The Wayback Machine - https://web.archive.org/web/20201228032227/https://github.com/RandomRhythm/Vendor-Threat-Triage-Lookup
Skip to content

/ Vendor-Threat-Triage-Lookup

Lookup file hashes, domain names and IP addresses using various vendors to assist with triaging potential threats.

6 stars 2 forks
Star
Watch
master
1 branch 0 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Misc
 
 
cache
 
 
tld
 
 
DDNS.dat
 
 
Import_GEOIP.vbs
 
 
Import_Tranco.vbs
 
 
README.md
 
 
VTTL.vbs
 
 
VTTL_GUI.exe
 
 
VendorList.txt
 
 
cc.dat
 
 
default.db
 
 
generics.alias
 
 
vttl.ini
 
 

README.md

Vendor Threat Triage Lookup (VTTL)

VTTL utilizes various vendors to lookup intelligence for threat triage.

VTTL Performs lookups for file hashes, IP addresses and domain names. Results are output to a CSV file. Supported vendor lookups include the following:

  • VirusTotal
  • AlienVault OTX
  • ThreatGRID
  • Emerging Threats ET Intelligence
  • Malshare
  • Cb Response
  • ThreatGRID
  • ThreatCrowd
  • ThreatIntelligenceAggregator (TIA)
  • RiskIQ
  • Collective Intelligence Framework (CIF)
  • Seclytics
  • Pulsedive
  • Quad9
  • ZEN RBL
  • cbl.abuseat.org
  • Zen DBL
  • SURBL
  • SORBS
  • Barracuda

Additional checks:

  • Reverse DNS
  • Reverse IP (lookup to document sample of associated domains)
  • Whois (often provided via APIs already listed)
    • ARIN (Must enable in INI)
    • RIPE (Must enable in INI)
  • Website category (from web proxy vendors)
  • Dynamic DNS
  • Tranco List
    • Requires SQLite database (included in default.db)
  • Geolocation (often provided via APIs already listed)
  • Registration date of domains
  • Sinkhole checks

Combine hash lookups with tool output from (requires MD5 hash values):

  • Sysinternals Sigcheck
  • Sysinternals Autorunsc
  • Cisco AMP for Networks
  • EnCase
  • CrowdStrike Falcon
  • Rhythm-CB-Scripts Hash Dump (Cb Response scripts)

Additional features:

  • Attempts to find the common name and type from VirusTotal detections
  • Scores antimalware detections into categories
    • Malware Score
    • Generic Score
    • PUA Score
    • Hacker Tool Score
    • Adjusted Malicious Score
  • Cache results to SQLite and files on disk
  • Whitelist known hashes
  • Blacklist known hashes
  • Track digital signatures (signatures can be provided via combine input or the VirusTotal API)
  • Track file path/vendor combination (file paths and vendor/company provided via combine input)
  • Exclude domain/subdomain/IP lookups
  • Detection name watchlist
  • URL watchlist (supports regex)
  • Keyword watchlist
  • IP/Domain watchlist

Tests:

  • dbltest.com - spamhaus.org DBL
  • test.surbl.org
  • 127.0.0.2 - SORBS, CBL abuseat, Barrucda, Spamhaus, ZEN RBL

Check out the wiki for more information.

About

Lookup file hashes, domain names and IP addresses using various vendors to assist with triaging potential threats.

Topics

virustotal threat-triage geoip whois-lookup sinkhole malware-research intelligence rbl dbl hashes seclytics threatgrid quad9 api domain-name ip-address-lookup query emerging threats otx

Resources

Readme

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.