User Guide

Synapse-ReversingLabs User Guide

Synapse-ReversingLabs adds new Storm commands to allow you to query the ReversingLabs API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> reversinglabs.setup.apikey --self myapikey
Setting ReversingLabs API key for the current user.

Setting your personal API endpoint

To configure what URL to issue queries to:

> reversinglabs.setup.endpoint --self myapikey
Setting ReversingLabs API Endpoint for the current user.

Setting the tag prefix

To configure the base tag to use when tagging samples:

> reversinglabs.setup.tagprefix "rep.revlabs"
Setting ReversingLabs tag prefix to rep.revlabs.

To set the base tag, the permission globals.set.reversinglabs:tag:prefix must be set on your user/role. Contact your Admin to enable these permissions.

Downloading files from ReversingLabs

Download the bytes for just a hash:sha256 node into the configured Axon:

> hash:sha256=f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94 | reversinglabs.a1000.download --yield
file:bytes=sha256:f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94
        .created = 2024/04/17 17:15:26.989
        :md5 = 6e51db99647450387e583ecb67de7f6e
        :sha1 = a1833c32d5f61d6ef9d1bb0133585112069d770e
        :sha256 = f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94
        :sha512 = c39b856abbdbf6f322190f338672b1e7c68db02562e918ef9446287e9d564ea53a55746469c83d751148558fdb9f5ccbf365e3f4b6815cb907f056a704382e72

Download the bytes for a file:bytes, and any extracted files, into the configured Axon. You must have the Synapse-FileParser service installed.

> file:bytes=a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8 | reversinglabs.a1000.download --all --yield
fileparser parsing sha256: 8f959def7e40976ccea714271523f7a78c848fb40b925f6affc0ec8a54168b86
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
file:bytes=sha256:a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8
        .created = 2024/04/17 17:15:27.029
        :md5 = 9e33143916f648ec338f209eb0bd4789
        :sha1 = 2aa3803869edee7fa1ab7cf96d992ccfecc89e7b
        :sha256 = a3f2c60aa5af9d903a31ec3c1d02eeeb895c02fcf3094a049a3bdf3aa3d714c8
        :sha512 = a57499328b44719a5690779c3b2ad8ee7b9e87dbe838d950c1dbb7c1ca5c3228ae8e4936fcec144abaa5b67ee4b6bcfde00d256fed905a2d52824851d6c60864

Enriching Hashes Using ReversingLabs

Ingest the report for an already processed hash:

> hash:sha1=ffb0b1ff2451733a44d4d6c22f751ced5d9a7f1c | reversinglabs.a1000.enrich --yield
WARNING: The form it:av:sig is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The form it:av:filehit is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The property it:av:filehit:sig is deprecated or using a deprecated type and will be removed in 3.0.0
file:bytes=sha256:521687de405b2616b1bb690519e993a9fb714cecd488c168a146ff4bbf719f87
        .created = 2024/04/17 17:15:33.514
        :md5 = c1d31b2af2f8ce75364b3952f0b0aa0b
        :sha1 = ffb0b1ff2451733a44d4d6c22f751ced5d9a7f1c
        :sha256 = 521687de405b2616b1bb690519e993a9fb714cecd488c168a146ff4bbf719f87
        :sha512 = 8c86f7b8de24539ac7f9384a6953054921900e00ef6442c4b313bee47522adefe5fc82d91c385939936c751dd0b94e77212a213ccfba3b130120799d71bcd9c8
        :size = 181904
        #rep.revlabs.ticloud.email_mime_trojan_generic = (2017/09/24 22:17:15.000, 2022/03/01 15:47:17.000)
        #rep.revlabs.ticloud.suspicious
        #rep.revlabs.ticore.malicious = (2022/03/28 18:10:50.895, 2022/03/28 18:10:50.896)

To pull the reports for an already processed set of hash:sha512 nodes using ReversingLabs and download any extracted files (and process them using Synapse-FileParser):

> hash:sha512#to.do | reversinglabs.a1000.enrich --yield --download
fileparser parsing sha256: 29e8ebc4263b09f2e13058ad488ee1c46d99855f51737ed94d85de6668c055f2
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: Unable to determine mime type.
WARNING: The form it:av:sig is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The form it:av:filehit is deprecated or using a deprecated type and will be removed in 3.0.0
WARNING: The property it:av:filehit:sig is deprecated or using a deprecated type and will be removed in 3.0.0
file:bytes=sha256:0be25e2e8485fe2a5a2ab9daf3542c3ef210bfe51bb6fbd310f8732bd3478019
        .created = 2024/04/17 17:15:41.916
        :md5 = 1903253a41c71413753c2d689caf1a4e
        :mime:pe:imphash = 06b515d008221b2a486a6bf4d0151082
        :sha1 = 45663679b2cda492370bdc3f0d4d9b116cdb5575
        :sha256 = 0be25e2e8485fe2a5a2ab9daf3542c3ef210bfe51bb6fbd310f8732bd3478019
        :sha512 = 446f15c5f86ab99d1d393b1d6ad1829873605687b19a9921ea8eaa5c12b0c297e024d5a9a5a628ea927d864a84c0be882be007176d6c5dd807167bd437381610
        :size = 396800
        #rep.revlabs.ticloud.malicious
        #rep.revlabs.ticloud.win32_backdoor_cypress = (2018/04/19 15:43:25.000, 2021/12/01 14:55:21.000)
        #rep.revlabs.ticore.malicious = (2022/03/28 18:29:35.467, 2022/03/28 18:29:35.468)

Pivot to the first five it:mitre:attack:technique nodes used by the file:

> hash:sha512#to.do -> file:bytes:sha512 -(uses)> it:mitre:attack:technique | limit 5
it:mitre:attack:technique=T1573
        .created = 2024/04/17 17:15:49.433
        :name = encrypted channel
it:mitre:attack:technique=T1105
        .created = 2024/04/17 17:15:49.355
        :name = ingress tool transfer
it:mitre:attack:technique=T1082
        .created = 2024/04/17 17:15:48.259
        :desc = An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
        :name = system information discovery
it:mitre:attack:technique=T1112
        .created = 2024/04/17 17:15:48.075
        :desc = Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
        :name = modify registry
it:mitre:attack:technique=T1106
        .created = 2024/04/17 17:15:48.332
        :desc = Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
        :name = execution through api

Submitting Files for Analysis

Submit a set of hash:sha256 nodes that exist in the configured Axon to ReversingLabs for analysis, and wait on receiving results:

> hash:sha256#relabs.todo | reversinglabs.a1000.submit  --yield
WARNING: ReversingLabs: The configured Axon does not contain bytes for 0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1

Upload a set of hash:sha256 that exists in the configured Axon to ReversingLabs for background processing without cloud analysis:

> hash:sha256#myfiles | reversinglabs.a1000.submit --background
WARNING: ReversingLabs: The configured Axon does not contain bytes for 0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1
hash:sha256=0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1
        .created = 2024/04/17 17:16:21.525
        #myfiles
        #relabs.todo

Submit a file:bytes that exists in the configured Axon for background processing, specifying which cloud sandboxes to run the sample on and to submit the file to the AV scanners:

> file:bytes=0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1 | reversinglabs.a1000.submit --background --scanners --sandboxes rl_cloud_sandbox
WARNING: ReversingLabs: The configured Axon does not contain bytes for 0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1
file:bytes=sha256:0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1
        .created = 2024/04/17 17:16:23.055
        :sha256 = 0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1

Retrieve all the sandbox executions results for a file:bytes:

> file:bytes=0014d9642748e7c56a70f18e7a8de205201a1f0e6b4426603e35f8c359c553f1  <- * | limit 5

Use of meta:source nodes

Synapse-ReversingLabs uses a meta:source node and -(seen)> light weight edges to track nodes observed from the ReversingLabs API.

> meta:source=1f25f2b2643e175e859ac6068a3dee10
meta:source=1f25f2b2643e175e859ac6068a3dee10
        .created = 2024/04/17 17:15:26.971
        :name = reversinglabs api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-ReversingLabs. The following example shows how to filter the results of a query to include only results observed by Synapse-ReversingLabs:

> #cool.tag.lift +{ <(seen)- meta:source=1f25f2b2643e175e859ac6068a3dee10 }