malware-exquacker

APACHE-2.0 License


🦆 🦆 malware-exquacker 🦆 🦆

Implementing a battling of malducks to stream malware captured by Elastic Endpoint into Elastic Cloud as extracted configuration data.

Our Inspiration

Malware can be 'fowl'
 But we can 'quack' its secrets
With our friend malduck

Our Goal

Build a solution that runs in a container, streams events from an Elasticsearch cluster holding the bytes captured from malware detected on the endpoint, processes those bytes with malduck into ECS-friendly output, and stores the result back in Elasticsearch (optionally in a different cluster).

Building

When you check out this repo, you need to check it out with the submodule. The submodule contains the Python modules used for detecting and extracting malware configuration data.

git clone --recurse-submodules https://github.com/elastic/malware-exquacker.git

Now that you have the repo cloned, we recommend building and running with Docker. You can do this in one step.

Build quietly and run:

docker run --rm -it $(docker build -q .) --help

Successful execution requires configuration, for instance the following .env file (passed to docker with --env-file). The API keys are secrets: keep the file out of version control, and scope the input key to read access on the input index and the output key to write access on the output index only.

INPUT_CLOUD_ID=security-cluster:id
INPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
INPUT_ELASTICSEARCH_INDEX=logs-endpoint.alerts-*
OUTPUT_CLOUD_ID=security-cluster:id
OUTPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX

Then, you can run like so (--help only prints the usage; drop it to start processing events):

docker run --rm -it --env-file .env $(docker build -q .) --help
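The stream, extract and index loop described under "Our Goal", together with a check of the .env configuration above, as an added example in Python. This is not the project's own code: the toy URL extractor stands in for the malduck extractor modules, the `sample.bytes` field path and the `malduck-config` output index are assumptions, and the Elasticsearch client and bulk calls are shown in comments rather than executed so the block runs offline on constructed input.

```python
"""Added example (not malware-exquacker's code): .env checking, ECS shaping and
the stream -> extract -> index loop, with a toy extractor standing in for malduck."""
import base64
import hashlib
import re
from datetime import datetime, timezone

REQUIRED_VARS = (
    "INPUT_CLOUD_ID", "INPUT_ELASTICSEARCH_APIKEY", "INPUT_ELASTICSEARCH_INDEX",
    "OUTPUT_CLOUD_ID", "OUTPUT_ELASTICSEARCH_APIKEY",
)

# Constructed .env text mirroring the README example (placeholder keys on purpose).
EXAMPLE_ENV = """
INPUT_CLOUD_ID=security-cluster:id
INPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
INPUT_ELASTICSEARCH_INDEX=logs-endpoint.alerts-*
OUTPUT_CLOUD_ID=security-cluster:id
OUTPUT_ELASTICSEARCH_APIKEY=XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX
"""


def parse_env(text):
    """Parse .env content (KEY=VALUE lines, # comments, blanks) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(env):
    """Names of required variables that are missing or still the XXXX placeholder."""
    return [n for n in REQUIRED_VARS if not env.get(n) or env[n].startswith("XXXX")]


def client_kwargs(env, prefix):
    """Keyword arguments for elasticsearch.Elasticsearch() for the INPUT or OUTPUT side.
    An 'id:secret' key from .env becomes a tuple, which the client base64-encodes for
    the ApiKey header; an already-encoded single token is passed through as a string."""
    key = env[f"{prefix}_ELASTICSEARCH_APIKEY"]
    api_key = tuple(key.split(":", 1)) if ":" in key else key
    return {"cloud_id": env[f"{prefix}_CLOUD_ID"], "api_key": api_key}


# Toy extractor: URL-looking strings in the sample bytes. Stand-in for malduck modules.
C2_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00'\"]*)?")


def toy_extract(sample):
    """Return a config dict, or None when the sample yields nothing (skip it downstream)."""
    urls = sorted({m.decode("ascii", "replace") for m in C2_RE.findall(sample)})
    return {"family": "toy", "urls": urls} if urls else None


def to_ecs(hit, extractor, now=None):
    """One input hit -> ECS-friendly enrichment document, or None if no config was found.
    The hit is assumed to carry the captured bytes base64-encoded under sample.bytes."""
    src = hit["_source"]
    sample = base64.b64decode(src["sample"]["bytes"])
    config = extractor(sample)
    if config is None:
        return None
    md5, sha256 = hashlib.md5(sample).hexdigest(), hashlib.sha256(sample).hexdigest()
    return {
        "@timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "event": {"kind": "enrichment", "category": ["malware"], "type": ["info"],
                  "dataset": "malduck.config"},
        "file": {"name": src.get("file", {}).get("name"), "size": len(sample),
                 "hash": {"md5": md5, "sha256": sha256}},
        "related": {"hash": [md5, sha256]},
        "threat": {"software": {"name": config["family"]}},
        "malduck": {"config": config},  # custom (non-ECS) field for the raw extractor output
    }


def process_hits(hits, extractor, output_index="malduck-config", now=None):
    """Build elasticsearch.helpers.bulk() actions for every hit that yields a config.
    Reusing the source _id keeps re-runs idempotent.  Real wiring would be:
      hits = helpers.scan(Elasticsearch(**client_kwargs(env, "INPUT")),
                          index=env["INPUT_ELASTICSEARCH_INDEX"], query={...})
      helpers.bulk(Elasticsearch(**client_kwargs(env, "OUTPUT")), process_hits(hits, ...))"""
    actions = []
    for hit in hits:
        doc = to_ecs(hit, extractor, now)
        if doc is not None:
            actions.append({"_index": output_index, "_id": hit["_id"], "_source": doc})
    return actions


# Constructed input hits, not real endpoint alerts.
SAMPLE_HITS = [
    {"_id": "alert-1", "_source": {"file": {"name": "dropper.exe"}, "sample": {"bytes":
        base64.b64encode(b"MZ\x90\x00junk http://c2.example.net:8443/gate.php\x00more").decode()}}},
    {"_id": "alert-2", "_source": {"file": {"name": "benign.bin"}, "sample": {"bytes":
        base64.b64encode(b"no config in here").decode()}}},
]

if __name__ == "__main__":
    env = parse_env(EXAMPLE_ENV)
    print("placeholders still set:", check_env(env))
    for action in process_hits(SAMPLE_HITS, toy_extract):
        print(action["_id"], action["_source"]["malduck"]["config"])
```

Hits whose extractor returns None are dropped rather than indexed as empty documents, so the output index only ever holds samples with a recovered configuration; the source `_id` is reused so re-streaming the same alerts overwrites rather than duplicates.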

TODO

  • Build and publish docker container for config extractor
  • In entrypoint, update modules by env var, if set