Package Documentation
Storm Package: synapse-malwarebazaar
The following Commands are available from this package. This documentation is generated for version 2.0.0 of the package.
Storm Commands
This package implements the following Storm Commands.
malwarebazaar.certs
Ingest the Code Signing Certificate Blocklist (CSCB) that MalwareBazaar maintains.
Examples:
// Download up to 100 certificates from the blocklist.
malwarebazaar.certs --size 100 --yield --debug
Usage: malwarebazaar.certs [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
malwarebazaar.config.add
Add a Synapse-MalwareBazaar configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global configuration (the default scope)
malwarebazaar.config.add global_config apikey1234
// Add a configuration scoped to the current user
malwarebazaar.config.add --scope self my_config apikey5678
Usage: malwarebazaar.config.add [options] <name> <apikey>
Options:
--help : Display the command usage.
--ssl-noverify : Do not verify the SSL/TLS certificate presented by the MalwareBazaar server.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from MalwareBazaar. (default: rep.malwarebazaar)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
Arguments:
<name> : A unique name for the configuration.
<apikey> : The API key string.
malwarebazaar.config.del
Delete a Synapse-MalwareBazaar configuration.
Examples:
// Delete the "fooconfig" configuration
malwarebazaar.config.del fooconfig
Usage: malwarebazaar.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
malwarebazaar.config.list
Display the list of Synapse-MalwareBazaar configurations you have access to.
Usage: malwarebazaar.config.list [options]
Options:
--help : Display the command usage.
malwarebazaar.config.migrate
Migrate options for all Synapse-MalwareBazaar configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
malwarebazaar.config.migrate --tag-prefix my.tagpref
Usage: malwarebazaar.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from MalwareBazaar. (default: None)
malwarebazaar.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
malwarebazaar.config.show
// Show a configuration by name
malwarebazaar.config.show myconfig
Usage: malwarebazaar.config.show [options] [name]
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
malwarebazaar.config.update
Update the configuration of a defined Synapse-MalwareBazaar configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooconfig"
// configuration
malwarebazaar.config.update fooconfig --perm user myuser admin
// Set the permission level for the "all" role to "deny" on the
// "fooconfig" configuration
malwarebazaar.config.update fooconfig --perm role all deny
// Do not verify the SSL certificate when connecting to "fooconfig"
malwarebazaar.config.update fooconfig --ssl-verify (false)
// Change the name of the "fooconfig" configuration to "barconfig"
malwarebazaar.config.update fooconfig --name barconfig
Usage: malwarebazaar.config.update [options] <config>
Options:
--help : Display the command usage.
--apikey <apikey> : The API key string. (default: None)
--perm <perm> : Set the permission level for a user or role on this configuration.
Arguments to this option are ``scope``, ``name``, ``level``:
<scope>: The scope for the permission, either "user" or "role".
<name>: The user/role name depending on scope.
<level>: The $lib.auth.easyperm.level, or None to remove the permission.
(default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from MalwareBazaar. (default: None)
--name <name> : Rename the configuration. (default: None)
Arguments:
<config> : The name of the configuration to modify.
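The following is an added example, not part of the package documentation, showing how the config.add and config.update --perm options combine to restrict who can use a shared API key: the configuration is created at global scope, the "all" role is denied, a role is granted read access and a single user is made admin. The configuration name, role name, user name and API key are constructed for illustration; each line is a separate Storm query.

```storm
// Create a shared configuration at global scope (constructed name and key).
malwarebazaar.config.add --scope global shared_config apikey-constructed
// Deny every user by default via the "all" role.
malwarebazaar.config.update shared_config --perm role all deny
// Grant the constructed "analysts" role read access to the configuration.
malwarebazaar.config.update shared_config --perm role analysts read
// Grant the constructed user "alice" admin on the configuration so she can rotate the key.
malwarebazaar.config.update shared_config --perm user alice admin
```

Denying "all" first and then granting narrower permissions keeps the key on a least-privilege footing; a later --apikey rotation by the admin user does not require re-issuing the role grants.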
malwarebazaar.daily
Download a ZIP archive from MalwareBazaar containing the rollup of all the files that MalwareBazaar received that day.
Usage: malwarebazaar.daily [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--date <date> : The day to pull the rollup for. (default: -1day)
--passwd <passwd> : A password to use to extract the zip archives that the samples come down in. (default: infected)
malwarebazaar.download
Download a sample from MalwareBazaar. Requires Synapse-FileParser to be available to extract the files.
Examples:
// Download all the files associated with the "todo" tag
file:bytes#todo | malwarebazaar.download --yield
Usage: malwarebazaar.download [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--passwd <passwd> : A password to use to extract the zip archives that the samples come down in. (default: infected)
malwarebazaar.enrich
Enrich a file:bytes, hash:md5, hash:sha1, or hash:sha256 node using the MalwareBazaar API.
Examples:
// Enrich a single hash:sha1 node and yield the resulting nodes.
hash:sha1 | limit 1 | malwarebazaar.enrich --yield
// Enrich a set of file:bytes nodes
file:bytes#enrich | malwarebazaar.enrich --yield
Usage: malwarebazaar.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
malwarebazaar.query
Query the MalwareBazaar API for samples associated with a particular search term. The MalwareBazaar API supports returning up to 1000 results.
Usage: malwarebazaar.query [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--config <config> : Override the default config with the provided name.
--tag <tag> : The MalwareBazaar tag to search on (TrickBot, Loki, android, mips).
--filetype <filetype> : The MalwareBazaar filetype to search on (exe, elf, zip, xls).
--signature <signature> : The MalwareBazaar signature to search on (RedLineStealer, AgentTesla, Quakbot).
--imphash <imphash> : The imphash to search MalwareBazaar for.
--issuer-cn <issuer_cn> : The Issuer Common Name of a signing certificate to search MalwareBazaar.
--subject-cn <subject_cn> : The Subject Common Name of a signing certificate to search MalwareBazaar.
--yara-rule <yara_rule> : The name of a yara rule to search MalwareBazaar for.
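The following is an added example, not from the package documentation, chaining malwarebazaar.query into malwarebazaar.download: the query yields the nodes it creates for a signature search, the pipeline keeps only file:bytes nodes (an assumption that other node types may also be yielded), and those are handed to download, which requires Synapse-FileParser as noted above. The signature value is one of the examples listed for --signature; the --size cap is constructed.

```storm
// Query up to 20 samples MalwareBazaar associates with the AgentTesla signature,
// keep only the file:bytes nodes, and download their contents for parsing.
malwarebazaar.query --signature AgentTesla --size 20 --yield
    | +file:bytes
    | malwarebazaar.download --yield
```

Keeping --size small on the query bounds how many samples the download step retrieves in one run; the API's 1000-result ceiling still applies to the query itself.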
Storm Modules
This package does not export any Storm APIs.