Blueliv ThreatContext

The Threat Context module provides SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information about threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. This integration was integrated and tested with version xx of Blueliv ThreatContext.

Configure Blueliv ThreatContext on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Blueliv ThreatContext.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://demisto.blueliv.com/api/v2) | False |
| credentials | Username | False |
| unsecure | Trust any certificate (not secure) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

blueliv-authenticate

Authenticates and gets the API token.

Base Command

blueliv-authenticate

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| token | string | Authentication token |

Command Example

!blueliv-authenticate

Context Example

{}

Human Readable Output

981bfb934723091e606c0e35998217bdcafc8697d1a6d0911ff5b2fedb5a16c

blueliv-tc-malware

Gets information about malware by ID or file hash.

Base Command

blueliv-tc-malware

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash_id | Blueliv's internal malware hash ID | Optional |
| hash | Malware file hash to search for | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| malware.hash.sha256 | Unknown | File SHA256 |
| malware.hash.sha1 | Unknown | File SHA1 |
| malware.hash.md5 | Unknown | File MD5 |
| malware.type | Unknown | Malware type |
| malware.hasCandC | Unknown | Whether a C&C is associated with the malware |
| malware.memory | Unknown | Malware memory |
| malware.procMemory | Unknown | Malware process memory |
| malware.analysisStatus | Unknown | Malware analysis status |
| malware.dropped | Unknown | Malware dropped files |
| malware.buffers | Unknown | Malware buffers |
| malware.hasNetwork | Unknown | Whether the malware has network information |
| malware.risk | Unknown | Malware associated risk |
| malware.campaigns | Unknown | Malware related campaigns |
| malware.campaignIds | Unknown | Malware related campaigns internal IDs |
| malware.signatures | Unknown | Malware signatures |
| malware.signatureIds | Unknown | Malware signatures internal IDs |
| malware.threatActors | Unknown | Malware threat actors |
| malware.threatActorIds | Unknown | Malware threat actors internal IDs |
| malware.sources | Unknown | Malware sources |
| malware.sourceIds | Unknown | Malware sources internal IDs |
| malware.tags | Unknown | Malware tags |
| malware.tagIds | Unknown | Malware tags internal IDs |
| malware.crimeServers | Unknown | Malware related crime servers |
| malware.crimeServerIds | Unknown | Malware crime servers internal IDs |
| malware.fqdns | Unknown | Malware FQDNs |
| malware.fqdnIds | Unknown | Malware FQDNs internal IDs |
| malware.types | Unknown | Malware types |
| malware.typeIds | Unknown | Malware types internal IDs |
| malware.sparks | Unknown | Malware sparks |
| malware.sparkIds | Unknown | Malware sparks internal IDs |
| malware.ips | Unknown | Malware IPs |
| malware.ipIds | Unknown | Malware IPs internal IDs |

Command Example

!blueliv-tc-malware hash=ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1

Context Example

{
"malware": {
"analysisStatus": "FINISHED_SUCCESSFULLY",
"buffers": false,
"campaignIds": "",
"campaigns": 0,
"crimeServers": 0,
"crimeserverIds": "",
"dropped": false,
"fileType": "PE",
"fqdnIds": "",
"fqdns": 0,
"hasCandC": false,
"hasNetwork": true,
"hash": {
"md5": "36a40cc55e2ffe7d44d007c6e37afd7f",
"sha1": "5c0be68316ce77584a7b966ff40e7d61a8a98055",
"sha256": "ad53660b6d7e8d2ed14bd59b39e1f265148e3c6818a494cce906e749976bade1"
},
"ipIds": "92269700,100333500,",
"ips": 2,
"memory": false,
"procMemory": false,
"risk": 7,
"signatureIds": "",
"signatures": 0,
"sourceIds": "1958672,",
"sources": 1,
"sparkIds": "",
"sparks": 0,
"tagIds": "",
"tags": 0,
"threatActorIds": "",
"threatActors": 0,
"typeIds": "62,",
"types": 1
},
"threatContext": {
"hasResults": "true"
}
}

Human Readable Output

Blueliv Malware file info


blueliv-tc-indicator-ip

Gets information about an IP.

Base Command

blueliv-tc-indicator-ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| IP_id | Blueliv's internal IP ID | Required |
| IP | IP to search | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| indicator.lastSeen | Unknown | Indicator last seen |
| indicator.risk | Unknown | Indicator risk |
| indicator.latitude | Unknown | Indicator latitude |
| indicator.longitude | Unknown | Indicator longitude |
| indicator.countryId | Unknown | Indicator country internal ID |
| indicator.campaigns | Unknown | Indicator campaigns |
| indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
| indicator.signatures | Unknown | Indicator signatures |
| indicator.signatureIds | Unknown | Indicator signatures internal IDs |
| indicator.threatActors | Unknown | Indicator threat actors |
| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
| indicator.tags | Unknown | Indicator tags |
| indicator.tagIds | Unknown | Indicator tags internal IDs |
| indicator.fqdns | Unknown | Indicator FQDNs |
| indicator.fqdnIds | Unknown | Indicator FQDNs internal IDs |
| indicator.sparks | Unknown | Indicator sparks |
| indicator.sparkIds | Unknown | Indicator sparks internal IDs |
| indicator.bots | Unknown | Indicator bots |
| indicator.botIds | Unknown | Indicator bots internal IDs |

Command Example

!blueliv-tc-indicator-ip IP="103.76.228.28"

Context Example

```json
{
    "indicator": {
        "botIds": "",
        "bots": 0,
        "campaignIds": "",
        "campaigns": 0,
        "countryId": "103",
        "fqdnIds": "",
        "fqdns": 0,
        "lastSeen": "2020-06-15T18:25:00Z",
        "latitude": "20.0",
        "longitude": "77.0",
        "risk": "4.0",
        "signatureIds": "",
        "signatures": 0,
        "sparkIds": "",
        "sparks": 0,
        "tagIds": "",
        "tags": 0,
        "threatActorIds": "",
        "threatActors": 0
    },
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv IP info

Columns: address, asn_number, asn_owner, at_afapi, created_at, created_at_afapi, first_seen, history_link, id, ioc_link, last_risk_scoring, last_seen, latitude, links, longitude, passive_dns_link, risk, slugs_tags, tlp, type, updated_at, updated_at_afapi, virus_total_link, whois_link

Values: 103.76.228.28 | 394695 | PDR | false | 2019-05-03T09:57:46.834135Z | 2019-04-11T04:12:09.830000Z | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/history/ | 70236228 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ioc/ | 2020-06-15T15:17:47.624936Z | 2020-06-15T18:25:00Z | 20.0 | self: https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/ | 77.0 | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/passive-dns/ | 4.0 | amber | IP | 2020-06-15T16:44:49.623167Z | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/virus-total/ | https://tctrustoylo.blueliv.com/api/v1/ip/103.76.228.28/enrichment/whois/

blueliv-tc-cve


Gets information about a CVE

Base Command

blueliv-tc-cve

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| CVE | CVE to search | Optional |
| CVE_id | Internal Blueliv's CVE ID | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| cve.name | Unknown | CVE name |
| cve.description | Unknown | CVE description |
| cve.updatedAt | Unknown | CVE updated at |
| cve.score | Unknown | CVE score |
| cve.attackPatterns | Unknown | CVE attack patterns |
| cve.attackPatternIds | Unknown | CVE attack patterns internal IDs |
| cve.signatures | Unknown | CVE signatures |
| cve.signatureIds | Unknown | CVE signatures internal IDs |
| cve.tags | Unknown | CVE tags |
| cve.tagIds | Unknown | CVE tags internal IDs |
| cve.crimeServers | Unknown | CVE crime servers |
| cve.crimeServerIds | Unknown | CVE crime servers internal IDs |
| cve.sparks | Unknown | CVE sparks |
| cve.sparkIds | Unknown | CVE sparks internal IDs |
| cve.malware | Unknown | CVE malware |
| cve.malwareIds | Unknown | CVE malware internal IDs |
| cve.exploits | Unknown | CVE exploits |
| cve.platforms | Unknown | CVE platforms |

Command Example

!blueliv-tc-cve CVE="CVE-2020-8794"

Context Example

{}

Human Readable Output

{"apiId": "THIAPP", "url": "/api/v1/cve/CVE-2020-8794/relationships/attack-pattern/", "requestType": "GET"}

blueliv-tc-indicator-fqdn


Gets information about an FQDN

Base Command

blueliv-tc-indicator-fqdn

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| FQDN_id | Internal Blueliv's FQDN ID | Optional |
| FQDN | FQDN to search | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| indicator.lastSeen | Unknown | Indicator last seen |
| indicator.risk | Unknown | Indicator risk |
| indicator.campaigns | Unknown | Indicator campaigns |
| indicator.campaignIds | Unknown | Indicator campaigns internal IDs |
| indicator.signatures | Unknown | Indicator signatures |
| indicator.signatureIds | Unknown | Indicator signatures internal IDs |
| indicator.threatActors | Unknown | Indicator threat actors |
| indicator.threatActorIds | Unknown | Indicator threat actors internal IDs |
| indicator.tags | Unknown | Indicator tags |
| indicator.tagIds | Unknown | Indicator tags internal IDs |
| indicator.crimeServers | Unknown | Indicator crime servers |
| indicator.crimeServerIds | Unknown | Indicator crime servers internal IDs |
| indicator.sparks | Unknown | Indicator sparks |
| indicator.sparkIds | Unknown | Indicator sparks internal IDs |
| indicator.ips | Unknown | Indicator IPs |
| indicator.ipIds | Unknown | Indicator IPs internal IDs |

Command Example

!blueliv-tc-indicator-fqdn FQDN="self-repair.r53-2.services.mozilla.com"

Context Example

```json
{
    "indicator": {
        "campaignIds": "",
        "campaigns": 0,
        "crimeServerIds": "",
        "crimeServers": 0,
        "ipIds": "",
        "ips": 0,
        "lastSeen": "2018-08-07T22:40:47.580489Z",
        "risk": "2.5",
        "signatureIds": "",
        "signatures": 0,
        "sparkIds": "",
        "sparks": 0,
        "tagids": "",
        "tags": 0,
        "threatActorIds": "",
        "threatActors": 0
    },
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv FQDN info

active_dns_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/dns/
created_at: 2018-08-07T22:40:47.580640Z
domain: anad.ir
first_seen: 2018-08-07T22:40:47.580479Z
history_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/history/
id: 5783871
ioc_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/ioc/
last_risk_scoring: 2020-06-15T17:25:37.498738Z
last_seen: 2018-08-07T22:40:47.580489Z
links: self: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/
passive_dns_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/passive-dns/
risk: 2.5
slugs_tags:
tlp: white
type: FQDN
updated_at: 2020-06-15T17:25:37.499246Z
virus_total_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/virus-total/
whois_link: https://tctrustoylo.blueliv.com/api/v1/fqdn/anad.ir/enrichment/whois/

blueliv-tc-indicator-cs


Gets information about a Crime Server

Base Command

blueliv-tc-indicator-cs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| CS_id | Internal Blueliv's Crime Server ID | Required |
| CS | The name of the Crime Server to search | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| indicator.lastSeen | Unknown | Indicator last seen |
| indicator.status | Unknown | Indicator status |
| indicator.risk | Unknown | Indicator risk |
| indicator.isFalsePositive | Unknown | Indicator is a false positive |
| indicator.crimeServerUrl | Unknown | Indicator crime server URL |
| indicator.creditCardsCount | Unknown | Indicator credit cards count |
| indicator.credentialsCount | Unknown | Indicator credentials count |
| indicator.botsCount | Unknown | Indicator bots count |
| indicator.fqdnId | Unknown | Indicator FQDN internal ID |
| indicator.malware | Unknown | Indicator malware |
| indicator.malwareIds | Unknown | Indicator malware internal IDs |
| indicator.tags | Unknown | Indicator tags |
| indicator.tagIds | Unknown | Indicator tags internal IDs |
| indicator.sparks | Unknown | Indicator sparks |
| indicator.sparkIds | Unknown | Indicator sparks internal IDs |

Command Example

!blueliv-tc-indicator-cs CS_id=6626263

Context Example

```json
{
    "indicator": {
        "botsCount": "0",
        "credentialsCount": "0",
        "creditCardsCount": "0",
        "crimeServerUrl": "http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php",
        "fqdnId": "9633658",
        "isFalsePositive": "False",
        "lastSeen": "2020-06-15T16:46:06.170000Z",
        "malware": 0,
        "malwareIds": "",
        "risk": "4.0",
        "sourceIds": "642676,",
        "sources": 1,
        "sparkIds": "",
        "sparks": 0,
        "status": "online",
        "tagIds": "",
        "tags": 0
    },
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv Crime Server info

Columns: at_feed, at_free_feed, bots_count, confidence, created_at, created_at_afapi, credentials_count, credit_cards_count, crime_server_url, false_positive_modification_time, first_seen, id, ioc_link, is_false_positive, last_log_timestamp, last_risk_scoring, last_seen, links, main_type, risk, scans_link, service_scans, slugs_tags, status, subtype_name, target_status, tlp, type, updated_at, updated_at_afapi

Values: true | true | 0 | 1 | 2020-06-15T17:02:40.327300Z | 2020-06-15T16:46:06.119000Z | 0 | 0 | http://saveback.xyz/asdfgh35546fhwJYGvdfgsadsg/login.php | 2020-06-15T17:02:38.524874Z | 2020-06-15T16:44:25Z | 6626263 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ioc/ | false | 2020-06-15T17:14:36.146566Z | 2020-06-15T16:46:06.170000Z | self: https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/ | c_and_c | 4.0 | https://tctrustoylo.blueliv.com/api/v1/crime-server/6626263/enrichment/scans/ | online | ANUBIS | amber | CrimeServer | 2020-06-15T17:14:36.149943Z | 2020-06-15T16:46:06.170000Z

blueliv-tc-threat-actor


Gets information about a Threat Actor

Base Command

blueliv-tc-threat-actor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threatActor | Threat Actor to search | Optional |
| threatActor_id | Internal Blueliv's Threat Actor ID | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| threatActor.name | Unknown | Threat actor name |
| threatActor.description | Unknown | Threat actor description |
| threatActor.objective | Unknown | Threat actor objective |
| threatActor.sophistication | Unknown | Threat actor sophistication |
| threatActor.lastSeen | Unknown | Threat actor last seen |
| threatActor.active | Unknown | Threat actor active |
| threatActor.milestones | Unknown | Threat actor milestones |
| threatActor.milestoneIds | Unknown | Threat actor milestones internal IDs |
| threatActor.tools | Unknown | Threat actor tools |
| threatActor.toolIds | Unknown | Threat actor tools internal IDs |
| threatActor.campaigns | Unknown | Threat actor campaigns |
| threatActor.campaignIds | Unknown | Threat actor campaigns internal IDs |
| threatActor.signatures | Unknown | Threat actor signatures |
| threatActor.signatureIds | Unknown | Threat actor signatures internal IDs |
| threatActor.onlineServices | Unknown | Threat actor online services |
| threatActor.onlineServiceIds | Unknown | Threat actor online services internal IDs |
| threatActor.malware | Unknown | Threat actor malware |
| threatActor.malwareIds | Unknown | Threat actor malware internal IDs |
| threatActor.threatTypes | Unknown | Threat actor threat types |
| threatActor.threatTypeIds | Unknown | Threat actor threat types internal IDs |
| threatActor.fqdns | Unknown | Threat actor FQDNs |
| threatActor.fqdnIds | Unknown | Threat actor FQDNs internal IDs |
| threatActor.attackPatterns | Unknown | Threat actor attack patterns |
| threatActor.attackPatternIds | Unknown | Threat actor attack patterns internal IDs |
| threatActor.ips | Unknown | Threat actor IPs |
| threatActor.ipIds | Unknown | Threat actor IPs internal IDs |
| threatActor.targets | Unknown | Threat actor targets |
| threatActor.targetIds | Unknown | Threat actor targets internal IDs |

Command Example

!blueliv-tc-threat-actor threatActor=Vendetta

Context Example

```json
{
    "threatAactor": {
        "onlineServices": 0,
        "threatTypes": 0
    },
    "threatActor": {
        "active": "True",
        "attackPatternIds": "511,529,603,613,703,705,735,",
        "attackPatterns": 7,
        "campaignIds": "",
        "campaigns": 0,
        "description": "<h5>Key Points</h5>\n\n<ul>\n\t<li>\n\t<p>Vendetta is a threat actor based on Italy or Turkey discovered in April 2020&nbsp;that seeks to steal targeted business intelligence.</p>\n\t</li>\n\t<li>\n\t<p>Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.</p>\n\t</li>\n\t<li>The threat actor uses social engineering techniques to infect the victims with a RAT.</li>\n</ul>\n\n<h5>Assessment</h5>\n\n<p>Vendetta is a Threat Actor that became active on April 2020, and was discovered by&nbsp;360 Baize Lab. The name comes from a PDB path found in one of the samples:</p>\n\n<div style=\"background:#eeeeee; border:1px solid #cccccc; padding:5px 10px\">C:\\Users\\<strong>Vendetta</strong>\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb</div>\n\n<p>Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text &quot;Developers from Italy&quot; which indicates the threat actor may be Italian, but these also contain&nbsp;Turkish names in variables&nbsp;like RoboSky suggest they could actually be from Turkey.</p>\n\n<p>Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as&nbsp;Australian Government Department of Health,&nbsp;Austrian Federal Ministry of the Interior (BMI), or the&nbsp;Mexican health department. The emails contained a malicious attachment called pdf.exe,&nbsp;trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the <a href=\"https://thiapp2.blueliv.net/#/ui/intelligence/tools/details/136\">NanoCore</a> and <a href=\"https://thiapp2.blueliv.net/#/ui/intelligence/tools/details/193\">RemcosRAT</a> malware.</p>",
        "fqdnIds": "9607329,",
        "fqdns": 1,
        "ips": 1,
        "lastSeen": "2020-06-10T00:00:00Z",
        "malware": 56,
        "malwareIds": "55048892,55954618,56069689,56081184,56101608,56174304,56435633,56482393,56528142,56528442,56660508,56822336,56834251,56895357,56906597,56921822,56963320,57023523,57143218,57500808,57531883,57577157,57992940,58151119,59402651,59402653,59402654,59402655,59402656,59406230,59406231,59406232,59406233,59406234,59406235,59406236,59421287,59421291,59421298,59421308,59421351,59421352,59421389,59421399,59421403,59421435,59421463,59421467,59421471,59421474,59421499,59421511,59421557,59421568,59421605,59468951,",
        "milestoneIds": "",
        "milestones": 0,
        "name": "Vendetta",
        "objective": "<p>This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.</p>",
        "onlineServiceIds": "",
        "signatureIds": "",
        "signatures": 0,
        "sophistication": "intermediate",
        "targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,",
        "targets": 21,
        "threatTypeIds": "",
        "toolIds": "136,193,",
        "tools": 2
    },
    "threatActor,ipIds": "96161121,",
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv Threat Actor info

active: true
aliases: Vendetta
country_name: Italy
created_at: 2020-06-10T11:23:22.584500Z
description:
  Key Points
  • Vendetta is a threat actor based on Italy or Turkey discovered in April 2020 that seeks to steal targeted business intelligence.
  • Vendetta targeted enterprises located in North America, Eastern Europe, Asia, and Oceania regions.
  • The threat actor uses social engineering techniques to infect the victims with a RAT.
  Assessment
  Vendetta is a Threat Actor that became active on April 2020, and was discovered by 360 Baize Lab. The name comes from a PDB path found in one of the samples:
  C:\Users\Vendetta\source\repos\{project name}\*\obj\Debug\{project name}.pdb
  Based on some information found on the samples themselves, and the tools used, 360 Baize Labs speculates that the actor is of European origin, either from Turkey or from Italy. Some of their malware samples contain the text "Developers from Italy" which indicates the threat actor may be Italian, but these also contain Turkish names in variables like RoboSky suggest they could actually be from Turkey.
  Vendetta targeted its victims with highly convincing spearphishing emails, impersonating entities such as Australian Government Department of Health, Austrian Federal Ministry of the Interior (BMI), or the Mexican health department. The emails contained a malicious attachment called pdf.exe, trying to trick the victim into opening the executable file thinking it is a pdf file, which ultimately installed the NanoCore and RemcosRAT malware.
first_seen: 2020-04-01T00:00:00Z
id: 232
ioc_link: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/ioc/
last_seen: 2020-06-10T00:00:00Z
links: self: https://tctrustoylo.blueliv.com/api/v1/threat-actor/232/
modus_operandi: Vendetta uses well designed phishing campaigns to target businesses and individuals. The phishing emails contain a malicious payload that, once unleashed, will install a RAT in the infected computer.
name: Vendetta
objective: This threat actor appears to be focused on stealing information from the target by using remote access trojans to infect organizations.
references: {'link': 'https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/', 'title': 'Vendetta-new threat actor from Europe'}
sophistication: intermediate
tlp: white
type: ThreatActor
types: hacker
updated_at: 2020-06-10T12:29:16.463528Z
uuid:
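Every context example on this page (indicator, threat actor, campaign and the rest) follows one convention: each relationship is returned twice, as a count (`"attackPatterns": 7`) and as a comma-joined ID string with a trailing comma (`"attackPatternIds": "511,529,...,735,"`). The threat actor example above also shows two keys that did not land under `threatActor` (`threatAactor` and `threatActor,ipIds`), which a playbook addressing `threatActor.ipIds` would silently miss. The helper below is an added example, not part of the integration's own code: it splits the ID strings, checks every count against its list, and reports stray top-level keys, using an abridged copy of the Vendetta context as constructed input. The function names (`audit_context`, `audit_entity`, `split_ids`) are mine.

```python
"""Audit a Blueliv ThreatContext context object before a playbook consumes it."""
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the blueliv-tc-threat-actor context
# example on this page (long fields trimmed, the two stray keys kept as-is).
SAMPLE_CONTEXT = {
    "threatAactor": {"onlineServices": 0, "threatTypes": 0},
    "threatActor": {
        "active": "True",
        "attackPatternIds": "511,529,603,613,703,705,735,",
        "attackPatterns": 7,
        "campaignIds": "",
        "campaigns": 0,
        "fqdnIds": "9607329,",
        "fqdns": 1,
        "ips": 1,
        "name": "Vendetta",
        "sophistication": "intermediate",
        "targetIds": "13,14,36,46,62,98,120,154,163,186,188,220,225,227,254,257,259,268,293,301,1164,",
        "targets": 21,
        "toolIds": "136,193,",
        "tools": 2,
    },
    "threatActor,ipIds": "96161121,",
    "threatContext": {"hasResults": "true"},
}


def split_ids(value: Optional[str]) -> List[int]:
    """'136,193,' -> [136, 193]; '' or None -> [] (Blueliv leaves a trailing comma)."""
    return [int(tok) for tok in (value or "").split(",") if tok.strip()]


def count_key_for(ids_key: str, entity: Dict) -> Optional[str]:
    """Map 'attackPatternIds' -> 'attackPatterns' and 'malwareIds' -> 'malware'."""
    base = ids_key[: -len("Ids")]
    for candidate in (base + "s", base):
        if candidate in entity:
            return candidate
    return None


def audit_entity(entity: Dict) -> Dict:
    """Return {'relations': {count_key: [ids]}, 'problems': [messages]} for one object."""
    relations: Dict[str, List[int]] = {}
    problems: List[str] = []
    for key, value in entity.items():
        if not key.endswith("Ids"):
            continue
        ids = split_ids(value)
        count_key = count_key_for(key, entity)
        if count_key is None:
            problems.append(f"{key}: no matching count field")
            continue
        relations[count_key] = ids
        if int(entity[count_key]) != len(ids):
            problems.append(f"{count_key}: count {entity[count_key]} but {len(ids)} IDs")
    # Any remaining integer field is a relationship count whose ID list is not in
    # this object (on this page, threatActor.ips has its IDs under a stray key).
    for key, value in entity.items():
        if isinstance(value, int) and not isinstance(value, bool) and key not in relations:
            problems.append(f"{key}: count {value} but no ID list in this object")
    return {"relations": relations, "problems": problems}


def audit_context(context: Dict, entity_key: str) -> Dict:
    """Audit one command's context; entity_key is e.g. 'indicator' or 'threatActor'."""
    report = audit_entity(context.get(entity_key, {}))
    report["stray_keys"] = sorted(k for k in context if k not in (entity_key, "threatContext"))
    has_results = context.get("threatContext", {}).get("hasResults", "")
    report["has_results"] = str(has_results).lower() == "true"
    return report


if __name__ == "__main__":
    result = audit_context(SAMPLE_CONTEXT, "threatActor")
    for relation, ids in result["relations"].items():
        print(f"{relation}: {len(ids)} -> {ids}")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    print("stray keys:", result["stray_keys"])
```

The same `audit_entity` call works on the `indicator` object of the IP, FQDN and crime server commands, since they use the identical count-plus-IDs layout; string-valued fields such as `risk` or `countryId` are ignored, and a `hasResults` of `"true"` arrives as a string, so it is compared case-insensitively rather than as a boolean.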

blueliv-tc-campaign


Gets information about a Campaign

Base Command

blueliv-tc-campaign

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| campaign | Name of the Campaign to search for | Optional |
| campaign_id | Blueliv's internal Campaign ID | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| campaign.name | Unknown | Campaign name |
| campaign.description | Unknown | Campaign description |
| campaign.lastSeen | Unknown | Campaign last seen |
| campaign.botnets | Unknown | Campaign botnets |
| campaign.botnetIds | Unknown | Campaign botnets internal IDs |
| campaign.signatures | Unknown | Campaign signatures |
| campaign.signatureIds | Unknown | Campaign signatures internal IDs |
| campaign.ips | Unknown | Campaign IPs |
| campaign.ipIds | Unknown | Campaign IPs internal IDs |
| campaign.malware | Unknown | Campaign malware |
| campaign.malwareIds | Unknown | Campaign malware internal IDs |
| campaign.attackPatterns | Unknown | Campaign attack patterns |
| campaign.attackPatternIds | Unknown | Campaign attack patterns internal IDs |
| campaign.tools | Unknown | Campaign tools |
| campaign.toolIds | Unknown | Campaign tools internal IDs |
| campaign.fqdns | Unknown | Campaign FQDNs |
| campaign.fqdnIds | Unknown | Campaign FQDNs internal IDs |
| campaign.threatActorId | Unknown | Campaign threat actor internal ID |

Command Example

!blueliv-tc-campaign campaign_id=152

Context Example

```json
{
    "campaign": {
        "attackPatternIds": "",
        "attackPatterns": 0,
        "botnetIds": "",
        "botnets": 0,
        "description": "<p>A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.</p>\n\n<p>There are different types of downloaders: VBS scripts, MSI files, executable downloaders.&nbsp;These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.</p>\n\n<p>This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.</p>\n\n<p>Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.</p>",
        "fqdnIds": "138612,9322638,9394712,9549083,9549084,9549097,9549098,9549099,",
        "fqdns": 8,
        "ips": 0,
        "lastSeen": "2020-05-28T00:00:00Z",
        "malware": 9,
        "malwareIds": "55800558,55800615,58635752,58635753,58635754,58635755,58635756,58635757,58635758,",
        "name": "2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain",
        "signatureIds": "",
        "signatures": 0,
        "threatActorId": "226",
        "toolIds": "673,",
        "tools": 1
    },
    "campaign,ipIds": "",
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv Campaign info

created_at: 2020-05-28T21:24:11.307288Z
description:
  A distribution campaign for the GRANDOREIRO banking Trojan. Through spam emails they got users to visit fake websites. The topic is usually electronic invoices, but recently they have used topics related to the coronavirus pandemic.
  There are different types of downloaders: VBS scripts, MSI files, executable downloaders. These downloaders contain an encoded URL that allows them to download an ISO file, usually hosted by a public service such as DROPBOX or GITHUB.
  This ISO file is actually a text file, which contains BASE64. Once decoded, a ZIP file containing GRANDOREIRO is obtained.
  Sometimes a password is required to extract the GRANDOREIRO trojan from the ZIP file. This prevents analyzing its content without analysing the downloader first.
first_seen: 2020-04-16T00:00:00Z
id: 152
ioc_link: https://tctrustoylo.blueliv.com/api/v1/campaign/152/ioc/
last_seen: 2020-05-28T00:00:00Z
links: self: https://tctrustoylo.blueliv.com/api/v1/campaign/152/
name: 2020 Grandoreiro campaign against banks in LATAM, Portugal and Spain
tlp: white
type: Campaign
updated_at: 2020-05-28T23:58:36.883515Z
uuid:

blueliv-tc-attack-pattern


Gets information about an Attack Pattern

Base Command

blueliv-tc-attack-pattern

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attackPattern | The Attack Pattern's name to search for | Optional |
| attackPatternId | Internal Blueliv's ID for the Attack Pattern | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| attackPattern.name | Unknown | Attack pattern name |
| attackPattern.description | Unknown | Attack pattern description |
| attackPattern.updatedAt | Unknown | Attack pattern updated at |
| attackPattern.severity | Unknown | Attack pattern severity |
| attackPattern.signatures | Unknown | Attack pattern signatures |
| attackPattern.signatureIds | Unknown | Attack pattern signatures internal IDs |
| attackPattern.campaigns | Unknown | Attack pattern campaigns |
| attackPattern.campaignIds | Unknown | Attack pattern campaigns internal IDs |
| attackPattern.threatActors | Unknown | Attack pattern threat actors |
| attackPattern.threatActorIds | Unknown | Attack pattern threat actors internal IDs |
| attackPattern.cves | Unknown | Attack pattern CVEs |
| attackPattern.cveIds | Unknown | Attack pattern CVEs internal IDs |

Command Example

!blueliv-tc-attack-pattern attackPattern="Account Discovery"

Context Example

```json
{
    "attackPattern": {
        "campaignIds": "95,81,82,83,3,",
        "campaigns": 5,
        "cveIds": "",
        "cves": 0,
        "description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.\n\nAlso, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.",
        "name": "Account Discovery",
        "serverity": "Medium",
        "signatureIds": "",
        "signatures": 0,
        "threatActorIds": "1,34,62,21,131,56,89,191,47,8,81,10,50,28,37,194,228,190,",
        "threatActors": 18,
        "updatedAt": "2018-12-24T23:00:02.352102Z"
    },
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv Attack Pattern info

attack_phases:
attacker_skills_or_knowledge_required:
capec_id:
created_at: 2018-12-24T23:00:02.352087Z
description:
  Adversaries may attempt to get a listing of local system or domain accounts.
  ### Windows
  Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
  ### Mac
  On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.
  ### Linux
  On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.
  Also, groups can be enumerated through the groups and id commands.
id: 686
links: self: https://tctrustoylo.blueliv.com/api/v1/attack-pattern/686/
name: Account Discovery
prerequisites:
purposes:
references:
related_vulnerabilities:
related_weaknesses:
severity: Medium
solutions_and_mitigations:
tlp: white
type: AttackPattern
updated_at: 2018-12-24T23:00:02.352102Z
uuid: 72b74d71-8169-42aa-92e0-e7b04b9f5a08

blueliv-tc-tool


Gets information about a Tool

Base Command

blueliv-tc-tool

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tool | Tool's name to search for | Optional |
| tool_id | Internal Blueliv's ID of the tool | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| tool.Name | Unknown | Tool name |
| tool.description | Unknown | Tool description |
| tool.lastSeen | Unknown | Tool last seen |
| tool.campaigns | Unknown | Tool campaigns |
| tool.campaignIds | Unknown | Tool campaigns internal IDs |
| tool.signatures | Unknown | Tool signatures |
| tool.signatureIds | Unknown | Tool signatures internal IDs |
| tool.threatActors | Unknown | Tool threat actors |
| tool.threatActorIds | Unknown | Tool threat actors internal IDs |

Command Example

!blueliv-tc-tool tool=ACEHASH

Context Example

```json
{
    "threatContext": {
        "hasResults": "true"
    },
    "tool": {
        "campaignIds": "",
        "campaigns": 0,
        "description": "<p>ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available.</p>",
        "lastSeen": "2019-12-01T00:00:00Z",
        "name": "ACEHASH",
        "signatureIds": "",
        "signatures": 0,
        "threatActorIds": "194,",
        "threatActors": 1
    }
}
```

Human Readable Output

Blueliv Tool info

Columns: created_at, description, discovery_date, first_seen, id, last_seen, links, name, references, targeted_platforms, tlp, type, updated_at, uuid, version

Values: 2020-02-26T14:35:55.698486Z | ACEHASH is a credential theft/password hash dumping utility. The code may be based in Mimikatz and appears to be publicly available. | 2012-12-01T00:00:00Z | 532 | 2019-12-01T00:00:00Z | self: https://tctrustoylo.blueliv.com/api/v1/tool/532/ | ACEHASH | {'link': 'https://content.fireeye.com/apt-41/rpt-apt41', 'title': 'Double Dragon: APT41, a dual espionage and cyber crime operation'} | white | Tool | 2020-02-26T14:35:55.698549Z

blueliv-tc-signature


Gets information about a Signature

Base Command

blueliv-tc-signature

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature | Signature's name to search for | Optional |
| signature_id | Internal Blueliv's ID for the signature | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| signature.name | Unknown | Signature name |
| signature.updatedAt | Unknown | Signature updated at |
| signature.ipIds | Unknown | Signature IPs internal IDs |
| signature.malware | Unknown | Signature malware |
| signature.malwareIds | Unknown | Signature malware internal IDs |
| signature.score | Unknown | Signature score |

Command Example

!blueliv-tc-signature signature_id=84458

Context Example

```json
{
    "signature": {
        "malware": 0,
        "malwareIds": "",
        "name": "ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)",
        "type": "snort",
        "updatedAt": "2020-06-15T02:11:21.962364Z"
    },
    "threatContext": {
        "hasResults": "true"
    }
}
```

Human Readable Output

Blueliv Signature info

created_at: 2020-06-15T02:11:21.962302Z
id: 84458
links: self: https://tctrustoylo.blueliv.com/api/v1/signature/84458/
name: ET TROJAN DonotGroup Staging Domain in DNS Query (sid 2030333)
references:
sid: 2030333
signature: alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|yourcontents|03|xyz|00|"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;)
status: enabled
tlp: white
type: snort
updated_at: 2020-06-15T02:11:21.962364Z
version: 2
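The signature output carries the full Snort rule text, and a SOC analyst handling the alert usually wants to know what the rule actually keys on before pivoting. The example below is added here and is not part of the integration: it parses the rule returned above, converts its `|hex|` content matches to bytes, reconstructs the DNS query name the rule alerts on from the length-prefixed labels, and replays the content chain against a constructed DNS query to show how `offset`/`depth`/`distance`/`within` pin the header bytes. The function names and the simplified modifier semantics (each match is searched relative to the end of the previous one; `within` is counted after `distance`) are my own, and the parser assumes no escaped quotes inside option values.

```python
"""Decode what a DNS-query Snort rule from blueliv-tc-signature matches."""
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: the rule text from the blueliv-tc-signature output on this page.
SAMPLE_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DonotGroup Staging Domain in DNS Query"; '
    'content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; '
    'content:"|0c|yourcontents|03|xyz|00|"; distance:0; fast_pattern; '
    'metadata: former_category MALWARE; classtype:trojan-activity; sid:2030333; rev:2; '
    'metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, '
    'signature_severity Major, created_at 2020_06_12, updated_at 2020_06_12;)'
)

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(rule: str) -> Dict:
    """Split a rule into header fields plus an ordered (keyword, value) option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options: List[Tuple[str, str]] = []
    buf, in_quote = [], False
    for ch in body + ";":  # the extra ';' flushes the last option
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opt = "".join(buf).strip()
            buf = []
            if opt:
                key, _, val = opt.partition(":")
                options.append((key.strip(), val.strip().strip('"')))
        else:
            buf.append(ch)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def content_to_bytes(spec: str) -> bytes:
    """'|0c|yourcontents|03|xyz|00|' -> b'\\x0cyourcontents\\x03xyz\\x00' (|..| is hex)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(options: List[Tuple[str, str]]) -> List[Dict]:
    """Group each content with the modifiers that follow it."""
    matches: List[Dict] = []
    for key, val in options:
        if key == "content":
            matches.append({"bytes": content_to_bytes(val), "mods": {}})
        elif matches and key in ("offset", "depth", "distance", "within"):
            matches[-1]["mods"][key] = int(val)
        elif matches and key == "fast_pattern":
            matches[-1]["mods"]["fast_pattern"] = True
    return matches


def dns_name_from_wire(data: bytes) -> str:
    """Decode length-prefixed DNS labels (no compression pointers) into dotted form."""
    labels, pos = [], 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointer or bad label length")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def staging_domain(rule: str) -> str:
    """The domain the rule alerts on: its fast_pattern content decoded as a DNS name."""
    matches = content_matches(parse_rule(rule)["options"])
    chosen = next((m for m in matches if m["mods"].get("fast_pattern")), matches[-1])
    return dns_name_from_wire(chosen["bytes"])


def rule_matches(rule: str, payload: bytes) -> bool:
    """Replay the content chain against a UDP payload (simplified Snort semantics)."""
    last_end = 0
    for m in content_matches(parse_rule(rule)["options"]):
        mods, pat = m["mods"], m["bytes"]
        if "distance" in mods or "within" in mods:  # relative to the previous match
            start = last_end + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        else:  # absolute from the start of the payload
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        last_end = idx + len(pat)
    return True


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """A minimal standard A query (RD set, one question) as seen on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)
```

Running `staging_domain(SAMPLE_RULE)` gives the queried name the rule is built around, and `rule_matches(SAMPLE_RULE, build_dns_query(...))` shows why the first two contents matter: `|01|` at offset 2 requires the recursion-desired flag byte of a standard query, and the seven zero/one bytes one byte later require exactly one question and no answer or authority records, so the rule only fires on a client's outbound lookup, not on the server's reply. Because the last content is searched anywhere after the header, a query for a subdomain of the staging domain matches as well.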