Since writing part 1 (Here), I’ve been looking into how to expand on the script.
I had a thought… if I’m a user and have gotten to the point I’m running this script, I may need more information than if it’s just there. This made me add the Hybrid-Analysis API and Actors API from CrowdStrike.
This means you would need to add the read access to actors, however you get a lot more information.
Since the Hybrid-Analysis API is free, it’s worth doing regardless. I did add a check though so if the user doesn’t add the script moves on.
Here is an example of the output:
The script runs the same however, there is more to it. Let’s break it down:
The start of the script still queries MalQuery using a list of IOCs from a txt file.
The difference this time is that if the “Malware family” was found, it will pull that information and show the associated Actors.
Here we try and query each $family CS returned. We then query each using a foreach loop and see if there are any Actors associated using the Actors API. This API only returns Actor IDs, so we pass them into $actids.
The next part is to query the Actors API with the given IDs to find out more information and make it look pretty.
If non are returned, flag it to the user, else return the information in a nice format:
If it is populated, we query the API as a test to find out the user ($who):
We already have the hashes, so can reuse them ($hashbrowns). We can then filter each SHA256 hash and query HA. I also added a way to generate a VirusTotal link and populate the table with it. This is because we all love VirusTotal.
Once finished, we display:
I will keep working on this, but if you have any feedback or would like me to expand on anything, do reach out.