Package Documentation
Storm Package: synapse-malwarebazaar
The following Commands are available from this package. This documentation is generated for version 1.4.0 of the package.
Storm Commands
This package implements the following Storm Commands.
malwarebazaar.certs
Ingest the Code Signing Certificate Blocklist (CSCB) that MalwareBazaar maintains.
Examples:
// Download up to 100 certificates from the blocklist.
malwarebazaar.certs --size 100 --yield --debug
Usage: malwarebazaar.certs [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
malwarebazaar.daily
Download a ZIP archive from MalwareBazaar containing the rollup of all the files that MalwareBazaar received that day.
Usage: malwarebazaar.daily [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--date <date> : The day to pull the rollup for. (default: -1day)
--passwd <passwd> : A password to use to extract the zip archives that the samples come down in. (default: infected)
malwarebazaar.download
Download a sample from MalwareBazaar. Requires Synapse-FileParser to be available to extract the files.
Examples:
// Download all the files associated with the "todo" tag
file:bytes#todo | malwarebazaar.download --yield
Usage: malwarebazaar.download [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--passwd <passwd> : A password to use to extract the zip archives that the samples come down in. (default: infected)
malwarebazaar.enrich
Enrich a file:bytes, hash:md5, hash:sha1, or hash:sha256 node using the MalwareBazaar API.
Examples:
// Enrich a single hash:sha1 node and yield the resulting nodes.
hash:sha1 | limit 1 | malwarebazaar.enrich --yield
// Enrich a set of file:bytes nodes
file:bytes#enrich | malwarebazaar.enrich --yield
Usage: malwarebazaar.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect. (default: -30days)
malwarebazaar.query
Query the MalwareBazaar API for samples associated with a particular search term. The MalwareBazaar API supports returning up to 1000 results.
Usage: malwarebazaar.query [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--asof <asof> : This argument is deprecated and no longer has any effect. (default: -30days)
--tag <tag> : The MalwareBazaar tag to search on (TrickBot, Loki, android, mips).
--filetype <filetype> : The MalwareBazaar filetype to search on (exe, elf, zip, xls).
--signature <signature> : The MalwareBazaar signature to search on (RedLineStealer, AgentTesla, Quakbot).
--imphash <imphash> : The imphash to search MalwareBazaar for.
--issuer-cn <issuer_cn> : The Issuer Common Name of a signing certificate to search MalwareBazaar.
--subject-cn <subject_cn> : The Subject Common Name of a signing certificate to search MalwareBazaar.
--yara-rule <yara_rule> : The name of a yara rule to search MalwareBazaar for.
malwarebazaar.setup.tagprefix
Set the tag prefix used when recording MalwareBazaar data as tags.
The default tag prefix is "rep.malwarebazaar" if not specified.
Any tags provided by the MalwareBazaar API will be added within the given namespace.
For example, the item "foo" would result in "#rep.malwarebazaar.foo". Any characters incompatible with tag names are replaced with "_".
Usage: malwarebazaar.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
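As an added illustration (not from the package documentation itself), the two Storm queries below show how the commands above combine into one hunt workflow: the first changes the tag namespace, the second pulls samples by MalwareBazaar tag, enriches them and fetches the bytes. The prefix "rep.mb", the tag value "elf" under that prefix, and the assumption that the query and enrich commands yield file:bytes nodes that the next command accepts are all assumptions made here, not facts stated on the page. Run the two queries one after the other.

```storm
// Query 1: record MalwareBazaar-provided tags under #rep.mb.* instead of
// the default #rep.malwarebazaar.* (assumed prefix; set once, applies to
// all later ingests by this package).
malwarebazaar.setup.tagprefix rep.mb

// Query 2: pull at most 50 samples that MalwareBazaar has tagged "mips"
// (a tag value the page lists), yield the new nodes, enrich each one via
// the API so its MalwareBazaar tags land under #rep.mb.*, keep only the
// nodes MalwareBazaar labelled "elf" (assumed tag value), and fetch the
// bytes for those using the default archive password.
malwarebazaar.query --tag mips --size 50 --yield
| malwarebazaar.enrich --yield
| +#rep.mb.elf
| malwarebazaar.download --passwd infected --yield
```

The download step needs Synapse-FileParser available, as the malwarebazaar.download description notes; without it the fetched archives cannot be extracted into file:bytes nodes.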
Storm Modules
This package does not export any Storm APIs.