InsightConnect Marketplace

Threat Crowd

v2.0.2

Threat Crowd is an open source search engine for threats. Using the Threat Crowd plugin for Rapid7 InsightConnect, users can search by domain, IP address, email address, and other information to discover threats.

Tags: antivirus, domain, api


Actions
  • Address Lookup
  • AntiVirus Lookup
  • Domain Lookup
  • Email Lookup
  • Hash Lookup
  • Vote

Description

ThreatCrowd is an open source search engine for threats. Using the Threat Crowd plugin for Rapid7 InsightConnect, users can search by domain, IP address, email address, and other information to discover and enrich information about threats in real-time.

Key Features

  • Gather threat intelligence about MD5 or SHA1 hashes, IP addresses, antivirus software, domain names, and email addresses
  • Submit votes for malicious indicators

Requirements

This plugin does not contain any requirements.

Documentation

Setup

This plugin does not contain a connection.

Technical Details

Actions

Vote

This action is used to submit votes for malicious entities.

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| entity | string | None | True | URL, Email or IP | None |
| vote | boolean | None | True | Vote malicious | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| status | string | True | Status code, 200 is successful |

Example output:

{
  "status": "200"
}

Hash Lookup

This action is used to retrieve information about a MD5 or SHA1 hash.

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| hash | string | None | True | Hash to search - MD5 and SHA1 supported | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| domains | []string | False | List of domains |
| found | boolean | True | Whether search returned results |
| hashes | []string | False | List of hashes |
| ips | []string | False | List of IP addresses |
| permalink | string | False | Permalink URL |
| references | []string | False | List of references |
| scans | []string | False | List of scans |

Example output:

{
  "permalink": "https://www.threatcrowd.org/malware.php?md5=ec8c89aa5e521572c74e2dd02a4daf78",
  "ips": [
    "0.0.0.0"
  ],
  "references": [],
  "domains": [
    "ks.aoldaily.com"
  ],
  "found": true,
  "hashes": [
    "{'sha1': u'01f5c3905f2098650f16f50a1b26156586238bfe'}",
    "{'md5': u'ec8c89aa5e521572c74e2dd02a4daf78'}"
  ],
  "scans": [
    "Trojan/W32.Small.34304.EG",
    "Trojan.Win32.Cossta!O",
    "Trojan ( 001922ff1 )",
    "Trojan ( 001922ff1 )",
    "Trojan.Win32.Cossta.cqvyn",
    "APT1.A",
    "TSPY_COSSTA.DH",
    "WIN.Trojan.Cossta-4",
    "Trojan.Win32.Cossta.grt",
    "Trojan.Cossta!dfgiLGS/u08",
    "Trojan.Win32.A.Cossta.34304.A",
    "UnclassifiedMalware",
    "TR/Offend.4596108",
    "TSPY_COSSTA.DH",
    "Mal/Dloadr-BK",
    "Trojan/Cossta.rg",
    "Trojan/Win32.Cossta",
    "Win32.Troj.Cossta.(kcloud)",
    "Backdoor:Win32/Neunut.A",
    "Trojan/Win32.Cossta",
    "Trojan.Cossta",
    "Trojan.Win32.Cossta.abv",
    "W32/Cossta.WQS!tr",
    "Win32/Trojan.734"
  ]
}

If there is no match in the database, the action will return:

{
  "found": false
}

Address Lookup

This action is used to retrieve information about an IP address.

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| domain | string | None | True | IP to search | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| domains | []string | False | List of domains |
| found | boolean | True | Whether search returned results |
| hashes | []string | False | List of hashes |
| malicious | string | False | Category |
| permalink | string | False | Permalink URL |
| references | []string | False | List of references |
| resolutions | []string | False | List of resolutions |

Example output:

{
  "permalink": "https://www.threatcrowd.org/ip.php?ip=188.40.75.132",
  "malicious": "Malicious",
  "references": [],
  "domains": [
    "{u'last_resolved': u'2015-02-17', u'domain': u'tvgate.rocks'}",
    "{u'last_resolved': u'2015-02-17', u'domain': u'nice-mobiles.com'}",
    "{u'last_resolved': u'2015-02-17', u'domain': u'nauss-lab.com'}",
    "{u'last_resolved': u'2015-02-19', u'domain': u'www.fpupdate.info'}"
  ],
  "found": true,
  "hashes": [
    "e1d2543aba350a83c968872fbe957d85",
    "f3d6bb7addc88ad45f79c5199f8db2e0",
    "f78fcd4eaf3d9cd95116b6e6212ad327",
    "fa6fbd1dd2d58885772bd0b37633d5d7"
  ]
}

If there is no match in the database, the action will return:

{
  "found": false
}

AntiVirus Lookup

This action is used to retrieve information about malware associated with an antivirus detection name (for example, plugx).

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| antivirus | string | None | True | Antivirus to search | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| found | boolean | True | Whether search returned results |
| hashes | []string | False | List of hashes |
| permalink | string | False | Permalink URL |
| references | []string | False | List of references |

Example output:

{
  "found": true,
  "hashes": [
    "2e5948ccf01101dd41f84aa4b2c68b27",
    "581e047bf0d68696757221b9b4fcc3b0",
    "705d7d0374ced8959f5352f4f2c6cb3f",
    "a18b748564f67ead58ece5b679b8a8f6",
    "b66912f5befda0dd4442dedf6f5be14d"
  ],
  "references": [],
  "permalink": "https://www.threatcrowd.org/listMalware.php?antivirus=plugx"
}

If there is no match in the database, the action will return:

{
  "found": false
}

Domain Lookup

This action is used to retrieve information about a domain name.

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| domain | string | None | True | Domain to search | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| domains | []string | False | List of domains |
| emails | []string | False | List of emails |
| found | boolean | True | Whether search returned results |
| hashes | []string | False | List of hashes |
| malicious | string | False | Category |
| permalink | string | False | Permalink URL |
| references | []string | False | List of references |
| subdomains | []string | False | List of subdomains |

Example output:

{
  "permalink": "https://www.threatcrowd.org/domain.php?domain=aoldaily.com",
  "references": [
    "httpblog.shadowserver.org201302",
    "httpsto-strategy.comsAppendix-D-Digital-FQDNs.pdf"
  ],
  "domains": [
    "{u'last_resolved': u'2017-11-09', u'ip_address': u'-'}",
    "{u'last_resolved': u'2014-04-01', u'ip_address': u'0.0.0.0'}",
    "{u'last_resolved': u'2018-05-04', u'ip_address': u'184.168.221.41'}",
    "{u'last_resolved': u'2018-05-05', u'ip_address': u'184.168.221.56'}"
  ],
  "found": true,
  "hashes": [],
  "malicious": "Malicious",
  "emails": [
    "user@example.com",
    "user@example.com"
  ],
  "subdomains": [
    "media.aoldaily.com",
    "asdfauto.aoldaily.com",
    "tw.aoldaily.com",
    "www.aoldaily.com"
  ]
}

If there is no match in the database, the action will return:

{
  "found": false
}

Email Lookup

This action is used to retrieve information about an email address.

Input

| Name | Type | Default | Required | Description | Enum |
| ---- | ---- | ------- | -------- | ----------- | ---- |
| email | string | None | True | Email to search | None |

Output

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| domains | []string | False | List of domains |
| found | boolean | True | Whether search returned results |
| permalink | string | False | Permalink URL |
| references | []string | False | List of references |

Example output:

{
  "domains": [
    "aoldaily.com",
    "aunewsonline.com",
    "cnndaily.com",
    "usnewssite.com"
  ],
  "found": true,
  "permalink": "user@example.com",
  "references": []
}

If there is no match in the database, the action will return:

{
  "found": false
}

Triggers

This plugin does not contain any triggers.

Custom Output Types

This plugin does not contain any custom output types.

Troubleshooting

All lookup actions return a boolean variable called found that contains either true or false as a value. This variable can be used in automated decisions to check if ThreatCrowd has information on a host before trying to do something with it.
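As an added example (not part of the plugin or its documentation), the Python below turns the lookup outputs documented above into a flat indicator list and a verdict label that a workflow can branch on, gating on found exactly as described. It assumes only the output shapes shown in the example outputs on this page: a top-level found boolean, an optional malicious string, and indicator lists whose entries are either plain strings or stringified Python dicts (as the hashes and domains entries in the examples above are). The sample outputs inside the block are constructed from those examples; the function names, the placeholder set and the key-to-kind mapping are the example's own assumptions.

```python
import ast
from typing import Any, Dict, List, Set, Tuple

# Keys found inside a stringified dict entry, mapped to the indicator kind they hold
# (assumption based on the example outputs on this page).
_DICT_KEYS = {"md5": "hashes", "sha1": "hashes", "domain": "domains", "ip_address": "ips"}
# Output list names mapped to the indicator kind of their plain-string entries.
_LIST_KINDS = {"hashes": "hashes", "domains": "domains", "subdomains": "domains",
               "ips": "ips", "emails": "emails"}
# Placeholder values that the documented outputs use for unknown resolutions.
_PLACEHOLDERS = {"", "-", "0.0.0.0"}


def _unwrap(list_name: str, entry: Any) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs carried by one list entry.

    Entries are either plain strings ("ks.aoldaily.com") or stringified Python
    dicts such as "{'sha1': u'01f5...'}". ast.literal_eval evaluates literals
    only, so an untrusted string cannot run code here; anything that fails to
    parse is kept as a plain string of the list's own kind.
    """
    if not isinstance(entry, str):
        return []
    text = entry.strip()
    if text.startswith("{"):
        try:
            parsed = ast.literal_eval(text)
        except (ValueError, SyntaxError):
            parsed = None
        if isinstance(parsed, dict):
            return [(kind, str(parsed[key])) for key, kind in _DICT_KEYS.items() if key in parsed]
    kind = _LIST_KINDS.get(list_name)
    return [(kind, text)] if kind else []


def extract_indicators(output: Dict[str, Any]) -> Dict[str, List[str]]:
    """Flatten one lookup action's output into {kind: sorted unique values}.

    Returns {} when found is false or missing, so a workflow can stop before
    doing anything with a host ThreatCrowd has no information on.
    """
    if not output.get("found"):
        return {}
    buckets: Dict[str, Set[str]] = {}
    for list_name in _LIST_KINDS:
        for entry in output.get(list_name) or []:
            for kind, value in _unwrap(list_name, entry):
                if value not in _PLACEHOLDERS:
                    buckets.setdefault(kind, set()).add(value.lower())
    return {kind: sorted(values) for kind, values in buckets.items()}


def verdict(output: Dict[str, Any]) -> str:
    """Branch label for a workflow: 'unknown' (no data), 'malicious', or 'seen'."""
    if not output.get("found"):
        return "unknown"
    return "malicious" if output.get("malicious") == "Malicious" else "seen"


# Constructed samples, abbreviated from the Hash Lookup and Address Lookup
# example outputs on this page.
HASH_LOOKUP_OUTPUT = {
    "found": True,
    "ips": ["0.0.0.0"],
    "domains": ["ks.aoldaily.com"],
    "hashes": [
        "{'sha1': u'01f5c3905f2098650f16f50a1b26156586238bfe'}",
        "{'md5': u'ec8c89aa5e521572c74e2dd02a4daf78'}",
    ],
}
ADDRESS_LOOKUP_OUTPUT = {
    "found": True,
    "malicious": "Malicious",
    "domains": ["{u'last_resolved': u'2015-02-17', u'domain': u'tvgate.rocks'}"],
    "hashes": ["e1d2543aba350a83c968872fbe957d85"],
}
NO_MATCH_OUTPUT = {"found": False}

if __name__ == "__main__":
    for name, out in [("hash", HASH_LOOKUP_OUTPUT),
                      ("address", ADDRESS_LOOKUP_OUTPUT),
                      ("none", NO_MATCH_OUTPUT)]:
        print(name, verdict(out), extract_indicators(out))
```

Two details matter for anyone wiring this into a workflow. The stringified dict entries are parsed with ast.literal_eval rather than eval, so a hostile value in a lookup result can at worst fail to parse and be kept as an opaque string. The 0.0.0.0 and "-" placeholders that appear in the documented outputs are dropped so they never end up on a block list or in a downstream lookup.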

Version History

  • 2.0.2 - Updated help.md for the Hub
  • 2.0.1 - New spec and help.md format for the Hub
  • 2.0.0 - Rename "Antivirus Lookup" to "AntiVirus Lookup"
  • 1.0.0 - Fix locking bug where actions hang indefinitely | Update to v2 Python plugin architecture | Support web server mode
  • 0.1.1 - SSL bug fix in SDK
  • 0.1.0 - Initial plugin

plugin_spec_version: v2
extension: plugin
products: ["insightconnect"]
name: threatcrowd
title: Threat Crowd
description: Threat Crowd is an open source search engine for threats. Using the Threat Crowd plugin for Rapid7 InsightConnect, users can search by domain, IP address, email address, and other information to discover threats
version: 2.0.2
vendor: rapid7
support: rapid7
status: []
resources:
  vendor_url: https://www.threatcrowd.org/
tags:
- antivirus
- domain
- api
hub_tags:
  use_cases: [threat_detection_and_response, data_enrichment]
  keywords: [antivirus, domain, api]
  features: []
actions:
  domain:
    title: Domain Lookup
    description: Search a domain for malicious threats
    input:
      domain:
        title: Domain
        type: string
        description: Domain to search
        required: true
    output:
      domains:
        title: Domains
        description: List of domains
        type: '[]string'
        required: false
      hashes:
        title: Hashes
        description: List of hashes
        type: '[]string'
        required: false
      emails:
        title: Emails
        description: List of emails
        type: '[]string'
        required: false
      subdomains:
        title: Sub Domains
        description: List of subdomains
        type: '[]string'
        required: false
      references:
        title: References
        description: List of references
        type: '[]string'
        required: false
      malicious:
        title: Malicious
        description: Category
        type: string
        required: false
      permalink:
        title: Permalink
        description: Permalink URL
        type: string
        required: false
      found:
        title: Found
        description: Whether search returned results
        type: boolean
        required: true
  email:
    title: Email Lookup
    description: Search an email for malicious threats
    input:
      email:
        title: Email
        type: string
        description: Email to search
        required: true
    output:
      domains:
        title: Domains
        description: List of domains
        type: '[]string'
        required: false
      references:
        title: References
        description: List of references
        type: '[]string'
        required: false
      permalink:
        title: Permalink
        description: Permalink URL
        type: string
        required: false
      found:
        title: Found
        description: Whether search returned results
        type: boolean
        required: true
  address:
    title: Address Lookup
    description: Search an IP for malicious threats
    input:
      domain:
        title: Domain
        type: string
        description: IP to search
        required: true
    output:
      domains:
        title: Domains
        description: List of domains
        type: '[]string'
        required: false
      resolutions:
        title: Resolutions
        description: List of resolutions
        type: '[]string'
        required: false
      hashes:
        title: Hashes
        description: List of hashes
        type: '[]string'
        required: false
      references:
        title: References
        description: List of references
        type: '[]string'
        required: false
      malicious:
        title: Malicious
        description: Category
        type: string
        required: false
      permalink:
        title: Permalink
        description: Permalink URL
        type: string
        required: false
      found:
        title: Found
        description: Whether search returned results
        type: boolean
        required: true
  av:
    title: AntiVirus Lookup
    description: Search for known malicious antiviruses
    input:
      antivirus:
        title: Antivirus
        type: string
        description: Antivirus to search
        required: true
    output:
      hashes:
        title: Hashes
        description: List of hashes
        type: '[]string'
        required: false
      references:
        title: References
        description: List of references
        type: '[]string'
        required: false
      permalink:
        title: Permalink
        description: Permalink URL
        type: string
        required: false
      found:
        title: Found
        description: Whether search returned results
        type: boolean
        required: true
  hash:
    title: Hash Lookup
    description: Search a hash string for malicious threats
    input:
      hash:
        title: Hash
        type: string
        description: Hash to search - MD5 and SHA1 supported
        required: true
    output:
      scans:
        title: Scans
        description: List of scans
        type: '[]string'
        required: false
      hashes:
        title: Hashes
        description: List of hashes
        type: '[]string'
        required: false
      ips:
        title: IPs
        description: List of IP addresses
        type: '[]string'
        required: false
      domains:
        title: Domains
        description: List of domains
        type: '[]string'
        required: false
      references:
        title: References
        description: List of references
        type: '[]string'
        required: false
      permalink:
        title: Permalink
        description: Permalink URL
        type: string
        required: false
      found:
        title: Found
        description: Whether search returned results
        type: boolean
        required: true
  votes:
    title: Vote
    description: Submit votes for malicious entities
    input:
      vote:
        title: Vote
        description: Vote malicious
        type: boolean
        required: true
      entity:
        title: Entity
        description: URL, Email or IP
        type: string
        required: true
    output:
      status:
        title: Status
        description: Status code, 200 is successful
        type: string
        required: true