Package Documentation

Storm Package: synapse-vmray

The following Commands are available from this package. This documentation is generated for version 2.0.0 of the package.

Storm Commands

This package implements the following Storm Commands.

vmray.sample.iocs

Retrieve the IOCs from the VMRay IOC samples endpoint.

The IOCs that can be pulled back are files, filenames, mutexes, registry data, urls,
domains, IP addresses, emails, email addresses, and processes.

Can take as input a file:bytes/hash* node, or retrieve a sample directly by id using
the --id parameter

Examples:

  // Retrieve all the IOCs associated with all the files tagged with cno.tag
  file:bytes#cno.tag | vmray.sample.iocs --yield

  // Retrieve an IOC report for a specific VMRay sample ID, bypassing caching
  vmray.sample.iocs --id 95248 --yield --asof now | limit 10


Usage: vmray.sample.iocs [options]

Options:

  --help                      : Display the command usage.
  --id <id>                   : A VMRay sample ID to query for
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)
  --severity <severity>       : Filter IOC results to one of VMRay's verdicts (malicious, suspicious, clean, or null)
  --type <type>               : Filter results by IOC type (files/mutexes/emails/etc), or return everything if not
                                specified.

vmray.sample.mitre

Retrieve the Mitre ATT&CK techniques for a given sample.

Can take as input a file:bytes/hash* node, or retrieve a sample directly by id using
the --id parameter

Examples:

  // Retrieve all the MITRE ATT&CK techniques associated with a set of binaries
  file:bytes#interesting.files | vmray.sample.mitre --yield

  // Retrieve all the MITRE ATT&CK techniques for a specific VMRay sample ID
  vmray.sample.mitre --id 280013


Usage: vmray.sample.mitre [options]

Options:

  --help                      : Display the command usage.
  --id <id>                   : A VMRay sample ID to query for
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)

vmray.sample.submit

Submit the full bytes for a file to VMRay for analysis. The file must live in the configured Axon.

Examples:

    // Submit a single file to VMRay for analysis.
    file:bytes | vmray.sample.submit --size 1


Usage: vmray.sample.submit [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --passwd <passwd>           : A password to hand to VMRay for extracting an already encrypted or password-protected
                                archive or document.
  --archive-action <archive_action>: Tell VMRay how to deal with archive files. "sample" for treating as singular sample,
                                "compound_sample" to run multiple files as one sample, and "separate_samples" to treat
                                every file in an archive as a separate sample.
  --static-only               : Only run static analysis on the sample, not static and dynamic.

vmray.sample.vtis

Retrieve the VMRay Threat Identifiers for a given sample.

Can take as input a file:bytes/hash* node, or retrieve a sample directly by id using
the --id parameter

Examples:

  // Retrieve all the VMRay Threat Identifiers for a set of hashes
  hash:sha1#my.cool.tag | vmray.sample.vtis --yield

  // Retrieve the VMRay Threat identifiers for a specific sample ID
  vmray.sample.vtis --id 57293 --yield


Usage: vmray.sample.vtis [options]

Options:

  --help                      : Display the command usage.
  --id <id>                   : A VMRay sample ID to query for
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now.
                                (default: -30days)

vmray.setup.apikey

Set the VMRay API key.


Usage: vmray.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set the key as a user variable. If not used, the key is set globally.

Arguments:

  <apikey>                    : The VMRay API key string.

vmray.setup.endpoint

Set which VMRay Cloud/On Premises to forward REST requests to.

Per their documentation, if you're Europe based, use "https://eu.cloud.vmray.com".
If you're US based, use "https://us.cloud.vmray.com".  If you use the On Premises
version of VMRay, consult your Administrator for the endpoint.


Usage: vmray.setup.endpoint [options] <endpoint>

Options:

  --help                      : Display the command usage.
  --self                      : Set the endpoint as a user variable. If not used, the key is set globally.

Arguments:

  <endpoint>                  : The VMRay API endpoint to use.

Storm Modules

This package does not export any Storm APIs.