https://github.com/peopleworks/malwarebytesextractor
MalwareBytesExtractor is a C# .NET 9 console application that connects to the Malwarebytes Nebula API to extract and store security detection data—especially brute-force attacks—into a SQL Server or PostgreSQL database.
- Host: GitHub
- URL: https://github.com/peopleworks/malwarebytesextractor
- Owner: peopleworks
- Created: 2025-07-07T23:10:18.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2025-07-09T18:17:33.000Z (12 months ago)
- Last Synced: 2025-08-15T22:54:08.309Z (11 months ago)
- Topics: database, malware-analysis, net
- Language: C#
- Homepage: https://peopleworksgpt.com/
- Size: 1.28 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md

# MalwareBytesExtractor
**MalwareBytesExtractor** is a C# .NET 9 console application that connects to the [Malwarebytes Nebula API](https://api.malwarebytes.com/nebula/v1/docs), retrieves detailed security detections (especially brute-force and RDP intrusion attempts), enriches the data with IP geolocation, and stores it in either **SQL Server** or **PostgreSQL**. It also includes optional tools for generating **HTML dashboards** and populating **AI demo prompts** for [PeopleWorks GPT](https://peopleworksgpt.com).
---
## 🚀 Features
- ✅ OAuth2 authentication with Malwarebytes Nebula
- ✅ Retrieves and paginates **1 year of detection history**
- ✅ Filters and highlights **Remote Intrusion** (RDP, Brute Force)
- ✅ Enriches detections with **source country** via ip-api.com
- ✅ Stores results in **SQL Server** or **PostgreSQL**
- ✅ Structured logs using **Serilog**
- ✅ Generates **interactive dashboards** in HTML with ECharts
- ✅ Fills `Prompts` with sample AI queries
---
## ⚙️ Configuration
Set your values in the `appsettings.json`:
```json
{
  "Database": {
    "Provider": "SqlServer", // or "PostgreSql"
    "ConnectionStrings": {
      "SqlServer": "Server=.;Database=SecurityIT;Trusted_Connection=True;",
      "PostgreSql": "Host=localhost;Database=SecurityIT;Username=postgres;Password=yourpassword"
    }
  },
  "Malwarebytes": {
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret",
    "AccountId": ""
  }
}
```
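The `ClientSecret` and the PostgreSQL `Password` above are credentials, and `appsettings.json` is usually committed to the repository. The following is an added example (not the project's own `Program.cs`) of loading that same layout while letting environment variables and .NET user-secrets override the secret fields, and refusing to start while the placeholder values are still in place. It assumes the NuGet packages `Microsoft.Extensions.Configuration.Json`, `.EnvironmentVariables`, `.UserSecrets` and `.Binder`; the option classes and the `your-` placeholder check are this example's own conventions.

```csharp
// Added example, not the project's code. Loads the README's appsettings.json
// layout, layers user-secrets and environment variables on top so that secrets
// never need to live in the committed file, and validates before first use.
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

public sealed class MalwarebytesOptions
{
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
    public string AccountId { get; set; } = "";
}

public sealed class DatabaseOptions
{
    public string Provider { get; set; } = "SqlServer";
    public Dictionary<string, string> ConnectionStrings { get; set; } = new();
}

public static class SettingsLoader
{
    // Later providers override earlier ones: json < user-secrets < environment.
    public static IConfigurationRoot Build() =>
        new ConfigurationBuilder()
            .SetBasePath(AppContext.BaseDirectory)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: false)
            // Local development: dotnet user-secrets set "Malwarebytes:ClientSecret" "<value>"
            // (optional: true tolerates a project without a UserSecretsId).
            .AddUserSecrets<MalwarebytesOptions>(optional: true)
            // Servers/CI: "__" is the section separator, e.g.
            //   Malwarebytes__ClientSecret, Database__ConnectionStrings__PostgreSql
            .AddEnvironmentVariables()
            .Build();

    public static MalwarebytesOptions LoadMalwarebytes(IConfiguration config)
    {
        var opts = config.GetSection("Malwarebytes").Get<MalwarebytesOptions>()
                   ?? throw new InvalidOperationException("Missing 'Malwarebytes' section.");
        if (IsPlaceholder(opts.ClientId) || IsPlaceholder(opts.ClientSecret))
            throw new InvalidOperationException(
                "Malwarebytes credentials are empty or still placeholders; " +
                "set Malwarebytes__ClientId and Malwarebytes__ClientSecret.");
        return opts;
    }

    public static string LoadConnectionString(IConfiguration config)
    {
        var db = config.GetSection("Database").Get<DatabaseOptions>()
                 ?? throw new InvalidOperationException("Missing 'Database' section.");
        if (!db.ConnectionStrings.TryGetValue(db.Provider, out var cs) || string.IsNullOrWhiteSpace(cs))
            throw new InvalidOperationException($"No connection string configured for provider '{db.Provider}'.");
        if (cs.Contains("Password=yourpassword", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Database password is still the README placeholder.");
        return cs;
    }

    // Placeholder convention used by this example: empty, or starting with "your-".
    public static bool IsPlaceholder(string value) =>
        string.IsNullOrWhiteSpace(value) || value.StartsWith("your-", StringComparison.OrdinalIgnoreCase);
}
```

With this in place the committed `appsettings.json` can keep the placeholder strings, and the real values are supplied with `dotnet user-secrets init` followed by `dotnet user-secrets set "Malwarebytes:ClientSecret" "<value>"` on a workstation, or with `Malwarebytes__ClientSecret` and `Database__ConnectionStrings__PostgreSql` environment variables on a scheduled host.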
---
## 🏁 How to Use
### 🔹 Basic Extraction
```bash
dotnet run --project MalwareBytesExtractor
```
### 🔹 With optional arguments
| Option | Description |
| -------------------- | ------------------------------------------ |
| `--generate-html` | Generates an interactive HTML dashboard |
| `--populate-prompts` | Fills the `Prompts` table for AI demos |
| `--from=YYYY-MM-DD` | Start date (optional, default: 1 year ago) |
| `--to=YYYY-MM-DD` | End date (optional, default: today) |
Example:
```bash
dotnet run --project MalwareBytesExtractor --generate-html --populate-prompts --from=2025-01-01 --to=2025-07-01
```
---
## 🧩 Data Model
### MalwareDetection Table
| Field | Description |
| ------------- | ------------------------------------- |
| Id | Unique GUID |
| Hostname | Name of machine |
| IpAddress | Public IP of device or attacker |
| Username | Targeted or logged-in user |
| DetectionName | Example: `RDP Intrusion Detection` |
| DetectionType | e.g., `RID`, `InboundConnection` |
| Category | Malwarebytes category |
| Severity | Integer level |
| ActionTaken | Quarantine / Block / None |
| CreatedAt | Date of creation |
| FirstSeen | First time seen (nullable) |
| LastSeen | Last time seen (nullable) |
| SourceCountry | ISO Country (e.g. `FR`) |
| SourceJson | Original API response (for reference) |
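Several of these columns (`Username`, `Hostname`, `IpAddress`, `SourceJson`) carry strings that an attacker controls, since a brute-force detection records whatever username was tried. The following is an added example (not the project's `Services/DbWriter.cs` or `Models/MalwareDetection.cs`) of inserting a row into this table through provider-agnostic, parameterized SQL so that none of those values is ever concatenated into a statement. It assumes the `Microsoft.Data.SqlClient` and `Npgsql` packages, that the table columns match the list above, and that the `MalwareDetection` class shown is defined here for illustration.

```csharp
// Added example, not the project's code. One INSERT text, two providers,
// every value bound as a parameter (attacker-influenced fields included).
using System;
using System.Data;
using System.Data.Common;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;
using Npgsql;

public sealed class MalwareDetection
{
    public Guid Id { get; init; } = Guid.NewGuid();
    public string Hostname { get; init; } = "";
    public string IpAddress { get; init; } = "";
    public string? Username { get; init; }
    public string DetectionName { get; init; } = "";
    public string DetectionType { get; init; } = "";
    public string? Category { get; init; }
    public int Severity { get; init; }
    public string? ActionTaken { get; init; }
    public DateTime CreatedAt { get; init; }
    public DateTime? FirstSeen { get; init; }
    public DateTime? LastSeen { get; init; }
    public string? SourceCountry { get; init; }
    public string SourceJson { get; init; } = "{}";
}

public static class DetectionWriter
{
    // "@name" placeholders are accepted by both SqlClient and Npgsql.
    // PostgreSQL folds the unquoted table name to lowercase, so create it unquoted too.
    private const string InsertSql = @"
INSERT INTO MalwareDetection
  (Id, Hostname, IpAddress, Username, DetectionName, DetectionType, Category,
   Severity, ActionTaken, CreatedAt, FirstSeen, LastSeen, SourceCountry, SourceJson)
VALUES
  (@Id, @Hostname, @IpAddress, @Username, @DetectionName, @DetectionType, @Category,
   @Severity, @ActionTaken, @CreatedAt, @FirstSeen, @LastSeen, @SourceCountry, @SourceJson)";

    // Provider names match the README's "Database:Provider" values.
    public static DbConnection CreateConnection(string provider, string connectionString) => provider switch
    {
        "SqlServer"  => new SqlConnection(connectionString),
        "PostgreSql" => new NpgsqlConnection(connectionString),
        _ => throw new ArgumentException($"Unknown provider '{provider}'", nameof(provider))
    };

    public static async Task InsertAsync(DbConnection conn, MalwareDetection d)
    {
        if (conn.State != ConnectionState.Open) await conn.OpenAsync();
        await using var cmd = conn.CreateCommand();
        cmd.CommandText = InsertSql;
        AddParam(cmd, "@Id", d.Id);
        AddParam(cmd, "@Hostname", d.Hostname);
        AddParam(cmd, "@IpAddress", d.IpAddress);
        AddParam(cmd, "@Username", d.Username);          // attacker-supplied in brute-force events
        AddParam(cmd, "@DetectionName", d.DetectionName);
        AddParam(cmd, "@DetectionType", d.DetectionType);
        AddParam(cmd, "@Category", d.Category);
        AddParam(cmd, "@Severity", d.Severity);
        AddParam(cmd, "@ActionTaken", d.ActionTaken);
        // Pass UTC DateTimes: Npgsql 6+ maps Kind=Utc to timestamptz and rejects Kind=Local.
        AddParam(cmd, "@CreatedAt", d.CreatedAt);
        AddParam(cmd, "@FirstSeen", d.FirstSeen);
        AddParam(cmd, "@LastSeen", d.LastSeen);
        AddParam(cmd, "@SourceCountry", d.SourceCountry);
        AddParam(cmd, "@SourceJson", d.SourceJson);      // raw API payload, stored verbatim but bound
        await cmd.ExecuteNonQueryAsync();
    }

    // Nullable fields become DBNull rather than the literal string "null".
    private static void AddParam(DbCommand cmd, string name, object? value)
    {
        var p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value ?? DBNull.Value;
        cmd.Parameters.Add(p);
    }
}
```

Because the statement text is constant and only parameter values change, a `Username` such as `' OR 1=1 --` captured from a brute-force attempt is stored as an ordinary string and never alters the query on either database.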
---
## 🌍 IP Geolocation
* Powered by [ip-api.com](http://ip-api.com)
* Free & authentication-free (great for open-source)
* Country detection helps enrich reports for AI
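Two things are worth knowing before enriching detection data this way: the free ip-api.com endpoint is plain HTTP and rate-limited per client, and every lookup sends an IP address observed on your network to a third party. The following is an added example (not the project's `Services/GeoService.cs`) that skips private, loopback and link-local addresses (they can never geolocate, so there is no reason to send them), caches answers for the run, and throttles requests. It assumes the endpoint `http://ip-api.com/json/{ip}?fields=status,countryCode` returning `{"status":"success","countryCode":"FR"}` and a ceiling of 45 requests per minute, both as documented by ip-api.com at the time of writing; the 40/min default is this example's safety margin.

```csharp
// Added example, not the project's code. Best-effort country lookup that
// never leaks non-routable addresses and stays under the free-tier rate limit.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;

public sealed class GeoLookup
{
    private static readonly HttpClient Http = new() { Timeout = TimeSpan.FromSeconds(5) };
    private readonly ConcurrentDictionary<string, string?> _cache = new();
    private readonly SemaphoreSlim _gate = new(1, 1);
    private readonly TimeSpan _minInterval;
    private DateTime _nextAllowedUtc = DateTime.MinValue;

    public GeoLookup(int requestsPerMinute = 40)
        => _minInterval = TimeSpan.FromSeconds(60.0 / requestsPerMinute);

    // True for addresses that must never be sent to an external service.
    public static bool IsNonRoutable(IPAddress ip)
    {
        if (IPAddress.IsLoopback(ip)) return true;
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || ip.IsIPv6UniqueLocal || ip.IsIPv6Multicast
                   || ip.Equals(IPAddress.IPv6Any);
        byte[] b = ip.GetAddressBytes();
        return b[0] == 0                                   // 0.0.0.0/8
            || b[0] == 10                                  // 10.0.0.0/8
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)   // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                // 192.168.0.0/16
            || (b[0] == 169 && b[1] == 254)                // 169.254.0.0/16 link-local
            || (b[0] == 100 && b[1] >= 64 && b[1] <= 127)  // 100.64.0.0/10 CGNAT
            || b[0] >= 224;                                // multicast and reserved
    }

    // Returns an ISO country code such as "FR", or null when unknown/not looked up.
    public async Task<string?> CountryCodeAsync(string ipText, CancellationToken ct = default)
    {
        if (!IPAddress.TryParse(ipText, out var ip)) return null;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (IsNonRoutable(ip)) return null;

        string key = ip.ToString();
        if (_cache.TryGetValue(key, out var cached)) return cached;

        await _gate.WaitAsync(ct);   // one request in flight, so the throttle is honoured
        try
        {
            var wait = _nextAllowedUtc - DateTime.UtcNow;
            if (wait > TimeSpan.Zero) await Task.Delay(wait, ct);

            var resp = await Http.GetFromJsonAsync<IpApiResponse>(
                $"http://ip-api.com/json/{key}?fields=status,countryCode", ct);
            _nextAllowedUtc = DateTime.UtcNow + _minInterval;

            string? country = resp?.Status == "success" ? resp.CountryCode : null;
            _cache[key] = country;   // cache misses too, so a failing IP is not retried all run
            return country;
        }
        catch (Exception ex) when (ex is HttpRequestException
                                   || (ex is TaskCanceledException && !ct.IsCancellationRequested))
        {
            return null;             // enrichment is best-effort; the detection is still stored
        }
        finally { _gate.Release(); }
    }

    // Matches the two fields requested from the API (case-insensitive binding).
    private sealed class IpApiResponse
    {
        public string? Status { get; set; }
        public string? CountryCode { get; set; }
    }
}
```

Keeping the lookup best-effort matters for a collector: a geolocation outage or rate-limit response should degrade `SourceCountry` to null, not drop the detection.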
---
## 📊 Dashboard Output (optional)
Run with `--generate-html` and an interactive file like `dashboard.html` will be created, with:
* Bar chart of top threat types
* Line chart of detections over time
* Map of source countries (when available)
* Tooltips and filtering
---
## 🧠 AI Prompt Seeding (optional)
Run with `--populate-prompts` to fill the `Prompts` table with questions like:
* "Show me all brute-force attacks from Germany"
* "List detections by machine and severity"
* "What are the most common attack types this year?"
This improves PeopleWorks GPT’s ability to offer useful examples to users.
---
## 🧠 Integration with PeopleWorks GPT
This app feeds data that can be used by [PeopleWorks GPT](https://peopleworksgpt.com) to answer natural language queries like:
> “How many RDP intrusions happened in Q1 2025?”
> “What countries have the most attacks?”
> “Show the trend of detections per machine over time.”
---
## 📁 Project Structure
* `Program.cs` – CLI interface and orchestration
* `Services/NebulaService.cs` – API interaction & pagination
* `Services/DetectionFilter.cs` – detection type filters
* `Services/GeoService.cs` – enriches with country
* `Services/DbWriter.cs` – inserts into selected DB
* `Services/HtmlDashboardGenerator.cs` – generates dashboard
* `Services/PromptSeeder.cs` – adds demo prompts
* `Models/MalwareDetection.cs` – main data class
* `appsettings.json` – config file
---
## 📄 License
This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.
---
Made with ❤️ by [PeopleWorks](https://peopleworksgpt.com) to empower AI in cybersecurity.