randomrhythm / vendor-threat-triage-lookup Goto Github PK

VTTL Performs lookups for file hashes, IP addresses and domain names. Results are output to a CSV file. Supported vendor lookups include the following:

• VirusTotal
• AlienVault OTX
• ThreatGRID
• Emerging Threats ET Intelligence
• Malshare
• Carbon Black EDR/Hosted EDR (formally Cb Response)
• Carbon Black Enterprise EDR (formally ThreatHunter)
• ThreatGRID
• ThreatCrowd
• ThreatIntelligenceAggregator (TIA)
• RiskIQ
• Collective Intelligence Framework (CIF)
• Shodan InternetDB
• SecLytics
• Pulsedive
• Quad9
• ZEN RBL
• cbl.abuseat.org
• Zen DBL
• SURBL
• SORBS
• Barracuda

Additional checks:

• Over 40 preconfigured threat intel feeds
• Reverse DNS
• Reverse IP (lookup to document sample of associated domains)
• Whois (often provided via APIs already listed)
  • ARIN Web API
  • RIPE Web API
  • Sysinternals Whois (external command line tool)
  • NirSoft WhosIP (external command line tool)
• Website category (from web proxy vendors)
• Dynamic DNS
• Tranco List
  • Requires SQLite database (included in default.db)
• Geolocation (often provided via APIs already listed)
  • https://freegeoip.app
  • Internal IP Geolocation Database (included in default.db)
    • IP to Country Lite or IP to Country from https://db-ip.com/db/
• Registration date of domains
• Sinkhole checks

Combine hash lookups with tool output from:

• Sysinternals Sigcheck
• Sysinternals Autorunsc
• Cisco AMP for Networks
• EnCase
• CrowdStrike Falcon
• Rhythm-CB-Scripts Hash Dump (Cb Response scripts)

Additional features:

• Attempts to find the common name and type from VirusTotal detections
• Scores antimalware detections into categories
  • Malware Score
  • Generic Score
  • PUA Score
  • Hacker Tool Score
  • Adjusted Malicious Score
• Cache results to SQLite and files on disk
• Whitelist known hashes
• Blacklist known hashes
• Track digital signatures (signatures can be provided via combine input or the VirusTotal API)
• Track file path/vendor combination (file paths and vendor/company provided via combine input)
• Exclude domain/subdomain/IP lookups
• Detection name watchlist
• URL watchlist (supports regex)
• Keyword watchlist
• IP/Domain watchlist

Tests:

• dbltest.com - spamhaus.org DBL
• test.surbl.org
• 127.0.0.2 - SORBS, CBL abuseat, Barrucda, Spamhaus, ZEN RBL

Check out the wiki for more information.