Commands¶
Index
Config Management Commands¶
config_add¶
Add a section or option to the config or change the existing value of something in the config. DON’T FORGET TO SAVE CHANGES!
positional (required) arguments:
section The section that will contain the specified option. Can be a
new section or existing
option The option name that is being set or updated. Can be a new
option or existing
value The value to be set
optional arguments:
-h, --help show this help message and exit
config_dump¶
Dump the config into a plaintext file in the threatshell directory. If the plaintext file is detected on the next run of threatshell, it will be loaded and the existing encrypted config file will be overwritten with the newly encrypted file
optional arguments:
-h, --help show this help message and exit
-s, --screen Dump the config to screen for viewing only
config_remove¶
Remove a section and/or option from the config
positional arguments:
section The section that will contain the specified option. Must be an
existing section
option The option name that is removed. Must be an existing option
optional arguments:
-h, --help show this help message and exit
config_save¶
Save all config changes. Even changes via a dumped config. Note that saving a modified dump file will require a restart of threatshell to take effect.
Tag Management Commands¶
add_tags¶
Add new tags to the current session
positional arguments:
tags One or more space delimited tags to be added
optional arguments:
-h, --help show this help message and exit
list_tags¶
List all of the tags for the current session
remove_tags¶
Remove one or more tags from the current session
positional arguments:
tags One or more space delimited tags to be added
optional arguments:
-h, --help show this help message and exit
-a, --all Remove all tags
Geo Location Commands¶
geo¶
Use MaxMind geolocation to find a given list of IPs and/or domains
positional arguments:
indicator(s) One or more IPs and/or domains (space delimited)
geo_asn¶
Use MaxMind geolocation to find the ASN information of a given domain or IP address
positional arguments:
indicator(s) One or more IPs and/or domains (space delimited)
geo_country¶
Use geolocation to find the country hosting a given domain name or IP address.
positional arguments:
target The target domain or IP to geolocate
optional arguments:
-h, --help show this help message and exit
-cc, --country_code Use country code instead of name
geo_update¶
Update (or install) the MaxMind geolocation database
OpenDNS Commands¶
Investigate API¶
odns_category¶
Look up category information for a given domain from OpenDNS
positional arguments:
indicator Specify the domain(s) to query for. Can be a space
delimited list of domains
optional arguments:
-h, --help show this help message and exit
-b, --use_batch Use the batch lookup rather than a request per domain
odns_co_occurs¶
Look up co-occurring domains for a given domain from OpenDNS
positional arguments:
indicator Specify the domain(s) to query for. Can be a space delimited
list of domains
optional arguments:
-h, --help show this help message and exit
odns_dns_info¶
Look up DNS info for a given domain or IP from OpenDNS
positional arguments:
indicator Specify the domain(s)/IP(s) to query for. Can be a
space delimited list of domains
optional arguments:
-h, --help show this help message and exit
-rt {a,ns,mx,txt,cname}, --record_type {a,ns,mx,txt,cname}
Specify the type of DNS record to look up info for
-irt {a,ns}, --ip_record_type {a,ns}
Specify the type of DNS records for IP lookup info
odns_mal_doms¶
Look up the latest malicious domains for a given IP address or a space delimited list of IP addresses
positional arguments:
indicator Specify the name server(s) to query for. Can be a space
delimited list of emails
optional arguments:
-h, --help show this help message and exit
odns_mal_index¶
Look up malicious status of domain from OpenDNS
positional arguments:
indicator Specify the domain(s) to query for. Can be a space
delimited list of domains
optional arguments:
-h, --help show this help message and exit
-b, --use_batch Use the batch lookup rather than a request per domain
odns_security_info¶
Look up OpenDNS secure graph security feature rankings
positional arguments:
indicator Specify the domain(s) to query for. Can be a space delimited
list of domains
optional arguments:
-h, --help show this help message and exit
odns_whois¶
Look up whois information for a given domain from OpenDNS
positional arguments:
indicator Specify the domain to query for
optional arguments:
-h, --help show this help message and exit
-t, --history Look up historical whois for the given domain
-l LIMIT, --limit LIMIT
Set the limit of history entries to be returned
odns_whois_email¶
Look up whois information from a given email or space delimited list of emails from OpenDNS
positional arguments:
indicator Specify the email(s) to query for. Can be a space
delimited list of emails
optional arguments:
-h, --help show this help message and exit
-l LIMIT, --limit LIMIT
Set the limit of entries to be returned
odns_whois_ns¶
Look up whois information from a given name server or space delimited list of name servers from OpenDNS
positional arguments:
indicator Specify the name server(s) to query for. Can be a
space delimited list of emails
optional arguments:
-h, --help show this help message and exit
-l LIMIT, --limit LIMIT
Set the limit of entries to be returned
PassiveTotal Commands¶
pt_account¶
Get information about your PassiveTotal account
pt_add_tags¶
Add tags to the associated query value
positional arguments:
query Add tags to this indicator
optional arguments:
-h, --help show this help message and exit
-t TAGS [TAGS ...], --tags TAGS [TAGS ...]
The tags to be added
pt_ahist¶
Get historical information about your PassiveTotal account
pt_check_ddns¶
Check PassiveTotal to see if domain is on dynamic DNS
positional arguments:
domains Domain(s) to check
optional arguments:
-h, --help show this help message and exit
pt_check_monitor¶
Check if you are monitoring a given domain/IP
positional arguments:
queries Domain(s) and/or IP(s) to check monitoring status of
optional arguments:
-h, --help show this help message and exit
pt_check_sinkhole¶
Check if the given IP is a sinkhole
positional arguments:
queries IP(s) to check sinkhole status of
optional arguments:
-h, --help show this help message and exit
pt_class¶
Get the PassiveTotal threat classification for a domain
positional arguments:
queries domain(s) to classify
optional arguments:
-h, --help show this help message and exit
pt_compromised¶
Check PassiveTotal to see if domain was ever compromised
positional arguments:
queries Domain(s) and/or IP(s) to check history of
optional arguments:
-h, --help show this help message and exit
pt_domain_enrich¶
Get domain enrichment metadata from PassiveTotal
positional arguments:
domains specify one or more domains to get enrichment for
optional arguments:
-h, --help show this help message and exit
pt_get_ssl_cert¶
Get the SSL certificate for the given sha1
positional arguments:
queries One or more sha1 hashes to get ssl certs for
optional arguments:
-h, --help show this help message and exit
pt_get_tags¶
Get tags for the associated query value
positional arguments:
query Get tags for this indicator
optional arguments:
-h, --help show this help message and exit
pt_host_components¶
Get detailed information about a host
positional arguments:
queries The domain(s) to get component information for
optional arguments:
-h, --help show this help message and exit
pt_host_trackers¶
Get tracking codes for a domain or IP
positional arguments:
queries The domain or IP to get tracking codes for
optional arguments:
-h, --help show this help message and exit
pt_ip_enrich¶
Get IP enrichment metadata from PassiveTotal
positional arguments:
ips specify one or more ips to get enrichment for
optional arguments:
-h, --help show this help message and exit
pt_malware_enrich¶
Get malware enrichment metadata from PassiveTotal
positional arguments:
query specify one or more ips to get enrichment for
optional arguments:
-h, --help show this help message and exit
pt_notifications¶
Get notifications posted to your PassiveTotal account
optional arguments:
-h, --help show this help message and exit
-t TYPE, --type TYPE Specify the notification type to retrieve
pt_org_info¶
Get information about your account’s organization
pt_org_teamstream¶
Get the teamstream for your account’s organization
optional arguments:
-h, --help show this help message and exit
-s {web,api}, --source {web,api}
Source of the action
-dt MM-DD-YYYY HH:MM:SS
Datetime to be used as a filter
-t TYPE, --type TYPE Type of tagstream event to retrieve. Choose from any
of the following: search, classify, tag, watch
-f FOCUS, --focus FOCUS
Specify a specific value that was used as the
focus of the tagstream
pt_osint_enrich¶
Get OSInt enrichment metadata from PassiveTotal
positional arguments:
query specify one or more indicators to get enrichment for
optional arguments:
-h, --help show this help message and exit
pt_pdns¶
Get passive DNS data from PassiveTotal
positional arguments:
domains One or more domains to query for
optional arguments:
-h, --help show this help message and exit
-d {next,previous}, --direction {next,previous}
Pagination direction
-p PAGE, --page PAGE Page ID to request
-s SOURCES [SOURCES ...], --sources SOURCES [SOURCES ...]
select one or more sources to process with
-b yyyy-mm-dd, --start yyyy-mm-dd
only show data starting on given date
-e yyyy-mm-dd, --end yyyy-mm-dd
only show data up to given date
pt_rm_tags¶
Remove tags for the associated query value
positional arguments:
query Add tags to this indicator
optional arguments:
-h, --help show this help message and exit
-t TAGS [TAGS ...], --tags TAGS [TAGS ...]
The tags to be removed
pt_search_ssl¶
Search SSL Cert fields for particular values
positional arguments:
query The value of the field to search with
optional arguments:
-h, --help show this help message and exit
-f FIELD, --field FIELD
The field to search. Valid choices are -
issuerSurname, subjectOrganizationName,
issuerCountry, issuerOrganizationUnitName,
fingerprint, subjectOrganizationUnitName,
serialNumber, subjectEmailAddress, subjectCountry,
issuerGivenName, subjectCommonName,
issuerCommonName, issuerStateOrProvinceName,
issuerProvince, subjectStateOrProvinceName,
sha1, sslVersion, subjectStreetAddress,
subjectSerialNumber, issuerOrganizationName,
subjectSurname, subjectLocalityName,
issuerStreetAddress, issuerLocalityName,
subjectGivenName, subjectProvince,
issuerSerialNumber, issuerEmailAddress
pt_search_tags¶
Search tags for the associated query value
positional arguments:
queries Add tags to this indicator
optional arguments:
-h, --help show this help message and exit
pt_set_class¶
Set the classification for a domain/IP
positional arguments:
query The domain or IP to classify
optional arguments:
-h, --help show this help message and exit
-c CLASS, --classification CLASS
Classification for the given indicator. Choose
from one of the following: malicious,
suspicious, non-malicious, unknown
pt_set_compromised¶
Set the compromised status for a domain/IP
positional arguments:
query The domain or IP to set compromised status for
optional arguments:
-h, --help show this help message and exit
-s STATUS, --status STATUS
Classification for the given indicator. Can be
true/false or t/f for short
pt_set_ddns¶
Set the dynamic DNS status for a domain
positional arguments:
query The domain to set dynamic DNS status for
optional arguments:
-h, --help show this help message and exit
-s STATUS, --status STATUS
Status for the given indicator. Can be true/false or
t/f for short
pt_set_monitor¶
Set the monitoring status for a domain/IP
positional arguments:
query The domain or IP to set monitor status for
optional arguments:
-h, --help show this help message and exit
-s STATUS, --status STATUS
Classification for the given indicator. Can be
true/false or t/f for short
pt_set_sinkhole¶
Set the sinkhole status for an IP
positional arguments:
query The IP to set sinkhole status for
optional arguments:
-h, --help show this help message and exit
-s STATUS, --status STATUS
Classification for the given indicator. Can be
true/false or t/f for short
pt_source_config¶
Get details and configurations for intel sources
positional arguments:
sources Name of intel source(s) to pull back (defaults to all)
optional arguments:
-h, --help show this help message and exit
pt_ssl_history¶
Get the SSL Cert history for a given IP or domain
positional arguments:
queries The domain or IP to get cert history for
optional arguments:
-h, --help show this help message and exit
pt_subdom_enrich¶
Get Subdomain enrichment metadata from PassiveTotal
positional arguments:
query specify one or more domains to get enrichment for
optional arguments:
-h, --help show this help message and exit
pt_tracker_search¶
Get hosts matching a specific tracking ID
positional arguments:
query The value to use for the search
optional arguments:
-h, --help show this help message and exit
--type TRACKER The type of tracker to use for the search. Allowed choices
are the following - YandexMetricaCounterId, ClickyId,
GoogleAnalyticsAccountNumber, GoogleAnalyticsTrackingId,
NewRelicId, MixpanelId
pt_unique_pdns¶
Get deduplicated passive DNS data from PassiveTotal
positional arguments:
domains One or more domains to query for
optional arguments:
-h, --help show this help message and exit
-d {next,previous}, --direction {next,previous}
Pagination direction
-p PAGE, --page PAGE Page ID to request
-s SOURCES [SOURCES ...], --sources SOURCES [SOURCES ...]
select one or more sources to process with
-b yyyy--mm-dd, --start yyyy-mm-dd
only show data starting on given date
-e yyyy-mm-dd, --end yyyy-mm-dd
only show data up to given date
pt_whois¶
Get whois data from PassiveTotal
positional arguments:
queries specify one or more domains/ips to get whois
data for
optional arguments:
-h, --help show this help message and exit
-c, --compact_record compress the whois record into deduplicated format
pt_whois_search¶
Search fields in Whois data from PassiveTotal
positional arguments:
queries specify one or more domains to get whois data for
optional arguments:
-h, --help show this help message and exit
-f FIELD, --field FIELD
Whois field to execute search on. Searchable fields
can any of the following: name, domain, email,
organization, address, phone, nameserver
ThreatQuotient Commands¶
tqadd¶
Add an indicator to ThreatQ
positional arguments:
indicator Specify the indicator to be added
optional arguments:
-h, --help show this help message and exit
-c, --class_type indicator class
choices: {network, host}
-t , --type indicator type
choices:
{
SHA-512, Email Address, String, Filepath, URL, SHA-256,
Email Attachment, URL Path, Email Subject, Fuzzy Hash,
Filename, SHA-384, IP Address, CIDR Block, Mutex, SHA-1,
Registry Key, FQDN, User-agent, X-Mailer, MD5
}
-s, --status indicator status
choices:
{
CSIRT_Review, FPC, Review, Active, Indirect, Expired, Non-malicious
}
tqcs¶
Change indicator status in ThreatQ
positional arguments:
indicator_id Specify the indicator ID to change the status of
optional arguments:
-h, --help show this help message and exit
--class_type {network,host}
indicator class
--status indicator status to set indicator to
choices:
{
CSIRT_Review, FPC, Review, Active, Indirect, Expired, Non-malicious
}
tq_search¶
Search ThreatQ for an indicator
positional arguments:
indicator Specify the indicator to query for
optional arguments:
-h, --help show this help message and exit
tqstatus¶
List available ThreatQ indicator statuses
tqtypes¶
List available ThreatQ indicator types
Shadow Server Commands¶
ss_asnum_prefix¶
Look up ASN prefix information for an ASN number from Shadow Server ASN
ss_asorigin¶
Look up ASN origin information about the given domain or IP from Shadow Server
positional arguments:
indicator Specify the domain(s)/IP(s) to query for. Can be a space
delimited list of domains and/or IPs
optional arguments:
-h, --help show this help message and exit
ss_aspeers¶
Look up ASN peer information about a given domain or IP from Shadow Server
positional arguments:
indicator Specify the domain(s)/IP(s) to query for. Can be a space
delimited list of domains and/or IPs
optional arguments:
-h, --help show this help message and exit
Cymru Commands¶
cymru_asinfo¶
Look up ASN information about a given domain or IP from Cymru
positional arguments:
indicator Specify the domain(s)/IP(s) to query for. Can be a space
delimited list of domains and/or IPs
optional arguments:
-h, --help show this help message and exit
cymru_asnum_info¶
Look up ASN information about a given ASN number from Cymru
positional arguments:
indicator Specify the number(s) to query for. Can be a space delimited
list of ASN numbers
optional arguments:
-h, --help show this help message and exit