
Commit cc5ce93

Merge pull request #786 from k1r10n/main
Add RST Cloud modules and update dependencies
2 parents f369577 + cde2da8 commit cc5ce93

19 files changed

Lines changed: 2666 additions & 3 deletions

README.md

Lines changed: 8 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -123,6 +123,14 @@ For further Information see the [license file](https://misp.github.io/misp-modul
123123
* [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
124124
* [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
125125
* [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
126+
* [RST Cloud Cobalt Strike Beacon](https://misp.github.io/misp-modules/expansion/#rst-cloud-cobalt-strike-beacon) - Scan a target for Cobalt Strike beacon configurations via RST Scan API.
127+
* [RST Cloud Favicon](https://misp.github.io/misp-modules/expansion/#rst-cloud-favicon) - Fetch favicon image and hashes for Shodan/Netlas/Censys/FOFA pivoting via RST Scan API.
128+
* [RST Cloud HTML Fetcher](https://misp.github.io/misp-modules/expansion/#rst-cloud-html-fetcher) - Fetch rendered HTML body or extracted JavaScript via RST Scan API.
129+
* [RST Cloud IoC Lookup](https://misp.github.io/misp-modules/expansion/#rst-cloud-ioc-lookup) - Enrich indicators with RST Cloud threat intelligence.
130+
* [RST Cloud Noise Control](https://misp.github.io/misp-modules/expansion/#rst-cloud-noise-control) - Check whether an indicator is known-good or noisy via RST Noise Control.
131+
* [RST Cloud Screenshot](https://misp.github.io/misp-modules/expansion/#rst-cloud-screenshot) - Capture a page screenshot via RST Scan API.
132+
* [RST Cloud SSL Certificate](https://misp.github.io/misp-modules/expansion/#rst-cloud-ssl-certificate) - Fetch TLS certificate as an x509 MISP object via RST Scan API.
133+
* [RST Cloud Whois](https://misp.github.io/misp-modules/expansion/#rst-cloud-whois) - Retrieve parsed WHOIS for a domain via RST Cloud.
126134
* [ReversingLabs Spectra Analyze](https://misp.github.io/misp-modules/expansion/#reversinglabs-spectra-analyze) - Threat intelligence enrichment module
127135
* [SecurityTrails Lookup](https://misp.github.io/misp-modules/expansion/#securitytrails-lookup) - An expansion modules for SecurityTrails.
128136
* [Shodan Lookup](https://misp.github.io/misp-modules/expansion/#shodan-lookup) - Module to query on Shodan.
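Review bot: the new RST Cloud Favicon entry describes pivoting via "Shodan/Netlas/Censys/FOFA", while the description line added for the same module in documentation/mkdocs/expansion.md in this commit says "Shodan/Netlas/Censys" and its features text says "Shodan/FOFA-style"; the three wordings should agree, ideally by using one sentence for the README, index and expansion pages. The SSL Certificate entry has the same drift in miniature: the module is named "RST Cloud SSL Certificate" but the entry (correctly) talks about a TLS certificate and an x509 object, so consider naming the module "TLS Certificate" or mentioning both terms so a search for either finds it.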

documentation/logos/rstcloud.png

27.7 KB

documentation/mkdocs/expansion.md

Lines changed: 254 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -2118,6 +2118,260 @@ Module to check an IPv4 address against known RBLs.
21182118

21192119
-----
21202120

2121+
#### [RST Cloud Cobalt Strike Beacon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_cs_beacon.py)
2122+
2123+
<img src=../logos/rstcloud.png height=60>
2124+
2125+
Scan a target IP[:port] for a Cobalt Strike beacon configuration via RST Scan API.
2126+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_cs_beacon.py)]
2127+
2128+
- **features**:
2129+
>Probes the target for Cobalt Strike beacon configurations via RST Scan GET /scan/cs-beacon. On a hit, returns file MISP object(s) with pivotable SHA-256 hashes tagged to the Cobalt Strike galaxy.
2130+
2131+
- **config**:
2132+
> - api_key
2133+
> - base_url
2134+
> - port
2135+
> - timeout
2136+
2137+
- **input**:
2138+
>IP, URL, domain, or hostname attribute (optional port via config).
2139+
2140+
- **output**:
2141+
>file MISP object(s) with beacon hashes and Cobalt Strike galaxy tag.
2142+
2143+
- **references**:
2144+
>https://api.rstcloud.net/
2145+
2146+
- **requirements**:
2147+
> - rstapi>=1.2.0 (PyPI)
2148+
> - An RST Cloud API key
2149+
2150+
-----
2151+
2152+
#### [RST Cloud Favicon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_favicon.py)
2153+
2154+
<img src=../logos/rstcloud.png height=60>
2155+
2156+
Fetch a target's favicon (image + all hashes for Shodan/Netlas/Censys pivoting) via RST Scan API.
2157+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_favicon.py)]
2158+
2159+
- **features**:
2160+
>Retrieves the favicon image and cryptographic hashes via RST Scan GET /scan/favicon. Returns a file MISP object with MD5/SHA-1/SHA-256 and a standalone Murmur3 favicon-hash attribute for Shodan/FOFA-style pivoting.
2161+
2162+
- **config**:
2163+
> - api_key
2164+
> - base_url
2165+
> - timeout
2166+
2167+
- **input**:
2168+
>URL, domain, hostname, or IP attribute.
2169+
2170+
- **output**:
2171+
>file MISP object, favicon-hash attribute, and resolved favicon URL.
2172+
2173+
- **references**:
2174+
>https://api.rstcloud.net/
2175+
2176+
- **requirements**:
2177+
> - rstapi>=1.2.0 (PyPI)
2178+
> - An RST Cloud API key
2179+
2180+
-----
2181+
2182+
#### [RST Cloud HTML Fetcher](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_html.py)
2183+
2184+
<img src=../logos/rstcloud.png height=60>
2185+
2186+
Fetch rendered HTML body or extracted JavaScript for a URL/IP target via RST Scan API.
2187+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_html.py)]
2188+
2189+
- **features**:
2190+
>Fetches the rendered HTML body or extracted JavaScript from the target via RST Scan. Returns a file MISP object with the page attached and pivotable content hashes. Configurable mode: body (default) or js.
2191+
2192+
- **config**:
2193+
> - api_key
2194+
> - base_url
2195+
> - mode
2196+
> - port
2197+
> - timeout
2198+
2199+
- **input**:
2200+
>URL, domain, hostname, or IP attribute (optional port via config).
2201+
2202+
- **output**:
2203+
>file MISP object (page.html or page.js) with hashes and HTTP metadata.
2204+
2205+
- **references**:
2206+
>https://api.rstcloud.net/
2207+
2208+
- **requirements**:
2209+
> - rstapi>=1.2.0 (PyPI)
2210+
> - An RST Cloud API key
2211+
2212+
-----
2213+
2214+
#### [RST Cloud IoC Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_ioc.py)
2215+
2216+
<img src=../logos/rstcloud.png height=60>
2217+
2218+
Enrich indicators with RST Cloud threat intelligence.
2219+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_ioc.py)]
2220+
2221+
- **features**:
2222+
>Queries RST Cloud GET /ioc for threat scores, attribution, geo/ASN, DNS, WHOIS, TTPs, CVEs, and related indicators. Returns a structured rst-ioc MISP object with galaxy tags and optional pivotable related hashes/IPs. When misp_url and misp_key are configured, also writes score/threat tags onto the enriched attribute via the MISP API.
2223+
2224+
- **config**:
2225+
> - api_key
2226+
> - base_url
2227+
> - misp_url
2228+
> - misp_key
2229+
> - misp_verifycert
2230+
2231+
- **input**:
2232+
>IP, domain, hostname, URL, or hash attribute (incl. host|port composites).
2233+
2234+
- **output**:
2235+
>rst-ioc MISP object, galaxy/score tags, and optional related attributes.
2236+
2237+
- **references**:
2238+
>https://api.rstcloud.net/
2239+
>https://github.com/MISP/misp-objects/pull/526
2240+
2241+
- **requirements**:
2242+
> - rstapi>=1.2.0 (PyPI)
2243+
> - An RST Cloud API key
2244+
> - rst-ioc object template installed on MISP ([misp-objects #526](https://github.com/MISP/misp-objects/pull/526))
2245+
2246+
-----
2247+
2248+
#### [RST Cloud Noise Control](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_noise_control.py)
2249+
2250+
<img src=../logos/rstcloud.png height=60>
2251+
2252+
Check whether a value is known-good / noise via RST Noise Control.
2253+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_noise_control.py)]
2254+
2255+
- **features**:
2256+
>Queries RST Cloud GET /benign/lookup for benign/noisy verdicts. Returns an rst-noise MISP object with false-positive risk tags. When misp_url and misp_key are configured, also annotates the source attribute in place (tags, comment, to_ids, false-positive sightings).
2257+
2258+
- **config**:
2259+
> - api_key
2260+
> - base_url
2261+
> - misp_url
2262+
> - misp_key
2263+
> - misp_verifycert
2264+
2265+
- **input**:
2266+
>IP, domain, hostname, URL, or hash attribute (incl. host|port composites).
2267+
2268+
- **output**:
2269+
>rst-noise MISP object with verdict, category, and risk/noise tags.
2270+
2271+
- **references**:
2272+
>https://api.rstcloud.net/
2273+
>https://github.com/MISP/misp-taxonomies/pull/335
2274+
2275+
- **requirements**:
2276+
> - rstapi>=1.2.0 (PyPI)
2277+
> - An RST Cloud API key
2278+
> - rst-noise object template on MISP ([misp-objects #526](https://github.com/MISP/misp-objects/pull/526))
2279+
> - rstcloud taxonomy on MISP ([misp-taxonomies #335](https://github.com/MISP/misp-taxonomies/pull/335))
2280+
2281+
-----
2282+
2283+
#### [RST Cloud Screenshot](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_screenshot.py)
2284+
2285+
<img src=../logos/rstcloud.png height=60>
2286+
2287+
Capture a page screenshot of a URL/IP target via RST Scan API.
2288+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_screenshot.py)]
2289+
2290+
- **features**:
2291+
>Renders the target page and returns a PNG screenshot as an image MISP object (inline in MISP). Configurable frame: first, full (default), or last.
2292+
2293+
- **config**:
2294+
> - api_key
2295+
> - base_url
2296+
> - frame
2297+
> - port
2298+
> - timeout
2299+
2300+
- **input**:
2301+
>URL, domain, hostname, or IP attribute (optional port via config).
2302+
2303+
- **output**:
2304+
>image MISP object with PNG attachment linked to the enriched attribute.
2305+
2306+
- **references**:
2307+
>https://api.rstcloud.net/
2308+
2309+
- **requirements**:
2310+
> - rstapi>=1.2.0 (PyPI)
2311+
> - An RST Cloud API key
2312+
2313+
-----
2314+
2315+
#### [RST Cloud SSL Certificate](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_ssl.py)
2316+
2317+
<img src=../logos/rstcloud.png height=60>
2318+
2319+
Fetch the SSL certificate for an IP[:port] as an x509 object via RST Scan API.
2320+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_ssl.py)]
2321+
2322+
- **features**:
2323+
>Connects to the target service and retrieves the TLS certificate via RST Scan GET /scan/ssl/certificate. Returns an x509 MISP object with pivotable fingerprints (SHA-1/256/MD5), subject, issuer, and validity dates.
2324+
2325+
- **config**:
2326+
> - api_key
2327+
> - base_url
2328+
> - port
2329+
> - timeout
2330+
2331+
- **input**:
2332+
>IP, hostname, or domain attribute (optional port via config or composite).
2333+
2334+
- **output**:
2335+
>x509 MISP object referencing the enriched attribute.
2336+
2337+
- **references**:
2338+
>https://api.rstcloud.net/
2339+
2340+
- **requirements**:
2341+
> - rstapi>=1.2.0 (PyPI)
2342+
> - An RST Cloud API key
2343+
2344+
-----
2345+
2346+
#### [RST Cloud Whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_whois.py)
2347+
2348+
<img src=../logos/rstcloud.png height=60>
2349+
2350+
Retrieve parsed WHOIS information for a domain via RST Cloud.
2351+
[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rst_whois.py)]
2352+
2353+
- **features**:
2354+
>Queries RST Cloud GET /whois for parsed domain registration data. Returns a standard whois MISP object (registrar, registrant, dates, nameservers) linked back to the enriched attribute.
2355+
2356+
- **config**:
2357+
> - api_key
2358+
> - base_url
2359+
2360+
- **input**:
2361+
>Domain or hostname attribute.
2362+
2363+
- **output**:
2364+
>whois MISP object with registration and nameserver fields.
2365+
2366+
- **references**:
2367+
>https://api.rstcloud.net/
2368+
2369+
- **requirements**:
2370+
> - rstapi>=1.2.0 (PyPI)
2371+
> - An RST Cloud API key
2372+
2373+
-----
2374+
21212375
#### [Recorded Future Enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py)
21222376
21232377
<img src=../logos/recordedfuture.png height=60>
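Review bot: the config blocks for RST Cloud IoC Lookup and RST Cloud Noise Control list misp_url, misp_key and misp_verifycert without saying what the key is used for or what permission it needs, yet the features text says that with these set the module writes tags, a comment, to_ids and false-positive sightings back onto the source attribute through the MISP API; the docs should state that misp_key therefore needs write access on the MISP instance (a dedicated, least-privilege key rather than an admin key), that leaving it unset keeps the module read-only, and what misp_verifycert defaults to, because an enrichment module modifying attributes in place is behaviour operators must opt into knowingly. Two smaller points in the same hunk: the five RST Scan modules (Cobalt Strike Beacon, Favicon, HTML Fetcher, Screenshot, SSL Certificate) have RST Scan connect to the target on the operator's behalf, so each description should say explicitly that enriching an attribute triggers a third-party probe of that indicator; and port and timeout appear in several config lists without their defaults, while mode ("body (default)") and frame ("full (default)") do document theirs.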

documentation/mkdocs/index.md

Lines changed: 8 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -91,6 +91,14 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
9191
* [RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
9292
* [r7_akb](https://misp.github.io/misp-modules/expansion/#r7_akb) - Enrich CVEs via AttackerKB and return structured MISP events. Handles rate limits, regex CVE detection, and markdown cleanup.
9393
* [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
94+
* [RST Cloud Cobalt Strike Beacon](https://misp.github.io/misp-modules/expansion/#rst-cloud-cobalt-strike-beacon) - Scan a target for Cobalt Strike beacon configurations via RST Scan API.
95+
* [RST Cloud Favicon](https://misp.github.io/misp-modules/expansion/#rst-cloud-favicon) - Fetch favicon image and hashes for Shodan/Netlas/Censys/FOFA pivoting via RST Scan API.
96+
* [RST Cloud HTML Fetcher](https://misp.github.io/misp-modules/expansion/#rst-cloud-html-fetcher) - Fetch rendered HTML body or extracted JavaScript via RST Scan API.
97+
* [RST Cloud IoC Lookup](https://misp.github.io/misp-modules/expansion/#rst-cloud-ioc-lookup) - Enrich indicators with RST Cloud threat intelligence.
98+
* [RST Cloud Noise Control](https://misp.github.io/misp-modules/expansion/#rst-cloud-noise-control) - Check whether an indicator is known-good or noisy via RST Noise Control.
99+
* [RST Cloud Screenshot](https://misp.github.io/misp-modules/expansion/#rst-cloud-screenshot) - Capture a page screenshot via RST Scan API.
100+
* [RST Cloud SSL Certificate](https://misp.github.io/misp-modules/expansion/#rst-cloud-ssl-certificate) - Fetch TLS certificate as an x509 MISP object via RST Scan API.
101+
* [RST Cloud Whois](https://misp.github.io/misp-modules/expansion/#rst-cloud-whois) - Retrieve parsed WHOIS for a domain via RST Cloud.
94102
* [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
95103
* [ReversingLabs Enrichment](https://misp.github.io/misp-modules/expansion/#reversinglabs-enrichment) - Module to enrich file hashes, domains, IPs and URLs with ReversingLabs Spectra Analyze threat intelligence.
96104
* [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
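Review bot: these are the same eight entries added to README.md earlier in this commit, but at a different position in the list: here they follow Real-time Blackhost Lists Lookup and precede Recorded Future Enrich, whereas in README.md they follow Reverse DNS and precede ReversingLabs Spectra Analyze. If the two pages are meant to stay in sync they should be produced from one source, or at least use the same ordering rule, so the next module addition does not have to guess which of the two placements is canonical.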
Lines changed: 19 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,19 @@
1+
"""Shared RST Cloud helpers for expansion modules (not registered)."""
2+
3+
from .client import ( # noqa: F401
4+
apply_to_source_attribute,
5+
error,
6+
host_only,
7+
misp_event_with_source,
8+
new_enrichment_object,
9+
rst_kwargs,
10+
rst_resolver_from_config,
11+
scan_group,
12+
scan_kwargs,
13+
scan_target,
14+
standard_results,
15+
text_result,
16+
threat_tags,
17+
unwrap,
18+
value_from_request,
19+
)
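Review bot: the `# noqa: F401` on the `from .client import (...)` block silences the unused-import warning for what is really a re-export; declaring `__all__` with the same fifteen names documents the package's public surface and lets linters treat the import as an intentional re-export without the noqa. The docstring's "(not registered)" is doing a lot of work here: it would help to say in the docstring how this helper package is kept out of module discovery (naming convention, location, or loader filter), so that a later refactor does not accidentally turn it into something the expansion loader tries to register as a module.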
