User Guide

Synapse-Mandiant User Guide

Synapse-Mandiant adds new Storm commands to allow you to query the Mandiant Advantage API using your existing API key.

Getting Started

Check with your Synapse admin to have the required permissions enabled and to find out whether you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> mandiant.advantage.setup.apikey --self myapikey myapisecret
Setting Mandiant Advantage API key for the current user.

Controlling ingest options

Many commands recursively ingest additional data based on their results. For example, mandiant.advantage.malware also ingests the reports, vulnerabilities, and indicators associated with each malware family, and each of those ingests can in turn ingest further indicators, vulnerabilities, and so on. By default, commands limit this recursion to one additional level of enrichment; finer-grained control is available through the --opts argument.

Using mandiant.advantage.malware as an example, the --show-opts flag prints the current set of defaults that will be used for that command.

> mandiant.advantage.malware --show-opts
actors:history=false
    Ingest the history for individual actors.
actors:indicators=false
    Ingest indicators associated with individual actors.
actors:reports=false
    Ingest reports associated with individual actors.
actors:vulns=false
    Ingest vulns associated with individual actors.
indicators:threat_score=60
    Minimum Threat Score to return in the results.
malware:indicators=true
    Ingest indicators associated with individual malware families.
malware:reports=true
    Ingest reports associated with individual malware families.
malware:vulns=true
    Ingest vulns associated with individual malware families.
malware:yara=true
    Ingest YARA rules associated with individual malware families.
recursion:max=4
    Set the maximum depth for recursive ingests.
reports:actors=false
    Ingest actors associated with individual reports.
reports:indicators=false
    Ingest indicators associated with individual reports.
reports:pdf=true
    Download the PDF for each report.
reports:pdf:fileparser=true
    Parse the PDF report using Synapse-FileParser.
reports:type:match=$lib.null
    Regex expression to match against report type for ingest (case-insensitive).
reports:vulns=false
    Ingest vulns associated with individual reports.
vulns:actors=false
    Ingest actors associated with individual vulns.
vulns:malware=false
    Ingest malware families associated with individual vulns.
vulns:reports=false
    Ingest reports associated with individual vulns.

If an --opts dictionary is passed in, its values override the defaults, and any individual command line arguments take precedence over both.

In the following example the --opts dictionary specifies that report indicators should be ingested, and the --report-excludes command line argument excludes a report type. Note that the excluded type is translated into the reports:type:match regex shown in the output.

> mandiant.advantage.malware --opts ({"reports:indicators": true}) --report-excludes "news analysis" --show-opts
actors:history=false
    Ingest the history for individual actors.
actors:indicators=false
    Ingest indicators associated with individual actors.
actors:reports=false
    Ingest reports associated with individual actors.
actors:vulns=false
    Ingest vulns associated with individual actors.
indicators:threat_score=60
    Minimum Threat Score to return in the results.
malware:indicators=true
    Ingest indicators associated with individual malware families.
malware:reports=true
    Ingest reports associated with individual malware families.
malware:vulns=true
    Ingest vulns associated with individual malware families.
malware:yara=true
    Ingest YARA rules associated with individual malware families.
recursion:max=4
    Set the maximum depth for recursive ingests.
reports:actors=false
    Ingest actors associated with individual reports.
reports:indicators=true
    Ingest indicators associated with individual reports.
reports:pdf=true
    Download the PDF for each report.
reports:pdf:fileparser=true
    Parse the PDF report using Synapse-FileParser.
reports:type:match=^(?!news analysis$)(.*)
    Regex expression to match against report type for ingest (case-insensitive).
reports:vulns=false
    Ingest vulns associated with individual reports.
vulns:actors=false
    Ingest actors associated with individual vulns.
vulns:malware=false
    Ingest malware families associated with individual vulns.
vulns:reports=false
    Ingest reports associated with individual vulns.

Finally, if the command supports a --full flag, it overrides all other options by setting all of the recursive ingest flags to true. These ingests are still bounded by the maximum recursion depth (recursion:max, default 4). Increase this value with care, as it can cause a dramatic increase in data ingest volume.
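
The following Python model of that precedence is an added example, not part of Synapse-Mandiant or of this guide. It encodes a subset of the defaults printed by --show-opts above, builds the exclusion regex that --report-excludes produced in the previous example, and applies the documented ordering: defaults, then the --opts dictionary, then command line arguments, then --full. The exact set of flags --full touches, the way several --report-excludes values would be combined, and the helper names are assumptions.

```python
import re

# Subset of the defaults printed by `mandiant.advantage.malware --show-opts`
# on this page. $lib.null is modelled as None.
DEFAULT_OPTS = {
    "indicators:threat_score": 60,
    "malware:indicators": True,
    "malware:reports": True,
    "malware:vulns": True,
    "recursion:max": 4,
    "reports:actors": False,
    "reports:indicators": False,
    "reports:pdf": True,
    "reports:pdf:fileparser": True,
    "reports:type:match": None,
    "reports:vulns": False,
}

# Flags that --full forces to true. Assumption: these are the
# "Ingest <x> associated with <y>" toggles, not the PDF, score,
# regex or depth settings.
RECURSIVE_FLAGS = (
    "malware:indicators", "malware:reports", "malware:vulns",
    "reports:actors", "reports:indicators", "reports:vulns",
)


def excludes_to_regex(excludes):
    """Build the reports:type:match regex that --report-excludes produces.

    For one exclude the page shows ^(?!news analysis$)(.*). Joining several
    excludes with | inside the same negative lookahead is an assumption.
    Types are inserted verbatim, as on the page (no regex metacharacters).
    """
    alternatives = "|".join(f"{e}$" for e in excludes)
    return f"^(?!{alternatives})(.*)"


def resolve_opts(defaults, opts=None, report_excludes=None, full=False):
    """Apply the documented precedence: defaults, then the --opts dictionary,
    then command line arguments (only --report-excludes is modelled here),
    then --full, which forces every recursive ingest flag to true but
    leaves recursion:max untouched."""
    resolved = dict(defaults)
    if opts:
        resolved.update(opts)
    if report_excludes:
        resolved["reports:type:match"] = excludes_to_regex(report_excludes)
    if full:
        for key in RECURSIVE_FLAGS:
            resolved[key] = True
    return resolved


def report_type_allowed(pattern, report_type):
    """True when a report type passes reports:type:match. The option is
    documented as case-insensitive, so re.IGNORECASE is used; a null
    pattern disables the filter entirely."""
    if pattern is None:
        return True
    return re.match(pattern, report_type, re.IGNORECASE) is not None


def filter_report_types(opts, report_types):
    """Return the report types that would be ingested under resolved options."""
    pattern = opts["reports:type:match"]
    return [rt for rt in report_types if report_type_allowed(pattern, rt)]


if __name__ == "__main__":
    # Constructed sample of report types, named after the tags on this page.
    types = ["News Analysis", "news analysis update",
             "threat activity alert", "vulnerability report"]
    resolved = resolve_opts(DEFAULT_OPTS, opts={"reports:indicators": True},
                            report_excludes=["news analysis"])
    print(resolved["reports:type:match"])
    print(filter_report_types(resolved, types))
```

Two points worth checking before relying on the exclusion: the lookahead ends in $, so only a report type that is exactly "news analysis" is dropped, while a type such as "news analysis update" still matches and is ingested; and because --full overrides --opts, a dictionary that switched an ingest flag off is silently re-enabled when --full is present, with only recursion:max left to bound the result.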

Retrieve indicator details

Enrich nodes and yield the results:

> hash:md5#myhash | mandiant.advantage.indicators --yield
hash:md5=917216ed69bc4feda54d706e99cd9b59
        .created = 2024/12/20 18:08:29.445
        .seen = ('2022/08/22 15:46:10.000', '2023/09/08 15:57:04.000')
        :_mandiant:icscore = 95
        :_mandiant:threat:confidence = high
        :_mandiant:threat:score = 89
        :_mandiant:threat:severity = high
        :_mandiant:threat:severity:reasons = ['attributed']
        #myhash
        #rep.mandiant = (2022/08/22 15:46:10.000, 2023/09/08 15:57:04.000)
        #rep.mandiant.cargobay
        #rep.mandiant.malware
        #rep.mandiant.malware_downloader
        #rep.mandiant.unc3753

Pivot to malware associated with an indicator:

> hash:md5#myhash -> file:bytes -> # -> risk:tool:software:tag
risk:tool:software=5c137a4da9f8017be268c0672ce7df67
        .created = 2024/12/20 18:08:30.318
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :soft:name = cargobay
        :tag = rep.mandiant.cargobay

Pivot to a threat cluster associated with an indicator:

> hash:md5#myhash -> file:bytes -> # -> risk:threat:tag
risk:threat=cdf3f90deae6492df07478c87194fcca
        .created = 2024/12/20 18:08:30.195
        :name = unc3753 (mandiant)
        :org:name = unc3753
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :tag = rep.mandiant.unc3753

Ingest reports

If Synapse-FileParser is installed on the Cortex, the downloaded PDF version of each report is parsed automatically. The --opts argument can be used to disable this behavior by setting reports:pdf:fileparser to false.

Ingest reports within a timebox:

> mandiant.advantage.reports --time ("2022-05-15", "+30days") --size 5 --yield --opts ({"reports:pdf:fileparser": false})
media:news=f17e5417da45fe311833250214431640
        .created = 2024/12/20 18:08:31.596
        .seen = ('2022/06/13 21:39:36.462', '2022/06/13 21:39:36.463')
        :ext:id = 22-00014206
        :file = sha256:1e70dfcc05cd6462125d41258a3043fb43bcd4c46828897a95853ffacd354cd3
        :published = 2022/06/13 21:39:36.462
        :publisher:name = mandiant
        :summary = Threat Activity Alerts relay immediate observations of notable activities within the cyber threat environment. Activities continue to be monitored and may result in additional alerts or reports if anything significant occurs, or the issue warrants further analysis.
        :title = threat activity alert: alert: pro-russia hacktivist group 'noname057(16)' claims ddos attack against us dod contractor and uk security company
        :url = https://advantage.mandiant.com/reports/22-00014206
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.hacktivism
        #rep.mandiant.threat_activity_alert
media:news=2f89a16c7044c386c79ce2d09473b5e9
        .created = 2024/12/20 18:08:32.433
        .seen = ('2022/06/13 21:37:44.548', '2022/06/13 21:37:44.549')
        :ext:id = 22-00013906
        :file = sha256:09b1cda74283cfa9a9b1a371738ce960058bd01468e255a638472e34b311525b
        :published = 2022/06/13 21:37:44.548
        :publisher:name = mandiant
        :summary = Mandiant has identified what we assess with high confidence to be a pro-Russia website and Telegram channel by the name of "НемеZида" (English translation: Nemesis), which publishes and promotes personally identifiable information (PII) purportedly belonging to individuals working for or otherwise supporting the Ukrainian government.
                   Nemesis is run by the pro-Russia "hacktivist" group RaHDIt. We assess with moderate confidence that the "RaHDIt" group running Nemesis is the same group that claimed multiple defacements and website compromises targeting the Ukrainian government in early March 2022.
                   We do not currently attribute RaHDIt to a specific actor. However, we note that RaHDIt has claimed to cooperate with the hacktivist group Beregini; and we have identified cross-promotion between the respective Telegram channels belonging to RaHDIt and the "hacktivist" groups XakNet Team and KillNet.
        :title = 'nemesis' website claimed by 'hacktivist' group rahdit publishes personally identifiable information purportedly belonging to ukrainian government employees and supporters
        :url = https://advantage.mandiant.com/reports/22-00013906
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.event_coverage_implication
        #rep.mandiant.hacktivism
media:news=8ac4322a26a46f74c721755fba8b96c9
        .created = 2024/12/20 18:08:33.427
        .seen = ('2022/06/13 21:32:31.051', '2022/06/13 21:32:31.052')
        :ext:id = 22-00014205
        :file = sha256:f37a5b9a3667aa15e4edfddbd68ceae24b154390f95b2b0c907e83e08cb2a0b7
        :published = 2022/06/13 21:32:31.051
        :publisher:name = mandiant
        :summary = Threat Activity Alerts relay immediate observations of notable activities within the cyber threat environment. Activities continue to be monitored and may result in additional alerts or reports if anything significant occurs, or the issue warrants further analysis.
        :title = threat activity alert: pro-russian hacktivist groups 'killnet' and 'legion' declare war against poland
        :url = https://advantage.mandiant.com/reports/22-00014205
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.hacktivism
        #rep.mandiant.threat_activity_alert
media:news=4100c49c6820eaac885dae4b9451343a
        .created = 2024/12/20 18:08:34.336
        .seen = ('2022/06/13 21:18:23.373', '2022/06/13 21:18:23.374')
        :ext:id = 22-00014204
        :file = sha256:88127dc9de02fe59b40aec059059da4fa8c320ce3b1bebe42f4debdcea5f3807
        :published = 2022/06/13 21:18:23.373
        :publisher:name = mandiant
        :summary = Threat Activity Alerts relay immediate observations of notable activities within the cyber threat environment. Activities continue to be monitored and may result in additional alerts or reports if anything significant occurs, or the issue warrants further analysis.
        :title = threat activity alert: english-speaking actor “ddosecrets” leaks data from russian it company
        :url = https://advantage.mandiant.com/reports/22-00014204
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.hacktivism
        #rep.mandiant.threat_activity_alert
media:news=aa9a4e6ab4bde63b608ae87f1b38eaac
        .created = 2024/12/20 18:08:35.148
        .seen = ('2022/06/13 21:15:17.714', '2022/06/13 21:15:17.715')
        :ext:id = 22-00014203
        :file = sha256:af96a39bc385d61c99ed734328139f278a5523e13f10de7bf16ae41b968248c2
        :published = 2022/06/13 21:15:17.714
        :publisher:name = mandiant
        :summary = Threat Activity Alerts relay immediate observations of notable activities within the cyber threat environment. Activities continue to be monitored and may result in additional alerts or reports if anything significant occurs, or the issue warrants further analysis.
        :title = threat activity alert: english-speaking actor 'mont4na' advertises source code of and sqli vulnerability at multiple companies on breached.co
        :url = https://advantage.mandiant.com/reports/22-00014203
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.cyber_crime
        #rep.mandiant.threat_activity_alert

Reports can also be ingested by ID:

> mandiant.advantage.reports "21-00012833" --yield --opts ({"reports:pdf:fileparser": false})
media:news=0cfd0a6a7a2c361d1321a634b3adefaf
        .created = 2024/12/20 18:08:36.273
        .seen = ('2023/10/27 18:27:48.295', '2023/10/27 18:27:48.296')
        :ext:id = 21-00012833
        :file = sha256:450ccc197f5f4e9a186acfcf9bb14ef10bf5d0cea73258dcef4a9722bc34470e
        :published = 2023/10/27 18:27:48.295
        :publisher:name = mandiant
        :summary = An Improper Privilege Management vulnerability exists that, when exploited, allows a local attacker to bypass certain security mechanisms.
                   This vulnerability has been confirmed to be exploited in the wild, and non-weaponized and proof-of-concept code is publicly available.
                   Mandiant Intelligence considers this a Medium-risk vulnerability due to the potential for bypassing certain security mechanisms, offset by user interaction requirements and local access requirements.
                   Mitigation options include a patch and a workaround.
        :title = microsoft windows server 2019 print spooler improper privilege management vulnerability
        :url = https://advantage.mandiant.com/reports/21-00012833
        :url:fqdn = advantage.mandiant.com
        #rep.mandiant.cyber_physical
        #rep.mandiant.vulnerability
        #rep.mandiant.vulnerability_report

Report references are linked via a -(refs)> lightweight edge.

For example, to pivot to vulnerabilities and exploits:

> media:news#rep.mandiant.vulnerability_report -(refs)> risk:vuln
risk:vuln=bdfbc2a6dd05240a91b8ab2c151202ab
        .created = 2024/12/20 18:08:41.317
        :cve = cve-2021-1675
        :cvss:v2 = AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
        :cvss:v2_0:score = 6.0
        :cvss:v2_0:score:base = 7.2
        :cvss:v2_0:score:temporal = 6.0
        :cvss:v3 = AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
        :cvss:v3_0:score = 7.8
        :cvss:v3_0:score:base = 7.8
        :cwes = ['CWE-269']
        :desc = A vulnerability exists within the Print Spooler in Windows Server 2019 because of an improperly implemented check for the SeLoadDriverPrivilege privilege. This improper check allows a normal user to bypass security checks and add a driver to the vulnerable system.
        :exploited = true
        :mitigated = true
        :name = microsoft windows server 2019 print spooler improper privilege management vulnerability
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :severity = medium
        :timeline:published = 2023/10/27 18:21:13.000
        :timeline:vendor:notified = 2021/06/07 00:00:00.000
        :type = improper_privilege_management
        #rep.mandiant.in_the_wild
> media:news#rep.mandiant.vulnerability_report -(refs)> media:news
media:news=536e0b43f0c8a5ce1037a23d3b06d075
        .created = 2024/12/20 18:08:40.838
        :published = 2021/06/27 00:00:00.000
        :title = this poc takes the form of a python script and a c# program capable of delivering a user-supplied payload to a vulnerable system.
        :url = https://github.com/cube0x0/CVE-2021-1675
        :url:fqdn = github.com
media:news=98f35977f921f8be295ded7f30f9c525
        .created = 2024/12/20 18:08:40.754
        :published = 2022/01/28 00:00:00.000
        :title = this poc will trigger this vulnerability to gain elevated privileges.
        :url = https://github.com/AndrewTrube/CVE-2021-1675
        :url:fqdn = github.com
media:news=b16d4c949575e0ba4c4aae5c16d2e71c
        .created = 2024/12/20 18:08:41.179
        :published = 2022/05/16 00:00:00.000
        :title = this exploit takes the form of a metasploit module capable of exploiting cve-2021-1675 and cve-2021-34527 with the ability to handle multiple pre-generated or custom payloads.
        :url = https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb
        :url:fqdn = raw.githubusercontent.com
media:news=bc74d88c71b2503f6e5e84ca7f89cafd
        .created = 2024/12/20 18:08:40.923
        :published = 2021/06/27 00:00:00.000
        :title = this poc takes the form of a powershell script capable of performing local privilege escalation to execute a user-supplied dll payload.
        :url = https://github.com/calebstewart/CVE-2021-1675
        :url:fqdn = github.com
media:news=5e11efcab3e635e8030fe1da56e087c9
        .created = 2024/12/20 18:08:41.094
        :published = 2022/05/25 00:00:00.000
        :title = this exploit takes the form of a metasploit module which can exploit this vulnerability in conjunction with cve-2021-34527.
        :url = https://packetstormsecurity.com/files/167261/cve_2021_1675_printnightmare.rb.txt
        :url:fqdn = packetstormsecurity.com
media:news=841237cd4a8afedb32d669baa8adb948
        .created = 2024/12/20 18:08:41.008
        :published = 2021/08/29 00:00:00.000
        :title = this exploit exists as a github repository containing a cobalt strike plugin which allows elevated privileges to be obtained.
        :url = https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
        :url:fqdn = github.com

Use of meta:source nodes

Synapse-Mandiant uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Mandiant Advantage API.

> meta:source=87af91df0f689c810822046e49af0db8
meta:source=87af91df0f689c810822046e49af0db8
        .created = 2024/12/20 18:08:29.751
        :name = mandiant api

Storm can be used to include or exclude nodes that have been observed by Synapse-Mandiant. The following example filters the results of a query to include only nodes observed by Synapse-Mandiant:

> ou:name=unc3753 -> risk:threat +{ <(seen)- meta:source=87af91df0f689c810822046e49af0db8 }
risk:threat=cdf3f90deae6492df07478c87194fcca
        .created = 2024/12/20 18:08:30.195
        :name = unc3753 (mandiant)
        :org:name = unc3753
        :reporter = e961a43c0cee3fbcf7aeb4c567989be7
        :reporter:name = mandiant
        :tag = rep.mandiant.unc3753