Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ranguli/ioccheck
A tool for simplifying the process of researching IOCs.
https://github.com/ranguli/ioccheck
blueteam hacking hacktoberfest ioc security
Last synced: 21 days ago
JSON representation
A tool for simplifying the process of researching IOCs.
- Host: GitHub
- URL: https://github.com/ranguli/ioccheck
- Owner: ranguli
- License: mit
- Archived: true
- Created: 2021-03-13T03:54:22.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2021-09-24T23:48:30.000Z (about 3 years ago)
- Last Synced: 2024-08-05T17:45:02.843Z (4 months ago)
- Topics: blueteam, hacking, hacktoberfest, ioc, security
- Language: Python
- Homepage:
- Size: 877 KB
- Stars: 25
- Watchers: 5
- Forks: 0
- Open Issues: 9
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - ranguli/ioccheck - A tool for simplifying the process of researching IOCs. (Python)
README
# ioccheck
[![Documentation Status](https://readthedocs.org/projects/ioccheck/badge/?version=latest)](https://ioccheck.readthedocs.io/en/latest/?badge=latest)
[![Tests](https://github.com/ranguli/ioccheck/actions/workflows/main.yml/badge.svg)](https://github.com/ranguli/ioccheck/actions/workflows/main.yml)
[![Maintainability](https://api.codeclimate.com/v1/badges/abf6cb8ead9e0269ab22/maintainability)](https://codeclimate.com/github/ranguli/ioccheck/maintainability)
[![PyPi Status](https://img.shields.io/pypi/v/ioccheck.svg)](https://pypi.org/project/ioccheck/)
[![codecov](https://codecov.io/gh/ranguli/ioccheck/branch/main/graph/badge.svg?token=pjjBiTgJFC)](https://codecov.io/gh/ranguli/ioccheck)A tool for simplifying the process of researching file hashes, IP addresses,
and other indicators of compromise (IOCs).## Features
* Look up hashes across multiple threat intelligence services, from a single command or a few lines of Python.
* Currenty supports the following services:
* [VirusTotal](https://virustotal.com)
* [MalwareBazaar](https://bazaar.abuse.ch/)
* [Shodan.io](https://shodan.io/)
* Planned support:
* [URLhaus](https://urlhaus.abuse.ch/)
* [OTX](https://otx.alienvault.com/)
* [InQuest Labs](https://labs.inquest.net/)
* [MalShare](https://www.malshare.com/)
* [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/)
* [Maltiverse](https://maltiverse.com/)## Quickstart
```bash
pip install ioccheck
```You can also run the code directly
```bash
git clone https://github.com/ranguli/ioccheck && cd ioccheck
poetry install
```Populate `~/.config/ioccheck/credentials` with an entry for each service you have credentials for:
```
[virustotal]
api_key=YOUR_API_KEY_HERE[malwarebazaar]
api_key=YOUR_API_KEY_HERE[shodan]
api_key=YOUR_API_KEY_HERE[twitter]
consumer_key=YOUR_API_KEY_HERE
consumer_secret=YOUR_API_KEY_HERE
access_token=YOUR_API_KEY_HERE
access_secret=YOUR_API_KEY_HERE
```## Usage
```
➜ ioccheck 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0fChecking hash 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f.
[*] Hashing algorithm:
SHA256[*] VirusTotal URL:
https://virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/[*] VirusTotal detections:
61 engines (81%) detected this file.╒══════════════╤════════════╤═══════════════════════════════╕
│ Antivirus │ Detected │ Result │
╞══════════════╪════════════╪═══════════════════════════════╡
│ Malwarebytes │ No │ │
├──────────────┼────────────┼───────────────────────────────┤
│ Avast │ Yes │ EICAR Test-NOT virus!!! │
├──────────────┼────────────┼───────────────────────────────┤
│ ClamAV │ Yes │ Win.Test.EICAR_HDB-1 │
├──────────────┼────────────┼───────────────────────────────┤
│ Kaspersky │ Yes │ EICAR-Test-File │
├──────────────┼────────────┼───────────────────────────────┤
│ BitDefender │ Yes │ EICAR-Test-File (not a virus) │
├──────────────┼────────────┼───────────────────────────────┤
│ Paloalto │ No │ │
├──────────────┼────────────┼───────────────────────────────┤
│ TrendMicro │ Yes │ Eicar_test_file │
├──────────────┼────────────┼───────────────────────────────┤
│ FireEye │ Yes │ EICAR-Test-File (not a virus) │
├──────────────┼────────────┼───────────────────────────────┤
│ Sophos │ Yes │ EICAR-AV-Test │
├──────────────┼────────────┼───────────────────────────────┤
│ Microsoft │ Yes │ Virus:DOS/EICAR_Test_File │
├──────────────┼────────────┼───────────────────────────────┤
│ McAfee │ Yes │ EICAR test file │
├──────────────┼────────────┼───────────────────────────────┤
│ Fortinet │ Yes │ EICAR_TEST_FILE │
├──────────────┼────────────┼───────────────────────────────┤
│ AVG │ Yes │ EICAR Test-NOT virus!!! │
╘══════════════╧════════════╧═══════════════════════════════╛[*] VirusTotal reputation:
3392
```## Using the API
Creating a hash
```python
>>> from ioccheck import Hash
>>> from ioccheck.services import VirusTotal
>>> eicar = Hash("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")
>>> # What kind of hash is this?
>>> print(eicar.hash_type)
SHA256
```Looking up a hash
```python
>>> # With no arguments, check() tries all supported services. API keys grabbed from ~/.ioccheck by default.
>>> eicar.check()
>>> # Alternatively:
>>> eicar.check(services=VirusTotal, config_path=/foo/bar/.ioccheck)
```Researching a hash
```python
>>> # Check the VirusTotal report to see if Sophos detects our hash
>>> eicar.reports.virustotal.get_detections(engines=["Sophos"])
{'Sophos': {'category': 'malicious', 'engine_name': 'Sophos', 'engine_version': '1.0.2.0', 'result': 'EICAR-AV-Test', 'method': 'blacklist', 'engine_update': '20210314'}}
>>> # What is this hash known as?
>>> print(eicar.reports.virustotal.name)
'eicar.com-2224'
>>> # How many AV engines are detecting this hash?
>>> eicar.reports.virustotal.detection_count
60
``````
>>> # Just show me the VirusTotal API response!
>>> eicar.reports.virustotal.api_response```