From fb6781ef6fa19c189794795be0cddb94c9614c24 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 6 Jan 2020 15:22:32 +0100 Subject: [PATCH] chg: [doc] public API url added https://www.misp-project.org/tai/ --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index da34c88..721072e 100644 --- a/README.md +++ b/README.md @@ -31,10 +31,12 @@ By the default, the server is listening on TCP port 8889. The API is simple and can be queried on the `/query` entry point by POSTing a simple querty in JSON format. The query format can be composed of a `name` as key or `uuid` as key. The output format is a JSON in the [MISP standard galaxy format](https://www.misp-standard.org/rfc/misp-standard-galaxy-format.txt). +A public API is available at the following location `https://www.misp-project.org/tai/` and can be queried to gather the latest information about threat-actors. + ## Example to query a threat-actor by name ~~~ -curl --silent -d '{"name":"APT34"}' -H "Content-Type: application/json" -X POST http://localhost:8889/query | jq . +curl --silent -d '{"name":"APT34"}' -H "Content-Type: application/json" -X POST https://www.misp-project.org/tai/query | jq . [ { "description": "Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.", 
@@ -78,7 +80,7 @@ curl --silent -d '{"name":"APT34"}' -H "Content-Type: application/json" -X POST ## Example to query a threat-actor by UUID ~~~ -curl --silent -d '{"uuid":"0286e80e-b0ed-464f-ad62-beec8536d0cb"}' -H "Content-Type: application/json" -X POST http://localhost:8889/query | jq . +curl --silent -d '{"uuid":"0286e80e-b0ed-464f-ad62-beec8536d0cb"}' -H "Content-Type: application/json" -X POST https://www.misp-project.org/tai/query | jq . { "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.", "meta": {
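Review bot: In the first hunk (README.md @@ -31,10 +31,12), swapping `http://localhost:8889/query` for `https://www.misp-project.org/tai/query` in the name example leaves the paragraph just above it, which says the server listens on TCP port 8889 and exposes `/query`, with no example that exercises a local deployment; consider keeping the localhost command next to the public one, or adding a sentence saying the public endpoint is a hosted instance of the same `/query` API. Copy-pasting the public example also sends each lookup to a third-party host, so it is worth stating that plainly for users who run their own instance for that reason. While editing this paragraph, the pre-existing typos in the unchanged context ("By the default", "querty") could be fixed in the same doc change, and the new line reads better as "available at the following location: `https://www.misp-project.org/tai/`".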
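Review bot: In the second hunk (README.md @@ -78,7 +80,7), the UUID example is changed to the public endpoint in the same way as the name example, so the README now has no remaining example against the default local listener on port 8889 described earlier in the file; if the intent is that the local server is still the primary deployment, keep one localhost example (either here or in the name section) so both deployment modes are documented, and make sure the URL shown in this hunk matches exactly the one introduced in the first hunk (`https://www.misp-project.org/tai/` plus `/query`), which it does.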