TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Upload encrypted ZIP (file observable) #210

Open bullerdude opened 7 years ago

bullerdude commented 7 years ago

Request Type

Feature Request

Work Environment

The Hive v2.11

Problem Description

It is currently not possible to upload malware samples stored within ZIP files encrypted with the password 'infected' and for it to be auto-extracted for storage.

Possible Solutions

Ideally, The Hive should support uploading malware samples contained in ZIP files (as per normal malware safe handling procedures) and have it auto-extracted and stored as a file observable.

This would complement the equivalent download function, which is already possible on The Hive.

SHSauler commented 7 years ago

Extracting the sample on TheHive would be highly unwise in my opinion. And it's not something other commercial tools do either. A dedicated malware area with increased protection might be required for storage of samples.

Many sandboxes support the detonation of zipped malware, like WildFire or Cuckoo. Custom Cortex Analyzers could be employed to integrate those.

One problem arising from storing zipped samples is getting the hashes without sandbox detonation. For this a dedicated highly isolated hashing machine could be used. You push the sample via Cortex to the hashing machine and receive the hashes back. For example the Cortex FileInfo analyzer could be employed on that dedicated machine with slight modifications. A complication arises from the common practice of having several files pertaining to one malware in one zip file.
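
The following is an added example, not code from TheHive, Cortex or the FileInfo analyzer, illustrating both what the feature request above asks for (reading a sample out of a password-protected ZIP as a file observable) and the hashing step described in this comment (computing hashes of every member of a multi-file archive without executing or unpacking anything to disk). It assumes the archive uses traditional ZipCrypto encryption, which is what `zip -P infected` and 7-Zip produce by default and which Python's standard `zipfile` can read; AES-encrypted ZIPs are not supported by the standard library and are reported as errors rather than silently skipped. The `build_zipcrypto_archive` helper exists only because the standard library can read but not write encrypted ZIPs, so the test fixture has to be constructed by hand; the password, size cap and member contents are constructed values.

```python
"""Hash the members of a password-protected sample archive entirely in memory."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

SAMPLE_PASSWORD = b"infected"            # conventional password for sample archives
MAX_MEMBER_BYTES = 64 * 1024 * 1024      # assumed per-member cap (zip-bomb guard)
HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digests of an in-memory blob; used for the plain-file case and for tests."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_zip_members(zip_bytes, password=SAMPLE_PASSWORD, max_bytes=MAX_MEMBER_BYTES):
    """Return {member_name: {md5, sha1, sha256, size}} for every file in the archive.

    Members are streamed through hashlib in 64 KiB chunks: nothing is written to
    disk and nothing is executed. Oversized members, wrong passwords and CRC
    mismatches are reported per member instead of aborting the whole archive,
    which matters because sample ZIPs commonly bundle several related files.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"size": info.file_size}
            if info.file_size > max_bytes:
                entry["error"] = "member too large"
                results[info.filename] = entry
                continue
            hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
            try:
                with zf.open(info, pwd=password) as member:
                    for chunk in iter(lambda: member.read(65536), b""):
                        for h in hashers.values():
                            h.update(chunk)
            except (RuntimeError, zipfile.BadZipFile, NotImplementedError) as exc:
                entry["error"] = str(exc)   # bad password, CRC mismatch, AES archive
            else:
                entry.update({algo: h.hexdigest() for algo, h in hashers.items()})
            results[info.filename] = entry
    return results


# --- test fixture: hand-built ZipCrypto archive (stdlib cannot write encrypted ZIPs) ---

def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _crc_table()


class _ZipCryptoEncryptor:
    """Traditional PKWARE stream cipher, mirroring zipfile's decrypter key schedule."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)


def build_zipcrypto_archive(members, password=SAMPLE_PASSWORD):
    """Constructed fixture: a stored (uncompressed) ZIP whose members are ZipCrypto-encrypted."""
    body, central = bytearray(), bytearray()
    dos_time, dos_date = 0, ((2024 - 1980) << 9) | (1 << 5) | 1   # 2024-01-01
    for name, data in members.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        enc = _ZipCryptoEncryptor(password)
        header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])     # 12-byte check header
        payload = enc.encrypt(header) + enc.encrypt(data)
        name_b = name.encode("ascii")
        offset = len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time, dos_date,
                            crc, len(payload), len(data), len(name_b), 0) + name_b + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dos_time,
                               dos_date, crc, len(payload), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


if __name__ == "__main__":
    sample = build_zipcrypto_archive({"notes.txt": b"abc", "sample.bin": b"MZ" + bytes(64)})
    for name, digests in hash_zip_members(sample).items():
        print(name, digests)
```

Running this on a real sample archive is simply `hash_zip_members(open(path, "rb").read())`; each member's digests can then be attached to the case as observables, while the archive itself stays sealed. The per-member error reporting is deliberate: on an isolated hashing host you want a partial result plus a clear reason (wrong password, AES archive, oversized member) rather than a crash that hides which file was the problem.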

juanpablobr commented 7 years ago

My two cents, we use Viper to unzip password protected files.