2edb3ec
initial commit
peasead Jun 29, 2021
461c3d1
sane folder name
peasead Jun 29, 2021
ff3d423
created artifact shells
peasead Jun 29, 2021
cab5834
Create mozi-obfuscation-technique.yara
peasead Jun 29, 2021
6fcbc8e
Update README.MD
peasead Jun 29, 2021
6f436eb
Update README.MD
peasead Jun 29, 2021
87b164d
Update README.MD
peasead Jun 29, 2021
6f00eda
Create pipeline.json for Elasticsearch ingest
dcode Jun 30, 2021
1708c65
Update README.MD
peasead Jun 30, 2021
0dcc04f
Merge pull request #1 from dcode/patch-1
peasead Jun 30, 2021
3b66969
Rename pipeline.json to ingest-node-pipeline.json
peasead Jun 30, 2021
0404ed4
Delete ingest-pipeline.yml
peasead Jun 30, 2021
2de0ddc
Update README.MD
peasead Jun 30, 2021
fa32ea9
Update README.MD
peasead Jun 30, 2021
cf0222d
Update ingest-node-pipeline.json
peasead Jul 1, 2021
af152ab
Updates ingest pipeline and index creation
dcode Jul 1, 2021
82a4fc3
Merge pull request #2 from dcode/blog/mozin-about
peasead Jul 1, 2021
8203c3a
Update send-data.sh
peasead Jul 1, 2021
f8dc136
Delete collection-script.sh
peasead Jul 1, 2021
c35e4b2
Rename send-data.sh to collection.sh
peasead Jul 1, 2021
94e99c8
Update README.MD
peasead Jul 1, 2021
1fd1cd4
Update collection.sh
peasead Jul 1, 2021
ea1a21f
updates
peasead Jul 1, 2021
23c1aab
Delete mozi-raw.json
peasead Jul 1, 2021
0933aeb
Create matching Kibana index pattern by API
dcode Jul 1, 2021
c659733
Merge pull request #3 from dcode/blog/mozin-about
peasead Jul 1, 2021
3d345e5
Merge pull request #5 from peasead/master
peasead Jul 1, 2021
fa42beb
Update README.MD
peasead Jul 1, 2021
8568556
Fix yara syntax
dcode Jul 1, 2021
eb79c3e
Fix spacing
dcode Jul 1, 2021
3fd6f96
Merge pull request #6 from dcode/blog/mozin-about
peasead Jul 1, 2021
ef1cbf7
Update mozi-obfuscation-technique.yara
peasead Jul 1, 2021
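--- a/blog/mozin-about/README.MD
+++ b/blog/mozin-about/README.MD
@@ -0,0 +1,28 @@
+# Mozi'n About
+
+## Abstract
+The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.
+
+## URL
+https://www.elastic.co/blog/[tbd]
+
+## Usage
+
+To load the sample data, you need a local instance of Elasticsearch and Kibana. If you are using anything beyond a default local deployment, you'll need to modify `collection.sh` to match your deployment.
+
+```
+git clone https://github.com/elastic/examples
+cd examples/blog/mozin-about
+sh clollection.sh
+```
+Log into your Kibana instance to explore the data in the `indicators` Index Pattern.
+
+## Artifacts
+Artifacts and code snippets from the blog post.
+
+| Artifact | Description | Note |
+| - | - | - |
+| [Mozi Collection Script](./collection.sh) | Script to collect Mozi samples and send to Elasticsearch |
+| [Ingest Node Pipeline](./ingest-node-pipeline.json) | ThreatFox Ingest Node Pipeline |
+| [Index Settings](./index-settings.json) | Settings for the Indicators index |
+| [YARA Signature](./mozi-obfuscation-technique.yara) | Mozi obfuscation technique YARA signature |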
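--- a/blog/mozin-about/collection.sh
+++ b/blog/mozin-about/collection.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Collect Mozi sample data
+curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Mozi", "limit": 1000 }' > mozi-raw.json
+
+# Local Elasticsearch & Kibana
+ES_HOST='http://elastic:password@localhost:9200'
+KBN_HOST='http://elastic:password@localhost:5601'
+
+# Elastic Cloud
+# ES_HOST='https://elastic:changeme@abcdef0123456789abcdef0123456789.us-central1.gcp.cloud.es.io:9243'
+# KBN_HOST='https://elastic:changeme@0123456789abcdef01234567890abcdef.us-central1.gcp.cloud.es.io:9243'
+
+# Create the Threat Fox Ingest Pipeline
+curl -XPUT ${ES_HOST}/_ingest/pipeline/threatfox-enrichment -H 'Content-Type: application/json' -d@ingest-node-pipeline.json
+
+# Creates a new index called 'indicators' with the given settings
+curl -XPUT ${ES_HOST}/indicators -H 'Content-Type: application/json' -d@index-settings.json
+
+# Ingests raw data from the cURL response of Threat Fox in the file listed, then does a bulk upload to ES
+cat mozi-raw.json | jq -c -r '.data[]' | \
+while read line; do
+echo '{"index":{}}';
+echo $line;
+done | \
+curl --silent -XPOST \
+-H 'Content-Type: application/x-ndjson' \
+--data-binary \
+@- \
+${ES_HOST}/indicators/_doc/_bulk
+
+# Create Kibana index pattern
+curl -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+${KBN_HOST}/api/index_patterns/index_pattern -d'
+{
+"override": false,
+"refresh_fields": true,
+"index_pattern": {
+"title": "indicators*",
+"timeFieldName": "event.ingested"
+}
+}'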
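Review bot: The bulk loop at `while read line; do ... echo $line;` hands third-party feed records to the shell unquoted: `read` without `-r` strips backslashes from JSON escape sequences, and the unquoted `$line` undergoes word splitting and glob expansion, so a record containing `\"`, `*` or runs of spaces reaches Elasticsearch altered or is rejected by the bulk endpoint. Change the two lines to `while IFS= read -r line; do` and `printf '%s\n' "$line";`. Separately, `ES_HOST` and `KBN_HOST` embed `elastic:password` in the URL, which exposes the credential in the process list and shell history of every `curl` invocation; reading it from an environment variable or a curl `--netrc` file keeps it out of the committed script. The first `curl` also has no `--fail`, so a failed ThreatFox request leaves an error body in `mozi-raw.json` that `jq '.data[]'` then errors on instead of stopping the run.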
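--- a/blog/mozin-about/index-settings.json
+++ b/blog/mozin-about/index-settings.json
@@ -0,0 +1,159 @@
+{
+"settings": {
+"number_of_shards": 1,
+"default_pipeline": "threatfox-enrichment"
+},
+"mappings": {
+"properties": {
+"event": {
+"properties": {
+"category": {
+"type": "keyword"
+},
+"id": {
+"type": "keyword"
+},
+"ingested": {
+"type": "date"
+},
+"kind": {
+"type": "keyword"
+},
+"provider": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"file": {
+"properties": {
+"hash": {
+"properties": {
+"sha256": {
+"type": "keyword"
+}
+}
+}
+}
+},
+"related": {
+"properties": {
+"hash": {
+"type": "keyword"
+},
+"ip": {
+"type": "ip"
+}
+}
+},
+"tags": {
+"type": "keyword"
+},
+"threat": {
+"properties": {
+"indicator": {
+"properties": {
+"confidence": {
+"type": "long"
+},
+"description": {
+"type": "text"
+},
+"first_seen": {
+"type": "date"
+},
+"last_seen": {
+"type": "date"
+},
+"geo": {
+"properties": {
+"city_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"continent_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"country_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"location": {
+"type": "geo_point"
+},
+"name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_iso_code": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"region_name": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"timezone": {
+"type": "keyword",
+"ignore_above": 1024
+},
+"asn": {
+"type": "long"
+},
+"organization_name": {
+"type": "text",
+"fields": {
+"keyword": {
+"type": "keyword",
+"ignore_above": 256
+}
+}
+}
+}
+},
+"ip": {
+"type": "ip"
+},
+"port": {
+"type": "long"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"software": {
+"properties": {
+"name": {
+"type": "keyword"
+},
+"reference": {
+"type": "keyword"
+},
+"type": {
+"type": "keyword"
+}
+}
+},
+"threatfox": {
+"properties": {
+"malware_printable": {
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}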
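Review bot: The `mappings` object carries no `dynamic` setting, so any field in a ThreatFox record that is not listed here is mapped automatically on first sight, and a third-party feed can then grow the mapping or pin an unexpected type for a field. If the ingest pipeline is meant to be the only source of indexed fields, `"mappings": { "dynamic": false, "properties": { ... } }` (or `"strict"` to reject such documents outright) makes that explicit; whether the pipeline removes the raw feed fields cannot be seen from this file. The `settings` block sets `number_of_shards` but not `number_of_replicas`, and on the single-node local deployment the README describes the default replica count leaves the index yellow, so `"number_of_replicas": 0` is worth adding for that case. The `ignore_above` guard applied to the `geo` keywords is missing from the other keyword fields (`event.*`, `related.hash`, `tags`, `threat.software.*`), which is inconsistent for fields populated from the same feed.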