
jaegeral / osint_to_timesketch

Licence: MIT license
Virustotal Data to Timesketch

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to osint to timesketch

Threatpinchlookup
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
Stars: ✭ 257 (+1613.33%)
Mutual labels:  dfir, threatintel, virustotal
Malware Feed
Bringing you the best of the worst files on the Internet.
Stars: ✭ 69 (+360%)
Mutual labels:  threatintel, virustotal
Threatingestor
Extract and aggregate threat intelligence.
Stars: ✭ 439 (+2826.67%)
Mutual labels:  dfir, threatintel
Yeti
Your Everyday Threat Intelligence
Stars: ✭ 1,037 (+6813.33%)
Mutual labels:  dfir, threatintel
Python Iocextract
Defanged Indicator of Compromise (IOC) Extractor.
Stars: ✭ 300 (+1900%)
Mutual labels:  dfir, threatintel
Malice
VirusTotal Wanna Be - Now with 100% more Hipster
Stars: ✭ 1,253 (+8253.33%)
Mutual labels:  dfir, virustotal
dnslog
Minimalistic DNS logging tool
Stars: ✭ 40 (+166.67%)
Mutual labels:  dfir
VirusTotalScanner
Scan suspicious applications with over 60 different anti-viruses with a mere two clicks and five seconds!
Stars: ✭ 18 (+20%)
Mutual labels:  virustotal
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Stars: ✭ 32 (+113.33%)
Mutual labels:  dfir
cif-v5
The FASTEST way to consume threat intel.
Stars: ✭ 53 (+253.33%)
Mutual labels:  threatintel
Evilize
Parses Windows event logs files based on SANS Poster
Stars: ✭ 24 (+60%)
Mutual labels:  dfir
Docker-Templates
Docker configurations for TheHive, Cortex and 3rd party tools
Stars: ✭ 71 (+373.33%)
Mutual labels:  dfir
CDIR
CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library
Stars: ✭ 122 (+713.33%)
Mutual labels:  dfir
awesome-malware-analysis
Defund the Police.
Stars: ✭ 9,181 (+61106.67%)
Mutual labels:  threatintel
uac
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
Stars: ✭ 260 (+1633.33%)
Mutual labels:  dfir
censys-recon-ng
recon-ng modules for Censys
Stars: ✭ 29 (+93.33%)
Mutual labels:  threatintel
DFIR-O365RC
PowerShell module for Office 365 and Azure log collection
Stars: ✭ 158 (+953.33%)
Mutual labels:  dfir
MurMurHash
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.
Stars: ✭ 79 (+426.67%)
Mutual labels:  threatintel
awesome-intelligence-writing
Awesome collection of great and useful resources concerning intelligence writing such as manuals/guides, standards, books, and articles
Stars: ✭ 285 (+1800%)
Mutual labels:  threatintel
ad-privileged-audit
Provides various Windows Server Active Directory (AD) security-focused reports.
Stars: ✭ 42 (+180%)
Mutual labels:  dfir

osint_timesketch

OSINT Data to Timesketch

idea

The idea of this script is to take a list of domains / IPs and pull timeline-relevant information from VT and other OSINT sources. The output should be directly importable into Timesketch.

WARNING

This project should be considered early alpha; everything might be completely broken. Run the script at your own risk.

Using this script with highly critical indicators might burn them, because the script queries external (internet-hosted) services, so whoever runs those services could potentially see your queries.

Sources

already implemented

  • Virustotal (files)
  • Virustotal (passive DNS)
  • CIRCL passive SSL

planned

  • CIRCL passive DNS
  • CIRCL passive SSL: calculate the first-seen date based on ICSI (https://notary.icsi.berkeley.edu/)
    • first_seen: the day our data providers first saw the certificate (relative to 1/1/1970)

usage

modify the config file

cp config_sample.cfg config.cfg

paste your MD5 hashes, IPs and domains into the input.txt file, then run the script:

python vt_lookup.py

See the output in output.csv. Copy the output CSV and add it to your Timesketch instance.
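As an added example (not code from this project), here is how the two pieces described above fit together: constructed VT passive-DNS and CIRCL passive-SSL records are turned into rows carrying the three columns a Timesketch CSV import requires (message, datetime, timestamp_desc), with the ICSI notary first_seen day offset converted to a date. The input record shapes, the extra columns and the sample values are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Timesketch CSV import needs at least message, datetime and timestamp_desc;
# any further columns (assumed here: indicator, source) become event attributes.
TS_COLUMNS = ["message", "datetime", "timestamp_desc", "indicator", "source"]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def icsi_first_seen_to_iso(days_since_epoch: int) -> str:
    # ICSI notary reports first_seen as a whole-day count relative to 1970-01-01.
    return (EPOCH + timedelta(days=days_since_epoch)).isoformat()

def row(message: str, when_iso: str, desc: str, indicator: str, source: str) -> dict:
    return {"message": message, "datetime": when_iso, "timestamp_desc": desc,
            "indicator": indicator, "source": source}

def vt_pdns_to_rows(indicator: str, resolutions: list) -> list:
    # Each resolution is an assumed {"value": ..., "date": "YYYY-MM-DD HH:MM:SS"} dict.
    rows = []
    for r in resolutions:
        when = datetime.strptime(r["date"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append(row(f"{indicator} resolved to {r['value']}", when.isoformat(),
                        "VT passive DNS resolution", indicator, "virustotal_pdns"))
    return rows

def circl_ssl_to_rows(indicator: str, certs: list) -> list:
    # Each cert is an assumed {"sha1": ..., "first_seen_days": int} dict.
    return [row(f"{indicator} served certificate {c['sha1']}",
                icsi_first_seen_to_iso(c["first_seen_days"]),
                "Certificate first seen (ICSI notary)", indicator, "circl_pssl")
            for c in certs]

def to_timesketch_csv(rows: list) -> str:
    # Rows are sorted by timestamp so the CSV already reads as a timeline.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TS_COLUMNS)
    writer.writeheader()
    writer.writerows(sorted(rows, key=lambda r: r["datetime"]))
    return buf.getvalue()

# Constructed sample input, not real lookup results.
SAMPLE_PDNS = [{"value": "203.0.113.10", "date": "2019-03-04 12:00:00"}]
SAMPLE_CERTS = [{"sha1": "aa" * 20, "first_seen_days": 17532}]

if __name__ == "__main__":
    events = vt_pdns_to_rows("example.test", SAMPLE_PDNS) + circl_ssl_to_rows("example.test", SAMPLE_CERTS)
    print(to_timesketch_csv(events))
```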

Happy digging

sample data

See sample folder.

Future features

In the future it would be nice to also include the "first submitted" and "first seen in the wild" dates from VT, but those are not yet exposed via the API.
