Merge branch 'release/3.3.8'

.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
         with:
           driver-opts: image=moby/buildkit:v0.12.0
           args: |
-            --namespace cortexneurons --path analyzers --registry_dockerhub ${{ secrets.REGISTRY_DOCKERHUB }} --registry_harbor ${{ secrets.REGISTRY_HARBOR }} ${{ (startsWith(github.ref, 'refs/tags') || github.event_name == 'schedule') && '--stable' || '' }}
+            --namespace cortexneurons --path analyzers --registry_dockerhub ${{ secrets.REGISTRY_DOCKERHUB }} ${{ (startsWith(github.ref, 'refs/tags') || github.event_name == 'schedule') && '--stable' || '' }}
 
   build_responders:
     name: Build Responders
@@ -40,7 +40,7 @@ jobs:
         with:
           driver-opts: image=moby/buildkit:v0.12.0
           args: |
-            --namespace cortexneurons --path responders --registry_dockerhub ${{ secrets.REGISTRY_DOCKERHUB }} --registry_harbor ${{ secrets.REGISTRY_HARBOR }} ${{ (startsWith(github.ref, 'refs/tags') || github.event_name == 'schedule') && '--stable' || '' }}
+            --namespace cortexneurons --path responders --registry_dockerhub ${{ secrets.REGISTRY_DOCKERHUB }} ${{ (startsWith(github.ref, 'refs/tags') || github.event_name == 'schedule') && '--stable' || '' }}
 
   build_catalog:
     name: Build Catalog

.gitignore

@@ -19,8 +19,9 @@ pyvenv.cfg
 share
 
 test-doc
+test_doc
 analyzers/*/input
 analyzers/*/output
 responders/*/input
 responders/*/output
-analyzers/*/cortexutils
+analyzers/*/cortexutils

analyzers/AbuseIPDB/abuseipdb.py

@@ -14,6 +14,8 @@ class AbuseIPDBAnalyzer(Analyzer):
     def extract_abuse_ipdb_category(category_number):
         # Reference: https://www.abuseipdb.com/categories
         mapping = {
+            "1": "DNS Compromise",
+            "2": "DNS Poisoning",
             "3": "Fraud Orders",
             "4": "DDOS Attack",
             "5": "FTP Brute-Force",
@@ -36,7 +38,7 @@ def extract_abuse_ipdb_category(category_number):
             "22": "SSH",
             "23": "IoT Targeted",
         }
-        return mapping.get(str(category_number), 'unknown category')
+        return mapping.get(str(category_number), 'Unknown Category')
 
     def run(self):
 
@@ -76,11 +78,38 @@ def run(self):
         except Exception as e:
             self.unexpectedError(e)
 
+
     def summary(self, raw):
-        taxonomies = []
+        taxonomies = []  # level, namespace, predicate, value
+
+        is_whitelisted = False
+        data = {}
+        if raw and 'values' in raw:
+            data = raw['values'][0]['data']
+        else:
+            return {'taxonomies': []}
+
+        if data.get('isWhitelisted', False):
+            is_whitelisted = True
+            taxonomies.append(self.build_taxonomy('info', 'AbuseIPDB', 'Is Whitelist', 'True'))
+
+        if data.get('isTor', False):
+            taxonomies.append(self.build_taxonomy('info', 'AbuseIPDB', 'Is Tor', 'True'))
 
-        if raw and 'values' in raw and raw['values'][0]['data']['totalReports'] > 0 :
-            taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', raw['values'][0]['data']['totalReports']))
+        if 'usageType' in data:
+            taxonomies.append(self.build_taxonomy('info', 'AbuseIPDB', 'Usage Type', data['usageType']))
+
+        if 'abuseConfidenceScore' in data:
+            if data['abuseConfidenceScore'] > 0:
+                taxonomies.append(self.build_taxonomy('suspicious', 'AbuseIPDB', 'Abuse Confidence Score', data['abuseConfidenceScore']))
+            else:
+                taxonomies.append(self.build_taxonomy('safe', 'AbuseIPDB', 'Abuse Confidence Score', 0))
+
+        if data['totalReports'] > 0 :
+            if is_whitelisted:
+                taxonomies.append(self.build_taxonomy('info', 'AbuseIPDB', 'Records', data['totalReports']))
+            else:
+                taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', data['totalReports']))
         else:
             taxonomies.append(self.build_taxonomy('safe', 'AbuseIPDB', 'Records', 0))
 

analyzers/Abuse_Finder/abusefinder.py

@@ -15,16 +15,16 @@
 class AbuseFinderAnalyzer(Analyzer):
 
     def summary(self, raw):
-
         taxonomies = []
-        if raw['abuse_finder'] and raw['abuse_finder'].get('abuse'):
-            for abuse in raw['abuse_finder']['abuse']:
-                taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", abuse))
-        else:
-            taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", "None"))
-            return {"taxonomies": taxonomies}
-
-        return {}
+        try:
+            if raw and raw['abuse_finder'].get('abuse'):
+                for abuse in raw['abuse_finder']['abuse']:
+                    taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", abuse))
+            else:
+                taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", "None"))
+        except:
+            pass
+        return {"taxonomies": taxonomies}
 
     def abuse(self):
         if self.data_type == "ip":

analyzers/Abuse_Finder/requirements.txt

@@ -1,3 +1,3 @@
 cortexutils
-abuse_finder
+abuse_finder>=0.3
 future

analyzers/AnyRun/AnyRun_Sandbox_Analysis.json

@@ -1,7 +1,7 @@
 {
   "name": "AnyRun_Sandbox_Analysis",
-  "version": "1.0",
-  "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
+  "version": "1.1",
+  "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Any.Run Sandbox file analysis",
@@ -31,6 +31,102 @@
       "multi": false,
       "required": true,
       "defaultValue": true
+    },
+    {
+      "name": "env_bitness",
+      "description": "default OS bitness; 32 or 64",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 32
+    },
+    {
+      "name": "env_version",
+      "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
+      "type": "string",
+      "multi": false,
+      "required": false,
+      "defaultValue": "7"
+    },
+    {
+      "name": "env_type",
+      "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
+      "type": "string",
+      "multi": false,
+      "required": false,
+      "defaultValue": "complete"
+    },
+    {
+      "name": "opt_network_connect",
+      "description": "Do you want to disable networking? set false to disable",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": true
+    },
+    {
+      "name": "opt_network_fakenet",
+      "description": "FakeNet feature status; set true to enable.",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_tor",
+      "description": "TOR using.",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_mitm",
+      "description": "HTTPS MITM proxy option.",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_geo",
+      "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "fastest"
+    },
+    {
+      "name": "opt_kernel_heavyevasion",
+      "description": "Heavy evasion option.   Default value: false",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_timeout",
+      "description": "Timeout option. Size range: 10-660",
+      "type": "Number",
+      "multi": false,
+      "required": false,
+      "defaultValue": "60"
+    },
+    {
+      "name": "obj_ext_startfolder",
+      "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "temp"
+    },
+    {
+      "name": "obj_ext_browser",
+      "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "Internet Explorer"
     }
   ],
   "registration_required": true,

analyzers/AnyRun/README.md

@@ -12,4 +12,19 @@ You need a valid AnyRun API integration subscription to use the analyzer. Free p
 
 - Provide your API token as a value for the `token` parameter.
 - Define the privacy setting in `privacy_type` parameter.
-- Set `verify_ssl` parameter as false if you connection requires it
+- Set `verify_ssl` parameter as false if you connection requires it
+
+#### Optional Parameters
+AnyRun provides a number of parameters that can be modified to do additional/different analysis.
+- Set the "bitness" of your runtime environment with the `env_bitness` parameter.
+- Select which version of Windows to use by setting `env_version` parameter.
+- Select which products to install by default with `env_type` parameter.
+- Enable/disable networking with `opt_network_connect` parameter.
+- Enable/disable "FakeNet" with `opt_network_fakenet` parameter.
+- Enable/disable the TOR network with `opt_network_tor` parameter.
+- Enable/disable MITM for https connections with `opt_network_mitm` parameter.
+- Need a specific geolocation? use `opt_network_geo` parameter.
+- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion`
+- Change the timeout settings with `opt_timeout` parameter.
+- Select which folder the analysis starts in with `obj_ext_startfolder` parameter.
+- Select which browser to use for analysis with `obj_ext_browser` parameter.

analyzers/AnyRun/anyrun_analyzer.py

@@ -16,6 +16,18 @@ def __init__(self):
         self.verify_ssl = self.get_param("config.verify_ssl", True, None)
         if not self.verify_ssl:
             requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.env_bitness = self.get_param("config.env_bitness", None, None)
+        self.env_version = self.get_param("config.env_version", None, None)
+        self.env_type = self.get_param("config.env_type", None, None)
+        self.opt_network_connect = self.get_param("config.opt_network_connect", None, None)
+        self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None)
+        self.opt_network_tor = self.get_param("config.opt_network_tor", None, None)
+        self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None)
+        self.opt_network_geo = self.get_param("config.opt_network_geo", None, None)
+        self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None)
+        self.opt_timeout = self.get_param("config.opt_timeout", None, None)
+        self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None)
+        self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None)
 
     def summary(self, raw):
         taxonomies = []
@@ -50,7 +62,18 @@ def run(self):
                 while status_code in (None, 429) and tries <= 15:
                     with open(filepath, "rb") as sample:
                         files = {"file": (filename, sample)}
-                        data = {"opt_privacy_type": self.privacy_type}
+                        data = {"opt_privacy_type": self.privacy_type,
+                                "env_bitness": self.env_bitness,
+                                "env_version": self.env_version,
+                                "env_type": self.env_type,
+                                "opt_network_connect": self.opt_network_connect,
+                                "opt_network_fakenet": self.opt_network_fakenet,
+                                "opt_network_tor": self.opt_network_tor,
+                                "opt_network_mitm": self.opt_network_mitm,
+                                "opt_network_geo": self.opt_network_geo,
+                                "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+                                "opt_timeout": self.opt_timeout,
+                                "obj_ext_startfolder": self.obj_ext_startfolder }
                         response = requests.post(
                             "{0}/analysis".format(self.url),
                             files=files,
@@ -71,7 +94,20 @@ def run(self):
                         self.error(response.json()["message"])
             elif self.data_type == "url":
                 url = self.get_param("data", None, "Url is missing")
-                data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type}
+                data = {"obj_type": "url", 
+                        "obj_url": url, 
+                        "opt_privacy_type": self.privacy_type,
+                        "env_bitness": self.env_bitness,
+                        "env_version": self.env_version,
+                        "env_type": self.env_type,
+                        "opt_network_connect": self.opt_network_connect,
+                        "opt_network_fakenet": self.opt_network_fakenet,
+                        "opt_network_tor": self.opt_network_tor,
+                        "opt_network_mitm": self.opt_network_mitm,
+                        "opt_network_geo": self.opt_network_geo,
+                        "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+                        "opt_timeout": self.opt_timeout,
+                        "obj_ext_browser": self.obj_ext_browser }
                 while status_code in (None, 429) and tries <= 15:
                     response = requests.post(
                         "{0}/analysis".format(self.url),
@@ -130,4 +166,4 @@ def run(self):
 
 
 if __name__ == "__main__":
-    AnyRunAnalyzer().run()
+    AnyRunAnalyzer().run()

analyzers/BinalyzeAIR/README.md

@@ -0,0 +1,34 @@
+### What is Binalyze AIR?
+
+AIR is an "Automated Incident Response" platform that provides the complete feature set for:
+
+- Remotely collecting 300+ evidence types in minutes,
+- Capturing the "Forensic State" of an endpoint as a well-organized HTML/JSON report,
+- Performing triage on thousands of endpoints using YARA,
+- Integrating with SIEM/SOAR/EDR products for automating the response phase IR,
+- Enriching alerts for eliminating false positives,
+- Investigating pre-cursors generated by other security products.
+
+#### What does this integration do?
+
+This responder lets you start acquisition and isolation of an endpoint with Binalyze AIR. 
+
+##### Acquisition
+One of the core features of AIR is collecting evidence remotely. This feature is made possible by "Acquisition Profiles," a group of different evidence categories. With this integration, you can use following profiles:
+
+- Full,
+- Quick,
+- Memory (RAM + PageFile),
+- Event Logs,
+- Browsing History,
+- Compromise Assessment
+- And much more!
+
+##### Isolation
+
+Endpoint isolation works by terminating all connections of an endpoint and not allowing any new connections.
+When an endpoint is isolated, you can still perform tasks such as Acquisition.
+
+For more information, please refer to [Knowledge Base](https://kb.binalyze.com/)
+The program uses [Binalyze AIR API](https://www.binalyze.com)
+