~alienagain/simplecti

a very simple command-line CTI tool
c68f279f — paula 24 days ago
adding a readme
fea2df6d — paula 24 days ago
changing main location
b1699770 — paula 24 days ago
adding simple graph and fixing things


clone
read-only: https://git.sr.ht/~alienagain/simplecti
read/write: git@git.sr.ht:~alienagain/simplecti


# SimpleCTI

This is a tool for managing CTI content and enriching IoCs from a simple terminal interface, without having to deploy a graphical web application.

The tool is still unfinished and under development. It requires a Linux-based system and a few dependencies, which are listed in the "requirements" documents.

# How it works

The tool is still under development, but you can test a few of the modules separately by going through the folders in this repository. The options available right now are: generating a simple relational graph, retrieving data from VirusTotal (VT) for a given hash, and searching for a keyword in a document.

The service is meant to run either on a server or locally. Before anything else, start it from the repository root with:

```
uvicorn main:app --reload
```

`--reload` is uvicorn's development auto-reload mode, and with no `--host` it listens only on 127.0.0.1:8000. For a server deployment drop `--reload` and choose the bind address explicitly with `--host` and `--port`.

# Looking for a keyword in a web page

```
curl http://127.0.0.1:8000/keyword/<mykeyword>
```

An example HTML document about the Oyster backdoor is provided, so in this case, for example:

http://127.0.0.1:8000/keyword/backdoor

Will return:

The key word was found in the article

I'd like to add multi-word search; the search logic already works over a whole document rather than a single variable, but the feature is still under development.
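As an added example (not SimpleCTI's own code), here is a stdlib-only implementation of the keyword search described above, extended to several keywords at once. It strips tags with `html.parser`, skips `<script>`/`<style>` contents, matches whole words case-insensitively, and passes every keyword through `re.escape` so that user-supplied input arriving from a URL path cannot inject regex metacharacters. The sample document is constructed for this example and is not the Oyster Backdoor page shipped with the repository.

```python
# Added example (not SimpleCTI's own code): case-insensitive, whole-word
# search for one or more keywords in an HTML document, stdlib only.
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> contents."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html: str) -> str:
    """Visible text of the document, whitespace-normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


def find_keywords(html: str, keywords) -> dict:
    """Return {keyword: occurrence count} over the document's visible text.

    Keywords are treated literally (re.escape), so input such as "a.b" or
    "c:\\windows" cannot inject regex metacharacters. Matching is
    case-insensitive and whole-word ("backdoors" does not count as "backdoor").
    """
    text = html_to_text(html)
    counts = {}
    for kw in keywords:
        kw = kw.strip()
        if not kw:
            continue
        pattern = r"(?<!\w)" + re.escape(kw) + r"(?!\w)"
        counts[kw] = len(re.findall(pattern, text, flags=re.IGNORECASE))
    return counts


def describe(counts: dict) -> str:
    """One-line verdict in the spirit of the tool's output, listing the hits."""
    found = [k for k, n in counts.items() if n]
    if not found:
        return "No key word was found in the article"
    return "The key word was found in the article: " + ", ".join(found)


# Constructed sample document for this example (not the repository's Oyster page).
SAMPLE_HTML = """<html><head><title>Oyster Backdoor</title>
<style>.x{color:red}</style></head>
<body><h1>Oyster Backdoor analysis</h1>
<p>The Oyster backdoor (also tracked as Broomstick) is delivered via a
malicious installer. The backdoor contacts its C2 over HTTPS.</p>
<script>var backdoor = "not visible text";</script>
<p>Indicators: Setup.exe; backdoors of this family use staged loaders.</p>
</body></html>"""

if __name__ == "__main__":
    result = find_keywords(SAMPLE_HTML, ["backdoor", "Broomstick", "c2", "rootkit"])
    print(result)
    print(describe(result))
```

Run it as a script to see the per-keyword counts; the `/keyword/<mykeyword>` handler would call `find_keywords` with a single-element list and return `describe(...)`.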

# Getting quick info from VT

```
curl http://127.0.0.1:8000/enrich/<myhash>
```

For example:

http://127.0.0.1:8000/enrich/9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43

Will return a JSON object with the summary:

```
{
  "label": "trojankryplod/tedy",
  "tags": ["executable", "windows", "win32", "pe", "peexe", "simplecti_analysis"],
  "meaninful_name": "Setup.exe",
  "imports": " KERNEL32.dll USER32.dll ADVAPI32.dll SHELL32.dll"
}
```
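The two things a practitioner would want to see around this endpoint are how the hash taken from the URL path is checked before it is spliced into an upstream request, and how a VirusTotal response is reduced to the short summary shown above. The following is an added example, not SimpleCTI's code: the field names (`meaningful_name`, `tags`, `popular_threat_classification.suggested_threat_label`, `pe_info.import_list[].library_name`) follow the public VirusTotal API v3 file object, and the project's own mapping is not shown on this page, so that mapping is an assumption. The response payload is constructed for the example and is not real VT data; the API key is read from an environment variable `VT_API_KEY`, a name chosen for this example.

```python
# Added example (not SimpleCTI's own code): validate the hash from the URL
# path, then reduce a VirusTotal API v3 file object to a short summary.
import json
import os
import re
import urllib.request

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digits, nothing else.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def is_valid_hash(value: str) -> bool:
    return bool(HASH_RE.match(value.strip()))


def validate_hash(value: str) -> str:
    """Reject anything that is not a hex digest before it reaches a URL.

    A path parameter such as '../comments' or 'x?y=1' must never be
    concatenated into the upstream request; only a digest gets through.
    """
    if not is_valid_hash(value):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest")
    return value.strip().lower()


def summarize_vt_file(payload: dict) -> dict:
    """Pick label, tags, name and imported DLLs out of a v3 /files/{id} object.

    Assumed v3 field names; the project's own mapping may differ.
    """
    attrs = payload.get("data", {}).get("attributes", {})
    classification = attrs.get("popular_threat_classification", {})
    imports = attrs.get("pe_info", {}).get("import_list", [])
    return {
        "label": classification.get("suggested_threat_label", ""),
        "tags": list(attrs.get("tags", [])),
        "meaningful_name": attrs.get("meaningful_name", ""),
        "imports": " ".join(e.get("library_name", "") for e in imports),
    }


def fetch_vt_file(file_hash: str) -> dict:
    """Live lookup. The key comes from the environment, never from source."""
    api_key = os.environ["VT_API_KEY"]  # assumed variable name for this example
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3/files/" + validate_hash(file_hash),
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def enrich(file_hash: str, fetch=fetch_vt_file) -> dict:
    """Validate first, then look up and summarise; fetch is injectable for tests."""
    return summarize_vt_file(fetch(validate_hash(file_hash)))


# Constructed response fragment shaped like a v3 file object (not real VT data).
SAMPLE_RESPONSE = {
    "data": {
        "type": "file",
        "id": "a" * 64,
        "attributes": {
            "meaningful_name": "Setup.exe",
            "tags": ["executable", "windows", "pe", "peexe"],
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.generic/agent",
            },
            "pe_info": {
                "import_list": [
                    {"library_name": "KERNEL32.dll", "imported_functions": ["CreateFileW"]},
                    {"library_name": "USER32.dll", "imported_functions": ["MessageBoxW"]},
                ]
            },
        },
    }
}

if __name__ == "__main__":
    # Offline run against the constructed payload; drop fetch= for a live query.
    print(json.dumps(enrich("A" * 64, fetch=lambda h: SAMPLE_RESPONSE), indent=2))
```

Keeping validation in front of the URL construction is what makes the `/enrich/<myhash>` path parameter safe to forward; everything after that is just field selection on the upstream JSON.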

# Generate a graph for a campaign

From the /basic_template/data/campaigns/simple_graph directory run:

```
python3 mymalware.py <document with tags> <name of the threat>
```

This generates an HTML file, named after the threat, containing the graph. Right now the graph is only a "spider": the main threat is the body and each tag is a leg. A more serious map is still in development.
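As an added example (not the repository's mymalware.py), the following produces the same kind of star graph as a self-contained HTML/SVG file. It assumes the tag document has one tag per line; that format is an assumption, as is the output name `<threat>.html`. The point worth noticing is that tags come from an untrusted threat report, so every label is passed through `html.escape` before it lands in the page; unescaped, a tag like `<script>...</script>` would execute when the generated report is opened in a browser.

```python
# Added example (not SimpleCTI's mymalware.py): read a tag list, draw a star
# ("spider") graph with the threat in the centre, and write it as HTML/SVG.
import html
import math
import sys


def read_tags(text: str) -> list:
    """Assumed format: one tag per line; blanks and duplicates dropped, order kept."""
    tags = []
    for line in text.splitlines():
        tag = line.strip()
        if tag and tag not in tags:
            tags.append(tag)
    return tags


def star_layout(n: int, radius: float = 180.0, cx: float = 250.0, cy: float = 250.0):
    """Place n nodes evenly on a circle around (cx, cy)."""
    return [
        (cx + radius * math.cos(2 * math.pi * i / n),
         cy + radius * math.sin(2 * math.pi * i / n))
        for i in range(n)
    ]


def build_star_html(threat: str, tags: list) -> str:
    """Return a complete HTML page with an SVG star graph.

    Every label goes through html.escape: the tags originate in a document
    we did not write, and the output is opened in a browser.
    """
    cx, cy = 250.0, 250.0
    parts = ['<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">']
    for (x, y), tag in zip(star_layout(len(tags)), tags):
        parts.append(f'<line x1="{cx}" y1="{cy}" x2="{x:.1f}" y2="{y:.1f}" stroke="#888"/>')
        parts.append(f'<circle cx="{x:.1f}" cy="{y:.1f}" r="6" fill="#4a90e2"/>')
        parts.append(f'<text x="{x:.1f}" y="{y - 10:.1f}" font-size="11" text-anchor="middle">'
                     f'{html.escape(tag)}</text>')
    parts.append(f'<circle cx="{cx}" cy="{cy}" r="10" fill="#d0021b"/>')
    parts.append(f'<text x="{cx}" y="{cy - 14}" font-size="13" text-anchor="middle">'
                 f'{html.escape(threat)}</text>')
    parts.append("</svg>")
    body = "".join(parts)
    title = html.escape(threat)
    return f"<!doctype html><html><head><title>{title}</title></head><body>{body}</body></html>"


if __name__ == "__main__":
    # usage: python3 star_graph.py <document with tags> <name of the threat>
    tag_file, threat = sys.argv[1], sys.argv[2]
    with open(tag_file, encoding="utf-8") as fh:
        tags = read_tags(fh.read())
    with open(threat + ".html", "w", encoding="utf-8") as out:
        out.write(build_star_html(threat, tags))
```

The layout is deliberately trivial (one centre node, tags on a circle), which is all the "spider" described above needs; a richer relational graph would keep the same escaping rule for every label it renders.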

# Support me

I'm a professional threat analyst, but I'm doing this in my free time because I'm more comfortable with the terminal than with graphical tools. If you are the same and you found the tool useful (or you want to support its development so it becomes better), consider buying me a coffee or two. Coffee fuels my programming!