0x4D31 / sqhunter

License: MIT
A simple threat hunting tool based on osquery, Salt Open and Cymon API

sqhunter

Threat hunter based on osquery, Salt Open and Cymon API

Description

sqhunter runs on the salt-master. It pushes each query to the targeted salt-minions through the master's local client API, runs it there with osqueryi and collects the JSON results back on the master; for the open_sockets hunt the remote addresses in those results are then looked up in the Cymon threat-intelligence API and every host with a hit is reported.

Features

  • query the open network sockets on every targeted minion (the process and socket fields shown below come from osquery's processes and process_open_sockets tables) and check the remote addresses against threat-intelligence sources, currently the Cymon API
  • issue ad-hoc queries, or queries from the default query packs, against a single minion or a Salt target expression, using salt and osqueryi; the minions only need the osqueryi binary, so no osqueryd daemon and no TLS remote-logging endpoint have to be deployed

Requirements

  • Salt Open (salt-master on the hunting host, salt-minion on every host you want to query)¹
  • osquery on each minion (sqhunter runs osqueryi there)
  • Python 2.7 on the salt-master
  • salt, the Python package (building it may need gcc, gcc-c++ and the Python development headers)
  • cymon (the Python client for the Cymon API)
  • netaddr

Usage

open_sockets

-oS runs the open-sockets hunt; -t takes a Salt target expression, here '*' for every minion. Each alert lists the process that owns the socket and the reports Cymon returned for the remote address (protocol is the IP protocol number, so 6 is TCP):

[root@localhost ~]# python sqhunter.py -oS -t '*'

               __                __           
   _________ _/ /_  __  ______  / /____  _____
  / ___/ __ `/ __ \/ / / / __ \/ __/ _ \/ ___/
 (__  ) /_/ / / / / /_/ / / / / /_/  __/ /    
/____/\__, /_/ /_/\__,_/_/ /_/\__/\___/_/     
        /_/                                   
 threat hunter based on osquery and salt open  
==============================================


[+] Alert - Host: 10.10.10.55

    + Process and network socket info:
        - pid: 15003
        - name: telnet
        - cmdline: telnet 98.131.172.1 80
        - local_address: 10.10.10.55
        - local_port: 47722
        - remote_address: 98.131.172.1
        - remote_port: 80
        - protocol: 6

    + Threat reports:
        - title: Malware activity reported by IBM X-Force Exchange
          date: 2015-09-21T09:04:10Z
          details_url: https://exchange.xforce.ibmcloud.com/ip/98.131.172.1
          tag: malware
        - title: Malware reported by cleanmx-malware
          date: 2015-02-24T15:26:00Z
          details_url: http://www.virustotal.com/latest-report.html?resource=5bc647742434f743114d3397b2cf74b0
          tag: malware
        - title: Malicious activity reported by urlquery.net
          date: 2015-02-23T21:39:53Z
          details_url: http://urlquery.net/report.php?id=1424725884093
          tag: malicious activity

[+] Alert - Host: 10.10.10.56

    + Process and network socket info:
        - pid: 14448
        - name: telnet
        - cmdline: telnet 103.31.186.29 80
        - local_address: 10.10.10.56
        - local_port: 59115
        - remote_address: 103.31.186.29
        - remote_port: 80
        - protocol: 6

    + Threat reports:
        - title: Malicious activity reported by urlquery.net
          date: 2017-03-31T10:56:25Z
          details_url: http://urlquery.net/report.php?id=1490956880695
          tag: malicious activity
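
The open_sockets hunt in working form, as an added Python 3 example rather than sqhunter's own (Python 2.7) code: it takes the JSON that osqueryi returns from two minions (constructed here to match the alerts above), keeps only routable remote addresses, deduplicates them so each IP costs one intel lookup, and emits an alert per socket whose peer has reports. The stdlib ipaddress module stands in for netaddr, a dict stands in for the Cymon API, and OPEN_SOCKETS_QUERY is the query I would send; sqhunter's actual query may differ.

```python
"""Triage osquery open-socket rows against a threat-intel lookup (added example)."""
import ipaddress
import json

# Assumed query for the hunt: join each socket with its owning process.
# Column names are from osquery's processes and process_open_sockets tables.
OPEN_SOCKETS_QUERY = (
    "SELECT p.pid, p.name, p.cmdline, s.local_address, s.local_port, "
    "s.remote_address, s.remote_port, s.protocol "
    "FROM process_open_sockets AS s JOIN processes AS p ON s.pid = p.pid "
    "WHERE s.remote_address <> '' AND s.family = 2;"
)

# Constructed sample of what `osqueryi --json` prints on two minions; osquery
# returns every column as a string, including pid, ports and protocol number.
SAMPLE_RESULTS = {
    "10.10.10.55": json.dumps([
        {"pid": "15003", "name": "telnet", "cmdline": "telnet 98.131.172.1 80",
         "local_address": "10.10.10.55", "local_port": "47722",
         "remote_address": "98.131.172.1", "remote_port": "80", "protocol": "6"},
        {"pid": "1201", "name": "sshd", "cmdline": "sshd: root@pts/0",
         "local_address": "10.10.10.55", "local_port": "22",
         "remote_address": "10.10.3.6", "remote_port": "51022", "protocol": "6"},
        {"pid": "812", "name": "chronyd", "cmdline": "/usr/sbin/chronyd",
         "local_address": "0.0.0.0", "local_port": "123",
         "remote_address": "0.0.0.0", "remote_port": "0", "protocol": "17"},
    ]),
    "10.10.10.56": json.dumps([
        {"pid": "14448", "name": "telnet", "cmdline": "telnet 98.131.172.1 80",
         "local_address": "10.10.10.56", "local_port": "59115",
         "remote_address": "98.131.172.1", "remote_port": "80", "protocol": "6"},
    ]),
}

# Constructed stand-in for the Cymon API: IP -> list of reports.
SAMPLE_INTEL = {
    "98.131.172.1": [{"title": "Malware activity reported by IBM X-Force Exchange",
                      "date": "2015-09-21T09:04:10Z", "tag": "malware"}],
}

PROTOCOLS = {"6": "tcp", "17": "udp"}


def is_routable(addr):
    """True for a public unicast address worth an intel lookup.

    Rejects loopback, RFC 1918, link-local, multicast and unspecified
    addresses, and anything that does not parse (osquery reports '' for
    sockets with no peer).
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return bool(ip.is_global and not ip.is_multicast)


def candidate_addresses(results):
    """Map routable remote IP -> [(minion, row), ...] so each IP is looked up once."""
    by_ip = {}
    for minion, raw in results.items():
        try:
            rows = json.loads(raw)
        except ValueError:  # skip a minion whose reply is an osqueryi error, not JSON
            continue
        for row in rows:
            ip = row.get("remote_address", "")
            if is_routable(ip):
                by_ip.setdefault(ip, []).append((minion, row))
    return by_ip


def hunt(results, lookup):
    """Return one alert per (minion, socket) whose peer has intel reports."""
    alerts = []
    for ip, hits in candidate_addresses(results).items():
        reports = lookup(ip)
        if not reports:
            continue
        for minion, row in hits:
            proto = PROTOCOLS.get(row["protocol"], row["protocol"])
            alerts.append({"host": minion, "pid": int(row["pid"]),
                           "name": row["name"], "cmdline": row["cmdline"],
                           "remote": "%s:%s/%s" % (ip, row["remote_port"], proto),
                           "reports": reports})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_RESULTS, lambda ip: SAMPLE_INTEL.get(ip, [])):
        print("[+] Alert - Host: %s" % a["host"])
        print("    %s (pid %d) -> %s  [%s]" % (a["name"], a["pid"], a["remote"], a["cmdline"]))
        for r in a["reports"]:
            print("      - %s (%s, %s)" % (r["title"], r["tag"], r["date"]))
```

The address filter does more than save API calls: without it every socket to a 10.0.0.0/8 peer and every 0.0.0.0 listener on every minion would be sent to a third-party intel service, which hands that service your internal address plan and burns through its rate limit before the interesting addresses are reached.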

custom query

-q runs an arbitrary osquery SQL statement and -p names the minion to run it on. The query below lists logins by root in the last hour from osquery's last table:

[root@localhost ~]# python sqhunter.py -q "select * from last where username = 'root' and time > ((select unix_time from time) - 3600);" -p 10.10.10.55

               __                __           
   _________ _/ /_  __  ______  / /____  _____
  / ___/ __ `/ __ \/ / / / __ \/ __/ _ \/ ___/
 (__  ) /_/ / / / / /_/ / / / / /_/  __/ /    
/____/\__, /_/ /_/\__,_/_/ /_/\__/\___/_/     
        /_/                                   
 threat hunter based on osquery and salt open  
==============================================

{
    "10.10.10.55": {
        "data": [
            {
                "host": "10.10.3.6", 
                "pid": "15889", 
                "time": "1498591524", 
                "tty": "pts/0", 
                "type": "7", 
                "username": "root"
            }
        ], 
        "result": true
    }
}

queries from the default query packs

-qP runs a named query from the default query packs; crontab lists the cron entries on the minion:

[root@localhost ~]# python sqhunter.py -qP crontab -p 10.10.10.55

               __                __           
   _________ _/ /_  __  ______  / /____  _____
  / ___/ __ `/ __ \/ / / / __ \/ __/ _ \/ ___/
 (__  ) /_/ / / / / /_/ / / / / /_/  __/ /    
/____/\__, /_/ /_/\__,_/_/ /_/\__/\___/_/     
        /_/                                   
 threat hunter based on osquery and salt open  
==============================================

{
    "10.10.10.55": {
        "data": [
            {
                "command": "root run-parts /etc/cron.hourly", 
                "day_of_month": "*", 
                "day_of_week": "*", 
                "event": "", 
                "hour": "*", 
                "minute": "01", 
                "month": "*", 
                "path": "/etc/cron.d/0hourly"
            }
        ], 
        "result": true
    }
}
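
How the -q and -qP paths fit together, as an added Python 3 example that is not sqhunter's own code: a constructed pack in osquery's pack-file format, a resolver for the query name, the osqueryi command line with shell quoting that survives the single quotes in the custom query above, and result shaping into the per-minion {"data": …, "result": …} structure the two outputs above show, including a minion where osqueryi is not installed. The Salt call is hidden behind a runner callable with the signature of salt.client.LocalClient.cmd(tgt, fun, arg) so the block runs offline; the minion replies are constructed.

```python
"""Resolve a pack query by name, build the osqueryi command and shape minion results (added example)."""
import json
import shlex

# Constructed pack in osquery's pack-file format: a "queries" object keyed by
# query name. Only "query" is used here; "interval" matters when osqueryd
# schedules the pack, which is not how sqhunter runs it.
SAMPLE_PACK = json.loads("""
{
  "queries": {
    "crontab": {"query": "select * from crontab;", "interval": 3600,
                "description": "Retrieves all cron jobs."},
    "recent_root_logins": {
      "query": "select * from last where username = 'root' and time > ((select unix_time from time) - 3600);",
      "interval": 600}
  }
}
""")


def resolve_query(pack, name):
    """Return the SQL for query *name*; KeyError if the pack lacks it."""
    return pack["queries"][name]["query"]


def osqueryi_command(sql):
    """Build the string a minion's shell runs for Salt's cmd.run.

    shlex.quote single-quotes the SQL and escapes embedded single quotes, so
    the quotes in ``username = 'root'`` survive and a ``;`` or backtick in the
    query text cannot start a second shell command on the minion.
    """
    return "osqueryi --json %s" % shlex.quote(sql)


def command_argv(sql):
    """What the minion's shell ends up executing: ['osqueryi', '--json', sql]."""
    return shlex.split(osqueryi_command(sql))


def collect(minion_output):
    """Shape {minion: raw stdout} into {minion: {"data": rows, "result": ok}}.

    A minion without osqueryi, or one whose query failed, returns text rather
    than a JSON array; it is reported with result=false and the text kept
    under "error" instead of aborting the whole run.
    """
    shaped = {}
    for minion, raw in minion_output.items():
        try:
            rows = json.loads(raw)
            if not isinstance(rows, list):
                raise ValueError("osqueryi --json yields a JSON array")
            shaped[minion] = {"data": rows, "result": True}
        except ValueError:
            shaped[minion] = {"data": [], "result": False, "error": raw.strip()}
    return shaped


def run_pack_query(pack, name, target, runner):
    """Dispatch pack query *name* to Salt target *target* and shape the replies.

    *runner* has the signature of salt.client.LocalClient.cmd, i.e.
    runner(tgt, fun, arg) -> {minion_id: return}; on a real salt-master pass
    ``salt.client.LocalClient().cmd`` in its place.
    """
    cmd = osqueryi_command(resolve_query(pack, name))
    return collect(runner(target, "cmd.run", [cmd]))


def fake_runner(tgt, fun, arg):
    """Offline stand-in for LocalClient.cmd with constructed minion replies."""
    assert fun == "cmd.run" and shlex.split(arg[0])[:2] == ["osqueryi", "--json"]
    return {
        "10.10.10.55": json.dumps([{"command": "root run-parts /etc/cron.hourly",
                                    "minute": "01", "hour": "*", "day_of_month": "*",
                                    "month": "*", "day_of_week": "*", "event": "",
                                    "path": "/etc/cron.d/0hourly"}]),
        "10.10.10.57": "/bin/sh: osqueryi: command not found\n",
    }


if __name__ == "__main__":
    result = run_pack_query(SAMPLE_PACK, "crontab", "*", fake_runner)
    print(json.dumps(result, indent=4, sort_keys=True))
```

cmd.run hands the string to a shell running as root on the minion, so quoting is not cosmetic: the command line shown above works because the query contains only single quotes and is wrapped in double quotes, while shlex.quote handles any query text. A minion whose osqueryi is missing shows up with "result": false and the shell's error text instead of taking the whole run down.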

TODO:

  • Slack integration
  • Query scheduling
  • Differential results
  • OTX DirectConnect API
  • Clean up the code and add some error handling
  • Documentation
  • More features to add…

[1] Salt in 10 Minutes: https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html
