init

.dockerignore

@@ -0,0 +1,22 @@
+Dockerfile
+.idea
+.git
+
+pipelines
+venv
+env
+test
+tests
+exemples
+docs
+
+pip-log.txt
+pip-delete-this-directory.txt
+.tox
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+*.log

.gitignore

@@ -0,0 +1,84 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# IDE files
+.pydevproject
+.python-version
+.idea
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Cython debug symbols
+cython_debug/

CONTRIBUTING.md

@@ -0,0 +1,25 @@
+# Assemblyline contributing guide
+
+This guide covers the basics of how to contribute to the Assemblyline project.
+
+Python code should follow the PEP8 guidelines defined here: [PEP8 Guidelines](https://www.python.org/dev/peps/pep-0008/).
+
+## Tell us want you want to build/fix
+Before you start coding anything you should connect with the [Assemblyline community](https://groups.google.com/d/forum/cse-cst-assemblyline) to make sure no one else is working on the same thing and that whatever you are going to build still fits with the vision off the system.
+
+## Git workflow
+
+- Clone the repo to your own account
+- Checkout and pull the latest commits from the master branch
+- Make a branch
+- Work in any way you like and make sure your changes actually work
+- When you're satisfied with your changes, create a pull requests to the main assemblyline repo
+
+#### Transfer your service repo
+If you've worked on a new service that you want to be included in the default service selection you'll have to transfer the repo into our control.
+
+#### You are not allow to merge:
+
+Even if you try to merge in your pull request, you will be denied. Only a few people in our team are allowed to merge code into our repositories.
+
+We check for new pull requests every day and will merge them in once they have been approved by someone in our team.

Dockerfile

@@ -0,0 +1,22 @@
+ARG branch=latest
+FROM cccs/assemblyline-v4-service-base:$branch
+
+ENV SERVICE_PATH virustotal.VirusTotal
+
+USER root
+RUN pip install vt-py
+
+# Switch to assemblyline user
+USER assemblyline
+
+# Copy VirusTotalDynamic service code
+WORKDIR /opt/al_service
+COPY . .
+
+# Patch version in manifest
+ARG version=4.0.0.dev1
+USER root
+RUN sed -i -e "s/\$SERVICE_TAG/$version/g" service_manifest.yml
+
+# Switch to assemblyline user
+USER assemblyline

LICENSE

@@ -0,0 +1,25 @@
+MIT License
+
+Copyright (c) 2022 Canadian Centre for Cyber Security
+
+Copyright title to all 3rd party software distributed with Assemblyline (AL) is
+held by the respective copyright holders as noted in those files. Users are asked to
+read the 3rd Party Licenses referenced with those assets.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,32 @@
+# VirusTotal Service
+
+This Assemblyline This service checks (and optionally submits) files/URLs to VirusTotal for analysis.
+
+**NOTE**: This service **requires** you to have your own API key (Paid or Free). It is **not** preinstalled during a default installation.
+
+## Execution
+
+This service will actually submit the file to VirusTotal for analysis over the v3 REST API.
+
+Because the file leaves the Assemblyline infrastructure, if selected by the user, it will prompt the user and notify them that their file or metadata related to their file will leave our system.
+
+## Configuration
+----
+### Service Configuration
+|Name|Description|
+|:---:|:---|
+|api_key|Global VirusTotal API key for the system to use if the submitter doesn't provide their own|
+|proxy|Proxy to connect to VirusTotal with|
+|av_config|Configuration block that tells the service to ignore/remap certain AV verdicts from the File Report. See [Service Manifest](./service_manifest.yml) for more details.|
+
+### Submission Parameters
+|Name|Description|
+|:---:|:---|
+|api_key|Individual VirusTotal API key|
+|dynamic_submit|Instructs the service to submit to VirusTotal if there is no existing report about the submission|
+|relationships|A list of comma-separated relationships that we want to get about the submission|
+|download_evtx|Have the service download EVTX from sandbox analyses. (`deep_scan` required)|
+|download_pcap|Have the service download EVTX from sandbox analyses. (`deep_scan` required)|
+
+Note: For operations like `download_evtx` & `download_pcap`, the `deep_scan` flag is required as it entails more API calls to
+retrieve additional reports to get a full picture of the analysis done by VirusTotal.

pipelines/azure-build.yaml

@@ -0,0 +1,30 @@
+name: build
+
+trigger:
+  tags:
+    include: ["v*"]
+pr: none
+
+pool:
+  vmImage: "ubuntu-20.04"
+
+stages:
+  - stage: deploy
+    jobs:
+      - job: deploy
+        displayName: Deploy containers to dockerhub
+        variables:
+          - group: deployment-information
+        steps:
+          - task: Docker@2
+            displayName: Login to docker hub
+            inputs:
+              command: login
+              containerRegistry: dockerhub
+          - script: |
+              set -xv  # Echo commands before they are run
+              export TAG=${BUILD_SOURCEBRANCH#"refs/tags/v"}
+              if [[ "$TAG" == *stable* ]]; then export BUILD_TYPE=stable; else export BUILD_TYPE=latest; fi
+              docker build --build-arg version=$TAG --build-arg branch=$BUILD_TYPE -t cccs/assemblyline-service-virustotal:$TAG -t cccs/assemblyline-service-virustotal:$BUILD_TYPE .
+              docker push cccs/assemblyline-service-virustotal --all-tags
+            displayName: Deploy to Docker Hub

service_manifest.yml

@@ -0,0 +1,90 @@
+name: VirusTotal
+version: $SERVICE_TAG
+description: >
+  This service checks (and optionally submits) files/URLs to VirusTotal for analysis.
+
+accepts: .*
+rejects: empty|metadata/.*
+
+stage: CORE
+category: External
+
+file_required: true
+timeout: 600
+disable_cache: false
+
+enabled: false
+is_external: true
+licence_count: 0
+
+uses_metadata: true
+privileged: true
+
+config:
+  api_key: ""
+  proxy: ""
+  av_config:
+    term_blocklist: ["Antiy-AVL", "APEX", "Jiangmin", "not-a-virus"] # Ignore results based on presence of term in signature combination
+    revised_sig_score_map: # Remap scoring based on signature combination
+      TACHYON.Suspicious/XOX.Obfus.Gen.2: 100
+      # The following should be added to the system-wide safelist
+      # Ikarus.Trojan-Downloader.MSWord.Agent: 0
+      # Ikarus.Trojan-Downloader.VBA.Agent: 0
+      # NANOAV.Exploit.Xml.CVE-2017-0199.equmby: 0
+      # TACHYON.Suspicious/XOX.Obfus.Gen.3: 0
+      # Vir.IT eXplorer.Office.VBA_Macro_Heur: 0
+      # Vir.IT eXplorer.W97M/Downloader.AB: 0
+    revised_kw_score_map: # Remap scoring based on keyword in an AV result
+      adware: 100
+
+submission_params:
+  - default: ""
+    name: api_key
+    type: str
+    value: ""
+  - default: false
+    name: dynamic_submit
+    type: bool
+    value: false
+  - default: "contacted_ips,contacted_domains,contacted_urls,behaviours"
+    name: relationships
+    type: str
+    value: "contacted_ips,contacted_domains,contacted_urls,behaviours"
+  - default: false
+    name: download_evtx
+    type: bool
+    value: false
+  - default: false
+    name: download_pcap
+    type: bool
+    value: false
+
+heuristics:
+  - heur_id: 1
+    name: File is infected
+    score: 1000
+    filetype: "*"
+    description: Antivirus detection found.
+
+  - heur_id: 2
+    name: Network IOC Detected
+    score: 50
+    filetype: "*"
+    description: Network IOC detected
+    max_score: 1000
+    signature_score_map:
+      low: 50
+      medium: 300
+      high: 1000
+
+  - heur_id: 1000
+    name: Capability Found
+    score: 100
+    filetype: "*"
+    description: VT has tagged sample with capabilities
+
+docker_config:
+  image: ${REGISTRY}cccs/assemblyline-service-virustotal:$SERVICE_TAG
+  cpu_cores: 0.25
+  ram_mb: 1024
+  allow_internet_access: true