Package Documentation

Storm Package: synapse-malwarebazaar

The following Commands are available from this package. This documentation is generated for version 1.2.0 of the package.

Storm Commands

This package implements the following Storm Commands.

malwarebazaar.certs

Ingest the Code Signing Certificate Blocklist (CSCB) that MalwareBazaar maintains.

Examples:
  // Download up to 100 certificates from the blocklist.
  malwarebazaar.blocklist --size 100 --yield --debug


Usage: malwarebazaar.certs [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.

malwarebazaar.daily

Download a ZIP archive from MalwareBazaar containing the rollup of all the files that MalwareBazaar received that day.


Usage: malwarebazaar.daily [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --date <date>               : The day to pull the rollup for. (default: -1day)
  --passwd <passwd>           : A password to use to extract the zip archives that the samples come down in. (default: infected)

malwarebazaar.download

Download a sample from MalwareBazaar. Requires Synapse-FileParser to be available to extract the files.

Examples:

  // Download all the files associated with the "todo" tag
  file:bytes#todo | malwarebazaar.download --yield


Usage: malwarebazaar.download [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --passwd <passwd>           : A password to use to extract the zip archives that the samples come down in. (default: infected)

malwarebazaar.enrich

Enrich a file:bytes, hash:md5, hash:sha1, or hash:sha256 node using the MalwareBazaar API.

Examples:

  // Enrich a single hash:sha1 node and yield the resulting nodes.
  hash:sha1 | limit 1 | malwarebazaar.enrich --yield

  // Enrich a set of file:bytes nodes
  file:bytes#enrich | malwarebazaar.enrich --yield


Usage: malwarebazaar.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect. (default: -30days)

malwarebazaar.query

Query the MalwareBazaar API for samples associated with a particular search term. The MalwareBazaar API supports returning up to 1000 results.


Usage: malwarebazaar.query [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : This argument is deprecated and no longer has any effect. (default: -30days)
  --tag <tag>                 : The MalwareBazaar tag to search on (TrickBot, Loki, android, mips).
  --filetype <filetype>       : The MalwareBazaar filetype to search on (exe, elf, zip, xls).
  --signature <signature>     : The MalwareBazaar signature to search on (RedLineStealer, AgentTesla, Quakbot).
  --imphash <imphash>         : The imphash to search MalwareBazaar for.
  --issuer-cn <issuer_cn>     : The Issuer Common Name of a signing certificate to search MalwareBazaar.
  --subject-cn <subject_cn>   : The Subject Common Name of a signing certificate to search MalwareBazaar.

malwarebazaar.setup.tagprefix

Set the tag prefix used when recording MalwareBazaar data as tags.
The default tag prefix is "rep.malwarebazaar" if not specified.

Any tags provided by the MalwareBazaar API will be added within the given namespace.
For example, the item "foo" would result in "#rep.malwarebazaar.foo".  Any
characters incompatible with tag names are replaced with "_".


Usage: malwarebazaar.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.