

Merge pull request #377 from peasead/blog/mozin-about
PR for Mozi'n About Blog Post
chandlergibb authored Jul 1, 2021
2 parents 5c0320c + ef1cbf7 commit 17f0b1d
Showing 5 changed files with 491 additions and 0 deletions.
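--- a/blog/mozin-about/README.MD
+++ b/blog/mozin-about/README.MD
@@ -0,0 +1,28 @@
+# Mozi'n About
+
+## Abstract
+The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.
+
+## URL
+https://www.elastic.co/blog/[tbd]
+
+## Usage
+
+To load the sample data, you need a local instance of Elasticsearch and Kibana. If you are using anything beyond a default local deployment, you'll need to modify `collection.sh` to match your deployment.
+
+```
+git clone https://github.com/elastic/examples
+cd examples/blog/mozin-about
+sh clollection.sh
+```
+Log into your Kibana instance to explore the data in the `indicators` Index Pattern.
+
+## Artifacts
+Artifacts and code snippets from the blog post.
+
+| Artifact | Description | Note |
+| - | - | - |
+| [Mozi Collection Script](./collection.sh) | Script to collect Mozi samples and send to Elasticsearch |
+| [Ingest Node Pipeline](./ingest-node-pipeline.json) | ThreatFox Ingest Node Pipeline |
+| [Index Settings](./index-settings.json) | Settings for the Indicators index |
+| [YARA Signature](./mozi-obfuscation-technique.yara) | Mozi obfuscation technique YARA signature |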
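--- a/blog/mozin-about/collection.sh
+++ b/blog/mozin-about/collection.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Collect Mozi sample data
+curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Mozi", "limit": 1000 }' > mozi-raw.json
+
+# Local Elasticsearch & Kibana
+ES_HOST='http://elastic:password@localhost:9200'
+KBN_HOST='http://elastic:password@localhost:5601'
+
+# Elastic Cloud
+# ES_HOST='https://elastic:changeme@abcdef0123456789abcdef0123456789.us-central1.gcp.cloud.es.io:9243'
+# KBN_HOST='https://elastic:changeme@0123456789abcdef01234567890abcdef.us-central1.gcp.cloud.es.io:9243'
+
+# Create the Threat Fox Ingest Pipeline
+curl -XPUT ${ES_HOST}/_ingest/pipeline/threatfox-enrichment -H 'Content-Type: application/json' [email protected]
+
+# Creates a new index called 'indicators' with the given settings
+curl -XPUT ${ES_HOST}/indicators -H 'Content-Type: application/json' [email protected]
+
+# Ingests raw data from the cURL response of Threat Fox in the file listed, then does a bulk upload to ES
+cat mozi-raw.json | jq -c -r '.data[]' | \
+while read line; do
+echo '{"index":{}}';
+echo $line;
+done | \
+curl --silent -XPOST \
+-H 'Content-Type: application/x-ndjson' \
+--data-binary \
+@- \
+${ES_HOST}/indicators/_doc/_bulk
+
+# Create Kibana index pattern
+curl -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+${KBN_HOST}/api/index_patterns/index_pattern -d'
+{
+"override": false,
+"refresh_fields": true,
+"index_pattern": {
+"title": "indicators*",
+"timeFieldName": "event.ingested"
+}
+}'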
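Review bot: The bulk loop on the `while read line; do … echo $line; done` lines hands every ThreatFox record to an unquoted `echo $line`, so the shell rewrites untrusted feed content before it reaches Elasticsearch: runs of whitespace inside string values collapse, a bare `*` or `?` in a description field can expand against the working directory, and `read` without `-r` strips the backslashes from JSON escapes such as `\"`, which can turn a valid line into a rejected one. The five-line loop can be replaced by a single jq program that emits the action/document pairs itself, `jq -c '.data[] | {index:{}}, .' mozi-raw.json | \`, feeding the existing curl unchanged. Separately, the credentials embedded in `ES_HOST` and `KBN_HOST` are passed in every curl argv, so they are readable in a process listing and are recorded in shell history; supplying them through environment variables or a curl `--netrc`/`--config` file keeps them out of the script. Finally, no curl call uses `--fail` and the script does not `set -euo pipefail`, so a rejected ThreatFox query or a failed pipeline PUT leaves the later steps running against an empty or un-enriched index without any error.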
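--- a/blog/mozin-about/index-settings.json
+++ b/blog/mozin-about/index-settings.json
@@ -0,0 +1,159 @@
+{
+"settings": {
+"number_of_shards": 1,
+"default_pipeline": "threatfox-enrichment"
+},
+"mappings": {
+"properties": {
+"event": {
+"properties": {
+"category": {
+"type": "keyword"
+},
+"id": {
+"type": "keyword"
+},
+"ingested": {
+"type": "date"
+},
+"kind": {
+"type": "keyword"
+},
+"provider": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"file": {
+"properties": {
+"hash": {
+"properties": {
+"sha256": {
+"type": "keyword"
+}
+}
+}
+}
+},
+"related": {
+"properties": {
+"hash": {
+"type": "keyword"
+},
+"ip": {
+"type": "ip"
+}
+}
+},
+"tags": {
+"type": "keyword"
+},
+"threat": {
+"properties": {
+"indicator": {
+"properties": {
+"confidence": {
+"type": "long"
+},
+"description": {
+"type": "text"
+},
+"first_seen": {
+"type": "date"
+},
+"last_seen": {
+"type": "date"
+},
+"geo": {
+"properties": {
+"city_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"continent_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"location": {
+"type": "geo_point"
+},
+"name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"timezone": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"asn": {
+"type": "long"
+},
+"organization_name": {
+"type": "text",
+"fields": {
+"keyword": {
+"type": "keyword",
+"ignore_above": 256
+}
+}
+}
+}
+},
+"ip": {
+"type": "ip"
+},
+"port": {
+"type": "long"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"software": {
+"properties": {
+"name": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"threatfox": {
+"properties": {
+"malware_printable": {
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}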
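Review bot: The `"mappings"` object sets no `dynamic` policy, so any field the enrichment pipeline leaves in a ThreatFox document beyond the ones listed here is mapped by type inference the first time it is seen; for an external feed that is both a mapping-growth risk and a source of surprising types (a numeric-looking string becoming `long` and then rejecting later non-numeric values). Adding `"dynamic": false,` beside `"properties"` under `"mappings"` keeps the index shape under the control of this file, or `"dynamic": "strict",` if the pipeline is known to drop every unmapped field; which fields the pipeline forwards is in `ingest-node-pipeline.json`, which is not visible in this part of the commit, so the choice depends on it. Separately, `ignore_above` is applied only to the geo keywords, while `event.reference` and `threat.software.reference` hold feed-supplied URLs with no length bound; giving them the same `"ignore_above": 1024` would keep an oversized value from failing the whole document at index time.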
