command#

gibtia-global-search

Input#

| Argument Name | Description | Required |
|---|---|---|
| query | Query you want to search. e.g.: 8.8.8.8. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| apiPath | String | Name of the collection in which matches were found |
| count | Number | Number of feeds matching this query |
| GIBLink | String | Link to the GIB TI&A interface |

Command Example#

!gibtia-global-search query=100.100.100.100

Context Example#

{
"GIBTIA": {
"search": {
"global": [
{
"GIBLink": null,
"apiPath": "compromised/account",
"count": 14,
"query": "compromised/account?q=100.100.100.100"
},
{
"GIBLink": "https://bt.group-ib.com/attacks/phishing?searchValue=100.100.100.100&q=100.100.100.100",
"apiPath": "attacks/phishing",
"count": 1,
"query": "attacks/phishing?q=100.100.100.100"
},
{
"GIBLink": null,
"apiPath": "bp/phishing",
"count": 1,
"query": "bp/phishing?q=100.100.100.100"
},
{
"GIBLink": "https://bt.group-ib.com/osi/git_leaks?searchValue=100.100.100.100&q=100.100.100.100",
"apiPath": "osi/git_leak",
"count": 5,
"query": "osi/git_leak?q=100.100.100.100"
},
{
"GIBLink": "https://bt.group-ib.com/osi/public_leak?searchValue=100.100.100.100&q=100.100.100.100",
"apiPath": "osi/public_leak",
"count": 23,
"query": "osi/public_leak?q=100.100.100.100"
}
]
}
}
}

Human Readable Output#

Search results#

| apiPath | count | GIBLink |
|---|---|---|
| compromised/account | 14 | |
| attacks/phishing | 1 | https://bt.group-ib.com/attacks/phishing?searchValue=100.100.100.100&q=100.100.100.100 |
| bp/phishing | 1 | |
| osi/git_leak | 5 | https://bt.group-ib.com/osi/git_leaks?searchValue=100.100.100.100&q=100.100.100.100 |
| osi/public_leak | 23 | https://bt.group-ib.com/osi/public_leak?searchValue=100.100.100.100&q=100.100.100.100 |

gibtia-local-search#


Command performs a Group IB search in the selected collection.

Base Command#

gibtia-local-search

Input#

| Argument Name | Description | Required |
|---|---|---|
| collection_name | Collection you want to search. Possible values are: compromised/account, compromised/card, compromised/mule, compromised/imei, attacks/ddos, attacks/deface, attacks/phishing, attacks/phishing_kit, bp/phishing, bp/phishing_kit, hi/threat, hi/threat_actor, apt/threat, apt/threat_actor, osi/git_leak, osi/vulnerability, osi/public_leak, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, malware/cnc, malware/targeted_malware. | Required |
| query | Query you want to search. e.g.: 8.8.8.8. | Required |
| date_from | Start date of search session. | Optional |
| date_to | End date of search session. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| id | String | ID of a feed that matches the query |
| additional_info | String | Additional info about the feed |

Command Example#

!gibtia-local-search collection_name=attacks/phishing query=100.100.100.100

Context Example#

{
"GIBTIA": {
"search": {
"local": {
"additional_info": "phishingDomain_domain: some.ru",
"id": "8bd7e5cef2290b0c3f04bf283586406dceffe25d"
}
}
}
}

Human Readable Output#

Search results#

| id | additional_info |
|---|---|
| 8bd7e5cef2290b0c3f04bf283586406dceffe25d | phishingDomain_domain: some.ru |
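The usual pivot is to run `gibtia-global-search` once, then `gibtia-local-search` only in the collections that reported hits. The following is an added example, not the integration's own code: it turns the global-search context above into local-search command lines, skips collections with zero hits, orders them by hit count, and refuses collection names outside the `collection_name` list documented for `gibtia-local-search`, so a playbook fails early instead of issuing a command the integration rejects. It assumes the context shape shown on this page (`apiPath`, `count`, `GIBLink`); the sample hits are constructed from that example, and the quoting rule for values containing spaces is an assumption about the XSOAR CLI.

```python
"""Pivot from gibtia-global-search hits to gibtia-local-search commands (added
example, not the integration's own code). Assumes the global-search context
shape on this page and the collection_name values its local-search table lists.
"""
from typing import Any, Dict, List, Optional

# The collection_name values documented for gibtia-local-search on this page.
ALLOWED_COLLECTIONS = frozenset({
    "compromised/account", "compromised/card", "compromised/mule", "compromised/imei",
    "attacks/ddos", "attacks/deface", "attacks/phishing", "attacks/phishing_kit",
    "bp/phishing", "bp/phishing_kit", "hi/threat", "hi/threat_actor",
    "apt/threat", "apt/threat_actor", "osi/git_leak", "osi/vulnerability",
    "osi/public_leak", "suspicious_ip/tor_node", "suspicious_ip/open_proxy",
    "suspicious_ip/socks_proxy", "malware/cnc", "malware/targeted_malware",
})


def _quote(value: str) -> str:
    """Wrap a CLI argument value in double quotes when it contains whitespace or quotes.

    The quoting rule is an assumption about the XSOAR CLI, not taken from this page.
    """
    if any(ch.isspace() for ch in value) or '"' in value:
        return '"' + value.replace('"', '\\"') + '"'
    return value


def plan_local_searches(
    global_hits: List[Dict[str, Any]],
    query: str,
    date_from: Optional[str] = None,
    date_to: Optional[str] = None,
) -> List[str]:
    """Return one gibtia-local-search command per collection with hits, most hits first.

    Raises ValueError for a collection gibtia-local-search does not accept.
    """
    selected = []
    for hit in global_hits:
        count = hit.get("count") or 0
        if count <= 0:
            continue
        collection = hit.get("apiPath")
        if collection not in ALLOWED_COLLECTIONS:
            raise ValueError(f"unsupported collection_name: {collection!r}")
        selected.append((count, collection))
    # Stable sort: collections with equal counts keep the order the API returned.
    selected.sort(key=lambda item: item[0], reverse=True)
    commands = []
    for _count, collection in selected:
        args = [f"collection_name={collection}", f"query={_quote(query)}"]
        if date_from:
            args.append(f"date_from={date_from}")
        if date_to:
            args.append(f"date_to={date_to}")
        commands.append("!gibtia-local-search " + " ".join(args))
    return commands


# Constructed from the gibtia-global-search context example on this page.
SAMPLE_GLOBAL_HITS: List[Dict[str, Any]] = [
    {"GIBLink": None, "apiPath": "compromised/account", "count": 14},
    {"GIBLink": "https://bt.group-ib.com/attacks/phishing?searchValue=100.100.100.100&q=100.100.100.100",
     "apiPath": "attacks/phishing", "count": 1},
    {"GIBLink": None, "apiPath": "bp/phishing", "count": 1},
    {"GIBLink": "https://bt.group-ib.com/osi/git_leaks?searchValue=100.100.100.100&q=100.100.100.100",
     "apiPath": "osi/git_leak", "count": 5},
    {"GIBLink": "https://bt.group-ib.com/osi/public_leak?searchValue=100.100.100.100&q=100.100.100.100",
     "apiPath": "osi/public_leak", "count": 23},
]

if __name__ == "__main__":
    for command in plan_local_searches(SAMPLE_GLOBAL_HITS, "100.100.100.100"):
        print(command)
```

For the sample above the first command produced is the `osi/public_leak` search (23 hits), and the two collections with a single hit keep the order in which the global search returned them.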