Skip to content
/ Vendor-Threat-Triage-Lookup Public

Lookup file hashes, domain names and IP addresses using various vendors to assist with triaging potential threats.

License

GPL-3.0 license
29 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

RandomRhythm/Vendor-Threat-Triage-Lookup

BranchesTags

Repository files navigation

Vendor Threat Triage Lookup (VTTL)

VTTL utilizes various vendors to lookup intelligence for threat triage.

VTTL Domain/IP Address mode

VTTL Performs lookups for file hashes, IP addresses and domain names. Results are output to a CSV file. Supported vendor lookups include the following:

  • VirusTotal
  • AlienVault OTX
  • ThreatGRID
  • Emerging Threats ET Intelligence
  • Malshare
  • Carbon Black EDR/Hosted EDR (formally Cb Response)
  • Carbon Black Enterprise EDR (formally ThreatHunter)
  • ThreatGRID
  • ThreatCrowd
  • ThreatIntelligenceAggregator (TIA)
  • RiskIQ
  • Collective Intelligence Framework (CIF)
  • Shodan InternetDB
  • SecLytics
  • Pulsedive
  • Quad9
  • ZEN RBL
  • cbl.abuseat.org
  • Zen DBL
  • SURBL
  • SORBS
  • Barracuda

Additional checks:

  • Over 40 preconfigured threat intel feeds
  • Reverse DNS
  • Reverse IP (lookup to document sample of associated domains)
  • Whois (often provided via APIs already listed)
    • ARIN Web API
    • RIPE Web API
    • Sysinternals Whois (external command line tool)
    • NirSoft WhosIP (external command line tool)
  • Website category (from web proxy vendors)
  • Dynamic DNS
  • Tranco List
    • Requires SQLite database (included in default.db)
  • Geolocation (often provided via APIs already listed)
  • Registration date of domains
  • Sinkhole checks

Combine hash lookups with tool output from:

  • Sysinternals Sigcheck
  • Sysinternals Autorunsc
  • Cisco AMP for Networks
  • EnCase
  • CrowdStrike Falcon
  • Rhythm-CB-Scripts Hash Dump (Cb Response scripts)

Additional features:

  • Attempts to find the common name and type from VirusTotal detections
  • Scores antimalware detections into categories
    • Malware Score
    • Generic Score
    • PUA Score
    • Hacker Tool Score
    • Adjusted Malicious Score
  • Cache results to SQLite and files on disk
  • Whitelist known hashes
  • Blacklist known hashes
  • Track digital signatures (signatures can be provided via combine input or the VirusTotal API)
  • Track file path/vendor combination (file paths and vendor/company provided via combine input)
  • Exclude domain/subdomain/IP lookups
  • Detection name watchlist
  • URL watchlist (supports regex)
  • Keyword watchlist
  • IP/Domain watchlist

Tests:

  • dbltest.com - spamhaus.org DBL
  • test.surbl.org
  • 127.0.0.2 - SORBS, CBL abuseat, Barrucda, Spamhaus, ZEN RBL

Check out the wiki for more information.

About

Lookup file hashes, domain names and IP addresses using various vendors to assist with triaging potential threats.

Topics

api intelligence query shodan geoip threat-hunting malware-research hashes domain-name threatgrid sinkhole rbl whois-lookup threats virustotal otx ip-address-lookup dbl emerging seclytics

Resources

Readme

License

GPL-3.0 license
Activity

Stars

29 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages