Cuckoo

Integration version: 10.0

Configure the Cuckoo integration in Google Security Operations

Configure the Cuckoo integration with a CA certificate

If needed, you can verify the connection with a CA certificate file.

Before you begin, make sure you have the following:

  • CA certificate file
  • Latest version of the Cuckoo integration

To configure the integration with a CA certificate, complete the following steps:

  1. Parse the CA certificate file into a Base64 string.
  2. Open the integration configuration parameters page.
  3. Insert the string into the CA Certificate File field.
  4. To test that the integration is configured successfully, select the Verify SSL checkbox and click Test.
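As an added example (not part of this page and not the integration's own code), the following Python shows step 1 together with the check a practitioner would want before trusting the parameter: it encodes the PEM file into the Base64 string, decodes that string back into a file a TLS client can use as a CA bundle, and assembles the connection settings for the Ping action. It assumes the Cuckoo 2.x REST API's GET /cuckoo/status endpoint and its "Authorization: Bearer <token>" header; PLACEHOLDER_PEM is a constructed stand-in, not a real certificate.

```python
"""Prepare the "CA Certificate File" parameter and the connection settings for
the Cuckoo REST API (added example; not the integration's own code).

Assumptions: the parameter holds the PEM file as one Base64 string (step 1);
Cuckoo 2.x exposes GET /cuckoo/status and reads the API token from an
"Authorization: Bearer <token>" header; PLACEHOLDER_PEM is a constructed
stand-in, not a real certificate.
"""
import base64
import os
import tempfile
from typing import Any, Dict, Optional

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed placeholder standing in for the CA file you would read from disk.
PLACEHOLDER_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"UExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==\n"
    b"-----END CERTIFICATE-----\n"
)


def pem_to_base64(pem_bytes: bytes) -> str:
    """Step 1: turn the CA file into the Base64 string the parameter field expects.
    Refuses input that is not PEM, so a wrong file (a DER blob or a private key)
    is caught before it is pasted into the configuration."""
    if PEM_HEADER not in pem_bytes or PEM_FOOTER not in pem_bytes:
        raise ValueError("input is not a PEM-encoded certificate")
    return base64.b64encode(pem_bytes).decode("ascii")


def base64_to_ca_path(b64_param: str) -> str:
    """Reverse of step 1, as a client must do before it can verify TLS:
    decode the parameter and write it to a file usable as a CA bundle."""
    pem_bytes = base64.b64decode(b64_param, validate=True)
    if PEM_HEADER not in pem_bytes:
        raise ValueError("decoded parameter is not a PEM-encoded certificate")
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem_bytes)
    return path


def status_request(api_root: str, api_token: str, verify_ssl: bool,
                   ca_path: Optional[str] = None) -> Dict[str, Any]:
    """Connection settings for the Ping action (GET /cuckoo/status), without
    sending anything. `verify` is the value an HTTP client such as requests
    takes: the CA file when one was supplied, True for the system trust store,
    and False only when "Verify SSL" is unchecked (the weak setting: the
    server's certificate is then never checked)."""
    if verify_ssl:
        verify: Any = ca_path if ca_path else True
    else:
        verify = False
    return {
        "method": "GET",
        "url": api_root.rstrip("/") + "/cuckoo/status",
        "headers": {"Authorization": "Bearer " + api_token},
        "verify": verify,
    }


if __name__ == "__main__":
    param = pem_to_base64(PLACEHOLDER_PEM)
    bundle = base64_to_ca_path(param)
    print(status_request("http://x.x.x.x:8090", "<API token>", True, bundle))
```

With Verify SSL checked and a CA file supplied, `verify` becomes the decoded bundle path, so the Cuckoo server's certificate is checked against that CA rather than the system store; with the checkbox cleared, `verify` is False and the connection is encrypted but not authenticated.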

Configure the Cuckoo integration in Google SecOps

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

| Parameter display name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | | Name of the instance you intend to configure the integration for. |
| Description | String | N/A | | Description of the instance. |
| API Root | String | http://x.x.x.x:8090 | | Address of the Cuckoo instance. |
| Web Interface Address | String | http://x.x.x.x:8000 | | Address of the Cuckoo web UI instance. |
| Alert Threshold | Integer | 5.0 | | N/A |
| CA Certificate File | String | N/A | | N/A |
| Verify SSL | Checkbox | Unchecked | | Check this checkbox if your Cuckoo connection requires SSL verification. |
| Run Remotely | Checkbox | Unchecked | | Check this field to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
| API Token | Password | N/A | | API token of the integration. |

Actions

Detonate File

Description

Submit a file for analysis and get the report (also known as asynchronous).

Parameters

| Parameter display name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| File Path | String | N/A | | Path of the file to submit. |

Run on

This action runs on all entities.

Action results

Script result

| Script result name | Value options | Example |
|---|---|---|
| max_score | N/A | N/A |

JSON result
{
    "powershell8693919272434274241.ps1": {
        "info": {
            "category": "file",
            "added": 1547640117.991152,
            "monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
            "package": "ps1",
            "started": 1547640190.471362,
            "route": "internet",
            "custom": null,
            "machine": {
                "status": "stopped",
                "shutdown_on": "2019-01-16 12:28:55",
                "started_on": "2019-01-16 12:03:16",
                "manager": "VirtualBox",
                "label": "win7x6427",
                "name": "win7x6427"
            },
            "ended": 1547641736.394026,
            "score": 6.6,
            "platform": "windows",
            "version": "2.0.6",
            "owner": null,
            "git": {
                "head": "03731c4c136532389e93239ac6c3ad38441f81a7",
                "fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
            },
            "options": "procmemdump=yes,route=internet",
            "id": 889621,
            "duration": 1545
        },
        "signatures":
        [{
            "families": [],
            "description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
            "name": "network_cnc_http",
            "markcount": 1,
            "references": [],
            "marks":
            [{
                "suspicious_features": "Connection to IP address",
                "type": "generic",
                "suspicious_request": "GET http://1.1.1.1:8080/"
            }],
            "severity": 2
        }, {
            "families": [],
            "description": "Connects to smtp.live.com, possibly for spamming or data exfiltration",
            "name": "smtp_live",
            "markcount": 1,
            "references": [],
            "marks":
            [{
                "category": "domain",
                "type": "ioc",
                "ioc": "smtp.live.com",
                "description": null
            }],
            "severity": 2
        }, {
            "families": [],
            "description": "Connects to smtp.mail.yahoo.com, possibly for spamming or data exfiltration",
            "name": "smtp_yahoo",
            "markcount": 1,
            "references": [],
            "marks":
            [{
                "category": "domain",
                "type": "ioc",
                "ioc": "smtp.mail.yahoo.com",
                "description": null
            }],
            "severity": 2
        }]
    }
}

Detonate URL

Description

Submit a URL for analysis and get the report (also known as asynchronous).

Parameters

N/A

Run on

This action runs on the URL entity.

Action results

Script result

| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |

JSON result
[
    {
        "EntityResult": {
            "info": {
                "category": "url",
                "git": {
                    "head": "03731c4c136532389e93239ac6c3ad38441f81a7",
                    "fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
                },
                "monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
                "package": "ie",
                "started": null,
                "route": "internet",
                "custom": null,
                "machine": {
                    "status": "stopped",
                    "shutdown_on": "2019-01-16 13:14:26",
                    "label": "win7x6412",
                    "manager": "VirtualBox",
                    "started_on": "2019-01-16 12:48:54",
                    "name": "win7x6412"
                },
                "ended": 1547644467.207864,
                "added": null,
                "id": 889669,
                "platform": null,
                "version": "2.0.6",
                "owner": null,
                "score": 4.4,
                "options": "procmemdump=yes,route=internet",
                "duration": null
            },
            "signatures": [{
                "families": [],
                "description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
                "name": "network_cnc_http",
                "markcount": 1,
                "references": [],
                "marks": [{
                    "suspicious_features": "Connection to IP address",
                    "type": "generic",
                    "suspicious_request": "GET http://1.1.1.1:8080/"
                }],
                "severity": 2
            }, {
                "families": [],
                "description": "Performs some HTTP requests",
                "name": "network_http",
                "markcount": 9,
                "references": [],
                "marks": [{
                    "category": "request",
                    "ioc": "GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl",
                    "type": "ioc",
                    "description": null
                }, {
                    "category": "request",
                    "ioc": "GET http://www.microsoft.com/pki/crl/products/WinPCA.crl",
                    "type": "ioc",
                    "description": null
                }, {
                    "category": "request",
                    "ioc": "GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
                    "type": "ioc",
                    "description": null
                }],
                "severity": 2
            }, {
                "families": [],
                "description": "Communicates with host for which no DNS query was performed",
                "name": "nolookup_communication",
                "markcount": 11,
                "references": [],
                "marks": [{
                    "host": "1.1.1.1",
                    "type": "generic"
                }, {
                    "host": "1.1.1.1",
                    "type": "generic"
                }, {
                    "host": "1.1.1.1",
                    "type": "generic"
                }],
                "severity": 3
            }]},
        "Entity": "http://digi.ba/eng/#pgc-56-0-0"
    }
]

Entity enrichment

If the score exceeds the threshold, the entity is marked as suspicious (True). Otherwise, False.

| Enrichment field name | Logic - when to apply |
|---|---|
| Cuckoo_Score | N/A |
| task_id | N/A |
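The following Python is an added example (not the integration's own code) that applies the report logic this page describes to the report layout shown in the JSON results above: the max_score result of Detonate File, the score-versus-threshold enrichment rule of Detonate URL, and, as a defender would want next, extraction of the indicator ("ioc") marks from the signatures. It assumes reports follow the layout shown on this page (info.score, info.id, signatures[].marks[]) and that 5.0 is the integration's default Alert Threshold; FILE_REPORT and URL_REPORT are constructed abridgements of the sample output above.

```python
"""Apply the Cuckoo report logic described on this page (added example; not the
integration's own code): max_score for Detonate File, the score-versus-threshold
enrichment for Detonate URL, and IOC extraction from signature marks.

Assumptions: reports follow the JSON layout shown on this page (info.score,
info.id, signatures[].marks[]); the default threshold 5.0 is the integration's
"Alert Threshold"; FILE_REPORT and URL_REPORT are constructed abridgements of
the page's sample output.
"""
from typing import Any, Dict, List

DEFAULT_ALERT_THRESHOLD = 5.0  # integration default from the parameter table

# Constructed samples, reduced from the reports shown on this page.
FILE_REPORT: Dict[str, Any] = {
    "info": {"category": "file", "id": 889621, "score": 6.6, "package": "ps1"},
    "signatures": [
        {"name": "network_cnc_http", "severity": 2,
         "marks": [{"type": "generic", "suspicious_features": "Connection to IP address",
                    "suspicious_request": "GET http://1.1.1.1:8080/"}]},
        {"name": "smtp_live", "severity": 2,
         "marks": [{"type": "ioc", "category": "domain", "ioc": "smtp.live.com"}]},
        {"name": "smtp_yahoo", "severity": 2,
         "marks": [{"type": "ioc", "category": "domain", "ioc": "smtp.mail.yahoo.com"}]},
    ],
}
URL_REPORT: Dict[str, Any] = {
    "info": {"category": "url", "id": 889669, "score": 4.4, "package": "ie"},
    "signatures": [
        {"name": "network_http", "severity": 2,
         "marks": [{"type": "ioc", "category": "request",
                    "ioc": "GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl"}]},
        {"name": "nolookup_communication", "severity": 3,
         "marks": [{"type": "generic", "host": "1.1.1.1"}]},
    ],
}


def report_score(report: Dict[str, Any]) -> float:
    """info.score, treating a missing or null score (an unfinished task) as 0.0."""
    score = (report.get("info") or {}).get("score")
    return float(score) if score is not None else 0.0


def max_score(reports: List[Dict[str, Any]]) -> float:
    """The max_score script result of Detonate File: highest score over all reports."""
    return max((report_score(r) for r in reports), default=0.0)


def enrich_entity(report: Dict[str, Any],
                  threshold: float = DEFAULT_ALERT_THRESHOLD) -> Dict[str, Any]:
    """Entity enrichment rule: suspicious (True) only when the score exceeds the threshold."""
    info = report.get("info") or {}
    score = report_score(report)
    return {"Cuckoo_Score": score, "task_id": info.get("id"), "is_suspicious": score > threshold}


def extract_iocs(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Collect marks of type "ioc" (domains, requests) with the signature that raised them.
    Marks of type "generic" carry context but no single indicator, so they are skipped."""
    found: List[Dict[str, Any]] = []
    for sig in report.get("signatures", []):
        for mark in sig.get("marks", []):
            if mark.get("type") == "ioc" and mark.get("ioc"):
                found.append({"signature": sig.get("name"), "severity": sig.get("severity"),
                              "category": mark.get("category"), "ioc": mark["ioc"]})
    return found


def highest_severity(report: Dict[str, Any]) -> int:
    """Highest signature severity in the report; useful for ordering alerts."""
    return max((int(s.get("severity", 0)) for s in report.get("signatures", [])), default=0)


if __name__ == "__main__":
    print("max_score:", max_score([FILE_REPORT, URL_REPORT]))
    for report in (FILE_REPORT, URL_REPORT):
        print(enrich_entity(report), "severity", highest_severity(report), extract_iocs(report))
```

With the default threshold of 5.0, the file report (score 6.6) is marked suspicious and the URL report (score 4.4) is not; a task whose score is still null, as in an unfinished analysis, is never marked suspicious by accident because it is treated as 0.0.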

Get Report

Description

Get a specific task report by ID (also known as asynchronous).

Parameters

| Parameter display name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Task ID | String | N/A | | Task ID. Example: 10 |

Run on

This action runs on all entities.

Action results

Script result

| Script result name | Value options | Example |
|---|---|---|
| Score | N/A | N/A |

JSON result
{
    "info": {
        "category": "file",
        "added": 1547640117.991152,
        "monitor": "22c39cbb35f4d916477b47453673bc50bcd0df09",
        "package": "ps1",
        "started": 1547640190.471362,
        "route": "internet",
        "custom": null,
        "machine": {
            "status": "stopped",
            "shutdown_on": "2019-01-16 12:28:55",
            "started_on": "2019-01-16 12:03:16",
            "manager": "VirtualBox",
            "label": "win7x6427",
            "name": "win7x6427"
        },
        "ended": 1547641736.394026,
        "score": 6.6,
        "platform": "windows",
        "version": "2.0.6",
        "owner": null,
        "git": {
            "head": "03731c4c136532389e93239ac6c3ad38441f81a7",
            "fetch_head": "03731c4c136532389e93239ac6c3ad38441f81a7"
        },
        "options": "procmemdump=yes,route=internet",
        "id": 889621,
        "duration": 1545
    },
    "signatures": [{
        "families": [],
        "description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
        "name": "network_cnc_http",
        "markcount": 1,
        "references": [],
        "marks": [{
            "suspicious_features": "Connection to IP address",
            "type": "generic",
            "suspicious_request": "GET http://1.1.1.1:8080/"
        }],
        "severity": 2
    }, {
        "families": [],
        "description": "Connects to smtp.live.com, possibly for spamming or data exfiltration",
        "name": "smtp_live",
        "markcount": 1,
        "references": [],
        "marks": [{
            "category": "domain",
            "type": "ioc",
            "ioc": "smtp.live.com",
            "description": null
        }],
        "severity": 2
    }, {
        "families": [],
        "description": "Connects to smtp.mail.yahoo.com, possibly for spamming or data exfiltration",
        "name": "smtp_yahoo",
        "markcount": 1,
        "references": [],
        "marks": [{
            "category": "domain",
            "type": "ioc",
            "ioc": "smtp.mail.yahoo.com",
            "description": null
        }],
        "severity": 2
    }]
}

Ping

Description

Test connectivity.

Parameters

N/A

Run on

This action runs on all entities.

Action results

Script result

| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
