Zeek Intelligence Framework
To quote Zeek’s Intelligence Framework documentation, “The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item.” Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.
Malcolm doesn’t come bundled with intelligence files from any particular feed, but they can be easily included into a local instance. On startup, Malcolm’s ghcr.io/idaholab/malcolm/zeek container enumerates the subdirectories under ./zeek/intel (which is bind mounted into the container’s runtime) and configures Zeek so those intelligence files will be automatically included in its local policy. Subdirectories under ./zeek/intel that contain their own __load__.zeek file will be @load-ed as-is, while subdirectories containing “loose” intelligence files will be loaded automatically with a redef Intel::read_files directive.
Note that Malcolm does not manage updates for these intelligence files. Users should use the update mechanism suggested by the feeds’ maintainers to keep intelligence files up to date, or use a TAXII, MISP, Google, or Mandiant feed as described below.
Adding and deleting intelligence files under this directory will take effect upon restarting Malcolm. Alternatively, users can set the ZEEK_INTEL_REFRESH_CRON_EXPRESSION environment variable to a cron expression specifying the interval at which the intel files should be refreshed. This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory:
docker compose exec --user $(id -u) zeek /usr/local/bin/docker_entrypoint.sh true
As multiple instances of this container may be running in a Malcolm deployment (i.e., a zeek-live container for monitoring local network interfaces and a zeek container for scanning uploaded PCAPs), only the non-live container is responsible for creating and managing the Zeek intel files, which are then shared and used by both types of container instances.
Additional settings governing Malcolm’s behavior when pulling from threat intelligence feeds may be specified during Malcolm configuration (see the end-to-end Malcolm installation example). The global ZEEK_INTEL_FEED_SINCE value can be overridden per-feed by adding a since value to the corresponding configuration YAML file described below.
For a public example of Zeek intelligence files, see Critical Path Security’s repository, which aggregates data from various other threat feeds into Zeek’s format.
STIX™ and TAXII™
In addition to loading Zeek intelligence files on startup, Malcolm will automatically generate a Zeek intelligence file for all Structured Threat Information Expression (STIX™) v2.0/v2.1 JSON files found under ./zeek/intel/STIX.
Additionally, if a YAML file named taxii.yaml is found in ./zeek/intel/STIX, that file will be read and processed as a list of TAXII™ 2.0/2.1 feeds. This file should minimally include:
- type: taxii
  version: 2.1
  url: https://example.com/taxii/api2/
  collection: "*"
These other parameters can also optionally be provided:
  username: guest
  password: guest
Alternatively, if a text file named .stix_input.txt is found in ./zeek/intel/STIX, that file will be read and processed as described above. The feeds are specified one per line, according to the following format (the username and password are optional):
taxii|version|discovery_url|collection_name|username|password
For example:
taxii|2.0|http://example.org/taxii/|IP Blocklist|guest|guest
taxii|2.1|https://example.com/taxii/api2/|URL Blocklist
…
Malcolm will attempt to query the TAXII feed(s) for indicator STIX objects and convert them to the Zeek intelligence format as described above. There are publicly available TAXII 2.x-compatible services provided by a number of organizations including Anomali Labs and MITRE; or users may choose from several open-source offerings to roll their own TAXII 2 server (e.g., oasis-open/cti-taxii-server, freetaxii/server, StephenOTT/TAXII-Server, etc.).
Note that only indicators of cyber-observable objects matched with the equals (=) comparison operator against a single value can be expressed as Zeek intelligence items. More complex STIX indicators will be silently ignored.
Malcolm uses the stix2 and taxii2-client Python libraries to access STIX™/TAXII™ threat intelligence feeds.
MISP
In addition to loading Zeek intelligence files on startup, Malcolm will automatically generate a Zeek intelligence file for all Malware Information Sharing Platform (MISP) JSON files found under ./zeek/intel/MISP.
Additionally, if a YAML file named misp.yaml is found in ./zeek/intel/MISP, that file will be read and processed as a list of MISP feed URLs. This file should minimally include:
- type: misp
  url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
These other parameters can also optionally be provided:
  auth_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Alternatively, if a special file named .misp_input.txt is found in ./zeek/intel/MISP, that file will be read and processed as described above. The feeds are specified one per line, in the pipe-delimited format shown in the following examples (the authentication key is optional):
misp|https://example.com/data/feed-osint/manifest.json|df97338db644c64fbfd90f3e03ba8870
misp|https://example.com/doc/misp/|
misp|https://example.com/attributes|a943f5ff506ee6198e996333e0b672b1
misp|https://example.com/events|a943f5ff506ee6198e996333e0b672b1
…
Malcolm will attempt to connect to the MISP feed(s), retrieve the Attribute objects of MISP events, and convert them to the Zeek intelligence format as described above. There are publicly available MISP feeds and communities, or users may run their own MISP instance.
When Malcolm connects to the URLs for the MISP feeds in .misp_input.txt, it will attempt to determine the format of the data served and process it accordingly. This could be presented as:
Note that only a subset of MISP attribute types can be expressed with the Zeek intelligence indicator types. MISP attributes with other types will be silently ignored.
Malcolm uses the MISP/PyMISP Python library to access MISP threat intelligence feeds.
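As an added example that is not Malcolm's own converter code, the following Python shows the mapping the STIX™/TAXII™ and MISP sections above describe: a STIX indicator is only expressible in Zeek when its pattern is a single "=" comparison of one observable property, and a MISP attribute only when its type has a Zeek counterpart; everything else is skipped. The Intel::Type names and the tab-separated intel file layout are Zeek's; the sample indicators, attributes, feed name and the small type tables are constructed for illustration and are not Malcolm's actual mapping.

```python
import re
from typing import Optional

# Zeek Intel::Type for each simple STIX observation path (Zeek's enum names).
# Assumed mapping for illustration; not Malcolm's own table.
STIX_PATH_TO_ZEEK = {
    ("ipv4-addr", "value"): "Intel::ADDR", ("ipv6-addr", "value"): "Intel::ADDR",
    ("domain-name", "value"): "Intel::DOMAIN", ("url", "value"): "Intel::URL",
    ("email-addr", "value"): "Intel::EMAIL", ("file", "name"): "Intel::FILE_NAME",
    ("user-account", "user_id"): "Intel::USER_NAME",
}
STIX_HASH_OBJECTS = {"file": "Intel::FILE_HASH", "x509-certificate": "Intel::CERT_HASH"}
# MISP attribute types with a Zeek counterpart; anything else is skipped.
MISP_TYPE_TO_ZEEK = {
    "ip-src": "Intel::ADDR", "ip-dst": "Intel::ADDR", "domain": "Intel::DOMAIN",
    "hostname": "Intel::DOMAIN", "url": "Intel::URL", "email-src": "Intel::EMAIL",
    "email-dst": "Intel::EMAIL", "filename": "Intel::FILE_NAME",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
}
ZEEK_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url"
# Exactly one comparison of the form [object:path = 'literal'] and nothing else.
_SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def _tsv_safe(text: str) -> str:
    # Intel files are tab-separated; a stray tab or newline would shift columns.
    cleaned = " ".join(str(text).split())
    return cleaned or "-"  # Zeek uses '-' for an unset optional field


def _row(value, ztype, source, desc, url) -> str:
    return "\t".join((value, ztype, _tsv_safe(source), _tsv_safe(desc), _tsv_safe(url)))


def stix_pattern_to_zeek(pattern: str) -> Optional[tuple]:
    """(indicator, Intel::Type) for a single '=' comparison, else None."""
    m = _SIMPLE.match(pattern.strip())
    if not m:
        return None  # AND/OR, !=, LIKE, MATCHES, IN, time qualifiers, ...
    obj, path = m.group(1), m.group(2)
    literal = re.sub(r"\\(['\\])", r"\1", m.group(3))  # undo STIX string escaping
    if path.startswith("hashes.") and obj in STIX_HASH_OBJECTS:
        return literal, STIX_HASH_OBJECTS[obj]
    ztype = STIX_PATH_TO_ZEEK.get((obj, path))
    if ztype == "Intel::ADDR" and "/" in literal:
        ztype = "Intel::SUBNET"  # a CIDR literal is a subnet indicator in Zeek
    return (literal, ztype) if ztype else None


def stix_indicator_to_row(ind: dict, source: str) -> Optional[str]:
    """One STIX 2.0/2.1 indicator object -> one Zeek intel row, or None."""
    if ind.get("type") != "indicator" or ind.get("revoked"):
        return None
    if ind.get("pattern_type", "stix") != "stix":  # STIX 2.0 has no pattern_type
        return None
    conv = stix_pattern_to_zeek(ind.get("pattern", ""))
    if conv is None:
        return None
    url = next((r["url"] for r in ind.get("external_references", []) if "url" in r), "-")
    return _row(conv[0], conv[1], source, ind.get("name") or ind.get("id", "-"), url)


def misp_attribute_to_row(attr: dict, source: str) -> Optional[str]:
    """One MISP Attribute -> one Zeek intel row, or None for unsupported types."""
    ztype = MISP_TYPE_TO_ZEEK.get(attr.get("type", ""))
    if ztype is None or attr.get("deleted"):
        return None
    return _row(attr["value"], ztype, source, attr.get("comment") or attr.get("uuid", "-"), "-")


def to_intel_file(objects: list, source: str, convert) -> tuple:
    """Render objects with `convert`; return (intel file text, number skipped)."""
    rows = [convert(o, source) for o in objects]
    kept = [r for r in rows if r is not None]
    return "\n".join([ZEEK_HEADER] + kept) + "\n", len(rows) - len(kept)


# Constructed samples (not real intelligence): the fourth STIX pattern and the
# composite MISP type have no single-value Zeek equivalent and are skipped.
SAMPLE_STIX = [
    {"type": "indicator", "id": "indicator--1", "name": "c2 host",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--2", "name": "dropper\thash",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "id": "indicator--3", "name": "scanner range",
     "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "id": "indicator--4", "name": "too complex for Zeek",
     "pattern": "[domain-name:value = 'bad.example' AND url:value LIKE '%']"},
]
SAMPLE_MISP = [
    {"type": "domain", "value": "bad.example", "comment": "phish", "uuid": "u1"},
    {"type": "ip-dst|port", "value": "203.0.113.9|443", "uuid": "u2"},
]

if __name__ == "__main__":
    for objs, conv in ((SAMPLE_STIX, stix_indicator_to_row), (SAMPLE_MISP, misp_attribute_to_row)):
        text, skipped = to_intel_file(objs, "example-feed", conv)
        print(text + f"# skipped {skipped} item(s) not expressible as Zeek intel\n")
```

Note the desc sanitising: a description containing a tab would otherwise shift every later column of that row when Zeek parses the file.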
Google Threat Intelligence
If a YAML file named google.yaml is found in ./zeek/intel/Google, that file will be read and processed as parameters for the Google Threat Intelligence service. This file should minimally include:
- type: google
  api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The collection_type parameter may be optionally provided, consisting of a comma-separated list of the values supported by the Google Threat Intelligence collections API.
  collection_type: campaign,threat-actor,malware-family
Additionally, the filters parameter may be optionally provided, consisting of filters as supported by the Google Threat Intelligence collections API. See these examples of filtering syntax. Note: filtering by collection type should be done with the collection_type parameter described above and not as part of filters.
  filters: 'motivation:espionage targeted_industry:government targeted_region:US'
Filter values that contain spaces should be enclosed in quotation marks:
  filters: 'targeted_industry:"Energy & Utilities"'
While there is no comprehensive list of possible values for these filters, here are some examples:
source_region and targeted_region
- Country codes may be specified using the ISO 3166-1 alpha-2 standard.
motivation
- Attack / Destruction
- Espionage
- Financial Gain
- Hacktivism
- Influence
- Surveillance
- Unknown
targeted_industry
- Academia - University
- Activists
- Aerospace
- Agriculture
- Automotive
- Bank
- Biomedical
- Casino
- Chemical
- Citizens
- Civil Aviation
- Civil society
- Construction
- Country
- Cryptocurrency
- Defense
- Education
- Electric
- Electronic
- Energy
- Entertainment
- Finance
- Food
- Game
- Government, Administration
- Health
- Higher education
- High tech
- Hospitality
- Industrial
- Infrastructure
- Intelligence
- Investment
- IT
- IT - Security
- Journalist
- Legal
- Logistic
- Manufacturing
- News - Media
- NGO
- Oil and Gas
- Opposition
- Payment
- Pharmacy
- Political party
- Private sector
- Religion
- Research - Innovation
- Retail
- Security Service
- Separatists
- Technology
- Telecoms
- Think Tanks
- Transport
- Travel
- Water
capability
- Access logical volumes
- Access raw disk
- Access virtual disk
- Active Directory Trust Enumeration
- Acts as a watchdog to maintain the in-memory persistence of another process or processes
- Adds to local root certificate
- Adds user account
- Allocates memory
- Allocates process memory
- Alter thread
- Anti-AV: AhnLab
- Anti-AV: Avast
- Anti-AV: AVG
- Anti-AV: BitDefender
- Anti-AV capabilities
- Anti-AV: eScan
- Anti-AV: Kaspersky
- Anti-AV: McAfee
- Anti-AV: NOD32
- Anti-AV: Norton
- Anti-AV: Qihoo
- Anti-AV: Sophos
- Anti-AV: Symantec
- Anti-AV: Trend Micro
- Anti-AV: Windows Defender
- Anti-AV: Windows Firewall
- Anti-debug capabilities
- Anti-debug: IDA
- Anti-debug: Ollydbg
- Anti-debug: Windbg
- Anti-forensic capabilities
- Anti-VM capabilities
- Anti-VM: Hyper-V
- Anti-VM: Parallels
- Anti-VM: QEMU
- Anti-VM: Sandboxie
- Anti-VM: Time-based methods
- Anti-VM: User activity
- Anti-VM: VirtualBox
- Anti-VM: VirtualPC
- Anti-VM: VMware
- Anti-VM: VMware I/O port
- Anti-VM: WINE
- Anti-VM: Xen
- Attaches user process memory
- Automated data capture
- Binary control capabilities
- Boots the system in safe mode
- Brute-force IEC-104 IOA
- Bypass Mark-of-the-Web (MOTW)
- Bypass security controls Capabilities
- Bypass Windows UAC
- Calculates Adler-32 hashes
- Calculates bcrypt hashes
- Calculates djb2 hashes
- Calculates FNV-1a hashes
- Calculates FNV hashes
- Calculates hashes
- Calculates hashes using CRC32
- Calculates hashes using CRC32B
- Calculates Luhn checksums
- Calculates MD4 hashes
- Calculates MD5 hashes
- Calculates MurmurHash2 hashes
- Calculates MurmurHash3 hashes
- Calculates RSHash hashes
- Calculates SHA-1 hashes
- Calculates SHA-224 hashes
- Calculates SHA-256 hashes
- Calculates SHA-512 hashes
- Calculates Tiger hashes
- Can mine data via WMI
- Capable of bruteforcing
- Capable of Collecting ICS Program
- Capable of collecting locally stored email
- Capable of creating local user accounts
- Capable of DDOSing hosts
- Capable of manipulating the clipboard
- Capable of modifying file permissions on Linux
- Capable of modifying file permissions on Windows
- Capable of privilege escalation via access token impersonation
- Capture Active Directory data
- Capture ATM dispenser service provider information
- Capture audio
- Capture battery information
- Capture BIOS information
- Capture browser bookmarks
- Capture browser cookies
- Capture browser history
- Capture certificate-based credentials
- Capture clipboard contents
- Capture cookies
- Capture CPU information
- Capture credentials
- Capture credentials stored by Chrome
- Capture credentials stored by FileZilla
- Capture credentials stored by Firefox
- Capture credentials stored by Internet Explorer
- Capture credentials stored by Microsoft Credential Manager
- Capture credentials stored by Microsoft Edge browser
- Capture credentials stored by Microsoft Outlook
- Capture credentials stored by Mozilla Thunderbird
- Capture credentials stored by Opera
- Capture credentials stored by OSX Keychain
- Capture credentials stored by password manager solutions
- Capture credentials stored by Pidgin
- Capture credentials stored by Windows registry
- Capture credentials stored by WINSCP
- Capture credentials via DCSync
- Capture cryptocurrency wallet files
- Capture disk information
- Capture domain information
- Capture email credentials
- Capture email messages or contents
- Capture file and directory listings
- Capture files and their contents
- Capture files that contain credentials
- Capture firmware information
- Capture FTP credentials
- Capture Group Policy Object data
- Capture host files
- Capture hostname
- Capture HTTP-based credentials
- Capture Internet cache
- Capture keyboard layout
- Capture keystrokes
- Capture LSASS memory
- Capture MAC address
- Capture memory
- Capture memory status
- Capture microphone audio
- Capture network configuration
- Capture network connection state
- Capture network interfaces
- Capture network packet capture (PCAP) data
- Capture Network Share information
- Capture network traffic
- Capture OPC Information
- Capture operating system information
- Capture Password File
- Capture payment card data
- Capture POP3 credentials
- Capture private certificates
- Capture proxy information
- Capture session information
- Capture Skype credentials
- Capture smart card data
- Capture SQL data
- Capture stored contacts
- Capture stored email contacts
- Capture system information
- Capture system language
- Capture system locale information
- Capture system network information
- Capture TCP network connection state
- Capture token information
- Capture Two Factor Autentication (2FA) codes
- Capture UDP network connection state
- Capture video
- Capture video with camera
- Capture web-based data
- Capture WiFi credentials
- Capture Windows registry data
- Change directories
- Check directory existence
- Checks HTTP response status code
- Closes windows
- Collect image files
- Collects physical location
- Collect video files
- Command and Control via the MQTT Pub/Sub Protocol Capability
- Command line capabilities
- Communiates using SSH
- Communicates bidirectionally with a web service
- Communicates using a binary protocol
- Communicates using a dead drop resolver
- Communicates using a fallback channel
- Communicates using a proxy
- Communicates using a remote graphical interface
- Communicates using a reverse shell
- Communicates using CODESYS
- Communicates using DNS
- Communicates using DNS A records
- Communicates using DNS null records
- Communicates using DNS TXT records
- Communicates using domain fronting
- Communicates using domain masquerading
- Communicates using Exchange Web Services (EWS)
- Communicates using FTP
- Communicates using GTP.
- Communicates using HTTP
- Communicates using HTTP/2
- Communicates using HTTPS
- Communicates using ICMP
- Communicates using IEC 60870-5-104
- Communicates using IMAP
- Communicates using IRC
- Communicates using KCP
- Communicates using MIME
- Communicates using MODBUS
- Communicates using MQTT
- Communicates using multi-stage channels
- Communicates using OPC
- Communicates using OSCAR
- Communicates using pipes
- Communicates using POP3
- Communicates using raw sockets
- Communicates using RDP
- Communicates using RPC
- Communicates using SCTP
- Communicates using SFTP
- Communicates using SMB
- Communicates using SMB Bruteforce
- Communicates using SMTP
- Communicates using SSL
- Communicates using TCP
- Communicates using the Remote Frame Buffer Protocol (as used by VNC)
- Communicates using the Tox protocol
- Communicates using TLS
- Communicates using Tor
- Communicates using UDP
- Communicates using UDT
- Communicates using UPnP
- Communicates using USB
- Communicates via the Socket.IO WebSocket Library for NodeJS
- Communicates via the Websocket protocol
- Communicate using DNS over UDP
- Communicate via VMCI socket
- Communications capabilities
- Compiles a .NET assembly from source code
- Compresses using gzip
- Compresses using ZIP
- Compression capabilities
- Configuration capabilities
- Configuration update
- Connects to a named pipe
- Connect to a socket
- Connect to TCP socket
- Constructs mutex
- Copy files
- Create a named pipe
- Create a service
- Create a socket
- Create directories
- Create files
- Create or drop a polymorhpic file
- Creates HTTP Server
- Creates processes
- Creates processes in suspended state
- Creates shorcut
- Creates user accounts
- Creates Windows regisry keys or values
- Create TCP socket
- Create thread
- Create UDP socket
- Create Windows registry key
- Create Windows registry key value
- Credential theft by Prompt
- Cryptocurrency mining capabilities
- Data theft capabilities
- Data theft (exfiltration) capabilities
- Decodes Base64
- Decodes custom Base64 alphabet
- Decodes hex data
- Decodes URL (Percent)
- Decodes using JSON
- Decoding capabilities
- Decompression Capabilities
- Decrypt Internet Explorer credentials
- Decryption capabilities
- Decrypts using 3DES
- Decrypts using AES
- Decrypts using RC4
- Decrypts using RSA
- Decrypts using XOR
- Delete a service
- Delete directories
- Delete email
- Delete files
- Deletes clipboard content
- Deletes user account
- Deletes Volume Shadow Copy files
- Deletes Windows registry keys
- Deletes Windows registry keys or values
- Deletes Windows registry values
- Deltes Widnows Backup Catalog
- Denial of Service
- Determines public IP address of host
- Directory manipulation
- Download files
- Downloads configuration data
- Driver Capabilities
- Dumps process memory
- Email capabilities
- Emnumerates Local Account
- Encodes communications using Base64
- Encodes communications using BasE91
- Encodes communications using custom Base64 alphabet
- Encodes communications using Hex
- Encodes using Base32
- Encodes using Base64
- Encodes using custom Base64 alphabet
- Encodes using Hex
- Encodes using JSON
- Encoding capabilities
- Encoding capabilities for network communications
- Encryption capabilities
- Encryption capabilities for network communications
- Encrypt or decrypt files
- Encrypts data with 3DES
- Encrypts data with a custom RC4 algorithm
- Encrypts data with AES
- Encrypts data with AES-128
- Encrypts data with AES-256
- Encrypts data with Blowfish
- Encrypts data with Camellia
- Encrypts data with CAST-128
- Encrypts data with ChaCha
- Encrypts data with Curve25519
- Encrypts data with DES
- Encrypts data with ElGamal
- Encrypts data with HC-128
- Encrypts data with Microsoft DPAPI
- Encrypts data with RC2
- Encrypts data with RC4
- Encrypts data with RC5
- Encrypts data with RC6
- Encrypts data with Rijndael
- Encrypts data with RSA
- Encrypts data with Salsa20
- Encrypts data with SEAL
- Encrypts data with Sosemanuk
- Encrypts data with TEA
- Encrypts data with Twofish
- Encrypts data with XChaCha20
- Encrypts data with XOR
- Encrypts data with XTEA
- Encrypts network communications with 3DES
- Encrypts network communications with AES
- Encrypts network communications with AES-256
- Encrypts network communications with DES
- Encrypts network communications with RC4
- Encrypts network communications with RSA
- Encrypts network communications with XOR
- Enumerate current user
- Enumerates applications
- Enumerates Domain Accounts
- Enumerates Email Accounts
- Enumerates groups
- Enumerates hardware
- Enumerates local groups
- Enumerates security applications
- Enumerates windows
- Enumerate users
- Event Log Access
- Event Log Capabilities
- Execute files
- Executes by Windows API
- Executes commands from the command line
- Executes using a scheduled task
- Executes using msxsl
- Executes via DLL loading
- Executes via mshta
- Executes via .NET assembly loading
- Execution capabilities
- Exfiltrates data in an automated way
- Exfiltrates data over alternate protocol
- Exfiltrates data over C2 channel
- Exfiltrates data over USB
- Exfiltrates data over web service
- Exfiltrates data to cloud storage
- Extracts HTTP body
- File manipulation
- Filters netowrk traffic
- Find files
- Find process by name
- Find process with process identifier (PID)
- Finds a process
- Finds file resources
- Finds location of a window
- Finds location of Windows taskbar
- Fixed or removable drive manipulation
- Gets common file path
- Gets environmental variable value
- Gets file attribute
- Gets mutex handle
- Gets window text
- GPP Credential Theft
- Hidden File System
- Hides a file
- Hides processes
- Hides thread
- Hides windows
- Hides Windows taskbar
- HTTP body capabilities
- HTTP header capabilities
- HTTP request capabilities
- HTTP response capabilities
- Impersonates user accounts
- Injects content into web pages
- Injects into RDP processes
- Installs Driver
- Internet Explorer manipulation
- Keylog via application hook
- Keylog via polling
- Kill thread
- Lateral Movement capabilities
- Lateral movement via admin network shares
- Lateral movement via SMB
- Launch Internet Explorer
- List directories
- Listens on a port and acts as a proxy
- Listens on a port and transmits commands
- Listens on a port or socket
- Listens on a port to receive commands
- List Explorer process information
- List files
- List file sizes
- List file versions
- List process modules
- List process threads
- List RDP process information
- List registry entries
- Lists drives
- List services
- Lists processes
- Lists processes for security applications
- Load code or plugins
- Loads data from a PE resource
- Loads or downloads C#
- Loads or downloads data
- Loads or downloads Java
- Loads or downloads JavaScript
- Loads or downloads Lua source code or bytecode
- Loads or downloads MSIL or CIL
- Loads or downloads plugins
- Loads or downloads PowerShell
- Loads or downloads Python code
- Loads or downloads shellcode
- Loads or downloads Visual Basic Scripts
- Locks a workstation
- Locks files
- Locks mutex
- Log manipulation
- Logs off user account
- Manipulates file attribute
- Manipulates GUI windows
- Manipulates process memory
- Maximizes windows
- Mines phone calls
- Mines SMS messages
- Minimizes windows
- Modifies file and injects code
- Modifies file permissions
- Modifies running processes
- Modify a service
- Modify files
- Modify process privileges
- Move files
- Moves laterally via exploit
- Mutex capabilities
- Network-based DoS capabilities
- Obfuscation capabilities
- Obtains configuration data at runtime
- Obtains configuration data at runtime from a downloaded file
- Obtains configuration data at runtime from a separate file
- Obtains configuration data at runtime from the command line
- Obtains configuration data at runtime from the registry
- Obtains or sets configuration data during install
- Opens CD-ROM drive
- Opens files
- Opens the clipboard
- Open Windows registry key
- Overwrite or wipe file data by emptying Recycle Bin
- Overwrite or wipe file data by emptying Recycle Bin quietly
- Overwrite or wipe Internet cache
- Overwriting capabilities
- Password Cracks
- Password Sprays
- Performs anti-disassembly obfucscation
- Performs CD-ROM operations
- Performs GUI operations
- Performs keyboard operations
- Performs mouse operations
- Performs network traffic operations
- Performs operations using the Windows taskbar
- Performs process injection
- Performs reflective process injection
- Persistence capabilities
- Persistence via launchd process
- Persistence via load order
- Persistence via Microsoft IIS
- Persistence via Network Logon Script
- Persistence via screensaver
- Persistence via shortcut
- Persistence via Systemd services
- Persistence via SysV init scripts
- Persistence via Windows registry Run key
- Persistence via Winlogon
- Persistence via WMI
- Persists as a Windows service
- Persists via Active Setup registry key
- Persists via a scheduled task
- Persists via bash profile
- Persists via bashrc
- Persists via boot sector
- Persists via cron
- Persists via DLL side-loading
- Persists via Microsoft COM
- Persists via the Windows registry
- Persists via the Windows Startup folder
- Persists via Windows BITS jobs
- Persists within browser extension
- Persist via Microsoft IIS Plug-in (ISAPI Filter)
- Persist via OSX plist Launch Agent
- Point-of-Sale targeting or manipulation
- Powers off a monitor
- Privilege escalation capabilities
- Privilege escalation via access token
- Privilege escalation via access token duplication
- Privilege escalation via DLL search order hijacking
- Process Doppelganging
- Process Hollowing
- Process Hooking
- Process injection of DLLs
- Process injection of PEs
- Process injection through APC
- Process injection through Proc memory
- Process injection through ptrace system calls
- Process injection via threads
- Process manipulation
- Process Parent PID Spoofing
- Psuedo random number generation capabilities
- Query service information
- Query service status
- Query Windows registry
- Query Windows registry key
- Query Windows registry key values
- Read a file through a named pipe
- Read files
- Reads configuration data from the registry
- Reads configuration from an external file
- Reads HTTP header
- Reads log files
- Reads memory
- Reads process memory
- Reads the clipboard
- Receive data
- Registers Driver
- Rename files
- Replace process
- Replaces the clipboard contents
- Report current configuration
- Resets user account password
- Resizes Volume Shadow Copy files
- Resolves Windows program files directory
- Resource manipulation
- Restarts the system
- Resume thread
- Run as service
- Scan for Microsoft SQL Server
- Scanning capabilities
- Scans Admin Shares
- Scans ARP
- Scans for Elasticsearch servers
- Scans for OPC servers
- Scans for SSDP devices
- Scans SMB
- Screen capture
- Search capabilities
- Search via regular expression
- Self-delete
- Self-uninstall
- Self-update
- Send data
- Send email
- Service manipulation
- Sets environmental variable
- Sets file attribute
- Sets HTTP header
- Set socket configuration
- Sets Wallpaper
- Shuts down the system
- Simulates ctrl+alt+del
- Sleep
- Sleep Time Execution
- Specialized C2 capabilities
- Spoof process
- Spreads via removeable media
- Start a service
- Starts Driver
- Stop a service
- Stored Data Manipulation
- Suspend thread
- Swaps buttons on the mouse
- Tampers with Linux firewall
- Tampers with Linux Firewall IP Tables
- Tampers with Windows eventlog
- Tampers with Windows firewall
- Tampers with Windows processes
- Tampers with Windows process mitigation policy
- Tampers with Windows recovery features
- Tampers with Windows safe mode
- TCP Scan
- Terminates processes
- Timestomping capabilities
- Tries to lock mutex
- Tunnels network traffic
- Unlocks mutex
- Updates beacon interval
- Upload directory contents
- Upload files
- User account manipulation
- User account password capabilities
- User prompt manipulation
- Uses Amazon as part of C2
- Uses Amazon AWS S3 as part of C2
- Uses AOL Instant Messenger as part of C2
- Uses apLib compression
- Uses apLib decompression
- Uses Baidu as part of C2
- Uses Daum as part of C2
- Uses Discord as part of C2
- Uses DropBox as part of C2
- Uses environmental variables
- Uses Facebook as part of C2
- Uses Fotolog as part of C2
- Uses Geocities for C2
- Uses GitHub as part of C2
- Uses Google as part of C2
- Uses Google Code as part of C2
- Uses Google Docs as part of C2
- Uses Google Drive as part of C2
- Uses Google Mail as part of C2
- Uses Google Plus as part of C2
- Uses gzip decompression
- Uses hard-coded configuration data
- Uses IBM community as part of C2
- Uses Imgur as part of C2
- Uses Linear Congruential Generator (LCG) algorithm in Delphi
- Uses LinkedIn as part of C2
- Uses LZ compression
- Uses LZNT1 compression
- Uses LZNT1 decompression
- Uses LZO compression
- Uses Mersenne Twister PRNG algorithm
- Uses Microsoft as part of C2
- Uses Microsoft Graph API as Command and Control (C&C)
- Uses Microsoft MSDN as part of C2
- Uses Microsoft OneDrive as part of C2
- Uses Microsoft TechNet as part of C2
- Uses Naver email service for C2
- Uses Netvigator Email as part of C2
- Uses Ngrok as part of C&C
- Uses PAQ compression
- Uses Pastebin as part of C2
- Uses pCloud as part of C2
- Uses QuickLZ decompression
- Uses RedHat OpenShift as part of C2
- Uses Slack as a part of C2
- Uses Stack Overflow as part of C2
- Uses Statcounter for C2
- Uses Steam gaming platform as part of C2
- Uses steganography
- Uses Telegram as part of C2
- Uses transactional NTFS
- Uses Tumblr as part of C2
- Uses Twitter as part of C2
- Uses VMware web services for C2
- Uses WMIC to execute a command
- Uses WMI to execute a command
- Uses wscript to execute a command
- Uses Yahoo as part of C2
- Uses Yahoo Babelfish as part of C2
- Uses Yahoo Groups as part of C2
- Uses Yandex as part of C2
- Uses zlib compression
- Uses zlib decompression
- Volume Shadow Copy Capabilities
- Windows registry capabilities
- Wipes or overwrites disks
- Wipes or overwrites files
- Wipes or overwrites itself
- Wipes or overwrites logs
- Wipes or overwrites the Master Boot Record (MBR)
- Wipes or overwrites the Volume Boot Record (VBR)
- Wiping ICS Specific Files
- Write a file through a named pipe
- Writes memory
- Writes to log files
- Writes to the clipboard
- Writes Windows registry keys
- Writes Windows registry keys or values
- Writes Windows registry values
operating_system
- Android
- BSD
- FreeBSD
- ios
- Linux
- Mac
- Unix
- VMkernel
- Windows
malware_role
- Archiver
- ATM Malware
- Backdoor
- Backdoor - Botnet
- Backdoor - Webshell
- Bootkit
- Builder
- Controller
- Credential Stealer
- Cryptocurrency Miner
- Data Miner
- Disruption Tool
- Downloader
- Dropper
- Dropper - Memory Only
- File Infector
- Framework
- Installer
- Keylogger
- Lateral Movement Tool
- Launcher
- Lightweight Backdoor
- Point-of-Sale Malware
- Privilege Escalation Tool
- Ransomware
- Reconnaissance Tool
- Remote Control and Administration Tool
- Remote Exploitation Tool
- Rootkit
- Screen Capture Tool
- Sniffer
- Spambot
- Tunneler
- Uploader
- Utility
Malcolm uses the VirusTotal/vt-py Python library to access Google Threat Intelligence feeds.
Mandiant
If a YAML file named mandiant.yaml is found in ./zeek/intel/Mandiant, that file will be read and processed as parameters for the Mandiant Threat Intelligence service. This file should minimally include:
- type: mandiant
  api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  secret_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
These other parameters can also optionally be provided:
  bearer_token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  api_base_url: https://api.intelligence.mandiant.com
  minimum_mscore: 60
  exclude_osint: False
  include_campaigns: False
  include_category: True
  include_misp: True
  include_reports: False
  include_threat_rating: False
Malcolm uses the google/mandiant-ti-client Python library to access Mandiant threat intelligence feeds.
Disclaimer
Neither Malcolm’s development team nor its funding sources endorse any commercial product or service, nor do they attest to the suitability or effectiveness of these products and services for any particular use case. Any reference to specific commercial products, processes, or services by trademark, manufacturer, or otherwise should not be interpreted as an endorsement, recommendation, or preference.