README.md
8 additions & 0 deletions
@@ -123,6 +123,14 @@ For further Information see the [license file](https://misp.github.io/misp-modul
123
123
*[Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
124
124
*[Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
125
125
*[Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
126
+
*[RST Cloud Cobalt Strike Beacon](https://misp.github.io/misp-modules/expansion/#rst-cloud-cobalt-strike-beacon) - Scan a target for Cobalt Strike beacon configurations via RST Scan API.
127
+
*[RST Cloud Favicon](https://misp.github.io/misp-modules/expansion/#rst-cloud-favicon) - Fetch favicon image and hashes for Shodan/Netlas/Censys/FOFA pivoting via RST Scan API.
128
+
*[RST Cloud HTML Fetcher](https://misp.github.io/misp-modules/expansion/#rst-cloud-html-fetcher) - Fetch rendered HTML body or extracted JavaScript via RST Scan API.
129
+
*[RST Cloud IoC Lookup](https://misp.github.io/misp-modules/expansion/#rst-cloud-ioc-lookup) - Enrich indicators with RST Cloud threat intelligence.
130
+
*[RST Cloud Noise Control](https://misp.github.io/misp-modules/expansion/#rst-cloud-noise-control) - Check whether an indicator is known-good or noisy via RST Noise Control.
131
+
*[RST Cloud Screenshot](https://misp.github.io/misp-modules/expansion/#rst-cloud-screenshot) - Capture a page screenshot via RST Scan API.
132
+
*[RST Cloud SSL Certificate](https://misp.github.io/misp-modules/expansion/#rst-cloud-ssl-certificate) - Fetch TLS certificate as an x509 MISP object via RST Scan API.
133
+
*[RST Cloud Whois](https://misp.github.io/misp-modules/expansion/#rst-cloud-whois) - Retrieve parsed WHOIS for a domain via RST Cloud.
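Review bot: the eight new one-line descriptions, from RST Cloud Cobalt Strike Beacon through RST Cloud Whois, do not distinguish modules that connect to the indicator itself from modules that only look it up. "Scan a target", "Fetch favicon image", "Fetch rendered HTML body", "Capture a page screenshot" and "Fetch TLS certificate" all reach the target through RST Scan, while IoC Lookup, Noise Control and Whois read as database queries. Suggest marking the scanning modules as active in this list, since an analyst picking an enrichment needs to know when it generates traffic toward the indicator.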
>Probes the target for Cobalt Strike beacon configurations via RST Scan GET /scan/cs-beacon. On a hit, returns file MISP object(s) with pivotable SHA-256 hashes tagged to the Cobalt Strike galaxy.
2130
+
2131
+
- **config**:
2132
+
> - api_key
2133
+
> - base_url
2134
+
> - port
2135
+
> - timeout
2136
+
2137
+
- **input**:
2138
+
>IP, URL, domain, or hostname attribute (optional port via config).
2139
+
2140
+
- **output**:
2141
+
>file MISP object(s) with beacon hashes and Cobalt Strike galaxy tag.
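Review bot: the description and the output entry only cover the positive case ("On a hit, returns file MISP object(s) ..."). Nothing says what the module returns when no beacon configuration is found, or when the scan times out or the port is closed. Suggest documenting both, so an empty enrichment result cannot be mistaken for a clean verdict when the scan simply failed within the configured timeout.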
>Retrieves the favicon image and cryptographic hashes via RST Scan GET /scan/favicon. Returns a file MISP object with MD5/SHA-1/SHA-256 and a standalone Murmur3 favicon-hash attribute for Shodan/FOFA-style pivoting.
2161
+
2162
+
- **config**:
2163
+
> - api_key
2164
+
> - base_url
2165
+
> - timeout
2166
+
2167
+
- **input**:
2168
+
>URL, domain, hostname, or IP attribute.
2169
+
2170
+
- **output**:
2171
+
>file MISP object, favicon-hash attribute, and resolved favicon URL.
2172
+
2173
+
- **references**:
2174
+
>https://api.rstcloud.net/
2175
+
2176
+
- **requirements**:
2177
+
> - rstapi>=1.2.0 (PyPI)
2178
+
> - An RST Cloud API key
2179
+
2180
+
-----
2181
+
2182
+
#### [RST Cloud HTML Fetcher](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_html.py)
2183
+
2184
+
<img src=../logos/rstcloud.png height=60>
2185
+
2186
+
Fetch rendered HTML body or extracted JavaScript for a URL/IP target via RST Scan API.
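Review bot: the favicon description promises a "standalone Murmur3 favicon-hash attribute for Shodan/FOFA-style pivoting" but does not say what the hash is computed over. Shodan's http.favicon.hash is a 32-bit MurmurHash3 of the base64-encoded image, not of the raw bytes, so the documentation should state that the returned value follows that convention and can be pasted into those search engines as is. The README entry also names Shodan/Netlas/Censys/FOFA while this text names only Shodan/FOFA; pick one list.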
>Fetches the rendered HTML body or extracted JavaScript from the target via RST Scan. Returns a file MISP object with the page attached and pivotable content hashes. Configurable mode: body (default) or js.
2191
+
2192
+
- **config**:
2193
+
> - api_key
2194
+
> - base_url
2195
+
> - mode
2196
+
> - port
2197
+
> - timeout
2198
+
2199
+
- **input**:
2200
+
>URL, domain, hostname, or IP attribute (optional port via config).
2201
+
2202
+
- **output**:
2203
+
>file MISP object (page.html or page.js) with hashes and HTTP metadata.
2204
+
2205
+
- **references**:
2206
+
>https://api.rstcloud.net/
2207
+
2208
+
- **requirements**:
2209
+
> - rstapi>=1.2.0 (PyPI)
2210
+
> - An RST Cloud API key
2211
+
2212
+
-----
2213
+
2214
+
#### [RST Cloud IoC Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_ioc.py)
2215
+
2216
+
<img src=../logos/rstcloud.png height=60>
2217
+
2218
+
Enrich indicators with RST Cloud threat intelligence.
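Review bot: "Returns a file MISP object with the page attached" in the HTML Fetcher description does not say how page.html or page.js is stored. That content is served by the target and may be hostile, so the documentation should state whether it is added as a plain attachment or packaged the way MISP handles malware samples, and whether there is a size limit. The allowed values for mode (body, js) appear only in the description; list them next to the mode config key as well.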
>Queries RST Cloud GET /ioc for threat scores, attribution, geo/ASN, DNS, WHOIS, TTPs, CVEs, and related indicators. Returns a structured rst-ioc MISP object with galaxy tags and optional pivotable related hashes/IPs. When misp_url and misp_key are configured, also writes score/threat tags onto the enriched attribute via the MISP API.
2223
+
2224
+
- **config**:
2225
+
> - api_key
2226
+
> - base_url
2227
+
> - misp_url
2228
+
> - misp_key
2229
+
> - misp_verifycert
2230
+
2231
+
- **input**:
2232
+
>IP, domain, hostname, URL, or hash attribute (incl. host|port composites).
2233
+
2234
+
- **output**:
2235
+
>rst-ioc MISP object, galaxy/score tags, and optional related attributes.
2236
+
2237
+
- **references**:
2238
+
>https://api.rstcloud.net/
2239
+
>https://github.com/MISP/misp-objects/pull/526
2240
+
2241
+
- **requirements**:
2242
+
> - rstapi>=1.2.0 (PyPI)
2243
+
> - An RST Cloud API key
2244
+
> - rst-ioc object template installed on MISP ([misp-objects #526](https://github.com/MISP/misp-objects/pull/526))
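Review bot: the config list adds misp_url, misp_key and misp_verifycert without saying what the key must be permitted to do or what misp_verifycert defaults to. The module uses that key to write score/threat tags onto attributes through the MISP API, so suggest documenting the minimum permission it needs, recommending a dedicated key for the module, and stating the default for certificate verification. The rst-ioc template requirement points at a pull request rather than a misp-objects release; it is worth saying what the module returns when the template is not installed.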
>Queries RST Cloud GET /benign/lookup for benign/noisy verdicts. Returns an rst-noise MISP object with false-positive risk tags. When misp_url and misp_key are configured, also annotates the source attribute in place (tags, comment, to_ids, false-positive sightings).
2257
+
2258
+
- **config**:
2259
+
> - api_key
2260
+
> - base_url
2261
+
> - misp_url
2262
+
> - misp_key
2263
+
> - misp_verifycert
2264
+
2265
+
- **input**:
2266
+
>IP, domain, hostname, URL, or hash attribute (incl. host|port composites).
2267
+
2268
+
- **output**:
2269
+
>rst-noise MISP object with verdict, category, and risk/noise tags.
2270
+
2271
+
- **references**:
2272
+
>https://api.rstcloud.net/
2273
+
>https://github.com/MISP/misp-taxonomies/pull/335
2274
+
2275
+
- **requirements**:
2276
+
> - rstapi>=1.2.0 (PyPI)
2277
+
> - An RST Cloud API key
2278
+
> - rst-noise object template on MISP ([misp-objects #526](https://github.com/MISP/misp-objects/pull/526))
2279
+
> - rstcloud taxonomy on MISP ([misp-taxonomies #335](https://github.com/MISP/misp-taxonomies/pull/335))
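Review bot: the description lists to_ids and false-positive sightings among the in-place changes made when misp_url and misp_key are configured, but does not say which verdicts change to_ids or in which direction. That flag controls what is exported to detection tooling, so suggest spelling out the rule per verdict and stating explicitly that the module stays read-only toward the source attribute when misp_url and misp_key are left unset.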
>Connects to the target service and retrieves the TLS certificate via RST Scan GET /scan/ssl/certificate. Returns an x509 MISP object with pivotable fingerprints (SHA-1/256/MD5), subject, issuer, and validity dates.
2324
+
2325
+
- **config**:
2326
+
> - api_key
2327
+
> - base_url
2328
+
> - port
2329
+
> - timeout
2330
+
2331
+
- **input**:
2332
+
>IP, hostname, or domain attribute (optional port via config or composite).
2333
+
2334
+
- **output**:
2335
+
>x509 MISP object referencing the enriched attribute.
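Review bot: the input entry says "optional port via config or composite" but neither the config list nor the description gives the port used when none is supplied, or which composite attribute types are accepted. The Cobalt Strike Beacon and HTML Fetcher entries say "optional port via config" only, so the three port-taking modules read as behaving differently. Suggest stating the default port and the accepted composite types here, and aligning the wording across the modules if they share the same logic.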
>Queries RST Cloud GET /whois for parsed domain registration data. Returns a standard whois MISP object (registrar, registrant, dates, nameservers) linked back to the enriched attribute.
2355
+
2356
+
- **config**:
2357
+
> - api_key
2358
+
> - base_url
2359
+
2360
+
- **input**:
2361
+
>Domain or hostname attribute.
2362
+
2363
+
- **output**:
2364
+
>whois MISP object with registration and nameserver fields.
documentation/mkdocs/index.md
8 additions & 0 deletions
@@ -91,6 +91,14 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
91
91
*[RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
92
92
*[r7_akb](https://misp.github.io/misp-modules/expansion/#r7_akb) - Enrich CVEs via AttackerKB and return structured MISP events. Handles rate limits, regex CVE detection, and markdown cleanup.
93
93
*[Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
94
+
*[RST Cloud Cobalt Strike Beacon](https://misp.github.io/misp-modules/expansion/#rst-cloud-cobalt-strike-beacon) - Scan a target for Cobalt Strike beacon configurations via RST Scan API.
95
+
*[RST Cloud Favicon](https://misp.github.io/misp-modules/expansion/#rst-cloud-favicon) - Fetch favicon image and hashes for Shodan/Netlas/Censys/FOFA pivoting via RST Scan API.
96
+
*[RST Cloud HTML Fetcher](https://misp.github.io/misp-modules/expansion/#rst-cloud-html-fetcher) - Fetch rendered HTML body or extracted JavaScript via RST Scan API.
97
+
*[RST Cloud IoC Lookup](https://misp.github.io/misp-modules/expansion/#rst-cloud-ioc-lookup) - Enrich indicators with RST Cloud threat intelligence.
98
+
*[RST Cloud Noise Control](https://misp.github.io/misp-modules/expansion/#rst-cloud-noise-control) - Check whether an indicator is known-good or noisy via RST Noise Control.
99
+
*[RST Cloud Screenshot](https://misp.github.io/misp-modules/expansion/#rst-cloud-screenshot) - Capture a page screenshot via RST Scan API.
100
+
*[RST Cloud SSL Certificate](https://misp.github.io/misp-modules/expansion/#rst-cloud-ssl-certificate) - Fetch TLS certificate as an x509 MISP object via RST Scan API.
101
+
*[RST Cloud Whois](https://misp.github.io/misp-modules/expansion/#rst-cloud-whois) - Retrieve parsed WHOIS for a domain via RST Cloud.
94
102
*[Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
95
103
*[ReversingLabs Enrichment](https://misp.github.io/misp-modules/expansion/#reversinglabs-enrichment) - Module to enrich file hashes, domains, IPs and URLs with ReversingLabs Spectra Analyze threat intelligence.
96
104
*[Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
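Review bot: the RST Cloud block is inserted between "Real-time Blackhost Lists Lookup" and "Recorded Future Enrich", which breaks the alphabetical order of this list and differs from README.md, where the same eight entries are added after "Reverse DNS". Suggest moving the block below "Reverse DNS" here as well so the two lists stay in step.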