Package Documentation

Storm Package: synapse-malwarebazaar

The following Commands are available from this package. This documentation is generated for version 2.0.0 of the package.

Storm Commands

This package implements the following Storm Commands.

malwarebazaar.certs

Ingest the Code Signing Certificate Blocklist (CSCB) that MalwareBazaar maintains.

Examples:
  // Download up to 100 certificates from the blocklist.
  malwarebazaar.certs --size 100 --yield --debug


Usage: malwarebazaar.certs [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --config <config>           : Override the default config with the provided name.

malwarebazaar.config.add

Add a Synapse-MalwareBazaar configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Add a global configuration
  malwarebazaar.config.add global_config apikey1234

  // Add a configuration for the current user
  malwarebazaar.config.add my_config apikey5678


Usage: malwarebazaar.config.add [options] <name> <apikey>

Options:

  --help                      : Display the command usage.
  --ssl-noverify              : Do not perform SSL/TLS verification.
  --proxy <proxy>             : Configure the proxy usage. (default: True)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from MalwareBazaar. (default:
                                rep.malwarebazaar)
  --scope <scope>             : Set the scope on the configuration. (default: global, choices: global, self, unscoped)

Arguments:

  <name>                      : A unique name for the configuration.
  <apikey>                    : The API key string.

malwarebazaar.config.del

Delete a Synapse-MalwareBazaar configuration.

Examples:

  // Delete the "fooconfig" configuration
  malwarebazaar.config.del fooconfig


Usage: malwarebazaar.config.del [options] <name>

Options:

  --help                      : Display the command usage.

Arguments:

  <name>                      : The name of the configuration.

malwarebazaar.config.list

Display the list of Synapse-MalwareBazaar configurations you have access to.


Usage: malwarebazaar.config.list [options]

Options:

  --help                      : Display the command usage.

malwarebazaar.config.migrate

Migrate options for all Synapse-MalwareBazaar configurations.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Migrate the tag prefix for all configurations
  malwarebazaar.config.migrate --tag-prefix my.tagpref


Usage: malwarebazaar.config.migrate [options]

Options:

  --help                      : Display the command usage.
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from MalwareBazaar. (default: None)

malwarebazaar.config.show

Show the details of a configuration.

Examples:

  // Show the in-use configuration for the current user
  malwarebazaar.config.show

  // Show a configuration by name
  malwarebazaar.config.show myconfig


Usage: malwarebazaar.config.show [options] [name]

Options:

  --help                      : Display the command usage.

Arguments:

  [name]                      : The name of the configuration.

malwarebazaar.config.update

Update the configuration of a defined Synapse-MalwareBazaar configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Set the permission level for user "myuser" to "admin" on the "fooconfig"
  // configuration
  malwarebazaar.config.update fooconfig --perm user myuser admin

  // Set the permission level for the "all" role to "deny" on the
  // "fooconfig" configuration
  malwarebazaar.config.update fooconfig --perm role all deny

  // Do not verify the SSL certificate when connecting to "fooconfig"
  malwarebazaar.config.update fooconfig --ssl-verify (false)

  // Change the name of the "fooconfig" configuration to "barconfig"
  malwarebazaar.config.update fooconfig --name barconfig


Usage: malwarebazaar.config.update [options] <config>

Options:

  --help                      : Display the command usage.
  --apikey <apikey>           : The API key string. (default: None)
  --perm <perm>               : Set the permission level for a user or role on this configuration.
                                Arguments to this option are ``scope``, ``name``, ``level``:
                                  <scope>: The scope for the permission, either "user" or "role".
                                  <name>: The user/role name depending on scope.
                                  <level>: The $lib.auth.easyperm.level, or None to remove the permission.
                                 (default: None)
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from MalwareBazaar. (default: None)
  --name <name>               : Rename the configuration. (default: None)

Arguments:

  <config>                    : The name of the configuration to modify.

malwarebazaar.daily

Download a ZIP archive from MalwareBazaar containing the rollup of all the files that MalwareBazaar received that day.


Usage: malwarebazaar.daily [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --config <config>           : Override the default config with the provided name.
  --date <date>               : The day to pull the rollup for. (default: -1day)
  --passwd <passwd>           : A password to use to extract the zip archives that the samples come down in. (default:
                                infected)

malwarebazaar.download

Download a sample from MalwareBazaar. Requires Synapse-FileParser to be available to extract the files.

Examples:

  // Download all the files associated with the "todo" tag
  file:bytes#todo | malwarebazaar.download --yield


Usage: malwarebazaar.download [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --config <config>           : Override the default config with the provided name.
  --passwd <passwd>           : A password to use to extract the zip archives that the samples come down in. (default:
                                infected)

malwarebazaar.enrich

Enrich a file:bytes, hash:md5, hash:sha1, or hash:sha256 node using the MalwareBazaar API.

Examples:

  // Enrich a single hash:sha1 node and yield the resulting nodes.
  hash:sha1 | limit 1 | malwarebazaar.enrich --yield

  // Enrich a set of file:bytes nodes
  file:bytes#enrich | malwarebazaar.enrich --yield


Usage: malwarebazaar.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --config <config>           : Override the default config with the provided name.

malwarebazaar.query

Query the MalwareBazaar API for samples associated with a particular search term. The MalwareBazaar API supports returning up to 1000 results.


Usage: malwarebazaar.query [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --config <config>           : Override the default config with the provided name.
  --tag <tag>                 : The MalwareBazaar tag to search on (TrickBot, Loki, android, mips).
  --filetype <filetype>       : The MalwareBazaar filetype to search on (exe, elf, zip, xls).
  --signature <signature>     : The MalwareBazaar signature to search on (RedLineStealer, AgentTesla, Quakbot).
  --imphash <imphash>         : The imphash to search MalwareBazaar for.
  --issuer-cn <issuer_cn>     : The Issuer Common Name of a signing certificate to search MalwareBazaar.
  --subject-cn <subject_cn>   : The Subject Common Name of a signing certificate to search MalwareBazaar.
  --yara-rule <yara_rule>     : The name of a yara rule to search MalwareBazaar for.
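
An added example (not part of the package documentation) showing how malwarebazaar.query, which is listed above without examples, fits into a Storm pipeline with the other commands. It assumes that `--yield` on malwarebazaar.query emits file:bytes nodes that malwarebazaar.download accepts inbound, as the tagged file:bytes example for that command does; the signature and filetype values are sample values taken from the option descriptions, and the `todo.review` tag is a placeholder name.

```storm
// Pull up to 50 exe samples that MalwareBazaar has labelled with the AgentTesla
// signature. --size caps how many results are ingested and --yield passes the
// newly created nodes down the pipeline instead of the inbound nodes.
malwarebazaar.query --signature AgentTesla --filetype exe --size 50 --yield |

// Assumption: the yielded nodes are file:bytes, so they can be handed straight to
// malwarebazaar.download. Samples arrive as password-protected zip archives; the
// default extraction password is "infected" (see --passwd).
malwarebazaar.download --yield |

// Tag the downloaded file:bytes nodes so analysts can pick them up later with
// a lift such as file:bytes#todo.review
[ +#todo.review ]
```

Each command in the chain honours `--config <name>` if a non-default MalwareBazaar configuration should be used, and `--debug` on any of them prints the verbose output for that stage only.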

Storm Modules

This package does not export any Storm APIs.