Zeek Intelligence Framework

Zeek Intelligence Framework

To quote Zeek’s Intelligence Framework documentation, “The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item.” Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.

Malcolm doesn’t come bundled with intelligence files from any particular feed, but they can be easily included into a local instance. On startup, Malcolm’s ghcr.io/idaholab/malcolm/zeek container enumerates the subdirectories under ./zeek/intel (which is bind mounted into the container’s runtime) and configures Zeek so those intelligence files will be automatically included in its local policy. Subdirectories under ./zeek/intel that contain their own __load__.zeek file will be @load-ed as-is, while subdirectories containing “loose” intelligence files will be loaded automatically with a redef Intel::read_files directive.

Note that Malcolm does not manage updates for these intelligence files. Users use the update mechanism suggested by the feeds’ maintainers to keep intelligence files up to date, or use a TAXII, MISP, Google, or Mandiant feed as described below.

Adding and deleting intelligence files under this directory will take effect upon restarting Malcolm. Alternately, users can use the ZEEK_INTEL_REFRESH_CRON_EXPRESSION environment variable containing a cron expression to specify the interval at which the intel files should be refreshed. This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory:

docker compose exec --user $(id -u) zeek /usr/local/bin/docker_entrypoint.sh true

As multiple instances of this container may be running in a Malcolm deployment (i.e., a zeek-live container for monitoring local network interfaces and a zeek container for scanning uploaded PCAPs), only the non-live container is responsible for creating and managing the Zeek intel files, which are then shared and used by both types of container instances.

Additional settings governing Malcolm’s behavior when pulling from threat intelligence feeds may be specified during Malcolm configuration (see the end-to-end Malcolm installation example). The global ZEEK_INTEL_FEED_SINCE value can be overridden per-feed by adding a since value to the corresponding configuration YAML file described below.

For a public example of Zeek intelligence files, see Critical Path Security’s repository, which aggregates data from various other threat feeds into Zeek’s format.

STIX™ and TAXII™

In addition to loading Zeek intelligence files on startup, Malcolm will automatically generate a Zeek intelligence file for all Structured Threat Information Expression (STIX™) v2.0/v2.1 JSON files found under ./zeek/intel/STIX.

Additionally, if a YAML file named taxii.yaml is found in ./zeek/intel/STIX, that file will be read and processed as a list of TAXII™ 2.0/2.1 feeds. This file should minimally include:

- type: taxii
  version: 2.1
  url: https://example.com/taxii/api2/
  collection: "*"

These other parameters can also optionally be provided:

  username: guest
  password: guest

Alternatively, if a text file named .stix_input.txt is found in ./zeek/intel/STIX, that file will be read and processed as described above. The feeds are specified one per line, according to the following format (the username and password are optional):

taxii|version|discovery_url|collection_name|username|password

For example:

taxii|2.0|http://example.org/taxii/|IP Blocklist|guest|guest
taxii|2.1|https://example.com/taxii/api2/|URL Blocklist
…

Malcolm will attempt to query the TAXII feed(s) for indicator STIX objects and convert them to the Zeek intelligence format as described above. There are publicly available TAXII 2.x-compatible services provided by a number of organizations including Anomali Labs and MITRE; or users may choose from several open-source offerings to roll their own TAXII 2 server (e.g., oasis-open/cti-taxii-server, freetaxii/server, StephenOTT/TAXII-Server, etc.).

Note that only indicators of cyber-observable objects matched with the equals (=) comparison operator against a single value can be expressed as Zeek intelligence items. More complex STIX indicators will be silently ignored.

Malcolm uses the stix2 and taxii2-client Python libraries to access STIX™/TAXII™ threat intelligence feeds.

MISP

In addition to loading Zeek intelligence files on startup, Malcolm will automatically generate a Zeek intelligence file for all Malware Information Sharing Platform (MISP) JSON files found under ./zeek/intel/MISP.

Additionally, if a YAML file named misp.yaml is found in ./zeek/intel/MISP, that file will be read and processed as a list of MISP feed URLs. This file should minimally include:

- type: misp
  url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

These other parameters can also optionally be provided:

  auth_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Alternatively, if a special file named .misp_input.txt is found in ./zeek/intel/MISP, that file will be read and processed as described above. The feeds are specified one per line, according to the following format (the authentication key is optional):

misp|misp_url|auth_key

For example:

misp|https://example.com/data/feed-osint/manifest.json|df97338db644c64fbfd90f3e03ba8870
misp|https://example.com/doc/misp/|
misp|https://example.com/attributes|a943f5ff506ee6198e996333e0b672b1
misp|https://example.com/events|a943f5ff506ee6198e996333e0b672b1
…

Malcolm will attempt to connect to the MISP feed(s) and retrieve Attribute objects of MISP events and convert them to the Zeek intelligence format as described above. There are publicly available MISP feeds and communities, or users may run their own MISP instance.

Upon Malcolm connects to the URLs for the MISP feeds in .misp_input.txt, it will attempt to determine the format of the data served and process it accordingly. This could be presented as:

a manifest JSON file
a directory listing containing a file named manifest.json
a directory listing of JSON files without a manifest.json file
a list of Events returned for a request via the MISP Automation API made to a MISP platform’s /events endpoint
a list of Attributes returned for a request via the MISP Automation API made to a MISP platform’s /attributes endpoint

Note that only a subset of MISP attribute types can be expressed with the Zeek intelligence indicator types. MISP attributes with other types will be silently ignored.

Malcolm uses the MISP/PyMISP Python library to access MISP threat intelligence feeds.

Google Threat Intelligence

If a YAML file named google.yaml is found in ./zeek/intel/Google, that file will be read and processed as parameters for the Google Threat Intelligence service. This file should minimally include:

- type: google
  api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The collection_type parameter may be optionally provided, consisting of a comma-separated list of the values supported by the Google Threat Intelligence collections API.

  collection_type: campaign,threat-actor,malware-family

Additionally, the filters parameter may be optionally provided, consisting of filters as supported by the Google Threat Intelligence collections API. See these examples of filtering syntax. Note: filtering by collection type should be done with the collection_type parameter described above and not as part of filters.

  filters: 'motivation:espionage targeted_industry:government targeted_region:US'

Filter values that contain spaces should be enclosed in quotation marks:

  filters: 'targeted_industry:"Energy & Utilities"'

While there is no comprehensive list of possible values for these filters, here are some examples:

source_region and targeted_region

Country codes may specified using the ISO code 2 standard.

motivation

Attack / Destruction
Espionage
Financial Gain
Hacktivism
Influence
Surveillance
Unknown

targeted_industry

Academia - University
Activists
Aerospace
Agriculture
Automotive
Bank
Biomedical
Casino
Chemical
Citizens
Civil Aviation
Civil society
Construction
Country
Cryptocurrency
Defense
Education
Electric
Electronic
Energy
Entertainment
Finance
Food
Game
Government, Administration
Health
Higher education
High tech
Hospitality
Industrial
Infrastructure
Intelligence
Investment
IT
IT - Security
Journalist
Legal
Logistic
Manufacturing
News - Media
NGO
Oil and Gas
Opposition
Payment
Pharmacy
Political party
Private sector
Religion
Research - Innovation
Retail
Security Service
Separatists
Technology
Telecoms
Think Tanks
Transport
Travel
Water

capability

Access logical volumes
Access raw disk
Access virtual disk
Active Directory Trust Enumeration
Acts as a watchdog to maintain the in-memory persistence of another process or processes
Adds to local root certificate
Adds user account
Allocates memory
Allocates process memory
Alter thread
Anti-AV: AhnLab
Anti-AV: Avast
Anti-AV: AVG
Anti-AV: BitDefender
Anti-AV capabilities
Anti-AV: eScan
Anti-AV: Kaspersky
Anti-AV: McAfee
Anti-AV: NOD32
Anti-AV: Norton
Anti-AV: Qihoo
Anti-AV: Sophos
Anti-AV: Symantec
Anti-AV: Trend Micro
Anti-AV: Windows Defender
Anti-AV: Windows Firewall
Anti-debug capabilities
Anti-debug: IDA
Anti-debug: Ollydbg
Anti-debug: Windbg
Anti-forensic capabilities
Anti-VM capabilities
Anti-VM: Hyper-V
Anti-VM: Parallels
Anti-VM: QEMU
Anti-VM: Sandboxie
Anti-VM: Time-based methods
Anti-VM: User activity
Anti-VM: VirtualBox
Anti-VM: VirtualPC
Anti-VM: VMware
Anti-VM: VMware I/O port
Anti-VM: WINE
Anti-VM: Xen
Attaches user process memory
Automated data capture
Binary control capabilities
Boots the system in safe mode
Brute-force IEC-104 IOA
Bypass Mark-of-the-Web (MOTW)
Bypass security controls Capabilities
Bypass Windows UAC
Calculates Adler-32 hashes
Calculates bcrypt hashes
Calculates djb2 hashes
Calculates FNV-1a hashes
Calculates FNV hashes
Calculates hashes
Calculates hashes using CRC32
Calculates hashes using CRC32B
Calculates Luhn checksums
Calculates MD4 hashes
Calculates MD5 hashes
Calculates MurmurHash2 hashes
Calculates MurmurHash3 hashes
Calculates RSHash hashes
Calculates SHA-1 hashes
Calculates SHA-224 hashes
Calculates SHA-256 hashes
Calculates SHA-512 hashes
Calculates Tiger hashes
Can mine data via WMI
Capable of bruteforcing
Capable of Collecting ICS Program
Capable of collecting locally stored email
Capable of creating local user accounts
Capable of DDOSing hosts
Capable of manipulating the clipboard
Capable of modifying file permissions on Linux
Capable of modifying file permissions on Windows
Capable of privilege escalation via access token impersonation
Capture Active Directory data
Capture ATM dispenser service provider information
Capture audio
Capture battery information
Capture BIOS information
Capture browser bookmarks
Capture browser cookies
Capture browser history
Capture certificate-based credentials
Capture clipboard contents
Capture cookies
Capture CPU information
Capture credentials
Capture credentials stored by Chrome
Capture credentials stored by FileZilla
Capture credentials stored by Firefox
Capture credentials stored by Internet Explorer
Capture credentials stored by Microsoft Credential Manager
Capture credentials stored by Microsoft Edge browser
Capture credentials stored by Microsoft Outlook
Capture credentials stored by Mozilla Thunderbird
Capture credentials stored by Opera
Capture credentials stored by OSX Keychain
Capture credentials stored by password manager solutions
Capture credentials stored by Pidgin
Capture credentials stored by Windows registry
Capture credentials stored by WINSCP
Capture credentials via DCSync
Capture cryptocurrency wallet files
Capture disk information
Capture domain information
Capture email credentials
Capture email messages or contents
Capture file and directory listings
Capture files and their contents
Capture files that contain credentials
Capture firmware information
Capture FTP credentials
Capture Group Policy Object data
Capture host files
Capture hostname
Capture HTTP-based credentials
Capture Internet cache
Capture keyboard layout
Capture keystrokes
Capture LSASS memory
Capture MAC address
Capture memory
Capture memory status
Capture microphone audio
Capture network configuration
Capture network connection state
Capture network interfaces
Capture network packet capture (PCAP) data
Capture Network Share information
Capture network traffic
Capture OPC Information
Capture operating system information
Capture Password File
Capture payment card data
Capture POP3 credentials
Capture private certificates
Capture proxy information
Capture session information
Capture Skype credentials
Capture smart card data
Capture SQL data
Capture stored contacts
Capture stored email contacts
Capture system information
Capture system language
Capture system locale information
Capture system network information
Capture TCP network connection state
Capture token information
Capture Two Factor Autentication (2FA) codes
Capture UDP network connection state
Capture video
Capture video with camera
Capture web-based data
Capture WiFi credentials
Capture Windows registry data
Change directories
Check directory existence
Checks HTTP response status code
Closes windows
Collect image files
Collects physical location
Collect video files
Command and Control via the MQTT Pub/Sub Protocol Capability
Command line capabilities
Communiates using SSH
Communicates bidirectionally with a web service
Communicates using a binary protocol
Communicates using a dead drop resolver
Communicates using a fallback channel
Communicates using a proxy
Communicates using a remote graphical interface
Communicates using a reverse shell
Communicates using CODESYS
Communicates using DNS
Communicates using DNS A records
Communicates using DNS null records
Communicates using DNS TXT records
Communicates using domain fronting
Communicates using domain masquerading
Communicates using Exchange Web Services (EWS)
Communicates using FTP
Communicates using GTP.
Communicates using HTTP
Communicates using HTTP/2
Communicates using HTTPS
Communicates using ICMP
Communicates using IEC 60870-5-104
Communicates using IMAP
Communicates using IRC
Communicates using KCP
Communicates using MIME
Communicates using MODBUS
Communicates using MQTT
Communicates using multi-stage channels
Communicates using OPC
Communicates using OSCAR
Communicates using pipes
Communicates using POP3
Communicates using raw sockets
Communicates using RDP
Communicates using RPC
Communicates using SCTP
Communicates using SFTP
Communicates using SMB
Communicates using SMB Bruteforce
Communicates using SMTP
Communicates using SSL
Communicates using TCP
Communicates using the Remote Frame Buffer Protocol (as used by VNC)
Communicates using the Tox protocol
Communicates using TLS
Communicates using Tor
Communicates using UDP
Communicates using UDT
Communicates using UPnP
Communicates using USB
Communicates via the Socket.IO WebSocket Library for NodeJS
Communicates via the Websocket protocol
Communicate using DNS over UDP
Communicate via VMCI socket
Communications capabilities
Compiles a .NET assembly from source code
Compresses using gzip
Compresses using ZIP
Compression capabilities
Configuration capabilities
Configuration update
Connects to a named pipe
Connect to a socket
Connect to TCP socket
Constructs mutex
Copy files
Create a named pipe
Create a service
Create a socket
Create directories
Create files
Create or drop a polymorhpic file
Creates HTTP Server
Creates processes
Creates processes in suspended state
Creates shorcut
Creates user accounts
Creates Windows regisry keys or values
Create TCP socket
Create thread
Create UDP socket
Create Windows registry key
Create Windows registry key value
Credential theft by Prompt
Cryptocurrency mining capabilities
Data theft capabilities
Data theft (exfiltration) capabilities
Decodes Base64
Decodes custom Base64 alphabet
Decodes hex data
Decodes URL (Percent)
Decodes using JSON
Decoding capabilities
Decompression Capabilities
Decrypt Internet Explorer credentials
Decryption capabilities
Decrypts using 3DES
Decrypts using AES
Decrypts using RC4
Decrypts using RSA
Decrypts using XOR
Delete a service
Delete directories
Delete email
Delete files
Deletes clipboard content
Deletes user account
Deletes Volume Shadow Copy files
Deletes Windows registry keys
Deletes Windows registry keys or values
Deletes Windows registry values
Deltes Widnows Backup Catalog
Denial of Service
Determines public IP address of host
Directory manipulation
Download files
Downloads configuration data
Driver Capabilities
Dumps process memory
Email capabilities
Emnumerates Local Account
Encodes communications using Base64
Encodes communications using BasE91
Encodes communications using custom Base64 alphabet
Encodes communications using Hex
Encodes using Base32
Encodes using Base64
Encodes using custom Base64 alphabet
Encodes using Hex
Encodes using JSON
Encoding capabilities
Encoding capabilities for network communications
Encryption capabilities
Encryption capabilities for network communications
Encrypt or decrypt files
Encrypts data with 3DES
Encrypts data with a custom RC4 algorithm
Encrypts data with AES
Encrypts data with AES-128
Encrypts data with AES-256
Encrypts data with Blowfish
Encrypts data with Camellia
Encrypts data with CAST-128
Encrypts data with ChaCha
Encrypts data with Curve25519
Encrypts data with DES
Encrypts data with ElGamal
Encrypts data with HC-128
Encrypts data with Microsoft DPAPI
Encrypts data with RC2
Encrypts data with RC4
Encrypts data with RC5
Encrypts data with RC6
Encrypts data with Rijndael
Encrypts data with RSA
Encrypts data with Salsa20
Encrypts data with SEAL
Encrypts data with Sosemanuk
Encrypts data with TEA
Encrypts data with Twofish
Encrypts data with XChaCha20
Encrypts data with XOR
Encrypts data with XTEA
Encrypts network communications with 3DES
Encrypts network communications with AES
Encrypts network communications with AES-256
Encrypts network communications with DES
Encrypts network communications with RC4
Encrypts network communications with RSA
Encrypts network communications with XOR
Enumerate current user
Enumerates applications
Enumerates Domain Accounts
Enumerates Email Accounts
Enumerates groups
Enumerates hardware
Enumerates local groups
Enumerates security applications
Enumerates windows
Enumerate users
Event Log Access
Event Log Capabilities
Execute files
Executes by Windows API
Executes commands from the command line
Executes using a scheduled task
Executes using msxsl
Executes via DLL loading
Executes via mshta
Executes via .NET assembly loading
Execution capabilities
Exfiltrates data in an automated way
Exfiltrates data over alternate protocol
Exfiltrates data over C2 channel
Exfiltrates data over USB
Exfiltrates data over web service
Exfiltrates data to cloud storage
Extracts HTTP body
File manipulation
Filters netowrk traffic
Find files
Find process by name
Find process with process identifier (PID)
Finds a process
Finds file resources
Finds location of a window
Finds location of Windows taskbar
Fixed or removable drive manipulation
Gets common file path
Gets environmental variable value
Gets file attribute
Gets mutex handle
Gets window text
GPP Credential Theft
Hidden File System
Hides a file
Hides processes
Hides thread
Hides windows
Hides Windows taskbar
HTTP body capabilities
HTTP header capabilities
HTTP request capabilities
HTTP response capabilities
Impersonates user accounts
Injects content into web pages
Injects into RDP processes
Installs Driver
Internet Explorer manipulation
Keylog via application hook
Keylog via polling
Kill thread
Lateral Movement capabilities
Lateral movement via admin network shares
Lateral movement via SMB
Launch Internet Explorer
List directories
Listens on a port and acts as a proxy
Listens on a port and transmits commands
Listens on a port or socket
Listens on a port to receive commands
List Explorer process information
List files
List file sizes
List file versions
List process modules
List process threads
List RDP process information
List registry entries
Lists drives
List services
Lists processes
Lists processes for security applications
Load code or plugins
Loads data from a PE resource
Loads or downloads C#
Loads or downloads data
Loads or downloads Java
Loads or downloads JavaScript
Loads or downloads Lua source code or bytecode
Loads or downloads MSIL or CIL
Loads or downloads plugins
Loads or downloads PowerShell
Loads or downloads Python code
Loads or downloads shellcode
Loads or downloads Visual Basic Scripts
Locks a workstation
Locks files
Locks mutex
Log manipulation
Logs off user account
Manipulates file attribute
Manipulates GUI windows
Manipulates process memory
Maximizes windows
Mines phone calls
Mines SMS messages
Minimizes windows
Modifies file and injects code
Modifies file permissions
Modifies running processes
Modify a service
Modify files
Modify process privileges
Move files
Moves laterally via exploit
Mutex capabilities
Network-based DoS capabilities
Obfuscation capabilities
Obtains configuration data at runtime
Obtains configuration data at runtime from a downloaded file
Obtains configuration data at runtime from a separate file
Obtains configuration data at runtime from the command line
Obtains configuration data at runtime from the registry
Obtains or sets configuration data during install
Opens CD-ROM drive
Opens files
Opens the clipboard
Open Windows registry key
Overwrite or wipe file data by emptying Recycle Bin
Overwrite or wipe file data by emptying Recycle Bin quietly
Overwrite or wipe Internet cache
Overwriting capabilities
Password Cracks
Password Sprays
Performs anti-disassembly obfucscation
Performs CD-ROM operations
Performs GUI operations
Performs keyboard operations
Performs mouse operations
Performs network traffic operations
Performs operations using the Windows taskbar
Performs process injection
Performs reflective process injection
Persistence capabilities
Persistence via launchd process
Persistence via load order
Persistence via Microsoft IIS
Persistence via Network Logon Script
Persistence via screensaver
Persistence via shortcut
Persistence via Systemd services
Persistence via SysV init scripts
Persistence via Windows registry Run key
Persistence via Winlogon
Persistence via WMI
Persists as a Windows service
Persists via Active Setup registry key
Persists via a scheduled task
Persists via bash profile
Persists via bashrc
Persists via boot sector
Persists via cron
Persists via DLL side-loading
Persists via Microsoft COM
Persists via the Windows registry
Persists via the Windows Startup folder
Persists via Windows BITS jobs
Persists within browser extension
Persist via Microsoft IIS Plug-in (ISAPI Filter)
Persist via OSX plist Launch Agent
Point-of-Sale targeting or manipulation
Powers off a monitor
Privilege escalation capabilities
Privilege escalation via access token
Privilege escalation via access token duplication
Privilege escalation via DLL search order hijacking
Process Doppelganging
Process Hollowing
Process Hooking
Process injection of DLLs
Process injection of PEs
Process injection through APC
Process injection through Proc memory
Process injection through ptrace system calls
Process injection via threads
Process manipulation
Process Parent PID Spoofing
Psuedo random number generation capabilities
Query service information
Query service status
Query Windows registry
Query Windows registry key
Query Windows registry key values
Read a file through a named pipe
Read files
Reads configuration data from the registry
Reads configuration from an external file
Reads HTTP header
Reads log files
Reads memory
Reads process memory
Reads the clipboard
Receive data
Registers Driver
Rename files
Replace process
Replaces the clipboard contents
Report current configuration
Resets user account password
Resizes Volume Shadow Copy files
Resolves Windows program files directory
Resource manipulation
Restarts the system
Resume thread
Run as service
Scan for Microsoft SQL Server
Scanning capabilities
Scans Admin Shares
Scans ARP
Scans for Elasticsearch servers
Scans for OPC servers
Scans for SSDP devices
Scans SMB
Screen capture
Search capabilities
Search via regular expression
Self-delete
Self-uninstall
Self-update
Send data
Send email
Service manipulation
Sets environmental variable
Sets file attribute
Sets HTTP header
Set socket configuration
Sets Wallpaper
Shuts down the system
Simulates ctrl+alt+del
Sleep
Sleep Time Execution
Specialized C2 capabilities
Spoof process
Spreads via removeable media
Start a service
Starts Driver
Stop a service
Stored Data Manipulation
Suspend thread
Swaps buttons on the mouse
Tampers with Linux firewall
Tampers with Linux Firewall IP Tables
Tampers with Windows eventlog
Tampers with Windows firewall
Tampers with Windows processes
Tampers with Windows process mitigation policy
Tampers with Windows recovery features
Tampers with Windows safe mode
TCP Scan
Terminates processes
Timestomping capabilities
Tries to lock mutex
Tunnels network traffic
Unlocks mutex
Updates beacon interval
Upload directory contents
Upload files
User account manipulation
User account password capabilities
User prompt manipulation
Uses Amazon as part of C2
Uses Amazon AWS S3 as part of C2
Uses AOL Instant Messenger as part of C2
Uses apLib compression
Uses apLib decompression
Uses Baidu as part of C2
Uses Daum as part of C2
Uses Discord as part of C2
Uses DropBox as part of C2
Uses environmental variables
Uses Facebook as part of C2
Uses Fotolog as part of C2
Uses Geocities for C2
Uses GitHub as part of C2
Uses Google as part of C2
Uses Google Code as part of C2
Uses Google Docs as part of C2
Uses Google Drive as part of C2
Uses Google Mail as part of C2
Uses Google Plus as part of C2
Uses gzip decompression
Uses hard-coded configuration data
Uses IBM community as part of C2
Uses Imgur as part of C2
Uses Linear Congruential Generator (LCG) algorithm in Delphi
Uses LinkedIn as part of C2
Uses LZ compression
Uses LZNT1 compression
Uses LZNT1 decompression
Uses LZO compression
Uses Mersenne Twister PRNG algorithm
Uses Microsoft as part of C2
Uses Microsoft Graph API as Command and Control (C&C)
Uses Microsoft MSDN as part of C2
Uses Microsoft OneDrive as part of C2
Uses Microsoft TechNet as part of C2
Uses Naver email service for C2
Uses Netvigator Email as part of C2
Uses Ngrok as part of C&C
Uses PAQ compression
Uses Pastebin as part of C2
Uses pCloud as part of C2
Uses QuickLZ decompression
Uses RedHat OpenShift as part of C2
Uses Slack as a part of C2
Uses Stack Overflow as part of C2
Uses Statcounter for C2
Uses Steam gaming platform as part of C2
Uses steganography
Uses Telegram as part of C2
Uses transactional NTFS
Uses Tumblr as part of C2
Uses Twitter as part of C2
Uses VMware web services for C2
Uses WMIC to execute a command
Uses WMI to execute a command
Uses wscript to execute a command
Uses Yahoo as part of C2
Uses Yahoo Babelfish as part of C2
Uses Yahoo Groups as part of C2
Uses Yandex as part of C2
Uses zlib compression
Uses zlib decompression
Volume Shadow Copy Capabilities
Windows registry capabilities
Wipes or overwrites disks
Wipes or overwrites files
Wipes or overwrites itself
Wipes or overwrites logs
Wipes or overwrites the Master Boot Record (MBR)
Wipes or overwrites the Volume Boot Record (VBR)
Wiping ICS Specific Files
Write a file through a named pipe
Writes memory
Writes to log files
Writes to the clipboard
Writes Windows registry keys
Writes Windows registry keys or values
Writes Windows registry values

operating_system

Android
BSD
FreeBSD
ios
Linux
Mac
Unix
VMkernel
Windows

malware_role

Archiver
ATM Malware
Backdoor
Backdoor - Botnet
Backdoor - Webshell
Bootkit
Builder
Controller
Credential Stealer
Cryptocurrency Miner
Data Miner
Disruption Tool
Downloader
Dropper
Dropper - Memory Only
File Infector
Framework
Installer
Keylogger
Lateral Movement Tool
Launcher
Lightweight Backdoor
Point-of-Sale Malware
Privilege Escalation Tool
Ransomware
Reconnaissance Tool
Remote Control and Administration Tool
Remote Exploitation Tool
Rootkit
Screen Capture Tool
Sniffer
Spambot
Tunneler
Uploader
Utility

Malcolm uses the VirusTotal/vt-py Python library to access Google Threat Intelligence feeds.

Mandiant

If a YAML file named mandiant.yaml is found in ./zeek/intel/Mandiant, that file will be read and processed as parameters for the Mandiant Threat Intelligence service. This file should minimally include:

- type: mandiant
  api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  secret_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

These other parameters can also optionally be provided:

  bearer_token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  api_base_url: https://api.intelligence.mandiant.com
  minimum_mscore: 60
  exclude_osint: False
  include_campaigns: False
  include_category: True
  include_misp: True
  include_reports: False
  include_threat_rating: False

Malcolm uses the google/mandiant-ti-client Python library to access Mandiant threat intelligence feeds.

Disclaimer

Neither Malcolm’s development team nor its funding sources endorse any commercial product or service, nor do they attest to the suitability or effectiveness of these products and services for any particular use case. Any reference to specific commercial products, processes, or services by trademark, manufacturer, or otherwise should not be interpreted as an endorsement, recommendation, or preference.