Merge pull request #377 from peasead/blog/mozin-about
PR for Mozi'n About Blog Post
Showing
5 changed files
with
491 additions
and
0 deletions.
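--- /dev/null
+++ b/blog/mozin-about/README.md
@@ -0,0 +1,28 @@
+# Mozi'n About
+
+## Abstract
+The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.
+
+## URL
+https://www.elastic.co/blog/[tbd]
+
+## Usage
+
+To load the sample data, you need a local instance of Elasticsearch and Kibana. If you are using anything beyond a default local deployment, you'll need to modify `collection.sh` to match your deployment.
+
+```
+git clone https://github.com/elastic/examples
+cd examples/blog/mozin-about
+sh clollection.sh
+```
+Log into your Kibana instance to explore the data in the `indicators` Index Pattern.
+
+## Artifacts
+Artifacts and code snippets from the blog post.
+
+| Artifact | Description | Note |
+| - | - | - |
+| [Mozi Collection Script](./collection.sh) | Script to collect Mozi samples and send to Elasticsearch |
+| [Ingest Node Pipeline](./ingest-node-pipeline.json) | ThreatFox Ingest Node Pipeline |
+| [Index Settings](./index-settings.json) | Settings for the Indicators index |
+| [YARA Signature](./mozi-obfuscation-technique.yara) | Mozi obfuscation technique YARA signature |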
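--- /dev/null
+++ b/blog/mozin-about/collection.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Collect Mozi sample data
+curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Mozi", "limit": 1000 }' > mozi-raw.json
+
+# Local Elasticsearch & Kibana
+ES_HOST='http://elastic:password@localhost:9200'
+KBN_HOST='http://elastic:password@localhost:5601'
+
+# Elastic Cloud
+# ES_HOST='https://elastic:changeme@abcdef0123456789abcdef0123456789.us-central1.gcp.cloud.es.io:9243'
+# KBN_HOST='https://elastic:changeme@0123456789abcdef01234567890abcdef.us-central1.gcp.cloud.es.io:9243'
+
+# Create the Threat Fox Ingest Pipeline
+curl -XPUT ${ES_HOST}/_ingest/pipeline/threatfox-enrichment -H 'Content-Type: application/json' [email protected]
+
+# Creates a new index called 'indicators' with the given settings
+curl -XPUT ${ES_HOST}/indicators -H 'Content-Type: application/json' [email protected]
+
+# Ingests raw data from the cURL response of Threat Fox in the file listed, then does a bulk upload to ES
+cat mozi-raw.json | jq -c -r '.data[]' | \
+while read line; do
+echo '{"index":{}}';
+echo $line;
+done | \
+curl --silent -XPOST \
+-H 'Content-Type: application/x-ndjson' \
+--data-binary \
+@- \
+${ES_HOST}/indicators/_doc/_bulk
+
+# Create Kibana index pattern
+curl -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+${KBN_HOST}/api/index_patterns/index_pattern -d'
+{
+"override": false,
+"refresh_fields": true,
+"index_pattern": {
+"title": "indicators*",
+"timeFieldName": "event.ingested"
+}
+}'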
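Review bot: The bulk loop at `while read line; do ... echo $line` corrupts feed records: `read` without `-r` strips the backslash escapes jq emits for embedded quotes, and the unquoted `$line` is word-split and glob-expanded, so any indicator description containing `\"`, runs of spaces or glob characters is mangled or silently rejected by `_bulk` — and `--silent` together with the absent check of the response's `errors` field hides that (`_bulk` returns 200 even when individual items fail). The feed content is third-party, attacker-influenced text, so it should be handled as data rather than as shell words: `while IFS= read -r line; do printf '%s\n' '{"index":{}}' "$line"; done`, and fail when `.errors` is true. Separately, embedding `elastic:password@` in ES_HOST/KBN_HOST exposes the credential in process listings, shell history and curl error output; prefer `curl -u "$ES_USER:$ES_PASS"` (or `--netrc`) with values read from the environment rather than committed placeholders. Without `set -euo pipefail` a failed pipeline or index creation is ignored and the bulk load runs anyway, so the index is created without its default pipeline.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: ThreatFox collection, ES_HOST/KBN_HOST, pipeline and index creation …

# read -r keeps the JSON backslash escapes intact; quoting "$line" stops
# word splitting and globbing on feed-controlled text.
jq -c -r '.data[]' mozi-raw.json | \
while IFS= read -r line; do
    printf '%s\n' '{"index":{}}' "$line"
done | \
curl --silent --show-error --fail -XPOST \
    -H 'Content-Type: application/x-ndjson' \
    --data-binary @- \
    "${ES_HOST}/indicators/_doc/_bulk" | \
jq -e '.errors == false' > /dev/null   # abort if any item was rejected

# … unchanged: Kibana index pattern …
```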
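--- /dev/null
+++ b/blog/mozin-about/index-settings.json
@@ -0,0 +1,159 @@
+{
+"settings": {
+"number_of_shards": 1,
+"default_pipeline": "threatfox-enrichment"
+},
+"mappings": {
+"properties": {
+"event": {
+"properties": {
+"category": {
+"type": "keyword"
+},
+"id": {
+"type": "keyword"
+},
+"ingested": {
+"type": "date"
+},
+"kind": {
+"type": "keyword"
+},
+"provider": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"file": {
+"properties": {
+"hash": {
+"properties": {
+"sha256": {
+"type": "keyword"
+}
+}
+}
+}
+},
+"related": {
+"properties": {
+"hash": {
+"type": "keyword"
+},
+"ip": {
+"type": "ip"
+}
+}
+},
+"tags": {
+"type": "keyword"
+},
+"threat": {
+"properties": {
+"indicator": {
+"properties": {
+"confidence": {
+"type": "long"
+},
+"description": {
+"type": "text"
+},
+"first_seen": {
+"type": "date"
+},
+"last_seen": {
+"type": "date"
+},
+"geo": {
+"properties": {
+"city_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"continent_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"location": {
+"type": "geo_point"
+},
+"name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"timezone": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"asn": {
+"type": "long"
+},
+"organization_name": {
+"type": "text",
+"fields": {
+"keyword": {
+"type": "keyword",
+"ignore_above": 256
+}
+}
+}
+}
+},
+"ip": {
+"type": "ip"
+},
+"port": {
+"type": "long"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"software": {
+"properties": {
+"name": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"threatfox": {
+"properties": {
+"malware_printable": {
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}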
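Review bot: The mapping leaves `dynamic` at its default, so any key the `threatfox-enrichment` pipeline leaves behind in a ThreatFox record is auto-mapped from feed-controlled content — a third-party feed can then add arbitrary fields to the index or push it into the total-fields limit and get later documents rejected; add `"dynamic": "strict"` (or `false`, which stores but does not index unknown keys) beside the top-level `"properties"` under `"mappings"` so this file, not the feed, fixes the schema. Only the `geo.*` keywords carry `ignore_above`; giving `tags`, `event.*`, `related.hash`, `threat.indicator.type` and the `software.*` keywords `"ignore_above": 1024` as well keeps oversized feed strings from being indexed as terms. Style point, hedged because the pipeline that populates these fields is not in this chunk: ECS places an indicator's ASN under `threat.indicator.as.number` and its file hashes under `threat.indicator.file.hash.sha256`, whereas here they sit at `threat.indicator.geo.asn` and top-level `file.hash.sha256`, which will not line up with ECS-based indicator-match rules.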