slash-31/gti-sample-scripts
GitHub: slash-31/gti-sample-scripts
Batch-extracts the full set of IOCs for a specified threat group via the VirusTotal API and writes them to a structured JSON file
Stars: 1 | Forks: 1
# VirusTotal IOC Extractor
A Python utility for extracting all IOCs (Indicators of Compromise) associated with a threat actor from the VirusTotal API.
## Overview
This script connects to the VirusTotal API and fetches all available IOCs (Files, IPs, URLs, and Domains) for a specified threat actor. It handles pagination to ensure all results are collected, even when they exceed the API's per-request limit of 40 items.
Key features:
- Extracts all types of IOCs (Files, IPs, URLs, and Domains)
- Handles pagination automatically to retrieve all available data
- Implements robust retry logic with exponential backoff for API failures
- Saves progress incrementally to prevent data loss
- Generates summary statistics for each IOC type
- Combines all results into a single, well-structured JSON file
## Requirements
- Python 3.6+
- `requests` library
- A valid VirusTotal API key
## Installation
1. Clone this repository:
```bash
git clone https://gitlab.com/your-username/virustotal-ioc-extractor.git
cd virustotal-ioc-extractor
```
2. Install the required dependencies:
```bash
pip install -r requirements.txt
```
## Usage
Basic usage:
```bash
python vt_ioc_extractor.py --api-key YOUR_API_KEY
```
### Command-line options
| Option | Description | Default |
|--------|-------------|---------|
| `--api-key` | Your VirusTotal API key (required) | None |
| `--threat-id` | UUID of the threat actor to analyze | 09b06892-9738-5c53-b704-368d5ac8dd62 |
| `--max-retries` | Maximum number of retry attempts for API calls | 5 |
| `--retry-delay` | Initial delay in seconds between retries (will increase exponentially) | 5 |
### Example
```bash
python vt_ioc_extractor.py --api-key abc123 --threat-id 09b06892-9738-5c53-b704-368d5ac8dd62 --max-retries 3
```
## Output
The script creates a directory named `output` and saves the collected data to a JSON file with the following structure:
```json
{
  "files": [ ... array of file IOCs ... ],
  "ips": [ ... array of IP IOCs ... ],
  "urls": [ ... array of URL IOCs ... ],
  "domains": [ ... array of domain IOCs ... ],
  "summary": {
    "files": 123,
    "ips": 45,
    "urls": 67,
    "domains": 89
  }
}
```
The file name has the form `threat-actor-{UUID}.json`.
## API rate limits
The VirusTotal API enforces rate limits that depend on your subscription tier. The script includes retry logic with exponential backoff to handle rate-limit responses. If you run into persistent rate-limit problems, consider:
- Increasing the `--retry-delay` value
- Using a Premium API key, if one is available to you
- Running the script during off-peak hours
## Error handling
The script implements several safeguards:
- API calls are retried with exponential backoff on transient failures
- Progress is saved after each entity type has been processed
- If execution fails midway, the script attempts to save partial results
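The three mechanisms the Overview, rate-limit and error-handling sections describe (cursor pagination past the 40-item page cap, exponential-backoff retry, and a checkpoint written after each entity type) fit together as shown below. This is an added example, not the repository's own `vt_ioc_extractor.py`. It assumes, beyond what the README states, that the relationship endpoints return pages shaped `{"data": [...], "meta": {"cursor": ...}}` and accept `limit` and `cursor` query parameters, which is the VirusTotal v3 pagination convention; the actual threat-actor endpoint paths are not given here. The HTTP layer is injected as a `get_json` callable, and `make_fake_api` is a constructed stand-in that serves synthetic pages and fails its first calls with a 429-style error, so the block runs offline.

```python
"""Added example (not the project's code): paginate, retry with backoff, checkpoint."""
import json
import time
from pathlib import Path

PAGE_LIMIT = 40                                   # README: per-request cap of 40 items
ENTITY_TYPES = ("files", "ips", "urls", "domains")


class TransientAPIError(Exception):
    """Raised by the transport for retryable conditions (HTTP 429, 5xx, timeouts)."""


def with_backoff(call, max_retries=5, retry_delay=5.0, sleep=time.sleep):
    """Run call() until it succeeds, sleeping retry_delay * 2**attempt between
    failures; re-raises the last TransientAPIError once max_retries is exhausted."""
    for attempt in range(max_retries + 1):
        try:
            return call()
        except TransientAPIError:
            if attempt == max_retries:
                raise
            sleep(retry_delay * (2 ** attempt))


def fetch_all(get_json, entity_type, max_retries=5, retry_delay=5.0, sleep=time.sleep):
    """Follow meta.cursor until the API stops returning one, collecting every
    object of one entity type. get_json(entity_type, params) is the transport
    (assumed page shape: {"data": [...], "meta": {"cursor": "..."}})."""
    items, cursor = [], None
    while True:
        params = {"limit": PAGE_LIMIT}
        if cursor:
            params["cursor"] = cursor
        page = with_backoff(lambda: get_json(entity_type, params),
                            max_retries, retry_delay, sleep)
        items.extend(page.get("data", []))
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return items


def extract_iocs(get_json, out_path, **kw):
    """Collect every entity type, rewriting the JSON file after each one so a
    crash mid-run still leaves the completed types (and summary) on disk."""
    out_path = Path(out_path)
    out_path.parent.mkdir(parents=True, exist_ok=True)
    result = {t: [] for t in ENTITY_TYPES}
    result["summary"] = {}
    try:
        for t in ENTITY_TYPES:
            result[t] = fetch_all(get_json, t, **kw)
            result["summary"][t] = len(result[t])
            out_path.write_text(json.dumps(result, indent=2))   # checkpoint
    except TransientAPIError:
        out_path.write_text(json.dumps(result, indent=2))       # partial result
        raise
    return result


def make_fake_api(pages_per_type, fail_first=1):
    """Constructed stand-in for the HTTP layer: serves pages_per_type pages of
    PAGE_LIMIT synthetic IDs per entity type and raises a 429-style error on the
    first fail_first calls so the backoff path is exercised. A real transport
    would do requests.get(url, headers={"x-apikey": key}, params=params) and raise
    TransientAPIError on 429/5xx."""
    state = {"calls": 0, "sleeps": []}

    def get_json(entity_type, params):
        state["calls"] += 1
        if state["calls"] <= fail_first:
            raise TransientAPIError("HTTP 429 rate limited")
        page_no = int(params.get("cursor") or 0)
        data = [{"type": entity_type, "id": f"{entity_type}-{page_no}-{i}"}
                for i in range(PAGE_LIMIT)]
        meta = {"cursor": str(page_no + 1)} if page_no + 1 < pages_per_type else {}
        return {"data": data, "meta": meta}

    return get_json, state


if __name__ == "__main__":
    api, state = make_fake_api(pages_per_type=3)
    res = extract_iocs(api, "output/threat-actor-EXAMPLE-UUID.json",
                       max_retries=3, retry_delay=0.01, sleep=state["sleeps"].append)
    print(res["summary"], "sleeps:", state["sleeps"])
```

Passing `sleep` in as a parameter is what makes the backoff schedule observable (and testable) without waiting: the fake run above records `[0.01]` for the single forced failure, while a real run would call `time.sleep` with 5, 10, 20 seconds and so on for the README's defaults.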
## Contributing
Contributions are welcome! Feel free to submit a Pull Request.
1. Fork this repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
## License
This project is licensed under the MIT License - see the LICENSE file for details.
## Acknowledgements
- [VirusTotal](https://www.virustotal.com/) for providing the API
- The [Requests](https://docs.python-requests.org/) library for simplifying HTTP requests
## Disclaimer
This tool is intended solely for legitimate security research and threat-intelligence purposes. Always comply with VirusTotal's terms of service when using the API.
Tags: API interaction, Ask search, DAST, ESC4, GitLab, Google Threat Intelligence, GTI, IOC extraction, IP addresses, JSON output, OSINT, Python, Python scripts, requests library, URL, VirusTotal, pagination handling, command and control, domains, threat intelligence, threat actors, developer tools, malware analysis, exponential backoff, indicator retrieval, digital forensics, data collection, file hashes, no backdoor, vulnerability probing, automation scripts, cybersecurity, reverse-engineering tools, retry mechanism