Metadata-Version: 2.1
Name: thunderstormAPI
Version: 0.1.1
Summary: THOR Thunderstorm Service API Client
Home-page: https://github.com/NextronSystems/thunderstormAPI
Author: Florian Roth
Author-email: florian.roth@nextron-systems.com
License: UNKNOWN
Description: # ThunderstormAPI
        
        This module allows you to interact with THOR Thunderstorm API, which is also known as THOR Service. 
        
        Running THOR in service mode (--service) starts a local RESTful API service. This API allows to submit samples and returns results in JSON format. The service runs multi-threaded and is designed for high performance samples processing.  
        
        This repository contains a Python module named `thunderstormAPI` and an example Python command line API client implementation named `thunderstorm-cli`. 
        
        # Installation
        
        ```
        pip install thunderstormAPI
        ```
        
        (Note: use `pip3 install thunderstormAPI` on Debian)
        
        ## Thunderstorm CLI 
        
        The Thunderstorm command line interface (CLI) is a pre-written tool that implements the Python module. 
        
        ### Usage
        
        ```commandline
        usage: thunderstorm-cli [-h] [-t host] [-p port] [--ssl] [--strict_ssl strict-ssl] [-o source] [--status] [--info] [--result] [-r sample-id] [-s] [-f sample]
                                [-d sample-dir] [-e EXCLUDE [EXCLUDE ...]] [-i INCLUDE [INCLUDE ...]] [-l lookback] [-n threads] [-m minimum-level] [--asyn]
                                [-ps proxy-url] [-pu proxy-user] [-pp proxy-pass] [--debug] [--trace]
        
        THOR-Thunderstorm-CLI
        
        optional arguments:
          -h, --help            show this help message and exit
          -t host, --thor_host host
                                THOR service host
          -p port, --thor_port port
                                THOR service port
          --ssl                 Use TLS/SSL (HTTPS)
          --strict_ssl strict-ssl
                                Use strict TLS/SSL (deny self-signed SSL certificates)
          -o source, --source source
                                Source identifier (used in Thunderstorm server log)
          --debug               Debug output
          --trace               Trace output
        
        =======================================================================
        Info:
          --status              Get status information from the service (processed samples, errors, runtime)
          --info                Get general information (versions, license info)
          --result              Get information on a certain sample id
          -r sample-id, --id sample-id
                                Sample ID returned in asynchronous result
        
        =======================================================================
        Scan:
          -s, --scan            Transmit sample file to get it scanned
          -f sample, --file sample
                                Sample file
          -d sample-dir, --dir sample-dir
                                Sample directory
          -e EXCLUDE [EXCLUDE ...], --exclude EXCLUDE [EXCLUDE ...]
                                Exclude pattern (can be used multiple times)
          -i INCLUDE [INCLUDE ...], --include INCLUDE [INCLUDE ...]
                                Include pattern (can be used multiple times)
          -l lookback, --lookback lookback
                                Only submit files created or modified within the last X seconds
          -n threads, --threads threads
                                Number of threads
          -m minimum-level, --min_level minimum-level
                                Minimum level to report (Debug=1, Info=2, Notice=3, Error=4, Warning=5, Alert=6)
          --asyn                Asynchronous transmission (server just returns a send receipt and not a result, which allows a much fast transmission)
        
        =======================================================================
        Proxy:
          -ps proxy-url, --proxy proxy-url
                                proxy URL (e.g. https://my.proxy.net:8080)
          -pu proxy-user, --proxy_user proxy-user
                                proxy user
          -pp proxy-pass, --proxy_pass proxy-pass
                                proxy password
        ```
        
        ### Examples
        
        #### Server
        
        On a server you would run THOR in service mode as follows
        ```bash
        ./thor-linux-64 --server --server-host 10.0.0.14 --threadcount 40
        ```
        
        See our github [repository](https://github.com/NextronSystems/nextron-helper-scripts/tree/master/thunderstorm) for scripts that help you with the installation of THOR Thunderstorm. 
        
        #### Client
        
        Get information on a running THOR Thunderstorm service on `10.0.0.14`
        
        ```bash
        ./thunderstorm-cli --info -t 10.0.0.14
        ```
        
        Result 
        ```
        [INFO ] Using THOR Thunderstorm service on host 127.0.0.1 port 8081 without SSL/TLS
        {
            "allowed_samples_per_hour": 0,
            "sigma_version": "0.17.0-383-gd73447c1",
            "signature_version": "2020/08/13-125157",
            "thor_timestamp": "2020-08-17 07:04:36",
            "thor_version": "10.6.0",
            "yara_version": "4.0.2"
        }
        ```
        
        Submit a single sample to THOR Thunderstorm service running on `10.0.0.4`
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -f ./samples/webshell.txt
        ```
        
        Result
        ```
        [INFO ] Using THOR Thunderstorm service on host 10.0.0.14 port 8080 without SSL/TLS
        [INFO ] Thunderstorm service stats UPTIME: 00h:45m:57s SCANNED_SAMPLES: 60 AVG_SCAN_TIME: 33ms
        [INFO ] Submitting file ./samples/webshell.txt for scanning ...
        [WARNI] Match found in FILE: ./samples/webshell.txt MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 140, 'context': {'ext': '', 'file': './samples/webshell.txt', 'firstBytes': '3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm', 'md5': '6f70c1a517db1818e0234ba63185e6e9', 'sha1': '2f13649ccd9de947fd28616d73cc1387674a2df0', 'sha256': '5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc', 'size': 58, 'type': 'PHP'}, 'matches': [{'matched': ['php @eval($_POST['], 'reason': 'China Chopper Webshells - PHP and ASPX', 'ref': 'https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf', 'ruledate': '2015-03-10', 'rulename': 'ChinaChopper_Generic', 'subscore': 75, 'tags': ['CHINA', 'GEN', 'T1100', 'WEBSHELL']}, {'matched': ['<?php', '$_GET[', 'eval('], 'reason': 'Detects suspiciously small PHP file that receives a parameter and runs a eval statement', 'ref': 'https://github.com/qiyeboy/kill_webshell_detect', 'ruledate': '2020-07-31', 'rulename': 'SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20', 'subscore': 65, 'tags': ['FILE', 'SUSP', 'T1100', 'T1136', 'WEBSHELL']}]}
        ```
        
        Submit all samples within a directory (recursively) to THOR Thunderstorm service running on `10.0.0.14`
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/
        ```
        
        Result
        ```
        [INFO ] Using THOR Thunderstorm service on host 10.0.0.14 port 8080 without SSL/TLS
        [INFO ] Thunderstorm service stats UPTIME: 00h:59m:15s SCANNED_SAMPLES: 64 AVG_SCAN_TIME: 34ms
        [INFO ] Submitting samples from ./samples/ using 12 threads
        [INFO ] Scanning path: ./samples/ with 3 elements
        [WARNI] Match found in FILE: ./samples/test-mimi.txt MATCH: {'level': 'Warning', 'module': 'Filescan', 'message': 'Possibly Dangerous file found', 'score': 205, 'context': {'ext': '', 'file': './samples/test-mimi.txt', 'firstBytes': '6c6f676f6e70617373776f7264733a3a0a73656b / logonpasswords::\nsek', 'md5': 'bf9d9616e86267d5d5ba48ad1161e2aa', 'sha1': '00d0289f25119fe4695e82aa09e18aa53b5606e2', 'sha256': '7579e064c44fb1782cf59485e7b812e72e30f1160d687e20976739d3f40cb748', 'size': 83, 'type': 'UNKNOWN'}, 'matches': [{'matched': [' -ma lsass.exe'], 'reason': 'Detects commands often used in malicious scripts', 'ref': 'https://twitter.com/SBousseaden/status/1272863752677965824', 'ruledate': '2020-06-16', 'rulename': 'SUSP_LSASS_Memory_Dump_CmdLine_Jun20_2', 'subscore': 70, 'tags': ['HKTL', 'SUSP', 'T1003', 'T1136']}, {'matched': ['-ma lsass.exe'], 'reason': 'Procdump - Batch file invocation', 'ref': '-', 'ruledate': '2013-01-01', 'rulename': 'HKTL_Procdump_BAT', 'subscore': 70, 'tags': ['APT', 'HKTL', 'T1136']}, {'matched': [' -ma ', ' lsass.exe'], 'reason': 'Detects suspicious post exploitation strings and command lines often used by attackers', 'ref': 'https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html', 'ruledate': '2019-08-28', 'rulename': 'SUSP_PostExploitation_Cmds_Aug19_1', 'subscore': 65, 'tags': ['SUSP', 'T1136']}]}
        [WARNI] Match found in FILE: ./samples/webshell.txt MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 140, 'context': {'ext': '', 'file': './samples/webshell.txt', 'firstBytes': '3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm', 'md5': '6f70c1a517db1818e0234ba63185e6e9', 'sha1': '2f13649ccd9de947fd28616d73cc1387674a2df0', 'sha256': '5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc', 'size': 58, 'type': 'PHP'}, 'matches': [{'matched': ['php @eval($_POST['], 'reason': 'China Chopper Webshells - PHP and ASPX', 'ref': 'https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf', 'ruledate': '2015-03-10', 'rulename': 'ChinaChopper_Generic', 'subscore': 75, 'tags': ['CHINA', 'GEN', 'T1100', 'WEBSHELL']}, {'matched': ['<?php', '$_GET[', 'eval('], 'reason': 'Detects suspiciously small PHP file that receives a parameter and runs a eval statement', 'ref': 'https://github.com/qiyeboy/kill_webshell_detect', 'ruledate': '2020-07-31', 'rulename': 'SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20', 'subscore': 65, 'tags': ['FILE', 'SUSP', 'T1100', 'T1136', 'WEBSHELL']}]}
        [WARNI] Match found in FILE: ./samples/sekurlsa.log MATCH: {'level': 'Alert', 'module': 'Filescan', 'message': 'Malware file found', 'score': 325, 'context': {'ext': '', 'file': './samples/sekurlsa.log', 'firstBytes': "5573696e67202773656b75726c73612e6c6f6727 / Using 'sekurlsa.log'", 'md5': '619e7ad14b5a64481958ac5248dd832f', 'sha1': '886817e0fbc813c711616e2d1ace7c819cfd5b55', 'sha256': '0c66a723033b367e3700e83054f521a853bd6764b24924ce66c5df81d8ff32f3', 'size': 1362, 'type': 'Mimikatz Logfile'}, 'matches': [{'matched': ['* Username : ', '* Password : ', 'credman :'], 'reason': 'Detects credential dump strings from APT case', 'ref': 'White Amflora', 'ruledate': '2016-05-02', 'rulename': 'CustomerCase_C2_Credential_Dump', 'subscore': 100, 'tags': ['APT', 'CLIENT', 'HKTL', 'T1003', 'T1136']}, {'matched': ['SID               :', '* NTLM     :', 'Authentication Id :', 'wdigest :'], 'reason': 'Detects a log file generated by malicious hack tool mimikatz', 'ref': '-', 'ruledate': '2015-03-31', 'rulename': 'Mimikatz_Logfile', 'subscore': 80, 'tags': ['HKTL', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}, {'matched': ['* Password : (null)', 'mimikatz # sekurlsa::logonpasswords', '* NTLM     : ', '* Username : ', 'Logon Server      : ', '] CredentialKeys'], 'reason': 'Detects keyword combo known from Mimikatz log files', 'ref': 'https://github.com/gentilkiwi/mimikatz/wiki/module-~-standard#log', 'ruledate': '2019-02-26', 'rulename': 'SUSP_Mimikatz_LogFile_Keywords', 'subscore': 75, 'tags': ['SUSP', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}, {'matched': ['Authentication Id :', 'SID               :', 'tspkg :', 'kerberos :', '* Username :', 'credman :'], 'reason': 'Detects a log file of password dumper mimikatz', 'ref': '-', 'ruledate': '2014-12-22', 'rulename': 'Mimikatz_Log_Output', 'subscore': 70, 'tags': ['APT', 'T1003', 'T1075', 'T1097', 'T1136', 'T1178']}]}
        ```
        
        Submit all samples within a directory and submit only `*.exe` and `*.dll` files.
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --include *.exe --include *.dll
        ```
        
        Submit all samples within a directory and exclude files.
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --exclude *.evtx
        ```
        
        Submit all samples within a directory and send only files that have been changed or modified within the last hour. 
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --lookback 3600
        ```
        
        Submit all samples within a directory and send the files using HTTPS.
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --ssl
        ```
        
        Submit all samples within a directory and send the files using asynchronous mode. (fast submission, no result response)
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --asyn
        ```
        
        Submit all samples within a directory and set a custom source value. 
        
        ```bash
        ./thunderstorm-cli --scan -t 10.0.0.14 -d ./samples/ --source sample_collector_1
        ```
        
        ## Python Module
        
        The 2 helper functions of the Python module are:
        
        - `get_info()` gets general information (versions, license info)
        - `get_status()` gets status information from the service (processed samples, errors, runtime)
        
        The 2 main functions of the Python module are:
        
        - `scan(sample)` submits a sample for remote scanning
        - `scan_multi(sample_list)` submits a list of samples (multi-threaded)
        
        ### __init__()
        
        The `__init__` method accepts the following parameters:
        
        - `host`: host on which the THOR Thunderstorm service runs
        - `port`: port on which the THOR Thunderstorm service listens
        - `source`: custom source identifier (which is the hostname by default)
        - `use_ssl`: use SSL for the transmission
        - `verify_ssl`: verify the SSL/TLS server certificate
        
        ### scan()
        
        The `scan` method accepts the following parameters:
        
        - `filelist`: list of absolute file paths
        - `asyn`: asynchronous mode, just submit, don't wait for scan result (server returns only a submission receipt)
        - `trace`: be more verbose than debug and show request and response
        
        ### scan_multi()
        
        The `scan_multi` method accepts the following parameters:
        
        - `filelist`: list of absolute file paths
        - `num_threads`: number of threads
        - `asyn`: asynchronous mode, just submit, don't wait for scan result (server returns only a submission receipt)
        - `trace`: be more verbose than debug and show each request and response
        
        ## Examples
        
        ### Get Info 
        
        ```python 
        from thunderstormAPI.thunderstorm import ThunderstormAPI
        
        thorapi = ThunderstormAPI(host='thunderstorm.local')
        thorapi.get_info()
        ```
        
        Returns
        ```json
        {
            "allowed_samples_per_hour": 0,
            "license_expiration_date": "2021/01/30",
            "sigma_version": "0.18.1",
            "signature_version": "2020/08/31-164212",
            "thor_timestamp": "2020-09-03 07:39:30",
            "thor_version": "10.6.0",
            "threads": 40,
            "yara_version": "4.0.2"
        }
        ```
        
        ### Get Status 
        
        ```python 
        from thunderstormAPI.thunderstorm import ThunderstormAPI
        
        thorapi = ThunderstormAPI(host='thunderstorm.local')
        thorapi.get_status()
        ```
        
        Returns
        ```json
        {
            "avg_scan_time_ms": 494,
            "avg_total_time_ms": 495,
            "denied_request_proportion": 0,
            "denied_requests": 0,
            "queued_async_requests": 70854,
            "quota_wait_time_ms": 0,
            "quota_waits": 0,
            "scanned_samples": 109230,
            "uptime_s": 1419
        }
        ```
        
        ### Submit Single File
        
        ```python 
        from thunderstormAPI.thunderstorm import ThunderstormAPI
        
        thorapi = ThunderstormAPI(host='thunderstorm.local')
        thorapi.scan('./samples/webshell.txt')
        ```
        
        Returns
        ```json
        [
            {
                "level": "Alert",
                "module": "Filescan",
                "message": "Malware file found",
                "score": 140,
                "context": {
                    "ext": "",
                    "file": "./samples/webshell.txt",
                    "firstBytes": "3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm",
                    "md5": "6f70c1a517db1818e0234ba63185e6e9",
                    "sha1": "2f13649ccd9de947fd28616d73cc1387674a2df0",
                    "sha256": "5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc",
                    "size": 58,
                    "type": "PHP"
                },
                "matches": [
                    {
                        "matched": [
                            "php @eval($_POST["
                        ],
                        "reason": "China Chopper Webshells - PHP and ASPX",
                        "ref": "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf",
                        "ruledate": "2015-03-10",
                        "rulename": "ChinaChopper_Generic",
                        "subscore": 75,
                        "tags": [
                            "CHINA",
                            "GEN",
                            "T1100",
                            "WEBSHELL"
                        ]
                    },
                    {
                        "matched": [
                            "<?php",
                            "$_GET[",
                            "eval("
                        ],
                        "reason": "Detects suspiciously small PHP file that receives a parameter and runs a eval statement",
                        "ref": "https://github.com/qiyeboy/kill_webshell_detect",
                        "ruledate": "2020-07-31",
                        "rulename": "SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20",
                        "subscore": 65,
                        "tags": [
                            "FILE",
                            "SUSP",
                            "T1100",
                            "T1136",
                            "WEBSHELL"
                        ]
                    }
                ]
            }
        ]
        ```
        
        ### Submit a List of Samples
        
        ```python 
        from thunderstormAPI.thunderstorm import ThunderstormAPI
        
        SAMPLES = './samples'
        samples = [path.join(SAMPLE_DIR, f) for f in listdir(SAMPLE_DIR)]
        
        thorapi = ThunderstormAPI(host='thunderstorm.local')
        
        thorapi.scan_multi(samples)
        ```
        
        Returns
        ```json
        [
            [
                {
                    "level": "Alert",
                    "module": "Filescan",
                    "message": "Malware file found",
                    "score": 140,
                    "context": {
                        "ext": "",
                        "file": "./samples/webshell.txt",
                        "firstBytes": "3c3f70687020406576616c28245f4745545b636d / <?php @eval($_GET[cm",
                        "md5": "6f70c1a517db1818e0234ba63185e6e9",
                        "sha1": "2f13649ccd9de947fd28616d73cc1387674a2df0",
                        "sha256": "5906cb00cbe1c108ff4a0e17f1c76606c57364467352ce4f986271e40bd5c1cc",
                        "size": 58,
                        "type": "PHP"
                    },
                    "matches": [
                        {
                            "matched": [
                                "php @eval($_POST["
                            ],
                            "reason": "China Chopper Webshells - PHP and ASPX",
                            "ref": "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf",
                            "ruledate": "2015-03-10",
                            "rulename": "ChinaChopper_Generic",
                            "subscore": 75,
                            "tags": [
                                "CHINA",
                                "GEN",
                                "T1100",
                                "WEBSHELL"
                            ]
                        },
                        {
                            "matched": [
                                "<?php",
                                "$_GET[",
                                "eval("
                            ],
                            "reason": "Detects suspiciously small PHP file that receives a parameter and runs a eval statement",
                            "ref": "https://github.com/qiyeboy/kill_webshell_detect",
                            "ruledate": "2020-07-31",
                            "rulename": "SUSP_WEBSHELL_PHP_Tiny_Indicators_Jul20",
                            "subscore": 65,
                            "tags": [
                                "FILE",
                                "SUSP",
                                "T1100",
                                "T1136",
                                "WEBSHELL"
                            ]
                        }
                    ]
                }
            ],
            [
                {
                    "level": "Alert",
                    "module": "Filescan",
                    "message": "Malware file found",
                    "score": 325,
                    "context": {
                        "ext": "",
                        "file": "./samples/sekurlsa.log",
                        "firstBytes": "5573696e67202773656b75726c73612e6c6f6727 / Using 'sekurlsa.log'",
                        "md5": "619e7ad14b5a64481958ac5248dd832f",
                        "sha1": "886817e0fbc813c711616e2d1ace7c819cfd5b55",
                        "sha256": "0c66a723033b367e3700e83054f521a853bd6764b24924ce66c5df81d8ff32f3",
                        "size": 1362,
                        "type": "Mimikatz Logfile"
                    },
                    "matches": [
                        {
                            "matched": [
                                "* Username : ",
                                "* Password : ",
                                "credman :"
                            ],
                            "reason": "Detects credential dump strings from APT case",
                            "ref": "White Amflora",
                            "ruledate": "2016-05-02",
                            "rulename": "CustomerCase_C2_Credential_Dump",
                            "subscore": 100,
                            "tags": [
                                "APT",
                                "CLIENT",
                                "HKTL",
                                "T1003",
                                "T1136"
                            ]
                        },
                        {
                            "matched": [
                                "SID               :",
                                "* NTLM     :",
                                "Authentication Id :",
                                "wdigest :"
                            ],
                            "reason": "Detects a log file generated by malicious hack tool mimikatz",
                            "ref": "-",
                            "ruledate": "2015-03-31",
                            "rulename": "Mimikatz_Logfile",
                            "subscore": 80,
                            "tags": [
                                "HKTL",
                                "T1003",
                                "T1075",
                                "T1097",
                                "T1136",
                                "T1178"
                            ]
                        },
                        {
                            "matched": [
                                "* Password : (null)",
                                "mimikatz # sekurlsa::logonpasswords",
                                "* NTLM     : ",
                                "* Username : ",
                                "Logon Server      : ",
                                "] CredentialKeys"
                            ],
                            "reason": "Detects keyword combo known from Mimikatz log files",
                            "ref": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-standard#log",
                            "ruledate": "2019-02-26",
                            "rulename": "SUSP_Mimikatz_LogFile_Keywords",
                            "subscore": 75,
                            "tags": [
                                "SUSP",
                                "T1003",
                                "T1075",
                                "T1097",
                                "T1136",
                                "T1178"
                            ]
                        },
                        {
                            "matched": [
                                "Authentication Id :",
                                "SID               :",
                                "tspkg :",
                                "kerberos :",
                                "* Username :",
                                "credman :"
                            ],
                            "reason": "Detects a log file of password dumper mimikatz",
                            "ref": "-",
                            "ruledate": "2014-12-22",
                            "rulename": "Mimikatz_Log_Output",
                            "subscore": 70,
                            "tags": [
                                "APT",
                                "T1003",
                                "T1075",
                                "T1097",
                                "T1136",
                                "T1178"
                            ]
                        }
                    ]
                }
            ],
            [
                {
                    "level": "Warning",
                    "module": "Filescan",
                    "message": "Possibly Dangerous file found",
                    "score": 205,
                    "context": {
                        "ext": "",
                        "file": "./samples/test-mimi.txt",
                        "firstBytes": "6c6f676f6e70617373776f7264733a3a0a73656b / logonpasswords::\nsek",
                        "md5": "bf9d9616e86267d5d5ba48ad1161e2aa",
                        "sha1": "00d0289f25119fe4695e82aa09e18aa53b5606e2",
                        "sha256": "7579e064c44fb1782cf59485e7b812e72e30f1160d687e20976739d3f40cb748",
                        "size": 83,
                        "type": "UNKNOWN"
                    },
                    "matches": [
                        {
                            "matched": [
                                " -ma lsass.exe"
                            ],
                            "reason": "Detects commands often used in malicious scripts",
                            "ref": "https://twitter.com/SBousseaden/status/1272863752677965824",
                            "ruledate": "2020-06-16",
                            "rulename": "SUSP_LSASS_Memory_Dump_CmdLine_Jun20_2",
                            "subscore": 70,
                            "tags": [
                                "HKTL",
                                "SUSP",
                                "T1003",
                                "T1136"
                            ]
                        },
                        {
                            "matched": [
                                "-ma lsass.exe"
                            ],
                            "reason": "Procdump - Batch file invocation",
                            "ref": "-",
                            "ruledate": "2013-01-01",
                            "rulename": "HKTL_Procdump_BAT",
                            "subscore": 70,
                            "tags": [
                                "APT",
                                "HKTL",
                                "T1136"
                            ]
                        },
                        {
                            "matched": [
                                " -ma ",
                                " lsass.exe"
                            ],
                            "reason": "Detects suspicious post exploitation strings and command lines often used by attackers",
                            "ref": "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
                            "ruledate": "2019-08-28",
                            "rulename": "SUSP_PostExploitation_Cmds_Aug19_1",
                            "subscore": 65,
                            "tags": [
                                "SUSP",
                                "T1136"
                            ]
                        }
                    ]
                }
            ]
        ]
        ```
        
        ### Submit a List of Samples (Asynchronous)
        
        Submit samples in asnychronous mode, which has the advantage of faster samples submission and avoiding service overload but doesn't return a scan result to the submitting client. 
        
        ```python 
        from thunderstormAPI.thunderstorm import ThunderstormAPI
        
        SAMPLES = '/software/set1'
        samples = [path.join(SAMPLE_DIR, f) for f in listdir(SAMPLE_DIR)]
        
        thorapi = ThunderstormAPI(host='thunderstorm.local')
        
        thorapi.scan_multi(samples, asyn=True)
        ```
        
        ```json
        [
            {
                "file": "/software/set1/DVD Maker/sonicsptransform.ax",
                "id": 360715
            },
            {
                "file": "/software/set1/DVD Maker/directshowtap.ax",
                "id": 360711
            },
            {
                "file": "/software/set1/DVD Maker/bod_r.TTF",
                "id": 360716
            },
            {
                "file": "/software/set1/DVD Maker/rtstreamsink.ax",
                "id": 360717
            },
            {
                "file": "/software/set1/DVD Maker/rtstreamsource.ax",
                "id": 360709
            },
            {
                "file": "/software/set1/DVD Maker/PipeTran.dll",
                "id": 360708
            },
            {
                "file": "/software/set1/DVD Maker/soniccolorconverter.ax",
                "id": 360707
            },
            {
                "file": "/software/set1/DVD Maker/WMM2CLIP.dll",
                "id": 360714
            },
            {
                "file": "/software/set1/DVD Maker/DVDMaker.exe",
                "id": 360718
            },
            {
                "file": "/software/set1/DVD Maker/audiodepthconverter.ax",
                "id": 360706
            },
            {
                "file": "/software/set1/DVD Maker/Pipeline.dll",
                "id": 360713
            },
            {
                "file": "/software/set1/DVD Maker/offset.ax",
                "id": 360710
            },
            {
                "file": "/software/set1/DVD Maker/SecretST.TTF",
                "id": 360712
            },
            {
                "file": "/software/set1/DVD Maker/fieldswitch.ax",
                "id": 360705
            },
            {
                "file": "/software/set1/DVD Maker/Eurosti.TTF",
                "id": 360704
            }
        ]
        ```
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Requires-Python: ~=3.5
Description-Content-Type: text/markdown
