https://github.com/peopleworks/malwarebytesextractor

MalwareBytesExtractor is a C# .NET 9 console application that connects to the Malwarebytes Nebula API to extract and store security detection data—especially brute-force attacks—into a SQL Server or PostgreSQL database.
![MalwareBytesExtractor Logo](logo.png)

# MalwareBytesExtractor

**MalwareBytesExtractor** is a C# .NET 9 console application that connects to the [Malwarebytes Nebula API](https://api.malwarebytes.com/nebula/v1/docs), retrieves detailed security detections (especially brute-force and RDP intrusion attempts), enriches the data with IP geolocation, and stores it in either **SQL Server** or **PostgreSQL**. It also includes optional tools for generating **HTML dashboards** and populating **AI demo prompts** for [PeopleWorks GPT](https://peopleworksgpt.com).

---

## 🚀 Features

- ✅ OAuth2 authentication with Malwarebytes Nebula
- ✅ Retrieves and paginates **1 year of detection history**
- ✅ Filters and highlights **Remote Intrusion** (RDP, Brute Force)
- ✅ Enriches detections with **source country** via ip-api.com
- ✅ Stores results in **SQL Server** or **PostgreSQL**
- ✅ Structured logs using **Serilog**
- ✅ Generates **interactive dashboards** in HTML with ECharts
- ✅ Fills `Prompts` with sample AI queries

---

## ⚙️ Configuration

Set your values in `appsettings.json`:

```json
{
  "Database": {
    "Provider": "SqlServer", // or "PostgreSql"
    "ConnectionStrings": {
      "SqlServer": "Server=.;Database=SecurityIT;Trusted_Connection=True;",
      "PostgreSql": "Host=localhost;Database=SecurityIT;Username=postgres;Password=yourpassword"
    }
  },
  "Malwarebytes": {
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret",
    "AccountId": ""
  }
}
```
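Loading these settings in code, as an added example (not the project's own `Program.cs`): it reads `appsettings.json` with the standard .NET configuration builder, lets environment variables override the file so `ClientSecret` and the PostgreSQL password never have to be committed, and fails fast when the selected provider has no connection string. The `SettingsLoader`, `AppSettings` and `MalwarebytesOptions` names are assumptions, as are the three NuGet packages named in the comment.

```csharp
// Added example, not the project's code. Assumes the NuGet packages
// Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Configuration.EnvironmentVariables
// and Microsoft.Extensions.Configuration.Binder; type names below are invented for this example.
using System;
using Microsoft.Extensions.Configuration;

public sealed class MalwarebytesOptions
{
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
    public string AccountId { get; set; } = "";
}

public sealed record AppSettings(string Provider, string ConnectionString, MalwarebytesOptions Malwarebytes);

public static class SettingsLoader
{
    public static AppSettings Load(string basePath)
    {
        IConfiguration config = new ConfigurationBuilder()
            .SetBasePath(basePath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: false)
            // Later sources win: an environment variable such as Malwarebytes__ClientSecret or
            // Database__ConnectionStrings__PostgreSql ("__" separates sections) overrides the file,
            // so the committed appsettings.json can hold placeholders only.
            .AddEnvironmentVariables()
            .Build();

        string provider = config["Database:Provider"] ?? "SqlServer";
        if (provider is not ("SqlServer" or "PostgreSql"))
            throw new InvalidOperationException($"Unsupported Database:Provider '{provider}'.");

        // Connection strings live under Database:ConnectionStrings in this layout, keyed by provider.
        string? connectionString = config[$"Database:ConnectionStrings:{provider}"];
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new InvalidOperationException($"No connection string configured for '{provider}'.");

        var mb = config.GetSection("Malwarebytes").Get<MalwarebytesOptions>() ?? new MalwarebytesOptions();
        if (string.IsNullOrWhiteSpace(mb.ClientId) || string.IsNullOrWhiteSpace(mb.ClientSecret))
            throw new InvalidOperationException("Malwarebytes:ClientId and Malwarebytes:ClientSecret are required.");

        return new AppSettings(provider, connectionString, mb);
    }
}
```

Call it as `SettingsLoader.Load(AppContext.BaseDirectory)`; `appsettings.json` must be copied to the output directory for that path to resolve. Configuration keys are matched case-insensitively, so `MALWAREBYTES__CLIENTSECRET` works as well as the mixed-case form.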

---

## 🏁 How to Use

### 🔹 Basic Extraction

```bash
dotnet run --project MalwareBytesExtractor
```

### 🔹 With optional arguments

| Option | Description |
| -------------------- | ------------------------------------------ |
| `--generate-html` | Generates an interactive HTML dashboard |
| `--populate-prompts` | Fills the `Prompts` table for AI demos |
| `--from=YYYY-MM-DD` | Start date (optional, default: 1 year ago) |
| `--to=YYYY-MM-DD` | End date (optional, default: today) |

Example:

```bash
dotnet run --project MalwareBytesExtractor --generate-html --populate-prompts --from=2025-01-01 --to=2025-07-01
```
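The option handling described above, written out as an added example (not the project's own `Program.cs`): unknown switches are rejected, dates are parsed strictly as `yyyy-MM-dd` in the invariant culture, the defaults match the table (one year back to today), and an inverted window is refused before any API call is made. `ArgParser` and `RunOptions` are assumed names.

```csharp
// Added example, not the project's code; ArgParser and RunOptions are invented names.
using System;
using System.Globalization;

public sealed record RunOptions(bool GenerateHtml, bool PopulatePrompts, DateOnly From, DateOnly To);

public static class ArgParser
{
    // "today" is injected so the defaults are deterministic in tests.
    public static RunOptions Parse(string[] args, DateOnly today)
    {
        bool html = false, prompts = false;
        DateOnly from = today.AddYears(-1);   // documented default: one year ago
        DateOnly to = today;                  // documented default: today

        foreach (string arg in args)
        {
            switch (arg)
            {
                case "--generate-html":    html = true;    break;
                case "--populate-prompts": prompts = true; break;
                default:
                    if (arg.StartsWith("--from=", StringComparison.Ordinal))
                        from = ParseDate(arg["--from=".Length..], "--from");
                    else if (arg.StartsWith("--to=", StringComparison.Ordinal))
                        to = ParseDate(arg["--to=".Length..], "--to");
                    else
                        throw new ArgumentException($"Unknown option '{arg}'.");
                    break;
            }
        }

        if (from > to)
            throw new ArgumentException($"--from ({from:yyyy-MM-dd}) is after --to ({to:yyyy-MM-dd}).");

        return new RunOptions(html, prompts, from, to);
    }

    // Exact ISO format only: "01/02/2025" or "2025-1-2" are rejected rather than being
    // interpreted according to the machine's locale and silently becoming a different window.
    private static DateOnly ParseDate(string text, string option)
    {
        if (DateOnly.TryParseExact(text, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                   DateTimeStyles.None, out DateOnly date))
            return date;
        throw new ArgumentException($"{option} must be YYYY-MM-DD, got '{text}'.");
    }
}
```

Typical call: `var opts = ArgParser.Parse(args, DateOnly.FromDateTime(DateTime.UtcNow));`. Using UTC for "today" keeps the default window consistent with the timestamps the API returns.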

---

## 🧩 Data Model

### MalwareDetection Table

| Field | Description |
| ------------- | ------------------------------------- |
| Id | Unique GUID |
| Hostname | Name of machine |
| IpAddress | Public IP of device or attacker |
| Username | Targeted or logged-in user |
| DetectionName | Example: `RDP Intrusion Detection` |
| DetectionType | e.g., `RID`, `InboundConnection` |
| Category | Malwarebytes category |
| Severity | Integer level |
| ActionTaken | Quarantine / Block / None |
| CreatedAt | Date of creation |
| FirstSeen | First time seen (nullable) |
| LastSeen | Last time seen (nullable) |
| SourceCountry | ISO Country (e.g. `FR`) |
| SourceJson | Original API response (for reference) |
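Writing one row of this table through ADO.NET, as an added example (not the project's `DbWriter.cs`): the provider-neutral `DbConnection`/`DbCommand` base types run unchanged against `SqlConnection` or `NpgsqlConnection`, and because `Username`, `IpAddress` and `SourceJson` carry data the remote party supplied during the connection attempt, every value is bound as a parameter rather than concatenated into the statement. `DetectionWriter` and the record shape are assumptions; the column list is the table above.

```csharp
// Added example, not the project's code; DetectionWriter and the record are invented for it.
using System;
using System.Data.Common;
using System.Threading.Tasks;

public sealed record MalwareDetection(
    Guid Id, string Hostname, string IpAddress, string? Username, string DetectionName,
    string DetectionType, string? Category, int Severity, string? ActionTaken,
    DateTime CreatedAt, DateTime? FirstSeen, DateTime? LastSeen, string? SourceCountry, string SourceJson);

public static class DetectionWriter
{
    // "@name" placeholders are accepted by both Microsoft.Data.SqlClient and Npgsql.
    private const string InsertSql = """
        INSERT INTO MalwareDetection
            (Id, Hostname, IpAddress, Username, DetectionName, DetectionType, Category,
             Severity, ActionTaken, CreatedAt, FirstSeen, LastSeen, SourceCountry, SourceJson)
        VALUES
            (@Id, @Hostname, @IpAddress, @Username, @DetectionName, @DetectionType, @Category,
             @Severity, @ActionTaken, @CreatedAt, @FirstSeen, @LastSeen, @SourceCountry, @SourceJson)
        """;

    // The caller opens the connection (and any transaction); this only binds and executes.
    public static async Task InsertAsync(DbConnection conn, MalwareDetection d)
    {
        await using DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = InsertSql;
        Add(cmd, "@Id", d.Id);
        Add(cmd, "@Hostname", d.Hostname);
        Add(cmd, "@IpAddress", d.IpAddress);
        Add(cmd, "@Username", d.Username);          // attacker-chosen in a brute-force attempt
        Add(cmd, "@DetectionName", d.DetectionName);
        Add(cmd, "@DetectionType", d.DetectionType);
        Add(cmd, "@Category", d.Category);
        Add(cmd, "@Severity", d.Severity);
        Add(cmd, "@ActionTaken", d.ActionTaken);
        Add(cmd, "@CreatedAt", d.CreatedAt);
        Add(cmd, "@FirstSeen", d.FirstSeen);        // nullable column
        Add(cmd, "@LastSeen", d.LastSeen);          // nullable column
        Add(cmd, "@SourceCountry", d.SourceCountry);
        Add(cmd, "@SourceJson", d.SourceJson);      // raw API payload, stored verbatim
        await cmd.ExecuteNonQueryAsync();
    }

    private static void Add(DbCommand cmd, string name, object? value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value ?? DBNull.Value;    // null in C# must become DBNull for the driver
        cmd.Parameters.Add(p);
    }
}
```

Usage is the same for either provider: open a `SqlConnection` or `NpgsqlConnection` with the configured connection string, `await conn.OpenAsync()`, then `await DetectionWriter.InsertAsync(conn, detection)`. One provider-specific point: recent Npgsql versions map a `DateTime` with `Kind == Utc` to `timestamptz` and other kinds to `timestamp`, so keep the column types and the `DateTime.Kind` of the values consistent.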

---

## 🌍 IP Geolocation

* Powered by [ip-api.com](http://ip-api.com)
* Free & authentication-free (great for open-source)
* Country detection helps enrich reports for AI
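A lookup against ip-api.com as an added example (not the project's `GeoService.cs`): it skips private, loopback and link-local addresses, which no geolocation service can place, caches each answer so a repeat offender is only queried once against the free tier's per-minute budget, and requests only the `status` and `countryCode` fields. Class and member names are assumptions; the `fields` query parameter and the `status`/`countryCode` response fields are ip-api.com's documented JSON interface.

```csharp
// Added example, not the project's code; GeoService and IpApiResponse are invented names.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Net.Sockets;
using System.Threading.Tasks;

public sealed class GeoService
{
    // The free tier is plain HTTP and rate limited (45 requests per minute at the time of writing),
    // so responses are cached per IP and only public addresses are ever sent.
    private readonly HttpClient _http;
    private readonly ConcurrentDictionary<string, string?> _cache = new();

    public GeoService(HttpClient http) => _http = http;

    // System.Net.Http.Json deserializes case-insensitively, so "status"/"countryCode" bind here.
    private sealed record IpApiResponse(string Status, string? CountryCode);

    public async Task<string?> LookupCountryAsync(string ipText)
    {
        if (!IPAddress.TryParse(ipText, out IPAddress? ip) || !IsPublic(ip))
            return null;                       // private/loopback/link-local: nothing to look up

        if (_cache.TryGetValue(ipText, out string? cached))
            return cached;

        var r = await _http.GetFromJsonAsync<IpApiResponse>(
            $"http://ip-api.com/json/{ip}?fields=status,countryCode");
        string? country = r is { Status: "success" } ? r.CountryCode : null;
        _cache[ipText] = country;              // negative results are cached too
        return country;
    }

    // Public-routability check: loopback, RFC 1918, link-local, CGNAT, 0/8 and the IPv6 equivalents.
    public static bool IsPublic(IPAddress ip)
    {
        if (IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal || ip.IsIPv6UniqueLocal || ip.IsIPv6SiteLocal)
            return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (ip.AddressFamily != AddressFamily.InterNetwork)
            return true;                       // remaining IPv6 is treated as public here

        byte[] b = ip.GetAddressBytes();
        return b[0] switch
        {
            0 => false,                                   // 0.0.0.0/8
            10 => false,                                  // 10.0.0.0/8
            100 when b[1] >= 64 && b[1] <= 127 => false,  // 100.64.0.0/10 (CGNAT)
            169 when b[1] == 254 => false,                // 169.254.0.0/16
            172 when b[1] >= 16 && b[1] <= 31 => false,   // 172.16.0.0/12
            192 when b[1] == 168 => false,                // 192.168.0.0/16
            _ => true,
        };
    }
}
```

Share one `HttpClient` (with a timeout set) across the run so socket reuse and the cache both apply; since the free endpoint is HTTP only, the queried IP and returned country travel unencrypted, which is acceptable for public attacker addresses but worth knowing when the data is considered sensitive.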

---

## 📊 Dashboard Output (optional)

Run with `--generate-html` to create an interactive `dashboard.html` containing:

* Bar chart of top threat types
* Line chart of detections over time
* Map of source countries (when available)
* Tooltips and filtering

---

## 🧠 AI Prompt Seeding (optional)

Run with `--populate-prompts` to populate the `Prompts` table with questions like:

* "Show me all brute-force attacks from Germany"
* "List detections by machine and severity"
* "What are the most common attack types this year?"

This improves PeopleWorks GPT’s ability to offer useful examples to users.

---

## 🧠 Integration with PeopleWorks GPT

This app feeds data that can be used by [PeopleWorks GPT](https://peopleworksgpt.com) to answer natural language queries like:

> “How many RDP intrusions happened in Q1 2025?”

> “What countries have the most attacks?”

> “Show the trend of detections per machine over time.”

---

## 📁 Project Structure

* `Program.cs` – CLI interface and orchestration
* `Services/NebulaService.cs` – API interaction & pagination
* `Services/DetectionFilter.cs` – detection type filters
* `Services/GeoService.cs` – enriches with country
* `Services/DbWriter.cs` – inserts into selected DB
* `Services/HtmlDashboardGenerator.cs` – generates dashboard
* `Services/PromptSeeder.cs` – adds demo prompts
* `Models/MalwareDetection.cs` – main data class
* `appsettings.json` – config file

---

## 📄 License

This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.

---

Made with ❤️ by [PeopleWorks](https://peopleworksgpt.com) to empower AI in cybersecurity.
