andreia-oca/malware-investigation-pipeline
MIP - Malware Investigation Pipeline

MIP automates forensic analysis of compromised QCOW2 disk images extracted from honeypots. It extracts artifacts, validates potential Indicators of Compromise (IOCs), and publishes confirmed findings to MISP for threat intelligence sharing.

🛠️ Installation

Clone the repository and install dependencies:

git clone https://github.com/andreia-oca/malware_investigation_pipeline.git mip
cd mip
pip install -r requirements.txt

To make the mip command available system-wide, install in editable mode:

pip install -e .

Now you can run the tool as a standalone CLI tool:

mip --help

Setup API keys

Currently, MIP uses VirusTotal for IOC validation and MISP for threat intelligence sharing.

To enable them, you need to set the required API keys in the .env file:

VT_API_KEY=<your_virustotal_api_key>
MISP_API_KEY=<your_misp_api_key>
MISP_URL=<your_misp_instance_url>

🚀 Usage

To run an analysis session, execute the following commands:

# Check configs and snapshots for the pipeline execution
mip --dry-run --start 2025-08-15 --end 2025-08-20 --min-size-mb 100
# Run the pipeline
mip --action full --start 2025-08-15 --end 2025-08-20 --min-size-mb 100

After the pipeline finishes, check the events in MISP - they are prefixed with [GENERATED][HONEYPOT].

Other useful commands:

# Run the full pipeline (extract → triage → validate) with default settings
mip --snapshots /path/to/snapshots --action full

# Only extract artifacts
mip --snapshots /path/to/snapshots --action extract

# Triage extracted snapshots
mip --snapshots /path/to/snapshots --action triage

# Validate suspicious artifacts
mip --snapshots /path/to/snapshots --action validate

# Publish confirmed IOCs to MISP
mip --snapshots /path/to/snapshots --action publish

# Customize the minimum snapshot size (in MB)
mip --snapshots /path/to/snapshots --min-size-mb 100 --action full

# Filter snapshots by date range
mip --snapshots /path/to/snapshots --start 2025-05-01 --end 2025-05-30 --action full

# Check snapshots before executing the pipeline
mip --snapshots /path/to/snapshots --dry-run --start 2025-05-01 --end 2025-05-30
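The commands above select snapshots by date window and minimum size, then run the stages extract → triage → validate (→ publish) in order, with --dry-run reporting the plan without touching any image. The following added example is not MIP's own code; it models that selection and stage-ordering logic so the effect of each flag can be checked in isolation. It assumes that snapshot file names carry an ISO date such as honeypot-2025-08-15.qcow2 (an assumption, not the project's naming convention), and the inventory it scans is constructed inline.

```python
"""Added illustration of the snapshot selection and stage ordering behind
flags like --start/--end, --min-size-mb, --dry-run and --action.
Not MIP's code. Assumption: snapshot names embed an ISO date (YYYY-MM-DD)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from pathlib import Path
from typing import Callable, Iterable

DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")

# Stages in execution order; "full" expands to the first three, publish is explicit.
STAGES = ("extract", "triage", "validate", "publish")


@dataclass(frozen=True)
class Snapshot:
    path: str
    size_mb: float
    taken: date


def parse_snapshot(path: str, size_bytes: int) -> Snapshot | None:
    """Return a Snapshot when the file name carries a date, else None (ignored)."""
    m = DATE_RE.search(Path(path).name)
    if not m:
        return None
    return Snapshot(path, size_bytes / (1024 * 1024), date.fromisoformat(m.group(1)))


def select_snapshots(snapshots: Iterable[Snapshot], start: date | None,
                     end: date | None, min_size_mb: float) -> list[Snapshot]:
    """Apply the inclusive --start/--end window and the --min-size-mb threshold."""
    chosen = []
    for s in snapshots:
        if s.size_mb < min_size_mb:
            continue  # too small to be worth a full extraction pass
        if start is not None and s.taken < start:
            continue
        if end is not None and s.taken > end:
            continue
        chosen.append(s)
    return sorted(chosen, key=lambda s: s.taken)


def stages_for(action: str) -> tuple[str, ...]:
    """Expand an --action value into the ordered list of stages to run."""
    if action == "full":
        return STAGES[:3]  # extract -> triage -> validate
    if action not in STAGES:
        raise ValueError(f"unknown action {action!r}")
    return (action,)


def run(snapshots: Iterable[Snapshot], action: str, start: date | None = None,
        end: date | None = None, min_size_mb: float = 0.0, dry_run: bool = False,
        runner: Callable[[str, str], None] = lambda path, stage: None) -> list[tuple[str, str]]:
    """Return the (snapshot, stage) pairs executed, or merely planned under --dry-run."""
    plan = [(s.path, stage)
            for s in select_snapshots(snapshots, start, end, min_size_mb)
            for stage in stages_for(action)]
    if dry_run:
        return plan  # report only; no image is opened
    for path, stage in plan:
        runner(path, stage)
    return plan


# Constructed sample inventory (not real honeypot data): (file name, size in bytes)
SAMPLE_FILES = [
    ("honeypot-2025-08-14.qcow2", 300 * 1024 * 1024),  # before the window
    ("honeypot-2025-08-16.qcow2", 150 * 1024 * 1024),  # in window, large enough
    ("honeypot-2025-08-18.qcow2", 20 * 1024 * 1024),   # in window, below 100 MB
    ("honeypot-2025-08-20.qcow2", 500 * 1024 * 1024),  # on the end date: inclusive
    ("notes.txt", 4096),                               # no date: ignored
]


def demo(dry_run: bool = True) -> list[tuple[str, str]]:
    """Mirror `mip --action full --start 2025-08-15 --end 2025-08-20 --min-size-mb 100`."""
    snaps = [s for s in (parse_snapshot(p, n) for p, n in SAMPLE_FILES) if s is not None]
    return run(snaps, "full", date(2025, 8, 15), date(2025, 8, 20), 100, dry_run=dry_run)


if __name__ == "__main__":
    for path, stage in demo(dry_run=True):
        print(f"[dry-run] {stage:8s} {path}")
```

Running the dry-run variant first, as the usage section recommends, lets you confirm that the date window is inclusive at both ends and that undersized images are dropped before any stage touches a disk.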

Future work

  • Load-balance requests to VirusTotal to avoid hitting the rate limiter
  • Improve IOC extraction. Currently, only suspicious files created in or downloaded into the honeypot are extracted. The pipeline could be improved to also take command history and apache/nginx/network logs into account.

About

MIP - a malware investigation framework for extracting IOCs from honeypots