@weslambert
Last active July 29, 2022 19:39
Calculate a Gimphash for all Golang-based binaries and perform a lookup to MalwareBazaar
// Gimphash Generation and MalwareBazaar Lookup - @weslambert
//
// Description:
//
// - Leverages the built-in YARA functionality to identify Golang-based binaries
// - Generates a Gimphash for each binary (https://github.com/NextronSystems/gimphash)
// - Queries MalwareBazaar for each Gimphash (https://bazaar.abuse.ch/api/#gimphash)
//
// References:
//
// Velociraptor Gimphash artifact -- https://docs.velociraptor.app/exchange/artifacts/pages/exchange.server.enrichment.gimphash/
// Velociraptor MalwareBazaar artifact -- https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.malwarebazaar/
// YARA rule for detecting Golang binaries -- https://raw.githubusercontent.com/SentineLabs/AlphaGolang/main/0.identify_go_binaries.yara

// Golang binary identification: scan every .exe matching the glob with the AlphaGolang YARA rule
LET PathGlob <= '''C:\Users\Admin\Downloads\*.exe'''

LET GoBins = SELECT FullPath
  FROM Artifact.Generic.Detection.Yara.Glob(
    PathGlob=PathGlob,
    YaraUrl='https://raw.githubusercontent.com/SentineLabs/AlphaGolang/main/0.identify_go_binaries.yara')

// All of the Gimphashes produced by the Gimphash enrichment artifact, one row per Go binary
LET Hashes = SELECT * FROM foreach(
  row=GoBins,
  query={
    SELECT File, Gimphash
    FROM Artifact.Exchange.Server.Enrichment.Gimphash(File=FullPath)
  })

// Query MalwareBazaar for each Gimphash and keep only the lookups that returned a result (query_status "ok")
SELECT * FROM foreach(
  row=Hashes,
  query={
    SELECT File, Gimphash,
      { SELECT * FROM Artifact.Exchange.Server.Enrichment.MalwareBazaar(Hash=Gimphash, HashType="Gimphash") } AS `MalwareBazaar Results`
    FROM scope()
    WHERE `MalwareBazaar Results`._Content.query_status = "ok"
  })
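The Python below is an added, offline walk-through of the same three steps the VQL runs on a Velociraptor server (identify Go-built binaries, attach a gimphash to each, look it up on MalwareBazaar and keep only rows whose query_status is "ok"). It is not code from the gist, from Velociraptor or from the gimphash project. Assumptions: the Go check is a stand-in for the AlphaGolang YARA rule and keys on the pclntab header magic and the Go 1.13+ build-info magic; the gimphash values themselves are computed elsewhere (the gimphash tool or the Velociraptor artifact) and passed in as constructed placeholders; the MalwareBazaar request shape (query=get_gimphash, gimphash=...) follows the public API documentation, and no network call is made, so the sample responses are constructed too.

```python
"""Offline walk-through of the gist's pipeline: Go detection, gimphash
attachment, MalwareBazaar lookup, filter on query_status == "ok".

Added example, not code from the gist, Velociraptor or gimphash. The Go
detection, the placeholder hashes and the API responses are constructed
stand-ins; the request form shape is assumed from the MalwareBazaar API docs.
"""
import re
from typing import Callable, Dict, List

# pclntab header: 4-byte magic, two zero bytes, instruction quantum (1/2/4),
# pointer size (4/8). Magics: Go 1.2-1.15 (FB), 1.16-1.17 (FA), 1.18-1.19 (F0),
# 1.20+ (F1), written as they appear in little-endian binaries.
_PCLNTAB_MAGICS = (b"\xfb\xff\xff\xff", b"\xfa\xff\xff\xff",
                   b"\xf0\xff\xff\xff", b"\xf1\xff\xff\xff")
_PCLNTAB_RE = re.compile(
    b"(?:" + b"|".join(re.escape(m) for m in _PCLNTAB_MAGICS) + b")"
    + b"\x00\x00[\x01\x02\x04][\x04\x08]")
_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # Go 1.13+ .go.buildinfo header
_BUILD_ID = b"Go build ID: \""           # linker-emitted build ID marker


def is_go_binary(data: bytes) -> bool:
    """Heuristic stand-in for the YARA rule: any one Go marker is enough."""
    return (_PCLNTAB_RE.search(data) is not None
            or _BUILDINFO_MAGIC in data
            or _BUILD_ID in data)


def go_binaries(files: Dict[str, bytes]) -> List[str]:
    """Equivalent of the GoBins query: paths whose content looks Go-built."""
    return [path for path, data in files.items() if is_go_binary(data)]


MB_API_URL = "https://mb-api.abuse.ch/api/v1/"


def build_lookup_request(gimphash: str) -> Dict[str, str]:
    """Form body for a MalwareBazaar gimphash lookup (assumed API shape).

    A gimphash is a SHA-256 hex digest; reject anything else up front so a
    stray path or empty string never becomes a wasted (and logged) query.
    """
    if not re.fullmatch(r"[0-9a-f]{64}", gimphash):
        raise ValueError("gimphash must be 64 lowercase hex characters")
    return {"query": "get_gimphash", "gimphash": gimphash}


def select_hits(rows: List[Dict]) -> List[Dict]:
    """Mirror of the VQL WHERE clause: keep rows whose lookup status is "ok"."""
    return [r for r in rows
            if r["MalwareBazaar Results"].get("query_status") == "ok"]


def run_pipeline(files: Dict[str, bytes], gimphashes: Dict[str, str],
                 lookup: Callable[[Dict[str, str]], Dict]) -> List[Dict]:
    """Chain the three steps; `lookup` posts the form and returns parsed JSON."""
    rows = []
    for path in go_binaries(files):
        h = gimphashes.get(path)
        if h is None:   # no hash could be computed (stripped, packed, ...)
            continue
        rows.append({"File": path, "Gimphash": h,
                     "MalwareBazaar Results": lookup(build_lookup_request(h))})
    return select_hits(rows)


# --- Constructed sample input: not real binaries, hashes or API responses ---
GO_FILE_A = r"C:\Users\Admin\Downloads\a.exe"
GO_FILE_B = r"C:\Users\Admin\Downloads\b.exe"
NOT_GO = r"C:\Users\Admin\Downloads\c.exe"
SAMPLE_FILES = {
    GO_FILE_A: b"MZ" + b"\x00" * 64 + b"\xf1\xff\xff\xff\x00\x00\x01\x08"
               + b"\x00" * 16 + b"runtime.main\x00",            # Go 1.20+ pclntab
    GO_FILE_B: b"MZ" + b"\x00" * 64 + b"\xff Go buildinf:\x08\x02" + b"\x00" * 32,
    NOT_GO:    b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode",
}
SAMPLE_GIMPHASHES = {GO_FILE_A: "a" * 64, GO_FILE_B: "b" * 64}
SAMPLE_RESPONSES = {
    "a" * 64: {"query_status": "ok", "data": [{"file_type": "exe"}]},
    "b" * 64: {"query_status": "no_results"},
}


def fake_lookup(form: Dict[str, str]) -> Dict:
    """Stand-in for `requests.post(MB_API_URL, data=form, timeout=30).json()`."""
    assert form["query"] == "get_gimphash"
    return SAMPLE_RESPONSES.get(form["gimphash"], {"query_status": "no_results"})


if __name__ == "__main__":
    for hit in run_pipeline(SAMPLE_FILES, SAMPLE_GIMPHASHES, fake_lookup):
        print(hit["File"], hit["Gimphash"], hit["MalwareBazaar Results"]["query_status"])
```

Swapping `fake_lookup` for a real `requests.post(MB_API_URL, data=form, timeout=30).json()` turns this into the live query. Note that the filter, exactly like the WHERE clause in the VQL, silently discards every row whose status is not "ok", so a rate-limit or transport failure looks the same as "no match"; log the non-"ok" statuses before dropping them if you need to tell the two apart.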