Thunderstorm Service API Client

Detailed description of the thunderstormAPI Python project


Thunderstorm

This module lets you interact with the THOR Thunderstorm API (also known as THOR as a Service).

Running THOR in service mode (--service) starts a local RESTful API service. The API accepts sample submissions and returns the results as JSON. The service is multi-threaded and designed for high-throughput sample processing.

This repository contains a Python module named thunderstormAPI and an example command line API client, thunderstorm-cli, written in Python on top of that module.

Installation

pip install thunderstormAPI

(Note: on Debian, use pip3 install thunderstormAPI)

Thunderstorm CLI

The Thunderstorm command line interface (CLI) is a ready-made tool built on the Python module.

Usage

Examples

Server

On the server, run THOR in service mode as follows:

./thor-linux-64 --server --server-host 10.0.0.14 --threadcount 40

See our GitHub repository for scripts that help you install THOR Thunderstorm.

Client

Get information about the THOR Thunderstorm service running on 10.0.0.14:

./thunderstorm-cli --info -t 10.0.0.14

Result

[INFO ] Using THOR Thunderstorm service on host 127.0.0.1 port 8081 without SSL/TLS
{
    "allowed_samples_per_hour": 0,
    "sigma_version": "0.17.0-383-gd73447c1",
    "signature_version": "2020/08/13-125157",
    "thor_timestamp": "2020-08-17 07:04:36",
    "thor_version": "10.6.0",
    "yara_version": "4.0.2"
}

Submit a single sample to the THOR Thunderstorm service running on 10.0.0.14:

./thunderstorm-cli --scan -t 10.0.0.14 -f ./samples/webshell.txt

Result

[INFO ] Using THOR Thunderstorm service on host 10.0.0.14 port 8080 without SSL/TLS
[INFO ] Thunderstorm service stats UPTIME: 00h:45m:57s SCANNED_SAMPLES: 60 AVG_SCAN_TIME: 33ms
[INFO ] Submitting file ./samples/webshell.txt for scanning ...
[WARNI] Match found in FILE: ./samples/webshell.txt MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 140, 'context': {'ext': '', 'file': './samples/webshell.txt', 'firstBytes': '3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm', 'md5': '6f70c1a517db1818e0234ba63185e6e9', 'sha1': '2f13649ccd9de947fd28616d73cc1387674a2df0', 'sha256': '5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc', 'size': 58, 'type': 'PHP'}, 'matches': [{'matched': ['php @eval($_POST['], 'reason': 'China Chopper Webshells - PHP and ASPX', 'ref': 'https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf', 'ruledate': '2015-03-10', 'rulename': 'ChinaChopper_Generic', 'subscore': 75, 'tags': ['CHINA', 'GEN', 'T1100', 'WEBSHELL']}, {'matched': ['<?php', '$_GET[', 'eval('], 'reason': 'Detects suspiciously small PHP file that receives a parameter and runs a eval statement', 'ref': 'https://github.com/qiyeboy/kill_webshell_detect', 'ruledate': '2020-07-31', 'rulename': 'SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20', 'subscore': 65, 'tags': ['FILE', 'SUSP', 'T1100', 'T1136', 'WEBSHELL']}]}

Submit all samples in a directory (recursively) to the THOR Thunderstorm service running on 10.0.0.14:

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/

Result

[INFO ] Using THOR Thunderstorm service on host 10.0.0.14 port 8080 without SSL/TLS
[INFO ] Thunderstorm service stats UPTIME: 00h:59m:15s SCANNED_SAMPLES: 64 AVG_SCAN_TIME: 34ms
[INFO ] Submitting samples from ./samples/ using 12 threads
[INFO ] Scanning path: ./samples/ with 3 elements
[WARNI] Match found in FILE: ./samples/test-mimi.txt MATCH: {'level': 'Warning', 'module': 'Filescan', 'message': 'Possibly Dangerous file found', 'score': 205, 'context': {'ext': '', 'file': './samples/test-mimi.txt', 'firstBytes': '6c6f676f6e70617373776f7264733a3a0a73656b / logonpasswords::\nsek', 'md5': 'bf9d9616e86267d5d5ba48ad1161e2aa', 'sha1': '00d0289f25119fe4695e82aa09e18aa53b5606e2', 'sha256': '7579e064c44fb1782cf59485e7b812e72e30f1160d687e20976739d3f40cb748', 'size': 83, 'type': 'UNKNOWN'}, 'matches': [{'matched': [' -ma lsass.exe'], 'reason': 'Detects commands often used in malicious scripts', 'ref': 'https://twitter.com/SBousseaden/status/1272863752677965824', 'ruledate': '2020-06-16', 'rulename': 'SUSP_LSASS_Memory_Dump_CmdLine_Jun20_2', 'subscore': 70, 'tags': ['HKTL', 'SUSP', 'T1003', 'T1136']}, {'matched': ['-ma lsass.exe'], 'reason': 'Procdump - Batch file invocation', 'ref': '-', 'ruledate': '2013-01-01', 'rulename': 'HKTL_Procdump_BAT', 'subscore': 70, 'tags': ['APT', 'HKTL', 'T1136']}, {'matched': [' -ma ', ' lsass.exe'], 'reason': 'Detects suspicious post exploitation strings and command lines often used by attackers', 'ref': 'https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html', 'ruledate': '2019-08-28', 'rulename': 'SUSP_PostExploitation_Cmds_Aug19_1', 'subscore': 65, 'tags': ['SUSP', 'T1136']}]}
[WARNI] Match found in FILE: ./samples/webshell.txt MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 140, 'context': {'ext': '', 'file': './samples/webshell.txt', 'firstBytes': '3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm', 'md5': '6f70c1a517db1818e0234ba63185e6e9', 'sha1': '2f13649ccd9de947fd28616d73cc1387674a2df0', 'sha256': '5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc', 'size': 58, 'type': 'PHP'}, 'matches': [{'matched': ['php @eval($_POST['], 'reason': 'China Chopper Webshells - PHP and ASPX', 'ref': 'https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf', 'ruledate': '2015-03-10', 'rulename': 'ChinaChopper_Generic', 'subscore': 75, 'tags': ['CHINA', 'GEN', 'T1100', 'WEBSHELL']}, {'matched': ['<?php', '$_GET[', 'eval('], 'reason': 'Detects suspiciously small PHP file that receives a parameter and runs a eval statement', 'ref': 'https://github.com/qiyeboy/kill_webshell_detect', 'ruledate': '2020-07-31', 'rulename': 'SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20', 'subscore': 65, 'tags': ['FILE', 'SUSP', 'T1100', 'T1136', 'WEBSHELL']}]}
[WARNI] Match found in FILE: ./samples/sekurlsa.log MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 325, 'context': {'ext': '', 'file': './samples/sekurlsa.log', 'firstBytes': "5573696e67202773656b75726c73612e6c6f6727 / Using 'sekurlsa.log'", 'md5': '619e7ad14b5a64481958ac5248dd832f', 'sha1': '886817e0fbc813c711616e2d1ace7c819cfd5b55', 'sha256': '0c66a723033b367e3700e83054f521a853bd6764b24924ce66c5df81d8ff32f3', 'size': 1362, 'type': 'Mimikatz Logfile'}, 'matches': [{'matched': ['* Username : ', '* Password : ', 'credman :'], 'reason': 'Detects credential dump strings from APT case', 'ref': 'White Amflora', 'ruledate': '2016-05-02', 'rulename': 'CustomerCase_C2_Credential_Dump', 'subscore': 100, 'tags': ['APT', 'CLIENT', 'HKTL', 'T1003', 'T1136']}, {'matched': ['SID               :', '* NTLM     :', 'Authentication Id :', 'wdigest :'], 'reason': 'Detects a log file generated by malicious hack tool mimikatz', 'ref': '-', 'ruledate': '2015-03-31', 'rulename': 'Mimikatz_Logfile', 'subscore': 80, 'tags': ['HKTL', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}, {'matched': ['* Password : (null)', 'mimikatz # sekurlsa::logonpasswords', '* NTLM     : ', '* Username : ', 'Logon Server      : ', '] CredentialKeys'], 'reason': 'Detects keyword combo known from Mimikatz log files', 'ref': 'https://github.com/gentilkiwi/mimikatz/wiki/module-~-standard#log', 'ruledate': '2019-02-26', 'rulename': 'SUSP_Mimikatz_LogFile_Keywords', 'subscore': 75, 'tags': ['SUSP', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}, {'matched': ['Authentication Id :', 'SID               :', 'tspkg :', 'kerberos :', '* Username :', 'credman :'], 'reason': 'Detects a log file of password dumper mimikatz', 'ref': '-', 'ruledate': '2014-12-22', 'rulename': 'Mimikatz_Log_Output', 'subscore': 70, 'tags': ['APT', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}]}

Submit all samples in a directory, but only *.exe and *.dll files. Quote the patterns so the shell passes them to the client unchanged instead of expanding them against the current directory:

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --include '*.exe' --include '*.dll'

Submit all samples in a directory, excluding files that match a pattern (again quoted for the shell):

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --exclude '*.evtx'

Submit all samples in a directory, but only files that were changed or modified within the last hour (3600 seconds):

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --lookback 3600

Submit all samples in a directory and send the files over HTTPS. The log lines above show that the default transport is plain HTTP ("without SSL/TLS"); since submitted samples can carry sensitive content (the mimikatz log above holds credential dumps), use --ssl whenever the service is reached across a network:

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --ssl

Submit all samples in a directory in asynchronous mode (fast submission, no result response):

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --asyn

Submit all samples in a directory and set a custom source value:

./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --source sample_collector_1
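The include, exclude and lookback selection shown in the CLI examples happens on the client before anything is sent. The following is an added example, not the project's own code, that reimplements that selection as a small, testable helper and hands the resulting list to the documented scan_multi(). Assumptions: glob matching with fnmatch on the file name, "modified" measured by mtime, os.walk for the recursive listing, and the hostname thunderstorm.local.

```python
"""Client-side sample selection mirroring thunderstorm-cli's --include,
--exclude and --lookback options (added example, not part of thunderstormAPI)."""
import fnmatch
import os
import time
from typing import Iterable, List, Optional, Sequence, Tuple

# A candidate is (absolute path, mtime in epoch seconds). Keeping selection separate
# from the directory walk lets the filter run on constructed input without a filesystem.
Candidate = Tuple[str, float]


def walk_candidates(directory: str) -> List[Candidate]:
    """Recursively collect regular files below directory together with their mtimes."""
    found: List[Candidate] = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.abspath(os.path.join(root, name))
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable, or removed while we were walking
            found.append((path, st.st_mtime))
    return found


def select_samples(candidates: Iterable[Candidate],
                   include: Sequence[str] = (),
                   exclude: Sequence[str] = (),
                   lookback: Optional[int] = None,
                   now: Optional[float] = None) -> List[str]:
    """Return the paths that pass all three filters, in input order.

    include : glob patterns on the file name; if given, at least one must match
    exclude : glob patterns on the file name; none may match
    lookback: only files modified within the last `lookback` seconds (assumed to
              mean mtime; `now` is injectable so the window is testable)
    """
    now = time.time() if now is None else now
    selected: List[str] = []
    for path, mtime in candidates:
        name = os.path.basename(path)
        if include and not any(fnmatch.fnmatch(name, p) for p in include):
            continue
        if any(fnmatch.fnmatch(name, p) for p in exclude):
            continue
        if lookback is not None and mtime < now - lookback:
            continue
        selected.append(path)
    return selected


if __name__ == "__main__":
    # Equivalent of: thunderstorm-cli --scan -t thunderstorm.local -d ./samples/ \
    #     --include '*.exe' --include '*.dll' --exclude '*.evtx' --lookback 3600
    samples = select_samples(walk_candidates("./samples"),
                             include=["*.exe", "*.dll"], exclude=["*.evtx"], lookback=3600)
    print(f"{len(samples)} sample(s) selected")
    # Hand-off to the documented module API; it needs a reachable service, so it is
    # left commented out here. Hostname assumed.
    # from thunderstormAPI.thunderstorm import ThunderstormAPI
    # thorapi = ThunderstormAPI(host="thunderstorm.local", use_ssl=True, verify_ssl=True)
    # print(thorapi.scan_multi(samples, num_threads=12))
```

Splitting the walk from the filter is deliberate: the filter is pure over (path, mtime) pairs, so the lookback window and the glob semantics can be checked without touching the disk, and the same list can be fed to scan_multi() or written to a manifest for a later asynchronous run.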

Python Module

The two helper functions of the Python module are:

  • get_info() retrieves general information (versions, license information)
  • get_status() retrieves status information from the service (processed samples, errors, runtime)

The two main functions of the Python module are:

  • scan(sample) submits a single sample for remote scanning
  • scan_multi(sample_list) submits a list of samples (multi-threaded)

__init__()

The __init__ method accepts the following parameters:

  • host: host running the THOR Thunderstorm service
  • port: port the THOR Thunderstorm service listens on
  • source: custom source identifier (defaults to the hostname)
  • use_ssl: use SSL/TLS for the transport
  • verify_ssl: verify the SSL/TLS server certificate (leave this enabled outside of test setups; with verification off, anyone on the network path can impersonate the service and read the submitted samples)

scan()

The scan method accepts the following parameters:

  • filelist: list of absolute file paths
  • asyn: asynchronous mode, submit only and do not wait for the scan result (the server returns only a submission receipt)
  • trace: more verbose than debug, shows each request and response

scan_multi()

The scan_multi method accepts the following parameters:

  • filelist: list of absolute file paths
  • num_threads: number of threads
  • asyn: asynchronous mode, submit only and do not wait for scan results (the server returns only submission receipts)
  • trace: more verbose than debug, shows each request and response

Examples

Get Info

from thunderstormAPI.thunderstorm import ThunderstormAPI
thorapi = ThunderstormAPI(host='thunderstorm.local')
thorapi.get_info()

Returns

{"allowed_samples_per_hour":0,"license_expiration_date":"2021/01/30","sigma_version":"0.18.1","signature_version":"2020/08/31-164212","thor_timestamp":"2020-09-03 07:39:30","thor_version":"10.6.0","threads":40,"yara_version":"4.0.2"}

Get Status

from thunderstormAPI.thunderstorm import ThunderstormAPI
thorapi = ThunderstormAPI(host='thunderstorm.local')
thorapi.get_status()

Returns

{"avg_scan_time_ms":494,"avg_total_time_ms":495,"denied_request_proportion":0,"denied_requests":0,"queued_async_requests":70854,"quota_wait_time_ms":0,"quota_waits":0,"scanned_samples":109230,"uptime_s":1419}

Submit a single file

from thunderstormAPI.thunderstorm import ThunderstormAPI
thorapi = ThunderstormAPI(host='thunderstorm.local')
thorapi.scan('./samples/webshell.txt')


Submit a list of samples

from os import listdir, path
from thunderstormAPI.thunderstorm import ThunderstormAPI
SAMPLE_DIR = './samples'
samples = [path.join(SAMPLE_DIR, f) for f in listdir(SAMPLE_DIR)]
thorapi = ThunderstormAPI(host='thunderstorm.local')
thorapi.scan_multi(samples)

Returns

[[{"level":"Alert","module":"Filescan","message":"Malware file found","score":140,"context":{"ext":"","file":"./samples/webshell.txt","firstBytes":"3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm","md5":"6f70c1a517db1818e0234ba63185e6e9","sha1":"2f13649ccd9de947fd28616d73cc1387674a2df0","sha256":"5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc","size":58,"type":"PHP"},"matches":[{"matched":["php @eval($_POST["],"reason":"China Chopper Webshells - PHP and ASPX","ref":"https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf","ruledate":"2015-03-10","rulename":"ChinaChopper_Generic","subscore":75,"tags":["CHINA","GEN","T1100","WEBSHELL"]},{"matched":["<?php","$_GET[","eval("],"reason":"Detects suspiciously small PHP file that receives a parameter and runs a eval statement","ref":"https://github.com/qiyeboy/kill_webshell_detect","ruledate":"2020-07-31","rulename":"SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20","subscore":65,"tags":["FILE","SUSP","T1100","T1136","WEBSHELL"]}]}],[{"level":"Alert","module":"Filescan","message":"Malware file found","score":325,"context":{"ext":"","file":"./samples/sekurlsa.log","firstBytes":"5573696e67202773656b75726c73612e6c6f6727 / Using 'sekurlsa.log'","md5":"619e7ad14b5a64481958ac5248dd832f","sha1":"886817e0fbc813c711616e2d1ace7c819cfd5b55","sha256":"0c66a723033b367e3700e83054f521a853bd6764b24924ce66c5df81d8ff32f3","size":1362,"type":"Mimikatz Logfile"},"matches":[{"matched":["* Username : ","* Password : ","credman :"],"reason":"Detects credential dump strings from APT case","ref":"White Amflora","ruledate":"2016-05-02","rulename":"CustomerCase_C2_Credential_Dump","subscore":100,"tags":["APT","CLIENT","HKTL","T1003","T1136"]},{"matched":["SID               :","* NTLM     :","Authentication Id :","wdigest :"],"reason":"Detects a log file generated by malicious hack tool mimikatz","ref":"-","ruledate":"2015-03-31","rulename":"Mimikatz_Logfile","subscore":80,"tags":["HKTL","T1003","T1075","T1097","T1136","T1178"]},{"matched":["* Password : (null)","mimikatz # sekurlsa::logonpasswords","* NTLM     : ","* Username : ","Logon Server      : ","] CredentialKeys"],"reason":"Detects keyword combo known from Mimikatz log files","ref":"https://github.com/gentilkiwi/mimikatz/wiki/module-~-standard#log","ruledate":"2019-02-26","rulename":"SUSP_Mimikatz_LogFile_Keywords","subscore":75,"tags":["SUSP","T1003","T1075","T1097","T1136","T1178"]},{"matched":["Authentication Id :","SID               :","tspkg :","kerberos :","* Username :","credman :"],"reason":"Detects a log file of password dumper mimikatz","ref":"-","ruledate":"2014-12-22","rulename":"Mimikatz_Log_Output","subscore":70,"tags":["APT","T1003","T1075","T1097","T1136","T1178"]}]}],[{"level":"Warning","module":"Filescan","message":"Possibly Dangerous file found","score":205,"context":{"ext":"","file":"./samples/test-mimi.txt","firstBytes":"6c6f676f6e70617373776f7264733a3a0a73656b / logonpasswords::\nsek","md5":"bf9d9616e86267d5d5ba48ad1161e2aa","sha1":"00d0289f25119fe4695e82aa09e18aa53b5606e2","sha256":"7579e064c44fb1782cf59485e7b812e72e30f1160d687e20976739d3f40cb748","size":83,"type":"UNKNOWN"},"matches":[{"matched":[" -ma lsass.exe"],"reason":"Detects commands often used in malicious scripts","ref":"https://twitter.com/SBousseaden/status/1272863752677965824","ruledate":"2020-06-16","rulename":"SUSP_LSASS_Memory_Dump_CmdLine_Jun20_2","subscore":70,"tags":["HKTL","SUSP","T1003","T1136"]},{"matched":["-ma lsass.exe"],"reason":"Procdump - Batch file invocation","ref":"-","ruledate":"2013-01-01","rulename":"HKTL_Procdump_BAT","subscore":70,"tags":["APT","HKTL","T1136"]},{"matched":[" -ma "," lsass.exe"],"reason":"Detects suspicious post exploitation strings and command lines often used by attackers","ref":"https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html","ruledate":"2019-08-28","rulename":"SUSP_PostExploitation_Cmds_Aug19_1","subscore":65,"tags":["SUSP","T1136"]}]}]]
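The structure returned above (one list of match objects per submitted sample, each with a level, a score, a context carrying the hashes and file type, and the individual rule hits with their subscores and tags) is what a consumer of this API actually has to work with. The following is an added example, not part of thunderstormAPI or the page's own code, that aggregates those results per sample, applies score and level thresholds, and pulls out the MITRE ATT&CK technique ids from the rule tags. SAMPLE_RESULTS is a constructed, abridged copy of the output shown above; the severity order of THOR levels is an assumption (only Alert and Warning appear on this page).

```python
"""Triage of THOR Thunderstorm scan results (added example, not part of thunderstormAPI).

scan_multi() returns one list of match objects per submitted sample and scan()
returns a single such list; each match object carries 'level', 'score', a
'context' with file name, hashes and type, and 'matches' with the individual
rules (rulename, subscore, tags). SAMPLE_RESULTS is constructed and abridged
from the output shown on this page.
"""
import re
from collections import Counter
from typing import Any, Dict, List

# Assumed severity order of THOR levels (only Alert and Warning appear on this page).
LEVEL_RANK = {"Info": 0, "Notice": 1, "Warning": 2, "Alert": 3}
ATTACK_TAG = re.compile(r"T\d{4}(?:\.\d{3})?")  # MITRE ATT&CK technique ids such as T1003

SAMPLE_RESULTS = [
    [{"level": "Alert", "module": "Filescan", "score": 140,
      "context": {"file": "./samples/webshell.txt", "type": "PHP",
                  "sha256": "5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc"},
      "matches": [
          {"rulename": "ChinaChopper_Generic", "subscore": 75,
           "tags": ["CHINA", "GEN", "T1100", "WEBSHELL"]},
          {"rulename": "SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20", "subscore": 65,
           "tags": ["FILE", "SUSP", "T1100", "T1136", "WEBSHELL"]}]}],
    [{"level": "Alert", "module": "Filescan", "score": 325,
      "context": {"file": "./samples/sekurlsa.log", "type": "Mimikatz Logfile",
                  "sha256": "0c66a723033b367e3700e83054f521a853bd6764b24924ce66c5df81d8ff32f3"},
      "matches": [
          {"rulename": "CustomerCase_C2_Credential_Dump", "subscore": 100,
           "tags": ["APT", "CLIENT", "HKTL", "T1003", "T1136"]},
          {"rulename": "Mimikatz_Logfile", "subscore": 80,
           "tags": ["HKTL", "T1003", "T1075", "T1097", "T1136", "T1178"]}]}],
    [{"level": "Warning", "module": "Filescan", "score": 205,
      "context": {"file": "./samples/test-mimi.txt", "type": "UNKNOWN",
                  "sha256": "7579e064c44fb1782cf59485e7b812e72e30f1160d687e20976739d3f40cb748"},
      "matches": [
          {"rulename": "SUSP_LSASS_Memory_Dump_CmdLine_Jun20_2", "subscore": 70,
           "tags": ["HKTL", "SUSP", "T1003", "T1136"]},
          {"rulename": "HKTL_Procdump_BAT", "subscore": 70,
           "tags": ["APT", "HKTL", "T1136"]}]}],
]


def flatten(results: List[Any]) -> List[Dict[str, Any]]:
    """Accept either scan() output (list of matches) or scan_multi() output
    (list of lists) and return a flat list of match objects."""
    flat: List[Dict[str, Any]] = []
    for item in results:
        if isinstance(item, dict):
            flat.append(item)
        else:
            flat.extend(m for m in item if isinstance(m, dict))
    return flat


def triage(results: List[Any], min_score: int = 100,
           min_level: str = "Warning") -> List[Dict[str, Any]]:
    """Aggregate matches per sample (keyed by sha256, so the same file submitted
    twice or reported by several modules collapses into one row), keep rows at
    or above the score and level thresholds, and return them worst first."""
    rows: Dict[str, Dict[str, Any]] = {}
    for m in flatten(results):
        ctx = m.get("context", {})
        key = ctx.get("sha256") or ctx.get("file", "?")
        row = rows.setdefault(key, {
            "file": ctx.get("file"), "sha256": ctx.get("sha256"),
            "type": ctx.get("type"), "level": "Info", "score": 0,
            "rules": [], "attack": set()})
        row["score"] = max(row["score"], int(m.get("score", 0)))
        if LEVEL_RANK.get(m.get("level"), 0) > LEVEL_RANK.get(row["level"], 0):
            row["level"] = m["level"]
        for rule in m.get("matches", []):
            row["rules"].append((rule.get("rulename"), int(rule.get("subscore", 0))))
            row["attack"].update(t for t in rule.get("tags", []) if ATTACK_TAG.fullmatch(t))
    selected = []
    for row in rows.values():
        if row["score"] < min_score or LEVEL_RANK.get(row["level"], 0) < LEVEL_RANK.get(min_level, 0):
            continue
        row["rules"].sort(key=lambda r: -r[1])   # strongest rule first
        row["attack"] = sorted(row["attack"])
        selected.append(row)
    selected.sort(key=lambda r: -r["score"])
    return selected


def technique_counts(results: List[Any]) -> Counter:
    """How often each ATT&CK technique id was tagged across all rule hits;
    a quick picture of what a sample set is about."""
    counts: Counter = Counter()
    for m in flatten(results):
        for rule in m.get("matches", []):
            counts.update(t for t in rule.get("tags", []) if ATTACK_TAG.fullmatch(t))
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_RESULTS, min_score=150):
        print(f"{row['level']:<8}{row['score']:>4}  {row['file']}  "
              f"rules={[r[0] for r in row['rules']]} attack={row['attack']}")
    print(technique_counts(SAMPLE_RESULTS).most_common(3))
```

Keying on sha256 rather than on the path matters once the same sample is collected from several hosts or submitted more than once: the rows then stay one per unique file, while the file name in the row is simply the first one seen. Replace SAMPLE_RESULTS with the value returned by thorapi.scan_multi(samples) to run this on live output.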

Submit a list of samples (asynchronous)

Submitting samples in asynchronous mode has the advantage of faster submission and avoids overloading the service, but it does not return scan results to the submitting client; the service only returns a submission receipt (file and id) per sample.

from os import listdir, path
from thunderstormAPI.thunderstorm import ThunderstormAPI
SAMPLE_DIR = '/software/set1'
samples = [path.join(SAMPLE_DIR, f) for f in listdir(SAMPLE_DIR)]
thorapi = ThunderstormAPI(host='thunderstorm.local')
thorapi.scan_multi(samples, asyn=True)

Returns

[{"file":"/software/set1/DVD Maker/sonicsptransform.ax","id":360715},{"file":"/software/set1/DVD Maker/directshowtap.ax","id":360711},{"file":"/software/set1/DVD Maker/bod_r.TTF","id":360716},{"file":"/software/set1/DVD Maker/rtstreamsink.ax","id":360717},{"file":"/software/set1/DVD Maker/rtstreamsource.ax","id":360709},{"file":"/software/set1/DVD Maker/PipeTran.dll","id":360708},{"file":"/software/set1/DVD Maker/soniccolorconverter.ax","id":360707},{"file":"/software/set1/DVD Maker/WMM2CLIP.dll","id":360714},{"file":"/software/set1/DVD Maker/DVDMaker.exe","id":360718},{"file":"/software/set1/DVD Maker/audiodepthconverter.ax","id":360706},{"file":"/software/set1/DVD Maker/Pipeline.dll","id":360713},{"file":"/software/set1/DVD Maker/offset.ax","id":360710},{"file":"/software/set1/DVD Maker/SecretST.TTF","id":360712},{"file":"/software/set1/DVD Maker/fieldswitch.ax","id":360705},{"file":"/software/set1/DVD Maker/Eurosti.TTF","id":360704}]
