MalwareBazaar.psm1


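Function Get-MalwareBazaarSampleHash {
<#
    .SYNOPSIS
        Query malware by hash

    .DESCRIPTION
        Checks whether a sample is known to MalwareBazaar by sending a 'get_info' query
        for the given hash and returning the 'data' element of the reply. The API reports
        its outcome in-band through a query_status field: anything other than 'ok' is
        raised as a terminating error carrying that status string. HTTP/transport
        failures are terminating as well (Invoke-RestMethod runs with -ErrorAction Stop).

    .PARAMETER Hash
        MD5 (32 hex characters), SHA1 (40) or SHA256 (64) hash of the sample. The value is
        validated client-side, so a malformed string is rejected before any request is sent.

    .EXAMPLE
        Get-MalwareBazaarSampleHash -Hash '7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754' -Verbose

    .LINK
        https://bazaar.abuse.ch/api/#query_hash
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    # Only the three digest lengths the help documents, hex digits only. Anything else is
    # not a hash this endpoint can answer and would just be a round trip for an error status.
    [ValidatePattern('^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$')]
    [string]$Hash
)
Begin{}
Process {
    $Scriptname = $MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$Scriptname] Build Splatting"
    $HT = @{
        Method          = 'Post'
        UseBasicParsing = $true
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Body            = @{
            query = 'get_info'
            hash  = $Hash
        }
        ErrorAction     = 'Stop'   # HTTP/transport failures become terminating errors
        Verbose         = $false   # keep Invoke-RestMethod's own chatter out of -Verbose output
    }
    Write-Verbose -Message "[$Scriptname] Querying Rest api..."
    # Process-wide setting: this pins every later HTTPS call in the session to TLS 1.2
    # (and excludes TLS 1.3 where the runtime offers it). Kept deliberately: on older
    # Windows PowerShell / .NET Framework hosts the default protocol set may not include
    # TLS 1.2, and overwriting (rather than OR-ing) also drops SSL3/TLS1.0 from that default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $r = Invoke-RestMethod @HT
    # A 200 reply can still be a failure: the API signals it via query_status.
    if ($r.query_status -ne 'ok') {
        throw "Failed to query because $($r.query_status)"
    }
    $r.data
}
End{}
}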

Function Get-MalwareBazaarSampleTag {
<#
    .SYNOPSIS
        Query malware by tag

    .DESCRIPTION
        Sends a 'get_taginfo' query to the MalwareBazaar API and returns the 'data' element
        of the reply: the samples (max 1'000) carrying the given tag. A reply whose
        query_status is not 'ok' is raised as a terminating error carrying that status;
        HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER Tag
        Tag you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleTag -Tag TrickBot -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#taginfo
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Tag,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $me = $MyInvocation.MyCommand
    Write-Verbose -Message "[$me] Build Splatting"
    $payload = @{ query = 'get_taginfo' ; tag = $Tag ; limit = $Limit }
    $request = @{
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Method          = 'Post'
        Body            = $payload
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$me] Querying Rest api..."
        # Process-wide: every later HTTPS call in this session is pinned to TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $response = Invoke-RestMethod @request
        # Failure is signalled in-band through query_status, not through the HTTP status.
        if ($response.query_status -ne 'ok') {
            throw "Failed to query because $($response.query_status)"
        }
        $response.data
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleSignature {
<#
    .SYNOPSIS
        Query malware by signature

    .DESCRIPTION
        Sends a 'get_siginfo' query to the MalwareBazaar API and returns the 'data' element
        of the reply: recent samples (max 1'000) associated with the given signature
        (malware family name). A reply whose query_status is not 'ok' is raised as a
        terminating error carrying that status; HTTP/transport failures are terminating too.

    .PARAMETER Signature
        Signature you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleSignature -Signature TrickBot -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#siginfo
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Signature,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $cmdName = $PSCmdlet.MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$cmdName] Build Splatting"
    $form = @{
        query     = 'get_siginfo'
        signature = $Signature
        limit     = $Limit
    }
    try {
        Write-Verbose -Message "[$cmdName] Querying Rest api..."
        # Process-wide: pins the session to TLS 1.2 for every later HTTPS call.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $reply = Invoke-RestMethod -Method Post -Uri 'https://mb-api.abuse.ch/api/v1/' -Body $form -UseBasicParsing -ErrorAction Stop -Verbose:$false
        # The API reports failure in-band via query_status (string match is case-insensitive).
        switch ($reply.query_status) {
            'ok'    { $reply.data }
            default { throw "Failed to query because $($reply.query_status)" }
        }
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleFileType {
<#
    .SYNOPSIS
        Query malware by filetype

    .DESCRIPTION
        Sends a 'get_file_type' query to the MalwareBazaar API and returns the 'data'
        element of the reply: recent samples (max 1'000) of the given file type. A reply
        whose query_status is not 'ok' is raised as a terminating error carrying that
        status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER FileType
        FileType you want to get malware samples for (e.g. elf, exe, dll)

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleFileType -FileType elf -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#filetype
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$FileType,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $name = $MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$name] Build Splatting"
    $body = [ordered]@{
        query     = 'get_file_type'
        file_type = $FileType
        limit     = $Limit
    }
    $call = @{
        Method          = 'Post'
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Body            = $body
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$name] Querying Rest api..."
        # Process-wide: the whole session is pinned to TLS 1.2 from here on.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls12'
        $result = Invoke-RestMethod @call
        # Failure is reported in-band: a 200 reply with a non-'ok' query_status.
        if ($result.query_status -eq 'ok') {
            return $result.data
        }
        throw "Failed to query because $($result.query_status)"
    } catch {
        throw
    }
}
End{}
}

Function Get-MalwareBazaarSampleClamAVSignature {
<#
    .SYNOPSIS
        Query malware by ClamAV signature

    .DESCRIPTION
        Sends a 'get_clamavinfo' query to the MalwareBazaar API and returns the 'data'
        element of the reply: recent samples (max 1'000) matching the given ClamAV
        signature name. A reply whose query_status is not 'ok' is raised as a terminating
        error carrying that status; HTTP/transport failures are terminating too.

    .PARAMETER Signature
        ClamAV signature you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleClamAVSignature -Signature 'Doc.Downloader.Emotet-7580152-0' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#clamav
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Signature,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $me = $MyInvocation.MyCommand
    Write-Verbose -Message "[$me] Build Splatting"
    $payload = @{ query = 'get_clamavinfo' ; clamav = $Signature ; limit = $Limit }
    $request = @{
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Method          = 'Post'
        Body            = $payload
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$me] Querying Rest api..."
        # Process-wide: every later HTTPS call in this session is pinned to TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $response = Invoke-RestMethod @request
        # Failure is signalled in-band through query_status, not through the HTTP status.
        if ($response.query_status -ne 'ok') {
            throw "Failed to query because $($response.query_status)"
        }
        $response.data
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleImpHash {
<#
    .SYNOPSIS
        Query malware by imphash

    .DESCRIPTION
        Sends a 'get_imphash' query to the MalwareBazaar API and returns the 'data'
        element of the reply: samples (max 1'000) sharing the given import hash.
        A reply whose query_status is not 'ok' is raised as a terminating error carrying
        that status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER Hash
        imphash you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleImpHash -Hash '45d579faec0eaf279c0841b2233727cf' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#imphash
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Hash,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $cmdName = $PSCmdlet.MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$cmdName] Build Splatting"
    $form = @{
        query   = 'get_imphash'
        imphash = $Hash
        limit   = $Limit
    }
    try {
        Write-Verbose -Message "[$cmdName] Querying Rest api..."
        # Process-wide: pins the session to TLS 1.2 for every later HTTPS call.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $reply = Invoke-RestMethod -Method Post -Uri 'https://mb-api.abuse.ch/api/v1/' -Body $form -UseBasicParsing -ErrorAction Stop -Verbose:$false
        # The API reports failure in-band via query_status (string match is case-insensitive).
        switch ($reply.query_status) {
            'ok'    { $reply.data }
            default { throw "Failed to query because $($reply.query_status)" }
        }
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleTLSH {
<#
    .SYNOPSIS
        Query malware by TLSH

    .DESCRIPTION
        Sends a 'get_tlsh' query to the MalwareBazaar API and returns the 'data' element
        of the reply: samples (max 1'000) associated with the given TLSH hash. A reply
        whose query_status is not 'ok' is raised as a terminating error carrying that
        status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER Hash
        TLSH hash you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleTLSH -Hash '4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#tlsh
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Hash,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $name = $MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$name] Build Splatting"
    $body = [ordered]@{
        query = 'get_tlsh'
        tlsh  = $Hash
        limit = $Limit
    }
    $call = @{
        Method          = 'Post'
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Body            = $body
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$name] Querying Rest api..."
        # Process-wide: the whole session is pinned to TLS 1.2 from here on.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls12'
        $result = Invoke-RestMethod @call
        # Failure is reported in-band: a 200 reply with a non-'ok' query_status.
        if ($result.query_status -eq 'ok') {
            return $result.data
        }
        throw "Failed to query because $($result.query_status)"
    } catch {
        throw
    }
}
End{}
}

Function Get-MalwareBazaarSampleTelfhash {
<#
    .SYNOPSIS
        Query malware by telfhash

    .DESCRIPTION
        Sends a 'get_telfhash' query to the MalwareBazaar API and returns the 'data'
        element of the reply: samples (max 1'000) associated with the given telfhash.
        A reply whose query_status is not 'ok' is raised as a terminating error carrying
        that status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER Hash
        telfhash hash you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleTelfhash -Hash 'ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#telfhash
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Hash,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $me = $MyInvocation.MyCommand
    Write-Verbose -Message "[$me] Build Splatting"
    $payload = @{ query = 'get_telfhash' ; telfhash = $Hash ; limit = $Limit }
    $request = @{
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Method          = 'Post'
        Body            = $payload
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$me] Querying Rest api..."
        # Process-wide: every later HTTPS call in this session is pinned to TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $response = Invoke-RestMethod @request
        # Failure is signalled in-band through query_status, not through the HTTP status.
        if ($response.query_status -ne 'ok') {
            throw "Failed to query because $($response.query_status)"
        }
        $response.data
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleIconDhash {
<#
    .SYNOPSIS
        Query malware by icon's dhash

    .DESCRIPTION
        Sends a 'get_dhash_icon' query to the MalwareBazaar API and returns the 'data'
        element of the reply: PE samples (max 1'000) whose embedded icon has the given
        dhash. A reply whose query_status is not 'ok' is raised as a terminating error
        carrying that status; HTTP/transport failures are terminating too.

    .PARAMETER Hash
        The icon's dhash you want to get malware samples for

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleIconDhash -Hash '48b9b2b0e8c18c90' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#dhash_icon
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [string]$Hash,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $cmdName = $PSCmdlet.MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$cmdName] Build Splatting"
    $form = @{
        query      = 'get_dhash_icon'
        dhash_icon = $Hash
        limit      = $Limit
    }
    try {
        Write-Verbose -Message "[$cmdName] Querying Rest api..."
        # Process-wide: pins the session to TLS 1.2 for every later HTTPS call.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $reply = Invoke-RestMethod -Method Post -Uri 'https://mb-api.abuse.ch/api/v1/' -Body $form -UseBasicParsing -ErrorAction Stop -Verbose:$false
        # The API reports failure in-band via query_status (string match is case-insensitive).
        switch ($reply.query_status) {
            'ok'    { $reply.data }
            default { throw "Failed to query because $($reply.query_status)" }
        }
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleYaraRule {
<#
    .SYNOPSIS
        Query malware by yara rule name

    .DESCRIPTION
        Sends a 'get_yarainfo' query to the MalwareBazaar API and returns the 'data'
        element of the reply: samples (max 1'000) matched by the named YARA rule.
        A reply whose query_status is not 'ok' is raised as a terminating error carrying
        that status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER RuleName
        Name of the YARA rule (rule_name) you want to get malware samples for. Alias: Name

    .PARAMETER Limit
        Maximum number of samples to return (1-1000, default 100)

    .EXAMPLE
        Get-MalwareBazaarSampleYaraRule -RuleName 'win_remcos_g0' -Limit 50

    .LINK
        https://bazaar.abuse.ch/api/#yarainfo
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory)]
    [Alias('Name')]
    [string]$RuleName,

    [Parameter()]
    [ValidateRange(1,1000)]
    [int32]$Limit=100
)
Begin{}
Process {
    $name = $MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$name] Build Splatting"
    $body = [ordered]@{
        query     = 'get_yarainfo'
        yara_rule = $RuleName
        limit     = $Limit
    }
    $call = @{
        Method          = 'Post'
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Body            = $body
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$name] Querying Rest api..."
        # Process-wide: the whole session is pinned to TLS 1.2 from here on.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls12'
        $result = Invoke-RestMethod @call
        # Failure is reported in-band: a 200 reply with a non-'ok' query_status.
        if ($result.query_status -eq 'ok') {
            return $result.data
        }
        throw "Failed to query because $($result.query_status)"
    } catch {
        throw
    }
}
End{}
}


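Function Get-MalwareBazaarSampleCodeSigningCertificate {
<#
    .SYNOPSIS
        Query malware by code signing certificate

    .DESCRIPTION
        Two lookups share this command, chosen by parameter set:
          -Issuer  sends 'get_issuerinfo'  : samples (max 100) signed with a certificate issued by that CA (Issuer CN)
          -Subject sends 'get_subjectinfo' : samples (max 100) whose signing certificate has that Subject CN
        Matching is on the exact Common Name. The 'data' element of the reply is returned;
        a query_status other than 'ok' is raised as a terminating error carrying that
        status, and HTTP/transport failures are terminating too (-ErrorAction Stop).

    .PARAMETER Issuer
        Exact Issuer Common Name (CN) of the certificate authority that issued the certificate

    .PARAMETER Subject
        Exact Subject Common Name (CN) of the code signing certificate

    .EXAMPLE
        Get-MalwareBazaarSampleCodeSigningCertificate -Issuer 'Sectigo RSA Code Signing CA'

    .EXAMPLE
        Get-MalwareBazaarSampleCodeSigningCertificate -Subject 'Ekitai Data Inc.'

    .LINK
        https://bazaar.abuse.ch/api/#issuer_cn
        https://bazaar.abuse.ch/api/#subject_cn
#>

[CmdletBinding(DefaultParameterSetName='ICN')]
Param(
    [Parameter(ParameterSetName='ICN',Mandatory)]
    [string]$Issuer,

    [Parameter(ParameterSetName='SCN',Mandatory)]
    [string]$Subject
)
Begin{}
Process {
    $Scriptname = $MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$Scriptname] Build Splatting"
    # Build the whole body per parameter set. The earlier version started from a
    # placeholder body (query = 'add', an unrelated API call) and patched it inside a
    # switch whose default branch did nothing; selecting the body here leaves no path
    # on which a wrong query name could be sent.
    $Body = switch ($PSCmdlet.ParameterSetName) {
        'ICN'   { @{ query = 'get_issuerinfo'  ; issuer_cn  = $Issuer  } }
        'SCN'   { @{ query = 'get_subjectinfo' ; subject_cn = $Subject } }
        default { throw "Unsupported parameter set '$($PSCmdlet.ParameterSetName)'" }
    }
    $HT = @{
        Method          = 'Post'
        UseBasicParsing = $true
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Body            = $Body
        ErrorAction     = 'Stop'   # HTTP/transport failures become terminating errors
        Verbose         = $false   # keep Invoke-RestMethod's own chatter out of -Verbose output
    }
    Write-Verbose -Message "[$Scriptname] Querying Rest api..."
    # Process-wide setting: pins every later HTTPS call in the session to TLS 1.2
    # (and excludes TLS 1.3 where the runtime offers it). Kept deliberately for older
    # Windows PowerShell / .NET Framework hosts whose default set may lack TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $r = Invoke-RestMethod @HT
    # A 200 reply can still be a failure: the API signals it via query_status.
    if ($r.query_status -ne 'ok') {
        throw "Failed to query because $($r.query_status)"
    }
    $r.data
}
End{}
}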

Function Get-MalwareBazaarSampleCodeSigningCertificateBlockList {
<#
    .SYNOPSIS
        Query Code Signing Certificate Blocklist (CSCB)

    .DESCRIPTION
        Sends a 'get_cscb' query to the MalwareBazaar API and returns the 'data' element
        of the reply: the full content of the Code Signing Certificate Blocklist. A reply
        whose query_status is not 'ok' is raised as a terminating error carrying that
        status; HTTP/transport failures are terminating too (-ErrorAction Stop).

    .EXAMPLE
        Get-MalwareBazaarSampleCodeSigningCertificateBlockList

    .LINK
        https://bazaar.abuse.ch/api/#cscb
#>

[CmdletBinding()]
Param()
Begin{}
Process {
    $me = $MyInvocation.MyCommand
    Write-Verbose -Message "[$me] Build Splatting"
    # No selector for this query: the endpoint dumps the whole blocklist.
    $request = @{
        Uri             = 'https://mb-api.abuse.ch/api/v1/'
        Method          = 'Post'
        Body            = @{ query = 'get_cscb' }
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
        Verbose         = $false
    }
    try {
        Write-Verbose -Message "[$me] Querying Rest api..."
        # Process-wide: every later HTTPS call in this session is pinned to TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $response = Invoke-RestMethod @request
        # Failure is signalled in-band through query_status, not through the HTTP status.
        if ($response.query_status -ne 'ok') {
            throw "Failed to query because $($response.query_status)"
        }
        $response.data
    } catch {
        throw $_
    }
}
End{}
}

Function Get-MalwareBazaarSampleRecent {
<#
    .SYNOPSIS
        Query latest malware samples (recent additions)

    .DESCRIPTION
        Sends a 'get_recent' query to the MalwareBazaar API and returns the 'data'
        element of the reply. The API's selector is either 'time' (samples added within
        the last 60 minutes) or '100' (the latest 100 additions); this command exposes
        the latter as 'Limit' and translates it. A reply whose query_status is not 'ok'
        is raised as a terminating error carrying that status; HTTP/transport failures
        are terminating too (-ErrorAction Stop).

    .PARAMETER By
        Selector: 'Time' (last 60 minutes) or 'Limit' (latest 100 additions, default).
        The raw API value '100' is accepted as well and means the same as 'Limit'. Alias: Selector

    .EXAMPLE
        Get-MalwareBazaarSampleRecent -By 'Limit'

    .EXAMPLE
        Get-MalwareBazaarSampleRecent -By 'Time'

    .LINK
        https://bazaar.abuse.ch/api/#latest_additions
#>

[CmdletBinding()]
Param(

    [Parameter()]
    [ValidateSet('Time','Limit','100')]
    [Alias('Selector')]
    [string]$By = 'Limit'
)
Begin{}
Process {
    $cmdName = $PSCmdlet.MyInvocation.MyCommand.Name
    Write-Verbose -Message "[$cmdName] Build Splatting"
    # 'Limit' is the friendly spelling of the API's '100' selector; 'Time' and '100' pass through.
    $selector = if ($By -eq 'Limit') { '100' } else { $By }
    $form = @{
        query    = 'get_recent'
        selector = $selector
    }
    try {
        Write-Verbose -Message "[$cmdName] Querying Rest api..."
        # Process-wide: pins the session to TLS 1.2 for every later HTTPS call.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $reply = Invoke-RestMethod -Method Post -Uri 'https://mb-api.abuse.ch/api/v1/' -Body $form -UseBasicParsing -ErrorAction Stop -Verbose:$false
        # The API reports failure in-band via query_status (string match is case-insensitive).
        switch ($reply.query_status) {
            'ok'    { $reply.data }
            default { throw "Failed to query because $($reply.query_status)" }
        }
    } catch {
        throw $_
    }
}
End{}
}