User Guide

Synapse-Group-IB User Guide

Synapse-Group-IB adds new Storm commands to allow you to query the Group-IB TI API using your existing API credentials.

Getting Started

Check with your Admin to enable permissions and find out if you need personal API credentials.

Examples

Setting your personal API credentials

To set-up personal use API credentials for Group-IB Threat Intelligence:

> groupib.ti.setup.apikey --self mylogin myapikey
Setting Group-IB TI credentials for the current user.

Search using inbound nodes

Search for threat actors using an inet:fqdn node:

> [ inet:fqdn=anydeskupdate.com ] | groupib.ti.threat.actors.search --yield
WARNING: Group-IB API returned HTTP code: -1 - Exception occurred during request: CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/home/docs/checkouts/readthedocs.org/user_builds/vertex-storm-packages/checkouts/latest/packages/synapse-group-ib/docs/mocks/userguide-threat-actors-search.yaml') in your current record mode (<RecordMode.ONCE: 'once'>).
No match for the request (<Request (GET) https://tap.group-ib.com/api/v2/common/threat_actor?limit=10&q=domain:+%22anydeskupdate.com%22>) was found.
Found 2 similar requests with 1 different matcher(s) :

1 - (<Request (GET) https://tap.group-ib.com/api/v2/hi/threat_actor?limit=10&q=domain%3A+%22anydeskupdate.com%22>).
Matchers succeeded : ['method', 'scheme', 'host', 'port', 'query']
Matchers failed :
path - assertion failure :
/api/v2/common/threat_actor != /api/v2/hi/threat_actor

2 - (<Request (GET) https://tap.group-ib.com/api/v2/apt/threat_actor?limit=10&q=domain%3A+%22anydeskupdate.com%22>).
Matchers succeeded : ['method', 'scheme', 'host', 'port', 'query']
Matchers failed :
path - assertion failure :
/api/v2/common/threat_actor != /api/v2/apt/threat_actor

Search using a query string

The Group-IB TI API also allows using Lucene query syntax to perform a search. For example, to search for malware configs by malware name:

> groupib.ti.malware.configs.search --query 'malware: "Cobalt Strike"' --size 1 --yield
it:sec:c2:config=c586b1de29d04ebd5ed4514ba54a500f
        .created = 2024/12/20 18:03:39.054
        .seen = ('2023/05/22 07:15:59.000', '2023/05/22 07:15:59.001')
        :family = cobalt strike
        :file = sha256:9a89ebe9de5711806e0a75919f30971d2df30bbc2b56525f4d92d99931d53e30
        :raw = {'func': 0, 'Spawnto_x86': '%windir%\\syswow64\\runonce.exe', 'DNS_strategy': 0, 'PublicKey_MD5': '357c86281a2ff4b7249b9170acc48a96', 'Unknown-36': 'QmV1ZHRLZ3FubG0wUnV2ZitWWXh1dz09AAAAAAAAAAA=', 'smbFrameHeader': 'AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=', 'DNS_strategy_fail_seconds': -1, 'HostHeader': 'Host: staos.microsoft.com\r\n', 'Proxy_AccessType': '2 (use IE settings)', 'SpawnTo': 'AAAAAAAAAAAAAAAAAAAAAA==', 'Unknown-71': 0, 'Unknown-72': 0, 'Unknown-73': 0, 'bUsesCookies': 'True', 'Spawnto_x64': '%windir%\\sysnative\\runonce.exe', 'Watermark': 100000, 'bProcInject_MinAllocSize': 18700, 'bProcInject_StartRWX': 'True', 'binary.http-get.server.output': 'AAAABAAAAAEAAAbjAAAAAgAABuMAAAACAAACXAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'HttpGet_Verb': 'GET', 'version': '4', 'DNS_strategy_fail_x': -1, 'UserAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36', 'tcpFrameHeader': 'AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=', 'KillDate': '0', 'HttpPost_Verb': 'POST', 'HttpPostChunk': 0, 'textSectionEnd (0 if !sleep_mask)': 1, 'BeaconType': '8 (HTTPS)', 'HttpGet_Metadata': ('Accept-Encoding: gzip, deflate', 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Upgrade-Insecure-Requests: 1', 'ANID=', '__Secure-3PAPISID=noskin;', ';CONSENT=YES+CN.zh-CN+20210917-09-0', 'Cookie'), 'ProcInject_PrependAppend_x86': 'AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'ProcInject_AllocationMethod': 'VirtualAllocEx', 'ProcInject_PrependAppend_x64': 'AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'Jitter': 37, 'SleepTime': 30000, 'bStageCleanup': 'True', 'DNS_strategy_rotate_seconds': -1, 'MaxGetSize': 2101282, 'CryptoScheme': 0, 'Port': 443, 'PublicKey': 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xa1GioeOfHbj0SafCB8qyR0hPQs3Te4HcNG/AsJAGeNGMRz18dl0j7fwYN+u/z9soX0oN7aBkqN8LB2ecrmkB1cd6mAvjZpIwbKhQGHesz9JBueFL2Wods1MmW1KWrceHuw1nX25C+rt3sBsOdDdEPn0MJgdvTI20y86xrGm9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'obfuscate_section': 'ANACABLJAwAA0AMAaKIEAACwBADQ0AQAAOAEAHLvBAAAAAAAAAAAAA==', 'ProcInject_Execute': ('CreateThread', 'SetThreadContext', 'NtQueueApcThread-s', 'RtlCreateUserThread', '7', '16'), 'ProcInject_Stub': 'BOChG+WRR6jXPSs+n+qDLA==', 'bProcInject_UseRWX': 'True', 'HttpPost_Metadata': ('Content-Type: text/plain;charset=UTF-8', 'Referer: http://www.10086.cn/', 'Accept: */*', '__formid', 'adv_url=DsIQFPt', 'commend_flag=HysZPJ', 'is_stock=YdlTgqbVTyCh', 'aid_=522005705&accver=1&showtype=embed&ua='), 'bCFGCaution': 'True', 'C2Server': 'res-ghesh.imoba.com.cn,/', 'HttpPostUri': '/web-Center/commonservice/ipLocation.do'}
        :servers = ['8 (https)://res-ghesh.imoba.com.cn:443/']
        #rep.groupib.cobalt_strike

Additional information on the search syntax can be found in the Group-IB TI Searching and Filtering documentation.

Use of meta:source nodes

Synapse-Group-IB uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Group-IB API.

> meta:source=25fed133fa8944e403bfffe5ce31d975
meta:source=25fed133fa8944e403bfffe5ce31d975
        .created = 2024/12/20 18:03:37.494
        :name = group-ib ti api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Group-IB. The following example shows how to filter the results of a query to include only results observed by Synapse-Group-IB:

> it:sec:c2:config  +{ <(seen)- meta:source=25fed133fa8944e403bfffe5ce31d975 } | limit 1
it:sec:c2:config=c586b1de29d04ebd5ed4514ba54a500f
        .created = 2024/12/20 18:03:39.054
        .seen = ('2023/05/22 07:15:59.000', '2023/05/22 07:15:59.001')
        :family = cobalt strike
        :file = sha256:9a89ebe9de5711806e0a75919f30971d2df30bbc2b56525f4d92d99931d53e30
        :raw = {'func': 0, 'Spawnto_x86': '%windir%\\syswow64\\runonce.exe', 'DNS_strategy': 0, 'PublicKey_MD5': '357c86281a2ff4b7249b9170acc48a96', 'Unknown-36': 'QmV1ZHRLZ3FubG0wUnV2ZitWWXh1dz09AAAAAAAAAAA=', 'smbFrameHeader': 'AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=', 'DNS_strategy_fail_seconds': -1, 'HostHeader': 'Host: staos.microsoft.com\r\n', 'Proxy_AccessType': '2 (use IE settings)', 'SpawnTo': 'AAAAAAAAAAAAAAAAAAAAAA==', 'Unknown-71': 0, 'Unknown-72': 0, 'Unknown-73': 0, 'bUsesCookies': 'True', 'Spawnto_x64': '%windir%\\sysnative\\runonce.exe', 'Watermark': 100000, 'bProcInject_MinAllocSize': 18700, 'bProcInject_StartRWX': 'True', 'binary.http-get.server.output': 'AAAABAAAAAEAAAbjAAAAAgAABuMAAAACAAACXAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'HttpGet_Verb': 'GET', 'version': '4', 'DNS_strategy_fail_x': -1, 'UserAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36', 'tcpFrameHeader': 'AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=', 'KillDate': '0', 'HttpPost_Verb': 'POST', 'HttpPostChunk': 0, 'textSectionEnd (0 if !sleep_mask)': 1, 'BeaconType': '8 (HTTPS)', 'HttpGet_Metadata': ('Accept-Encoding: gzip, deflate', 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Upgrade-Insecure-Requests: 1', 'ANID=', '__Secure-3PAPISID=noskin;', ';CONSENT=YES+CN.zh-CN+20210917-09-0', 'Cookie'), 'ProcInject_PrependAppend_x86': 'AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'ProcInject_AllocationMethod': 'VirtualAllocEx', 'ProcInject_PrependAppend_x64': 'AAAABJCQkJAAAAAEkJCQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'Jitter': 37, 'SleepTime': 30000, 'bStageCleanup': 'True', 'DNS_strategy_rotate_seconds': -1, 'MaxGetSize': 2101282, 'CryptoScheme': 0, 'Port': 443, 'PublicKey': 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xa1GioeOfHbj0SafCB8qyR0hPQs3Te4HcNG/AsJAGeNGMRz18dl0j7fwYN+u/z9soX0oN7aBkqN8LB2ecrmkB1cd6mAvjZpIwbKhQGHesz9JBueFL2Wods1MmW1KWrceHuw1nX25C+rt3sBsOdDdEPn0MJgdvTI20y86xrGm9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==', 'obfuscate_section': 'ANACABLJAwAA0AMAaKIEAACwBADQ0AQAAOAEAHLvBAAAAAAAAAAAAA==', 'ProcInject_Execute': ('CreateThread', 'SetThreadContext', 'NtQueueApcThread-s', 'RtlCreateUserThread', '7', '16'), 'ProcInject_Stub': 'BOChG+WRR6jXPSs+n+qDLA==', 'bProcInject_UseRWX': 'True', 'HttpPost_Metadata': ('Content-Type: text/plain;charset=UTF-8', 'Referer: http://www.10086.cn/', 'Accept: */*', '__formid', 'adv_url=DsIQFPt', 'commend_flag=HysZPJ', 'is_stock=YdlTgqbVTyCh', 'aid_=522005705&accver=1&showtype=embed&ua='), 'bCFGCaution': 'True', 'C2Server': 'res-ghesh.imoba.com.cn,/', 'HttpPostUri': '/web-Center/commonservice/ipLocation.do'}
        :servers = ['8 (https)://res-ghesh.imoba.com.cn:443/']
        #rep.groupib.cobalt_strike