From 6944a409807779971b6dfc44a345b06bdec517dc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 1 Jun 2021 12:22:26 +0200 Subject: [PATCH] chg: [doc] some more examples --- README.md | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/README.md b/README.md index d430c73..3584a3d 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,126 @@ Searching for all the known items in CyCAT about the MITRE ATT&CK T1216 returns ] ~~~ +### Fetch item by UUID + +~~~ +curl -X 'GET' \ + 'https://api.cycat.org/lookup/4cd29327-685a-460e-9dac-c3ab96e549dc' \ + -H 'accept: application/json' +~~~ + +~~~json +{ + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "raw": "author: oscd.community, Natalia Shornikova\ndate: 2020/10/14\ndescription: Detects Execution via SyncInvoke in CL_Invocation.ps1 module\ndetection:\n condition: selection\n selection:\n EventID: 4104\n ScriptBlockText|contains|all:\n - CL_Invocation.ps1\n - SyncInvoke\nfalsepositives:\n- Unknown\nid: 4cd29327-685a-460e-9dac-c3ab96e549dc\nlevel: high\nlogsource:\n product: windows\n service: powershell\nmodified: 2021/05/21\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml\n- https://twitter.com/bohops/status/948061991012327424\nstatus: experimental\ntags:\n- attack.defense_evasion\n- attack.t1216\ntitle: Execution via CL_Invocation.ps1\n", + "sigma:id": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "title": "Execution via CL_Invocation.ps1", + "_cycat_type": "Item" +} +~~~ + +### Fetch relationships of an UUID + +~~~ +curl -X 'GET' \ + 'https://api.cycat.org/relationships/fbd29c89-18ba-4c2d-b792-51c0adee049f' \ + -H 'accept: application/json' +~~~ + +~~~json +[ + "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "b21c3b2d-02e6-45b1-980b-e69051040839", + "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "2dc2b567-8821-49f9-9045-8740f3d0b958", + "692074ae-bb62-4a5e-a735-02cb6bde458c", + "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "837f9164-50af-4ac0-8219-379d8a74cefc", + "df8b2a25-8bdf-4856-953c-a04372b1c161", + "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "ef67e13e-5598-4adc-bdb2-998225874fa9", + "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "9efb1ea7-c37b-4595-9640-b7680cd84279", + "c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "03342581-f790-4f03-ba41-e82e67392e23", + "4b57c098-f043-4da2-83ef-7588a6d426bc", + "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", + "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "2a70812b-f1ef-44db-8578-a496a227aef2", + "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "b17a1a56-e99c-403c-8948-561df0cffe81", + "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "970a3432-3237-47ad-bcca-7d8cbb217736", + "b18eae87-b469-4e14-b454-b171b416bc18", + "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "648f995e-9c3a-41e4-aeee-98bb41037426", + "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "8dbadf80-468c-4a62-b817-4e4d8b606887", + "f232fa7a-025c-4d43-abc7-318e81a73d65", + "2e34237d-8574-43f6-aace-ae2915de8597" +] +~~~ + +### Full-text search on CyCAT backend + +~~~ +curl -X 'GET' \ + 'https://api.cycat.org/search/APT33' \ + -H 'accept: application/json' +~~~ + +Will return all the UUIDs matching the keyword queried. Then the returned UUIDs can be used to find relationships and corresponding items. + +~~~ +[ + "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", + "fbd29c89-18ba-4c2d-b792-51c0adee049f", + "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", + "2a70812b-f1ef-44db-8578-a496a227aef2", + "2a70812b-f1ef-44db-8578-a496a227aef2", + "8dbadf80-468c-4a62-b817-4e4d8b606887", + "fab34d66-5668-460a-bc0f-250b9417cdbf", + "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "5de6335d-e128-4bc0-87e2-4db4950d210f", + "08d5b8a4-e752-48f3-ac6d-944807146ce7", + "15dd8386-f11a-485a-b719-440c0a47dee6", + "ab603f29-9c10-4fb0-9fa3-e123fad11a31", + "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", + "0c5bc5c8-5136-413a-bc5a-e13333271f49", + "f9aa9004-8811-4091-a471-38f81dbcadc4", + "5086a6e0-53b2-4d96-9eb3-a0237da2e591", + "8a789016-5f8d-4cd9-ba96-ba253db42fd8", + "f29b7c5e-2439-42ad-a86f-9f8984fafae3", + "1acd0c6c-7aff-462e-94ff-7544b1692740", + "accd848b-b8f4-46ba-a408-9063b35cfbf2", + "2894aee2-e0ec-417a-811e-74a68ab967b2", + "05252643-093b-4070-b62f-d5836683a9fa", + "b18eae87-b469-4e14-b454-b171b416bc18", + "588fb91d-59c6-4667-b299-94676d48b17b", + "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", + "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7" +] +~~~ ## Crawler