Package Documentation
Storm Package: synapse-hyas
The following Commands are available from this package. This documentation is generated for version 0.3.0 of the package.
Storm Commands
This package implements the following Storm Commands.
hyas.c2.attribution
Ingest C2 attribution data from HYAS.
This command will query the HYAS API using the FQDN, IPv4, SHA-256, or email from the inbound node.
If a file:bytes node is provided the :sha256 property will be used.
The command will yield inet:http:request and/or inet:email:message nodes, depending on
whether the record contains an HTTP beacon, an email beacon, or both.
An it:sec:c2:config node is also created from the C2 URL. Any cookies in the record are added to
its headers property, with the literal string "id" used as a placeholder for the header name.
Examples:
// Query using an IPv4 and pivot to the inet:http:request
inet:ipv4#my.ip | hyas.c2.attribution --yield
// Filter results using a date interval
inet:ipv4#my.ip | hyas.c2.attribution --date (2023-03, 2023-04)
Usage: hyas.c2.attribution [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--date <date> : Filter results by datetime.
hyas.dns.dynamic
Ingest dynamic DNS information from HYAS.
This command takes inet:fqdn, inet:ipv4, or inet:email nodes as input
and queries the HYAS API to retrieve A records and domain creator data.
inet:dns:a nodes are tagged with rep.hyas.dynamic_dns and inet:dns:dynreg nodes
are created to record the domain creator information.
Examples:
// Get dynamic DNS data about an FQDN and yield inet:dns:dynreg nodes
inet:fqdn#test | hyas.dns.dynamic --yield
// Pivot from inet:dns:dynreg to the inet:dns:a nodes
inet:email#test | hyas.dns.dynamic --yield | :fqdn -> inet:dns:a:fqdn
Usage: hyas.dns.dynamic [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
hyas.dns.passive
Ingest passive DNS information from HYAS.
This command takes inet:fqdn or inet:ipv4 nodes as input and queries
the HYAS API to retrieve A and AAAA records.
If available in the response, the inet:ipv4/inet:ipv6 nodes will also
have their :asn and :latlong props set.
Examples:
// Get pDNS information about an IP and yield the created inet:dns:a nodes
inet:ipv4=89.117.139.137 | hyas.dns.passive --yield
// Get pDNS information about an FQDN and yield the created inet:dns:a nodes
inet:fqdn=vertex.link | hyas.dns.passive --yield
Usage: hyas.dns.passive [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
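The following Storm query is an added example and is not part of the package documentation. It enriches a domain with HYAS passive DNS, keeps the inet:dns:a records the command yields, pivots to the resolved IPv4 nodes, drops any that came back without an :asn, and walks on to the inet:asn nodes. The domain is a placeholder; the property names are those of the standard Synapse inet model.

```storm
// Added example: walk from a domain, through HYAS pDNS A records, to the ASNs of the resolved IPs.
inet:fqdn=vertex.link
| hyas.dns.passive --yield
| +inet:dns:a
| :ipv4 -> inet:ipv4
| +:asn
| :asn -> inet:asn
```

The `+:asn` filter matters because the documentation only promises :asn and :latlong when HYAS returns them, so the pivot should not assume every resolved address carries one.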
hyas.setup.apikey
Manage the HYAS API key.
Examples:
// Set a global HYAS API key
hyas.setup.apikey abcd1234
// Set a HYAS API key for the current user
hyas.setup.apikey --self abcd1234
// Display the API key scope of the current key
hyas.setup.apikey --show-scope
// Display the current API key
hyas.setup.apikey --show-apikey
// Remove the current global API key
hyas.setup.apikey --remove
// Remove the per-user API key for the current user
hyas.setup.apikey --self --remove
Usage: hyas.setup.apikey [options] [apikey]
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
hyas.setup.tagprefix
Set the tag prefix used when recording HYAS data as tags.
The default tag prefix is "rep.hyas" if not specified.
Any tags provided by the HYAS API will be added within the given namespace.
For example, the item "sinkhole" would result in "#rep.hyas.sinkhole". Any
characters incompatible with tag names are replaced with "_".
Usage: hyas.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
hyas.ssl.certs
Ingest SSL certificates from HYAS.
This command will query the HYAS API using the FQDN, IPv4, or SHA-1 from the inbound node.
If a file:bytes or crypto:x509:cert node is provided the :sha1 property will be used.
The command will yield an inet:ssl:cert node for each result record.
The associated crypto:x509:cert node will be created using Synapse-FileParser and the raw PEM
certificate, however if the service is not available the raw fields in the JSON response will be used.
Examples:
// Enrich an inet:ipv4 node and yield the inet:ssl:cert node
inet:ipv4#myip | hyas.ssl.certs --yield
// Enrich an inet:fqdn node and filter by issued date
inet:fqdn=vertex.link | hyas.ssl.certs --issued (2020, 2022)
Usage: hyas.ssl.certs [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--expires <expires> : Filter results by expiration date.
--issued <issued> : Filter results by issue date.
--issuer <issuer> : Filter results by issuer common name.
--subject <subject> : Filter results by subject organization.
hyas.whois
Query WHOIS information by domain from HYAS.
This command takes inet:fqdn nodes as input and queries the HYAS API
to create inet:whois:rec and inet:whois:contact nodes.
Examples:
// Get WHOIS information about a domain and yield the created inet:whois:rec nodes
inet:fqdn=vertex.link | hyas.whois --yield
Usage: hyas.whois [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--city <city> : The city of the registrant.
--country <country> : The country of the registrant.
--name <name> : The contact name (registrant, admin, technical, or abuse contact).
--email <email> : The email of the registrant.
--phone <phone> : The phone number of the registrant in E.164 format.
--nameserver <nameserver> : The nameserver domain.
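The following Storm query is an added example and is not part of the package documentation. It enriches a domain with HYAS WHOIS, pivots from the yielded inet:whois:rec nodes to their inet:whois:contact nodes via the contact's :rec property, keeps the registrant contact, and pivots to the registrant's inet:email node. The domain is a placeholder, and the assumption that the contact type is recorded as the lowercase value "registrant" follows the standard Synapse inet:whois:contact model.

```storm
// Added example: from a domain, through HYAS WHOIS records, to the registrant's email address.
// Assumes inet:whois:contact:type holds "registrant" for the registrant contact.
inet:fqdn=vertex.link
| hyas.whois --yield
| -> inet:whois:contact:rec
| +:type=registrant
| :email -> inet:email
```

The resulting inet:email nodes can be fed straight back into hyas.dns.dynamic, which accepts inet:email input, to find other domains registered by the same contact.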
Storm Modules
This package does not export any Storm APIs.