Synapse-Group-IB User Guide

Synapse-Group-IB adds new Storm commands to allow you to query the Group-IB TI API using your existing API credentials.

Getting Started

Check with your Admin to enable permissions and find out if you need personal API credentials.

Examples

Setting your personal API credentials

To set up personal API credentials for Group-IB Threat Intelligence:

> groupib.ti.setup.apikey --self mylogin myapikey
Setting Group-IB TI credentials for the current user.

Search using inbound nodes

Search for threat actors using an inet:fqdn node:

> [ inet:fqdn=anydeskupdate.com ] | groupib.ti.threat.actors.search --yield

Search using a query string

The Group-IB TI API also allows using Lucene query syntax to perform a search. For example, to search for malware configs by malware name:

> groupib.ti.malware.configs.search --query 'malware: "Cobalt Strike"' --size 1 --yield
it:sec:c2:config=c586b1de29d04ebd5ed4514ba54a500f
        .created = 2024/04/26 15:56:05.966
        .seen = ('2023/05/22 07:15:59.000', '2023/05/22 07:15:59.001')
        :family = cobalt strike
        :file = sha256:9a89ebe9de5711806e0a75919f30971d2df30bbc2b56525f4d92d99931d53e30
        :raw = {
                   "func": 0,
                   "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
                   "DNS_strategy": 0,
                   "PublicKey_MD5": "357c86281a2ff4b7249b9170acc48a96",
                   "Unknown-36": "QmV1ZHRLZ3FubG0wUnV2ZitWWXh1dz09AAAAAAAAAAA=",
                   "smbFrameHeader": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                   "DNS_strategy_fail_seconds": -1,
                   "HostHeader": "Host: staos.microsoft.com\r\n",
                   "Proxy_AccessType": "2 (use IE settings)",
                   "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
                   "Unknown-71": 0,
                   "Unknown-72": 0,
                   "Unknown-73": 0,
                   "bUsesCookies": "True",
                   "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
                   "Watermark": 100000,
                   "bProcInject_MinAllocSize": 18700,
                   "bProcInject_StartRWX": "True",
                   "binary.http-get.server.output": "AAAABAAAAAEAAAbjAAAAAgAABuMAAAACAAACXAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "HttpGet_Verb": "GET",
                   "version": "4",
                   "DNS_strategy_fail_x": -1,
                   "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36",
                   "tcpFrameHeader": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                   "KillDate": "0",
                   "HttpPost_Verb": "POST",
                   "HttpPostChunk": 0,
                   "textSectionEnd (0 if !sleep_mask)": 1,
                   "BeaconType": "8 (HTTPS)",
                   "HttpGet_Metadata": [
                       "Accept-Encoding: gzip, deflate",
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                       "Upgrade-Insecure-Requests: 1",
                       "ANID=",
                       "__Secure-3PAPISID=noskin;",
                       ";CONSENT=YES+CN.zh-CN+20210917-09-0",
                       "Cookie"
                   ],
                   "ProcInject_PrependAppend_x86": "AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "ProcInject_AllocationMethod": "VirtualAllocEx",
                   "ProcInject_PrependAppend_x64": "AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "Jitter": 37,
                   "SleepTime": 30000,
                   "bStageCleanup": "True",
                   "DNS_strategy_rotate_seconds": -1,
                   "MaxGetSize": 2101282,
                   "CryptoScheme": 0,
                   "Port": 443,
                   "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xa1GioeOfHbj0SafCB8qyR0hPQs3Te4HcNG/AsJAGeNGMRz18dl0j7fwYN+u/z9soX0oN7aBkqN8LB2ecrmkB1cd6mAvjZpIwbKhQGHesz9JBueFL2Wods1MmW1KWrceHuw1nX25C+rt3sBsOdDdEPn0MJgdvTI20y86xrGm9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "obfuscate_section": "ANACABLJAwAA0AMAaKIEAACwBADQ0AQAAOAEAHLvBAAAAAAAAAAAAA==",
                   "ProcInject_Execute": [
                       "CreateThread",
                       "SetThreadContext",
                       "NtQueueApcThread-s",
                       "RtlCreateUserThread",
                       "7",
                       "16"
                   ],
                   "ProcInject_Stub": "BOChG+WRR6jXPSs+n+qDLA==",
                   "bProcInject_UseRWX": "True",
                   "HttpPost_Metadata": [
                       "Content-Type: text/plain;charset=UTF-8",
                       "Referer: http://www.10086.cn/",
                       "Accept: */*",
                       "__formid",
                       "adv_url=DsIQFPt",
                       "commend_flag=HysZPJ",
                       "is_stock=YdlTgqbVTyCh",
                       "aid_=522005705&accver=1&showtype=embed&ua="
                   ],
                   "bCFGCaution": "True",
                   "C2Server": "res-ghesh.imoba.com.cn,/",
                   "HttpPostUri": "/web-Center/commonservice/ipLocation.do"
               }
        :servers = ['8 (https)://res-ghesh.imoba.com.cn:443/']
        #rep.groupib.cobalt_strike

Additional information on the search syntax can be found in the Group-IB TI Searching and Filtering documentation.
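As an added example (not part of the original guide or the Synapse-Group-IB package), the Storm query below extends the malware config search above: it runs the same Lucene query with a larger page size, keeps only the returned C2 config nodes, pivots to the file:bytes nodes referenced by their :file property, and tags those samples for triage. The tag name #cno.mal.cobaltstrike is an assumption; substitute whatever tag tree your Cortex uses.

```storm
// Added example, not from the Synapse-Group-IB package itself.
// Run the same Lucene search as above, asking for a larger page of results.
groupib.ti.malware.configs.search --query 'malware: "Cobalt Strike"' --size 50 --yield
// Keep only the C2 config nodes the command yields.
| +it:sec:c2:config
// Pivot from each config's :file property to the referenced file:bytes node.
| -> file:bytes
// Tag the samples for later triage; the tag name is an assumption.
| [ +#cno.mal.cobaltstrike ]
```

The pivot only follows configs whose :file property is populated, so samples that Group-IB returned without a hash are silently skipped; keep the plain search (without the pivot) when you want to review every config, including those with no referenced file.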

Use of meta:source nodes

Synapse-Group-IB uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Group-IB API.

> meta:source=25fed133fa8944e403bfffe5ce31d975
meta:source=25fed133fa8944e403bfffe5ce31d975
        .created = 2024/04/26 15:56:04.453
        :name = group-ib ti api

Storm can be used to include or exclude nodes based on whether they have been observed by Synapse-Group-IB. The following example filters the results of a query to include only nodes observed by Synapse-Group-IB:

> it:sec:c2:config  +{ <(seen)- meta:source=25fed133fa8944e403bfffe5ce31d975 } | limit 1
it:sec:c2:config=c586b1de29d04ebd5ed4514ba54a500f
        .created = 2024/04/26 15:56:05.966
        .seen = ('2023/05/22 07:15:59.000', '2023/05/22 07:15:59.001')
        :family = cobalt strike
        :file = sha256:9a89ebe9de5711806e0a75919f30971d2df30bbc2b56525f4d92d99931d53e30
        :raw = {
                   "func": 0,
                   "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
                   "DNS_strategy": 0,
                   "PublicKey_MD5": "357c86281a2ff4b7249b9170acc48a96",
                   "Unknown-36": "QmV1ZHRLZ3FubG0wUnV2ZitWWXh1dz09AAAAAAAAAAA=",
                   "smbFrameHeader": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                   "DNS_strategy_fail_seconds": -1,
                   "HostHeader": "Host: staos.microsoft.com\r\n",
                   "Proxy_AccessType": "2 (use IE settings)",
                   "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
                   "Unknown-71": 0,
                   "Unknown-72": 0,
                   "Unknown-73": 0,
                   "bUsesCookies": "True",
                   "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
                   "Watermark": 100000,
                   "bProcInject_MinAllocSize": 18700,
                   "bProcInject_StartRWX": "True",
                   "binary.http-get.server.output": "AAAABAAAAAEAAAbjAAAAAgAABuMAAAACAAACXAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "HttpGet_Verb": "GET",
                   "version": "4",
                   "DNS_strategy_fail_x": -1,
                   "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36",
                   "tcpFrameHeader": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                   "KillDate": "0",
                   "HttpPost_Verb": "POST",
                   "HttpPostChunk": 0,
                   "textSectionEnd (0 if !sleep_mask)": 1,
                   "BeaconType": "8 (HTTPS)",
                   "HttpGet_Metadata": [
                       "Accept-Encoding: gzip, deflate",
                       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                       "Upgrade-Insecure-Requests: 1",
                       "ANID=",
                       "__Secure-3PAPISID=noskin;",
                       ";CONSENT=YES+CN.zh-CN+20210917-09-0",
                       "Cookie"
                   ],
                   "ProcInject_PrependAppend_x86": "AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "ProcInject_AllocationMethod": "VirtualAllocEx",
                   "ProcInject_PrependAppend_x64": "AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "Jitter": 37,
                   "SleepTime": 30000,
                   "bStageCleanup": "True",
                   "DNS_strategy_rotate_seconds": -1,
                   "MaxGetSize": 2101282,
                   "CryptoScheme": 0,
                   "Port": 443,
                   "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xa1GioeOfHbj0SafCB8qyR0hPQs3Te4HcNG/AsJAGeNGMRz18dl0j7fwYN+u/z9soX0oN7aBkqN8LB2ecrmkB1cd6mAvjZpIwbKhQGHesz9JBueFL2Wods1MmW1KWrceHuw1nX25C+rt3sBsOdDdEPn0MJgdvTI20y86xrGm9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
                   "obfuscate_section": "ANACABLJAwAA0AMAaKIEAACwBADQ0AQAAOAEAHLvBAAAAAAAAAAAAA==",
                   "ProcInject_Execute": [
                       "CreateThread",
                       "SetThreadContext",
                       "NtQueueApcThread-s",
                       "RtlCreateUserThread",
                       "7",
                       "16"
                   ],
                   "ProcInject_Stub": "BOChG+WRR6jXPSs+n+qDLA==",
                   "bProcInject_UseRWX": "True",
                   "HttpPost_Metadata": [
                       "Content-Type: text/plain;charset=UTF-8",
                       "Referer: http://www.10086.cn/",
                       "Accept: */*",
                       "__formid",
                       "adv_url=DsIQFPt",
                       "commend_flag=HysZPJ",
                       "is_stock=YdlTgqbVTyCh",
                       "aid_=522005705&accver=1&showtype=embed&ua="
                   ],
                   "bCFGCaution": "True",
                   "C2Server": "res-ghesh.imoba.com.cn,/",
                   "HttpPostUri": "/web-Center/commonservice/ipLocation.do"
               }
        :servers = ['8 (https)://res-ghesh.imoba.com.cn:443/']
        #rep.groupib.cobalt_strike
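As an added example that is not part of the original guide or the Synapse-Group-IB package, the query below reaches the same nodes from the other direction and without hard-coding the meta:source guid: it lifts the Group-IB source node by its :name (shown above as group-ib ti api), walks its (seen) light edges outward to every node Synapse-Group-IB has observed, and narrows the result to C2 configs of a single family (the :family value shown above).

```storm
// Added example, not from the Synapse-Group-IB package itself.
// Lift the Group-IB source node by :name rather than by guid, so the query
// works in any Cortex where the package has been run.
meta:source:name="group-ib ti api"
// Walk the (seen) light edges outward to every node observed from the API.
-(seen)> *
// Keep only C2 configs of one family (value taken from the output above).
+it:sec:c2:config +:family="cobalt strike"
```

Negating the subquery filter gives the complement: `it:sec:c2:config -{ <(seen)- meta:source:name="group-ib ti api" }` lifts the C2 configs already in the Cortex that Group-IB has not reported, which is a quick way to spot coverage gaps between your own collection and the TI feed.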