
Stairwell Inception

This integration is part of the Stairwell Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Use the Stairwell Inception integration to enrich data in XSOAR using Stairwell's knowledge and perform automated variant discovery.

Not a customer and interested in signing up? You can request access here.

Generate the required API key

Follow these steps for a self-deployed configuration.

  1. Log in to the Inception web UI and generate an API/CLI token.
  2. Copy the API token; you will need it when configuring the integration.

Configure Stairwell Inception in Cortex

| Parameter | Required |
| --- | --- |
| API Key | True |
| Use system proxy settings | False |
| Trust any certificate (not secure) | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

inception-file-enrichment

Enrich a file by its hash (MD5, SHA1, or SHA256) with Stairwell's knowledge.

Base Command

```
inception-file-enrichment
```

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fileHash | File hash (MD5, SHA1, SHA256) to look up. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Inception.File_Details | Dict | Raw JSON output from the API |

Command Example

```
!inception-file-enrichment fileHash=9fe1ac46f0cdebf03156a6232d771c14559f8daf
```

Context Example

```json
{
  "inception": {
    "file_details": {
      "type": "file",
      "id": "e7762f90024c5366807c7c145d3456f0ac3be086c0ec3557427d3c2c10a2052d",
      "links": {
        "self": "/api/v3/files/e7762f90024c5366807c7c145d3456f0ac3be086c0ec3557427d3c2c10a2052d"
      },
      "data": {
        "attributes": {
          "md5": "00ddbafe247c891eed36bd74f66f936b",
          "sha1": "9fe1ac46f0cdebf03156a6232d771c14559f8daf",
          "sha256": "e7762f90024c5366807c7c145d3456f0ac3be086c0ec3557427d3c2c10a2052d",
          "size": 118024,
          "creation_date": 1653722032,
          "last_analysis_results": {
            "ClamAV": {
              "category": "undetected",
              "engine_name": "ClamAV",
              "result": "undetected"
            },
            "Engine2": {
              "category": "malicious",
              "engine_name": "Engine2",
              "result": "Trojan/Win.Hermeticwiper"
            }
          },
          "last_analysis_stats": {
            "harmless": 1,
            "malicious": 1
          },
          "names": [
            "C:\\GimmeCreds.dll"
          ],
          "meaningful_name": "C:\\GimmeCreds.dll",
          "type_description": "EXE",
          "crowdsourced_yara_results": [
            {
              "rule_name": "wiper_HermeticWiper"
            },
            {
              "rule_name": "MAL_HERMETIC_WIPER"
            }
          ],
          "inception": {
            "environments": [
              {
                "environment_id": {
                  "id": "AAAAAA-BBBBBB-CCCCCC-DDDDDDD"
                }
              }
            ],
            "assets": [
              {
                "asset_id": {
                  "id": "DDDDDD-CCCCCC-BBBBBB-AAAAAAA"
                },
                "name": "WORKGROUP\\IDABEAR"
              }
            ]
          },
          "magic": "EXE",
          "imphash": "fe4a2284122da348258c83ef437fbd7b",
          "ssdeep": "1536:WBOoa7Nn54urilmw9BgjKu1sPPxaS4NOyqC:WBOoa7P4xlPwV16PkS4NVqC"
        }
      }
    }
  }
}
```

Human Readable Output

Stairwell Inception

MD5: 00ddbafe247c891eed36bd74f66f936b
SHA256: e7762f90024c5366807c7c145d3456f0ac3be086c0ec3557427d3c2c10a2052d
Seen Assets: 1
Matching YARA Intel: wiper_HermeticWiper, MAL_HERMETIC_WIPER

AV Scanning Results

| Engine Name | Result |
| --- | --- |
| ClamAV | undetected |
| Engine2 | Trojan/Win.Hermeticwiper |

inception-variant-discovery

Hunt for variants of a file, identified by SHA256, across all files you have access to, including your environments and Stairwell's malware feeds.

Base Command

```
inception-variant-discovery
```

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256 | SHA256 of the file to hunt for variants of. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Inception.Variants | Dict | Raw JSON output from the API |

Command Example

```
!inception-variant-discovery sha256=30e27357b7b773b226d4ee638e17b19b954226d197b0781822859269a5c22b4d
```

Context Example

```json
{
  "inception": {
    "variants": {
      "name": "variants/30e27357b7b773b226d4ee638e17b19b954226d197b0781822859269a5c22b4d",
      "variants": [
        {
          "similarity": 1,
          "sha256": "e1a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a14"
        },
        {
          "similarity": 0.9875,
          "sha256": "d2a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a12"
        }
      ],
      "variant_count": 2,
      "original_object": "30e27357b7b773b226d4ee638e17b19b954226d197b0781822859269a5c22b4d"
    }
  }
}
```

Human Readable Output

File Variants Discovered

| sha256 | similarity |
| --- | --- |
| e1a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a14 | 1 |
| d2a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a12 | 0.9875 |
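The two commands above leave raw API JSON in context; the next step in a playbook is usually an automation that turns it into fields a decision can hang on. The following is an added example, not code from the Stairwell pack, showing how such an automation would derive the human-readable fields (seen assets, matching YARA rules, flagging engines) from `Inception.File_Details` and pick hunt candidates from `Inception.Variants` by a similarity threshold. The sample inputs are constructed from the context examples on this page, and the verdict rule is an assumption of this example.

```python
from typing import Any

# Constructed sample, trimmed from the page's inception-file-enrichment context example.
FILE_CTX: dict[str, Any] = {
    "data": {"attributes": {
        "md5": "00ddbafe247c891eed36bd74f66f936b",
        "sha256": "e7762f90024c5366807c7c145d3456f0ac3be086c0ec3557427d3c2c10a2052d",
        "last_analysis_results": {
            "ClamAV": {"category": "undetected", "result": "undetected"},
            "Engine2": {"category": "malicious", "result": "Trojan/Win.Hermeticwiper"},
        },
        "crowdsourced_yara_results": [
            {"rule_name": "wiper_HermeticWiper"}, {"rule_name": "MAL_HERMETIC_WIPER"},
        ],
        "inception": {"assets": [{"asset_id": {"id": "DDDDDD-CCCCCC-BBBBBB-AAAAAAA"},
                                  "name": "WORKGROUP\\IDABEAR"}]},
    }}
}

# Constructed sample matching the page's inception-variant-discovery context example.
VARIANT_CTX: dict[str, Any] = {
    "variants": [
        {"similarity": 1, "sha256": "e1a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a14"},
        {"similarity": 0.9875, "sha256": "d2a00d8923bac6f863c262236f15eb60d80571f8b31e7220c4b2912fae7e9a12"},
    ],
    "variant_count": 2,
    "original_object": "30e27357b7b773b226d4ee638e17b19b954226d197b0781822859269a5c22b4d",
}


def summarize_file(ctx: dict[str, Any]) -> dict[str, Any]:
    """Reduce Inception.File_Details to the fields an analyst or playbook acts on."""
    attrs = ctx.get("data", {}).get("attributes", {})
    engines = attrs.get("last_analysis_results", {})
    flagged = sorted(n for n, r in engines.items() if r.get("category") == "malicious")
    yara = [y["rule_name"] for y in attrs.get("crowdsourced_yara_results", []) if "rule_name" in y]
    assets = attrs.get("inception", {}).get("assets", [])
    # Verdict rule (assumption of this example): any flagging engine -> malicious,
    # YARA-only match -> suspicious, otherwise unknown.
    verdict = "malicious" if flagged else ("suspicious" if yara else "unknown")
    return {"md5": attrs.get("md5"), "sha256": attrs.get("sha256"),
            "seen_assets": len(assets), "asset_names": sorted(a.get("name", "") for a in assets),
            "yara_rules": yara, "malicious_engines": flagged, "verdict": verdict}


def select_variants(ctx: dict[str, Any], min_similarity: float = 0.9) -> list[str]:
    """Return variant SHA256s at or above the threshold, excluding the queried file itself."""
    original = ctx.get("original_object")
    return [v["sha256"] for v in ctx.get("variants", [])
            if v.get("sha256") != original and float(v.get("similarity", 0)) >= min_similarity]
```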