{"id":46931,"date":"2022-06-01T18:00:00","date_gmt":"2022-06-01T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=115350"},"modified":"2022-06-01T18:00:00","modified_gmt":"2022-06-01T18:00:00","slug":"using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/","title":{"rendered":"Using Python to unearth a goldmine of threat intelligence from leaked chat logs"},"content":{"rendered":"<p>Dealing with large amounts of data is time consuming, so Python can be a powerful aid for analysts who need to sort information and extract the most relevant data for their investigation. The open-source library <a href=\"https:\/\/github.com\/microsoft\/msticpy\">MSTICPy<\/a>, for example, is a Python toolkit dedicated to threat intelligence. It aims to help threat analysts acquire, enrich, analyze, and visualize data.<\/p>\n<p>This blog provides a workflow for deeper data analysis and visualization using Python, as well as for extraction and analysis of indicators of compromise (IOCs) using MSTICPy. Data sets from the February 2022 leak of data from the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">ransomware-as-a-service (RaaS)<\/a> coordinated operation called \u201cConti\u201d are used as the case study.<\/p>\n<p>An <a href=\"https:\/\/github.com\/microsoft\/msticpy\/blob\/main\/docs\/notebooks\/ContiLeaksAnalysis.ipynb\" target=\"_blank\" rel=\"noreferrer noopener\">interactive Jupyter notebook<\/a> with related data is also available for analysts interested in further data exploration.<\/p>\n<p>This research aims to provide a view into a research methodology that may help other analysts apply Python to threat intelligence. 
Analysts can reuse the code and continue to explore the extracted information. Additionally, it offers an out-of-the-box methodology for analyzing chat logs, extracting IOCs, and improving the threat intelligence and defense process using Python.<\/p>\n<h2 id=\"python\">Using Python to analyze the Conti network<\/h2>\n<p>On February 28, 2022, a Twitter account named @ContiLeaks (allegedly a Ukrainian researcher) began posting leaked Conti data on Twitter. The leaked data sets, which were posted over a span of several months, consisted of chat logs, source code, and backend applications.<\/p>\n<p>For this research, we focused our analysis on the chat logs, which revealed crucial information about the Conti group\u2019s operating methods, infrastructure, and organizational structure.<\/p>\n<h3>Compiling and translating chat logs<\/h3>\n<p>The leaked chat logs are written in the Russian language. To make the analysis more accessible, we adopted the methodology <a href=\"https:\/\/medium.com\/@arnozobec\/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b\">published here<\/a> and translated the logs to English.<\/p>\n<p>The chat logs revealed that the Conti group uses the messaging application Jabber to communicate among members. Since raw Jabber logs are saved as one file per day, they can be compiled into a single JSON file that is easy to manipulate with Python. Once the data is merged, it can be translated using the deep-translator library. 
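<p>The compile step above, as an added example that is not code from the original post: it merges per-day JSON exports into one file, drops records duplicated across overlapping exports, and applies a slang dictionary of the kind described in the next section using word-boundary matching, so a short term cannot rewrite the inside of a longer word. The export layout (ts, from, to, body), the sample messages and the two slang entries are assumptions; translation itself is left to deep-translator and is not repeated here.<\/p>

```python
"""Compile per-day Jabber exports into one JSON file and fix untranslated slang.

Added example; this is not code from the original post or from MSTICPy. It
assumes each daily export is a JSON array of objects with "ts", "from", "to"
and "body" keys (an assumption about the dump format) and that "body" has
already been machine-translated, so the slang pass only rewrites words the
translator left alone.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

OUT_NAME = "translated_Log2.json"

# Constructed sample of two daily exports. The second file repeats one record
# from the first, which happens when exports overlap at midnight.
SAMPLE_DAYS = {
    "2021-08-27.json": [
        {"ts": "2021-08-27T09:12:00", "from": "stern", "to": "mango", "body": "need the pentest logs"},
        {"ts": "2021-08-27T09:15:00", "from": "mango", "to": "stern", "body": "ok, sending zver now"},
    ],
    "2021-08-28.json": [
        {"ts": "2021-08-28T10:01:00", "from": "bio", "to": "driver", "body": "loader is ready, lokery next"},
        {"ts": "2021-08-27T09:15:00", "from": "mango", "to": "stern", "body": "ok, sending zver now"},
    ],
}

# Hypothetical slang map (keys lower-case); the post builds a larger one from a
# community list. Transliterated words the translator left untouched map to
# the English reading an analyst wants to see.
SLANG = {"zver": "beast", "lokery": "lockers"}


def compile_logs(log_dir: Path) -> list[dict]:
    """Read every daily *.json file in name order into one chronologically sorted list.

    Each record is tagged with its source file, and exact duplicates (same
    ts/from/to/body) are dropped so overlapping exports do not inflate counts.
    """
    seen = set()
    merged = []
    for path in sorted(log_dir.glob("*.json")):
        if path.name == OUT_NAME:  # never read our own output back in
            continue
        with path.open(encoding="utf-8") as fh:
            for rec in json.load(fh):
                key = (rec["ts"], rec["from"], rec["to"], rec["body"])
                if key in seen:
                    continue
                seen.add(key)
                merged.append({**rec, "source_file": path.name})
    merged.sort(key=lambda r: r["ts"])
    return merged


def build_slang_pattern(slang: dict[str, str]) -> re.Pattern:
    """One alternation with word boundaries, longest term first.

    Word boundaries stop "zver" from rewriting the inside of "zverev";
    re.escape keeps any punctuation in a term from acting as regex syntax.
    """
    terms = sorted(slang, key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)


def apply_slang(records: list[dict], slang: dict[str, str]) -> list[dict]:
    """Add a body_fixed field with slang terms replaced; the original body is kept."""
    pat = build_slang_pattern(slang)
    return [
        {**rec, "body_fixed": pat.sub(lambda m: slang[m.group(1).lower()], rec["body"])}
        for rec in records
    ]


def run_pipeline(log_dir: Path | None = None) -> list[dict]:
    """Merge, normalise and write translated_Log2.json next to the inputs; returns the records."""
    if log_dir is None:  # demo mode: materialise the constructed sample on disk
        log_dir = Path(tempfile.mkdtemp())
        for name, rows in SAMPLE_DAYS.items():
            (log_dir / name).write_text(json.dumps(rows, ensure_ascii=False), encoding="utf-8")
    records = apply_slang(compile_logs(log_dir), SLANG)
    (log_dir / OUT_NAME).write_text(json.dumps(records, ensure_ascii=False, indent=1), encoding="utf-8")
    return records


if __name__ == "__main__":
    for r in run_pipeline():
        print(r["ts"], r["from"], "->", r["to"], "|", r["body_fixed"])
```

The output file keeps both body and body_fixed, so a reviewer can always compare the corrected text with what the translator produced.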
After the logs are translated and saved to a new file, the data can be loaded into a dataframe for manipulation and exploration:<\/p>\n<pre class=\"wp-block-preformatted\">import codecs\nimport pandas as pd\n\n# Load the merged, translated log into a dataframe\ndf = pd.read_json(codecs.open('translated_Log2.json', 'r', 'utf-8'))<\/pre>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"265\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-1-translated-logs.png\" alt=\"A screenshot of a table of chat messages translated from Russian to English. The table includes details of when the message was sent, who it was from, to whom it was sent, the original text in Russian, and the translated English version.\" class=\"wp-image-115356\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-1-translated-logs.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-1-translated-logs-300x99.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-1-translated-logs-768x254.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 1. Translated logs<\/figcaption><\/figure>\n<p>Russian slang words not properly translated by the automated process can be translated by creating a dictionary. A dictionary based on a list proposed <a href=\"https:\/\/twitter.com\/seadev3\/status\/1498783071969099777?s=20&amp;t=Z2KJgYrjiUMCQ5Phif3ZbA\">here<\/a> was used in this case to correctly translate the slang:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"320\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/06\/fig-2-translating-slang.png\" alt=\"A screenshot of Python code that creates a dictionary which can be used to translate Russian slang words. 
It features a list of Russian slang words and their English translation.\" class=\"wp-image-115494\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/06\/fig-2-translating-slang.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/06\/fig-2-translating-slang-300x120.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/06\/fig-2-translating-slang-768x307.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 2. Translating slang<\/figcaption><\/figure>\n<h3>Analyzing the chat activity timeline<\/h3>\n<p>One way to get insights from chat logs is to see its timeline and check the number of discussions per day. The <a href=\"https:\/\/bokeh.org\/\">Bokeh<\/a> library can be used to build an interactive diagram and explore the loaded dataframe.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"662\" height=\"731\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-3-python-code-for-exploring-discussions.png\" alt=\"A screenshot of Python code for exploring data using the Bokeh library. It shows code for filtering results, creating diagrams, and adding hover tools.\" class=\"wp-image-115362\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-3-python-code-for-exploring-discussions.png 662w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-3-python-code-for-exploring-discussions-272x300.png 272w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\"><figcaption>Figure 3. 
Python code for exploring discussions<\/figcaption><\/figure>\n<p>Using the data from Conti chat logs generates the following diagram, which shows the volume of Jabber discussions over time:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"437\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-4-volume-of-discussions-over-time.png\" alt=\"A line graph that shows a volume of discussions within the Conti group from March 2021 to March 2022. The data shows several peaks in activity, mostly concentrated from September to December 2021.\" class=\"wp-image-115365\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-4-volume-of-discussions-over-time.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-4-volume-of-discussions-over-time-300x164.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-4-volume-of-discussions-over-time-768x420.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 4. Volume of discussions over time<\/figcaption><\/figure>\n<p>Visualizing the data as a timeline shows some peaks of activity that align to certain events. 
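<p>The per-day volume behind that timeline, as an added example (not code from the original post) that uses only the standard library: it zero-fills quiet days and flags peaks as days more than two standard deviations above the mean, a heuristic added here so spikes of the kind the post lists by hand can be found programmatically. The ISO-8601 ts field and the sample records are assumptions.<\/p>

```python
"""Messages-per-day timeline and automatic peak detection for a merged chat log.

Added example, not code from the original post. The daily counts are what the
Bokeh plot in the post draws; the peak rule (days more than k standard
deviations above the mean, with empty days counted as zero) is an added
heuristic. Records are assumed to carry an ISO-8601 "ts" field.
"""
from __future__ import annotations

import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: six quiet days (3 messages each), a day with no traffic,
# then a 30-message burst.
SAMPLE = [
    {"ts": f"2021-08-{day:02d}T10:{minute:02d}:00", "from": "a", "to": "b", "body": "x"}
    for day in range(20, 26)
    for minute in range(3)
] + [
    {"ts": f"2021-08-27T09:{minute:02d}:00", "from": "stern", "to": "mango", "body": "playbook"}
    for minute in range(30)
]


def daily_counts(records: list[dict]) -> dict[str, int]:
    """ISO date -> message count for every day in the span, zero-filled.

    Filling the gaps matters: a plot over sparse dates hides quiet periods,
    and a peak rule computed only over busy days overstates the baseline.
    """
    counts = Counter(datetime.fromisoformat(r["ts"]).date() for r in records)
    first, last = min(counts), max(counts)
    return {
        (first + timedelta(days=i)).isoformat(): counts.get(first + timedelta(days=i), 0)
        for i in range((last - first).days + 1)
    }


def peak_days(counts: dict[str, int], k: float = 2.0) -> list[tuple[str, int]]:
    """Days whose count exceeds mean + k * population stdev, in date order."""
    values = list(counts.values())
    if len(values) < 2:
        return []
    threshold = statistics.fmean(values) + k * statistics.pstdev(values)
    return [(d, n) for d, n in sorted(counts.items()) if n > threshold]


def busiest_days(counts: dict[str, int], n: int = 5) -> list[tuple[str, int]]:
    """Top-n days by volume, the list an analyst cross-references with public events."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    c = daily_counts(SAMPLE)
    print("peaks:", peak_days(c))
    print("busiest:", busiest_days(c, 3))
```

The dict returned by daily_counts is what a plotting library such as Bokeh would take as its x and y series; the threshold is deliberately simple, and k should be raised on very bursty logs.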
For the Conti leaks, the peaks align with the following events:<\/p>\n<ul>\n<li>July 7, 2021 (615 discussions): Ransomware attack by REvil against software company Kaseya<\/li>\n<li>August 10, 2021 (853 discussions): Ransomware attack by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cookware-giant-meyer-discloses-cyberattack-that-impacted-employees\/\">Conti against Meyer Corporation<\/a><\/li>\n<li>August 27, 2021 (1,289 discussions): The playbook of a specific Conti affiliate was leaked<\/li>\n<li>August 31, 2021 (1,156 discussions): FBI and CISA advisory on <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2021\/08\/31\/fbi-cisa-advisory-ransomware-awareness-holidays-and-weekends\">ransomware awareness for the Labor Day holiday<\/a><\/li>\n<\/ul>\n<p>It\u2019s interesting that no peak in chat activity was observed within the Conti group after the first @ContiLeaks posts in late February 2022, which could indicate that the breach was ignored or not known by the group at that time.<\/p>\n<h3>Analyzing the level of user activity<\/h3>\n<p>When analyzing chat logs, identifying the number of users and analyzing the most active ones can provide insight into the size of the group and the roles of users within it. Using Python, the list of users can be extracted and saved in a text file:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"228\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-5-extracting-list-of-users.png\" alt=\"A screenshot of Python code that extracts the list of users from the Conti chat logs. It also shows code to remove duplicates from the list, concatenate the dataframe, and save the list to a text file. 
\" class=\"wp-image-115368\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-5-extracting-list-of-users.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-5-extracting-list-of-users-300x104.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 5. Extracting list of users<\/figcaption><\/figure>\n<p>Running the script above using the Conti chat logs yielded a list of 346 unique accounts. This list can then be used to create a graph and show which users sent the most messages.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"661\" height=\"60\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-6-creating-a-graph-for-users-with-most-messages.png\" alt=\"A screenshot of Python code that creates a graph to show the list of users from the Conti chat logs with the most messages.\" class=\"wp-image-115371\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-6-creating-a-graph-for-users-with-most-messages.png 661w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-6-creating-a-graph-for-users-with-most-messages-300x27.png 300w\" sizes=\"auto, (max-width: 661px) 100vw, 661px\"><figcaption>Figure 6. Creating a graph for users with most messages<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"433\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-7-most-active-users-in-the-Conti-chat-logs.png\" alt=\"A bar chart that compares the users from the Conti chat logs based on the number of messages they sent. The chart shows that the most active user sent more than eight thousand messages. 
\" class=\"wp-image-115374\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-7-most-active-users-in-the-Conti-chat-logs.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-7-most-active-users-in-the-Conti-chat-logs-300x162.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-7-most-active-users-in-the-Conti-chat-logs-768x416.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 7. Most active users in the Conti chat logs<\/figcaption><\/figure>\n<p>Based on the graph, the users named <em>defender<\/em>, <em>stern<\/em>, <em>driver<\/em>, <em>bio<\/em>, and <em>mango<\/em> sent the largest number of messages. <a href=\"https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/\">Check Point<\/a> published extensive research on the structure of the organization and correlated the user discussions with several roles and services like human resources, coders, crypters, offensive team, SysAdmins, and more.<\/p>\n<h3>Mapping the users\u2019 connections<\/h3>\n<p>Another way to analyze chat log data is to visualize the users\u2019 connections. This can be done by creating a dynamic network graph that can highlight the connections between users. 
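<p>The three derived data sets of this section (unique users, most active senders, and the user connection graph), as an added example that is not the code shown in the figures: it uses only the standard library and produces the weighted edge list a graph library such as Pyvis would lay out. The from and to fields and the sample messages are assumptions.<\/p>

```python
"""Unique users, most-active ranking and the user-to-user connection graph.

Added example, not code from the original post. With only the standard
library it produces the three things the post derives from the chat log: the
unique account list, the "most messages sent" ranking, and the weighted edge
list a network-graph library such as Pyvis would draw (one edge per pair of
users, weight = messages in either direction). Records are assumed to have
"from" and "to" fields.
"""
from __future__ import annotations

from collections import Counter

# Constructed sample of who messaged whom.
SAMPLE = [
    {"from": "stern", "to": "mango"}, {"from": "stern", "to": "mango"}, {"from": "stern", "to": "mango"},
    {"from": "mango", "to": "stern"},
    {"from": "stern", "to": "bio"}, {"from": "stern", "to": "bio"},
    {"from": "defender", "to": "stern"},
    {"from": "bio", "to": "driver"},
    {"from": "stern", "to": "stern"},  # note-to-self: counts as a message, not as an edge
]


def unique_users(records: list[dict]) -> list[str]:
    """Every account seen as sender or recipient, sorted (the post saves this list to a file)."""
    return sorted({r["from"] for r in records} | {r["to"] for r in records})


def most_active(records: list[dict], n: int = 5) -> list[tuple[str, int]]:
    """(user, messages sent) for the n busiest senders; ties keep first-seen order."""
    return Counter(r["from"] for r in records).most_common(n)


def connection_graph(records: list[dict]) -> dict[frozenset, int]:
    """Undirected weighted edges keyed by the unordered user pair."""
    edges = Counter()
    for r in records:
        if r["from"] != r["to"]:
            edges[frozenset((r["from"], r["to"]))] += 1
    return dict(edges)


def neighbours(graph: dict[frozenset, int], user: str) -> list[tuple[str, int]]:
    """Who a user talked to, heaviest edge first: what the hover tool shows."""
    out = [(next(iter(pair - {user})), w) for pair, w in graph.items() if user in pair]
    return sorted(out, key=lambda t: (-t[1], t[0]))


def edge_list(graph: dict[frozenset, int]) -> list[tuple[str, str, int]]:
    """(a, b, weight) triples with a < b, ready for net.add_edge(a, b, value=weight)."""
    return sorted((min(p), max(p), w) for p, w in graph.items())


if __name__ == "__main__":
    g = connection_graph(SAMPLE)
    print(unique_users(SAMPLE))
    print(most_active(SAMPLE, 3))
    print(neighbours(g, "stern"))
    print(edge_list(g))
```

Node size in the rendered graph can be taken from most_active and edge thickness from the weight in edge_list, which is what makes the core operators stand out visually.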
The <a href=\"https:\/\/en.wikipedia.org\/wiki\/Barnes%E2%80%93Hut_simulation\">Barnes-Hut algorithm<\/a> (the force-directed layout used by Pyvis) and the Pyvis library can be used to visualize this data.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"568\" height=\"788\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-8-creation-of-a-dynamic-graph.png\" alt=\"A screenshot of Python code that creates a dynamic network graph of the Conti chat log data using the Barnes-Hut algorithm and Pyvis library.\" class=\"wp-image-115377\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-8-creation-of-a-dynamic-graph.png 568w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-8-creation-of-a-dynamic-graph-216x300.png 216w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\"><figcaption>Figure 8. Creation of a dynamic graph<\/figcaption><\/figure>\n<p>Dynamic visualization shows a graphical overview of the network and allows zooming into the network to closely analyze the connections within. Bigger points represent the most active users, and it\u2019s possible to highlight a user to analyze their connections. Additionally, the hover tool shows which other users a specific user had conversations with.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"621\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-9-Conti-user-network-overview.png\" alt=\"A screenshot of a dynamic visualization showing a graphical overview of the Conti network. 
It shows users as points in the graph, all connected by lines that represent conversations between them.\" class=\"wp-image-115380\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-9-Conti-user-network-overview.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-9-Conti-user-network-overview-300x233.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-9-Conti-user-network-overview-768x596.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 9. Conti user network overview<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"269\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-10-connections-to-user-Stern.png\" alt=\"A screenshot of a list of connections to the user named &quot;Stern&quot; from the Conti network. The graphical overview of the entire Conti network is shown on the background of the list. \" class=\"wp-image-115383\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-10-connections-to-user-Stern.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-10-connections-to-user-Stern-300x101.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-10-connections-to-user-Stern-768x258.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 10. Connections to user \u2018Stern\u2019<\/figcaption><\/figure>\n<h3>Searching for other topics of interest<\/h3>\n<p>Since reading data sets can be time-consuming, a simple search engine can be built to search for specific strings in the chat logs or to filter for topics of interest. 
For the Conti leak data, examples of these include Bitcoin, usernames, malware names, exploits, and CVEs, to name a few.<\/p>\n<p>The following code snippet provides a simple search engine using the <a href=\"https:\/\/github.com\/kootenpv\/textsearch\">TextSearch library<\/a>:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"532\" height=\"789\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-11-search-engine-using-Python.png\" alt=\"A screenshot of Python code that creates a search engine using the TextSearch library from Github. The code presents configuration options for the search engine widget and filters for search results.\" class=\"wp-image-115386\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-11-search-engine-using-Python.png 532w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-11-search-engine-using-Python-202x300.png 202w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\"><figcaption>Figure 11. Search engine using Python<\/figcaption><\/figure>\n<h2 id=\"msticpy\">Using MSTICPy to extract and analyze IOCs<\/h2>\n<p>Besides processing chat logs to analyze user activity and connections, Python can also be used to extract and analyze threat intelligence. This section shows how the MSTICPy library can be used to extract IOCs and how it can be used for additional threat hunting and intelligence.<\/p>\n<h3>Extracting IOCs<\/h3>\n<p>MSTICPy is a Python library used for threat investigation and threat hunting. The library can connect to several threat intelligence providers, as well as Microsoft tools like Microsoft Sentinel. It can be used to query logs and to enrich data. It\u2019s particularly convenient for analyzing IOCs and adding more threat contextualization.<\/p>\n<p>After installing MSTICPy, the first thing to do is to initialize the notebook. 
This allows the loading of several modules that can be used to extract and enrich the data. External resources like VirusTotal or OTX can also be added by configuring <em>msticpyconfig.yaml<\/em> and adding the API keys. <\/p>\n<p>The IoCExtract module from MSTICPy offers a convenient way to extract IOCs using predefined regex. The code automatically extracts IOCs such as DNS, URLs, IP addresses, and hashes and then reports them in a new dataframe.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"598\" height=\"168\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-12-Passing-the-dataframe-to-the-module-for-extraction.png\" alt=\"A screenshot of Python code that prepares the dataframe for IOC extraction. It presents code to remove &quot;None&quot; value from the dataframe, as well as to initiate the IOC extractor.\" class=\"wp-image-115389\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-12-Passing-the-dataframe-to-the-module-for-extraction.png 598w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-12-Passing-the-dataframe-to-the-module-for-extraction-300x84.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\"><figcaption>Figure 12. Passing the dataframe to the module for extraction<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"340\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-13-sample-of-extracted-IOCs.png\" alt=\"A screenshot of a sample table listing down IOC patterns found in the Conti chat logs. 
It includes the following data fields: IOC type, observable, source index, and input.\" class=\"wp-image-115392\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-13-sample-of-extracted-IOCs.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-13-sample-of-extracted-IOCs-300x128.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-13-sample-of-extracted-IOCs-768x326.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 13. Sample of extracted IOCs<\/figcaption><\/figure>\n<p>A custom regex can be added for IOC types that the extraction module does not cover by default. For example, the regex below extracts Bitcoin addresses from the Conti chat logs:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"598\" height=\"282\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-14-extracting-bitcoin-addresses-and-adding-regex.png\" alt=\"A screenshot of Python code that adds a regex in the IOCExtract module of MSTICPy. This specific regex extracts Bitcoin addresses from the Conti chat logs.\" class=\"wp-image-115395\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-14-extracting-bitcoin-addresses-and-adding-regex.png 598w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-14-extracting-bitcoin-addresses-and-adding-regex-300x141.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\"><figcaption>Figure 14. 
Extracting Bitcoin addresses and adding regex<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"368\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses.png\" alt=\"A screenshot of a table showing the Bitcoin addresses extracted from the Conti chat logs. The table includes the following data fields: IOCtype, observable, source index, and input.\" class=\"wp-image-115398\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses-300x138.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses-768x353.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses-539x249.png 539w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-15-sample-of-extracted-Bitcoin-addresses-465x215.png 465w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 15. Sample of extracted Bitcoin addresses<\/figcaption><\/figure>\n<p>After extracting IOCs, the dataframe can be cleaned to remove false positives as well as duplicate data. 
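<p>The extraction and cleaning steps above, as an added example that is not MSTICPy code: it mirrors the IoCExtract output shape (IoCType, Observable, SourceIndex, Input) with one regex per type, adds the Bitcoin pattern, and then removes the two kinds of noise an analyst meets first, non-routable IPv4 addresses and Base58 look-alikes that fail the Bitcoin checksum, before deduplicating. The sample messages, the short TLD allow-list in the domain regex, and the non-routable range list are assumptions.<\/p>

```python
"""Regex IOC extraction with Bitcoin checksum validation and false-positive cleanup.

Added example; this is not MSTICPy code. It re-implements the IoCExtract idea
(one regex per IOC type, every hit tagged with the record it came from) with
the standard library, adds the Bitcoin pattern the post layers on top, and then
shows the cleaning step the post mentions. Assumptions: records carry a "body"
field; the domain regex uses a short TLD allow-list as a stand-in for the full
list a real extractor ships; legacy 1.../3... Bitcoin addresses are checked
against their Base58Check checksum so random Base58-looking strings are dropped.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from collections import Counter

PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "dns": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:com|net|org|ru|io|onion|top|xyz)\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),      # \b keeps it off the inside of a SHA-256
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "btc": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"),  # Base58 legacy or bech32
}
# Assumed noise list: RFC 1918, loopback, link-local, multicast and "this" network.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample chat bodies (203.0.113.0/24 is a documentation range).
SAMPLE = [
    {"body": "payload at http://evil-host.ru/load.exe, md5 D41D8CD98F00B204E9800998ECF8427E."},
    {"body": "lab box is 10.0.0.5, target 203.0.113.7 and http://evil-host.ru/load.exe again"},
    {"body": "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"},
    {"body": "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 d41d8cd98f00b204e9800998ecf8427e"},
]


def base58check_ok(addr: str) -> bool:
    """True when a legacy address decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_iocs(records: list[dict]) -> list[dict]:
    """One row per (IoCType, Observable, SourceIndex, Input), like the IoCExtract dataframe."""
    rows = []
    for idx, rec in enumerate(records):
        text = rec["body"]
        for ioc_type, pat in PATTERNS.items():
            for m in pat.finditer(text):
                obs = m.group(0).rstrip(".,;)") if ioc_type == "url" else m.group(0)  # trailing prose punctuation
                rows.append({"IoCType": ioc_type, "Observable": obs, "SourceIndex": idx, "Input": text})
    return rows


def clean_iocs(rows: list[dict]) -> list[dict]:
    """Drop false positives, normalise, then keep one row per (type, observable)."""
    seen, out = set(), []
    for r in rows:
        t, obs = r["IoCType"], r["Observable"]
        if t == "ipv4" and any(ipaddress.ip_address(obs) in net for net in NON_ROUTABLE):
            continue                    # lab addresses quoted in chat, not infrastructure
        if t == "btc" and obs[0] in "13" and not base58check_ok(obs):
            continue                    # looks like Base58 but the checksum fails
        if t in ("md5", "sha256"):
            obs = obs.lower()           # so case variants of one hash collapse
        if (t, obs) in seen:
            continue
        seen.add((t, obs))
        out.append({**r, "Observable": obs})
    return out


def counts_by_type(rows: list[dict]) -> dict[str, int]:
    """The per-type totals the post tabulates."""
    return dict(Counter(r["IoCType"] for r in rows))


if __name__ == "__main__":
    raw = extract_iocs(SAMPLE)
    cleaned = clean_iocs(raw)
    print(len(raw), "raw ->", len(cleaned), "cleaned:", counts_by_type(cleaned))
    for r in cleaned:
        print(r["IoCType"], r["Observable"], "from record", r["SourceIndex"])
```

Base58Check validation only removes strings that merely look like addresses; it says nothing about whether a valid address belongs to the group, and bech32 (bc1...) addresses are matched here but not checksum-validated. Keeping SourceIndex on every row is what lets the analyst go back to the conversation an indicator came from.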
The final dataframe from the processed Conti chat logs contains the following unique IOC counts (these IOCs require additional analysis, as not all of them are malicious):<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>URL<\/strong><\/td>\n<td><strong>DNS<\/strong><\/td>\n<td><strong>IPv4<\/strong><\/td>\n<td><strong>Bitcoin<\/strong><\/td>\n<td><strong>MD5<\/strong><\/td>\n<td><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1,137<\/td>\n<td>474<\/td>\n<td>317<\/td>\n<td>175<\/td>\n<td>106<\/td>\n<td>16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3>Investigating IP addresses<\/h3>\n<p>The threat intel lookup module <em>TILookup<\/em> in MSTICPy can be used to get more information on IOCs such as IP addresses. In the case of the Conti leak, 317 unique IP addresses were identified. Not all of these IOCs are malicious, but enrichment can reveal more relevant information.<\/p>\n<p>The configuration file is used to <a href=\"https:\/\/msticpy.readthedocs.io\/en\/latest\/data_acquisition\/TIProviders.html\">load the TILookup module<\/a> with the threat intelligence providers it should query, such as VirusTotal, GreyNoise, and OTX.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"598\" height=\"282\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-16-threat-intel-provider-within-msticpy.png\" alt=\"A screenshot of Python code that loads the threat intel lookup module in MSTICPy. 
It also presents code that loads other threat intelligence providers such as VirusTotal, GreyNoise, and OTX, and filters the IOCs by type.\" class=\"wp-image-115401\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-16-threat-intel-provider-within-msticpy.png 598w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-16-threat-intel-provider-within-msticpy-300x141.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\"><figcaption>Figure 16. Threat intel provider within MSTICPy<\/figcaption><\/figure>\n<p>Running the module generates a new dataframe with more context for every IP address provided.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"221\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-17-sample-of-ip-addresses-enriched-with-additional-info.png\" alt=\"A screenshot of a table generated from running the threat intel lookup module. The table presents a list of IP addresses extracted from the Conti chat logs with related threat intelligence data.\" class=\"wp-image-115404\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-17-sample-of-ip-addresses-enriched-with-additional-info.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-17-sample-of-ip-addresses-enriched-with-additional-info-300x83.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-17-sample-of-ip-addresses-enriched-with-additional-info-768x212.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 17. 
Sample of IP addresses enriched with additional info<\/figcaption><\/figure>\n<p>The module can also be used to request information about a single observable.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"598\" height=\"54\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-18-extracting-information-for-a-single-observable.png\" alt=\"A screenshot of Python code that extracts threat intelligence data on a single observable through the threat intel lookup module of MSTICPy.\" class=\"wp-image-115407\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-18-extracting-information-for-a-single-observable.png 598w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-18-extracting-information-for-a-single-observable-300x27.png 300w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\"><figcaption>Figure 18. Extracting information for a single observable<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"170\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-19-additional-threat-context-for-one-ip-address.png\" alt=\"A screenshot of the table generated from running the threat intel lookup module. 
It shows threat intelligence data from GreyNoise, OTX, and VirusTotal on a particular IP address.\" class=\"wp-image-115410\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-19-additional-threat-context-for-one-ip-address.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-19-additional-threat-context-for-one-ip-address-300x64.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-19-additional-threat-context-for-one-ip-address-768x163.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 19. Additional threat context for one IP address<\/figcaption><\/figure>\n<p>The browser provided by MSTICPy can also be used to explore the IOCs previously enriched. The <a href=\"https:\/\/github.com\/microsoft\/msticpy\/blob\/main\/docs\/notebooks\/ContiLeaksAnalysis.ipynb\" target=\"_blank\" rel=\"noreferrer noopener\">interactive Jupyter notebook<\/a> includes this view of the IOCs.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"701\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-20-ioc-browser-provided-by-msticpy.png\" alt=\"A screenshot of the browser provided by MSTICPy that can be used to explore IOCs extracted from the Conti chat logs. The browser shows threat intelligence details related to a selected IP address.\" class=\"wp-image-115413\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-20-ioc-browser-provided-by-msticpy.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-20-ioc-browser-provided-by-msticpy-300x263.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-20-ioc-browser-provided-by-msticpy-768x673.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 20. 
IOC browser provided by MSTICPy<\/figcaption><\/figure>\n<p>In addition, MSTICPy has an embedded <a href=\"https:\/\/msticpy.readthedocs.io\/en\/latest\/data_acquisition\/GeoIPLookups.html\">module that looks up the geolocation of IP addresses<\/a> using <a href=\"https:\/\/www.maxmind.com\/en\/home\">Maxmind<\/a>, which can be used to create a map of the IP addresses previously extracted.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"311\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-21-generating-the-ip-geolocation-map.png\" alt=\"A screenshot of Python code that looks up the geolocation of IP addresses. It also presents code that creates a map using the generated geolocation data. \" class=\"wp-image-115416\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-21-generating-the-ip-geolocation-map.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-21-generating-the-ip-geolocation-map-300x141.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 21. Generating the IP geolocation map<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"477\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-22-geolocation-of-ips-extracted-from-the-conti-leaks.png\" alt=\"A world map with the geolocation of all IPs extracted from the Conti leaks marked with red pins. 
The image shows that the location of IPs are concentrated in Europe and the US.\" class=\"wp-image-115419\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-22-geolocation-of-ips-extracted-from-the-conti-leaks.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-22-geolocation-of-ips-extracted-from-the-conti-leaks-300x179.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-22-geolocation-of-ips-extracted-from-the-conti-leaks-768x458.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 22. Geolocation of IPs extracted from the Conti leaks<\/figcaption><\/figure>\n<h3>Investigating URLs<\/h3>\n<p>Extracted URLs from IOC lists can provide details about targets, tools used to exchange information, and the infrastructure used to deploy attacks. A total of 1,137 unique URLs were extracted from the Conti leak dataset, but not all of them are usable for threat intelligence. The following code snippet shows how to filter for URLs.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"102\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-23-filtering-the-iocs-for-urls.png\" alt=\"A screenshot of Python code that filters for URLs among the IOC list.\" class=\"wp-image-115422\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-23-filtering-the-iocs-for-urls.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-23-filtering-the-iocs-for-urls-300x46.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 23. 
Filtering the IOCs for URLs<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"306\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-24-sample-of-urls-extracted.png\" alt=\"A screenshot of the table generated by filtering URLs from the IOC list. The table includes the following data fields: IOC type, observable, source index, and input.\" class=\"wp-image-115425\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-24-sample-of-urls-extracted.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-24-sample-of-urls-extracted-300x115.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-24-sample-of-urls-extracted-768x294.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 24. Sample of URLs extracted<\/figcaption><\/figure>\n<p>A filter can be created to get details on executables, DLLs, ZIP files, and other files related to the extracted URLs. Such URLs can provide useful insights and can be extracted for further research.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"60\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-25-filtering-URLs-for-specific-file-formats.png\" alt=\"A screenshot of Python code that filters for specific file types related to extracted URLs. 
The code searches for URLs with .exe, .dll, .jpg, .zip, .7z, .rar, and .png files.\" class=\"wp-image-115428\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-25-filtering-URLs-for-specific-file-formats.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-25-filtering-URLs-for-specific-file-formats-300x27.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 25. Filtering URLs for specific file formats<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"423\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file-1024x423.png\" alt=\"A screenshot of a table generated from filtering for URLs related to specific file formats. The table features the following data fields: IOC type, observable, source index, and input.\" class=\"wp-image-115431\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file-1024x423.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file-300x124.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file-768x318.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file-1536x635.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-26-sample-of-urls-delivering-extracted-file.png 1560w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 26. Sample of URLs delivering extracted file<\/figcaption><\/figure>\n<p>Using the same technique for filtering, .onion URLs can also be identified from the URL list. 
This proved particularly useful in this case, since the Conti group used the Tor network for some of their infrastructure.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"381\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-27-sample-of-extracted-onion-urls.png\" alt=\"A screenshot of a table generated by filtering for .onion URLs from the Conti chat log IOCs. The table presents the following data fields: IOC type, observable, source index, and input.\" class=\"wp-image-115434\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-27-sample-of-extracted-onion-urls.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-27-sample-of-extracted-onion-urls-300x143.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-27-sample-of-extracted-onion-urls-768x366.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><figcaption>Figure 27. Sample of extracted .onion URLs<\/figcaption><\/figure>\n<h3>Pivoting extracted IOCs using VirusTotal<\/h3>\n<p>The pivot function within the MSTICPy library allows enrichment of data and the discovery of additional infrastructure and IOCs. This is particularly useful for threat intelligence and threat actor tracking. 
The next sections demonstrate the use of the VirusTotal module <em>VTlookupV3<\/em> in MSTICPy to obtain intelligence about an IP address extracted from the Conti leak dataset that was used to deliver additional malware.<\/p>\n<p>The following code initializes <em>VTlookupV3<\/em> in MSTICPy:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"186\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-28-configuring-the-virustotal-module-in-msticpy.png\" alt=\"A screenshot of Python code that initializes the VirusTotal module in MSTICPy.\" class=\"wp-image-115437\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-28-configuring-the-virustotal-module-in-msticpy.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-28-configuring-the-virustotal-module-in-msticpy-300x85.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 28. Configuring the VirusTotal module in MSTICPy<\/figcaption><\/figure>\n<p>The VirusTotal module can be used to get data related to a particular IOC. 
The code below searches for files downloaded from a particular IP address from the Conti leak dataset:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"102\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-29-getting-files-downloaded-from-one-ip-address.png\" alt=\"A screenshot of Python code that uses the VirusTotal module in MSTICPy to look up files downloaded from a specific IP address.\" class=\"wp-image-115440\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-29-getting-files-downloaded-from-one-ip-address.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-29-getting-files-downloaded-from-one-ip-address-300x46.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 29. Getting files downloaded from one IP address<\/figcaption><\/figure>\n<p>The results show that the IP address 109[.]230[.]199[.]73 delivers several strains of malware.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"469\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-30-hashes-related-to-ip-109-230-199-73-1024x469.png\" alt=\"A screenshot of a table generated from extracting the hashes of files downloaded from a specific IP address.\" class=\"wp-image-115443\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-30-hashes-related-to-ip-109-230-199-73-1024x469.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-30-hashes-related-to-ip-109-230-199-73-300x137.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-30-hashes-related-to-ip-109-230-199-73-768x352.png 768w, 
https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-30-hashes-related-to-ip-109-230-199-73.png 1457w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 30. Hashes related to IP&nbsp;109[.]230[.]199[.]73<\/figcaption><\/figure>\n<p>The VirusTotal module can then be used to pivot and extract more information about these hashes. The table below shows information about the first hash on the list:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>&nbsp;<\/strong><\/td>\n<td>Attributes<\/td>\n<\/tr>\n<tr>\n<td><strong>authentihash<\/strong><\/td>\n<td>0d10a35c1bed8d5a4516a2e704d43f10d47ffd2aabd9ce9e04fb3446f62168bf<\/td>\n<\/tr>\n<tr>\n<td><strong>creation_date<\/strong><\/td>\n<td>1624910154<\/td>\n<\/tr>\n<tr>\n<td><strong>crowdsourced_ids_results<\/strong><\/td>\n<td>[{[TRUNCATED]\u2019alert_context\u2019: [{\u2018dest_ip\u2019: \u20188.8.8.8\u2019, \u2018dest_port\u2019: 53}, {\u2018dest_ip\u2019: \u2018193.204.114.232\u2019, \u2018dest_port\u2019: 123}], \u2018rule_url\u2019: \u2018https:\/\/www.snort.org\/downloads\/#rule-downloads\u2019, \u2018rule_source\u2019: \u2018Snort registered user ruleset\u2019, \u2018rule_id\u2019: \u20181:527\u2019}, {\u2018rule_category\u2019: \u2018not-suspicious\u2019, \u2018alert_severity\u2019: \u2018low\u2019, \u2018rule_msg\u2019: \u2018TAG_LOG_PKT\u2019, \u2018rule_raw\u2019: \u2018alert ( gid:2; sid:1; rev:1; msg:\u201dTAG_LOG_PKT\u201d; metadata:rule-type preproc; classtype:not-suspicious; )\u2019, \u2018alert_context\u2019: [{\u2018dest_ip\u2019: \u2018107.181.161.197\u2019, \u2018dest_port\u2019: 443}], \u2018rule_url\u2019: \u2018https:\/\/www.snort.org\/downloads\/#rule-downloads\u2019, \u2018rule_source\u2019: \u2018Snort registered user ruleset\u2019, \u2018rule_id\u2019: \u20182:1\u2019}]<\/td>\n<\/tr>\n<tr>\n<td><strong>crowdsourced_ids_stats<\/strong><\/td>\n<td>{\u2018info\u2019: 0, \u2018high\u2019: 0, 
\u2018medium\u2019: 2, \u2018low\u2019: 1}<\/td>\n<\/tr>\n<tr>\n<td><strong>downloadable<\/strong><\/td>\n<td>TRUE<\/td>\n<\/tr>\n<tr>\n<td><strong>exiftool<\/strong><\/td>\n<td>{\u2018MIMEType\u2019: \u2018application\/octet-stream\u2019, \u2018Subsystem\u2019: \u2018Windows GUI\u2019, \u2018MachineType\u2019: \u2018AMD AMD64\u2019, \u2018TimeStamp\u2019: \u20182021:06:28 19:55:54+00:00\u2019, \u2018FileType\u2019: \u2018Win64 DLL\u2019, \u2018PEType\u2019: \u2018PE32+\u2019, \u2018CodeSize\u2019: \u2018115712\u2019, \u2018LinkerVersion\u2019: \u201814.16\u2019, \u2018ImageFileCharacteristics\u2019: \u2018Executable, Large address aware, DLL\u2019, \u2018FileTypeExtension\u2019: \u2018dll\u2019, \u2018InitializedDataSize\u2019: \u201869632\u2019, \u2018SubsystemVersion\u2019: \u20186.0\u2019, \u2018ImageVersion\u2019: \u20180.0\u2019, \u2018OSVersion\u2019: \u20186.0\u2019, \u2018EntryPoint\u2019: \u20180x139c4\u2019, \u2018UninitializedDataSize\u2019: \u20180\u2019}<\/td>\n<\/tr>\n<tr>\n<td><strong>first_submission_date<\/strong><\/td>\n<td>1624917754<\/td>\n<\/tr>\n<tr>\n<td><strong>last_analysis_date<\/strong><\/td>\n<td>16365918529<\/td>\n<\/tr>\n<tr>\n<td><strong>last_analysis_results<\/strong><\/td>\n<td>{ [TRUNCATED] \u201820211110\u2019}, \u2018Tencent\u2019: {\u2018category\u2019: \u2018undetected\u2019, \u2018engine_name\u2019: \u2018Tencent\u2019, \u2018engine_version\u2019: \u20181.0.0.1\u2019, \u2018result\u2019: None, \u2018method\u2019: \u2018blacklist\u2019, \u2018engine_update\u2019: \u201820211111\u2019}, \u2018Ad-Aware\u2019: {\u2018category\u2019: \u2018malicious\u2019, Edition\u2019: {\u2018category\u2019: \u2018malicious\u2019, \u2018engine_name\u2019: \u2018McAfee-GW-Edition\u2019, \u2018engine_version\u2019: \u2018v2019.1.2+3728\u2019, \u2018result\u2019: \u2018RDN\/CobaltStrike\u2019, \u2018method\u2019: \u2018blacklist\u2019, \u2018engine_update\u2019: \u201820211110\u2019}, \u2018Trapmine\u2019: {\u2018category\u2019: 
\u2018type-unsupported\u2019, \u2018engine_name\u2019: \u2018Trapmine\u2019, \u2018engine_version\u2019: \u20183.5.0.1023\u2019, \u2018result\u2019: None, \u2018method\u2019: \u2018blacklist\u2019, \u2018engine_update\u2019: \u201820200727\u2019}, \u2018CMC\u2019: {\u2018category\u2019: \u2018undetected\u2019, \u2018engine_name\u2019: \u2018CMC\u2019, \u2018engine_version\u2019: \u20182.10.2019.1\u2019, \u2018result\u2019: None, \u2018method\u2019: \u2018blacklist\u2019, \u2018engine_update\u2019: \u201820211026\u2019}, \u2018Sophos\u2019: {\u2018category\u2019: \u2018malicious\u2019, \u2018engine_name\u2019: \u2018Sophos\u2019, \u2018engine_version\u2019: \u20181.4.1.0\u2019, \u2018result\u2019:<\/td>\n<\/tr>\n<tr>\n<td><strong>last_analysis_stats<\/strong><\/td>\n<td>{\u2018harmless\u2019: 0, \u2018type-unsupported\u2019: 6, \u2018suspicious\u2019: 0, \u2018confirmed-timeout\u2019: 1, \u2018timeout\u2019: 0, \u2018failure\u2019: 0, \u2018malicious\u2019: 47, \u2018undetected\u2019: 19}<\/td>\n<\/tr>\n<tr>\n<td><strong>last_modification_date<\/strong><\/td>\n<td>1646895757<\/td>\n<\/tr>\n<tr>\n<td><strong>last_submission_date<\/strong><\/td>\n<td>1624917754<\/td>\n<\/tr>\n<tr>\n<td><strong>magic<\/strong><\/td>\n<td>PE32+ executable for MS Windows (DLL) (GUI) Mono\/.Net assembly<\/td>\n<\/tr>\n<tr>\n<td><strong>md5<\/strong><\/td>\n<td>55646b7df1d306b0414d4c8b3043c283<\/td>\n<\/tr>\n<tr>\n<td><strong>meaningful_name<\/strong><\/td>\n<td>197.dll<\/td>\n<\/tr>\n<tr>\n<td><strong>names<\/strong><\/td>\n<td>[197.dll, iduD2A1.tmp]<\/td>\n<\/tr>\n<tr>\n<td><strong>pe_info<\/strong><\/td>\n<td>[TRUNCATED] {\u2018exports\u2019: [\u2018StartW\u2019, \u20187c908697e85da103e304d57e0193d4cf\u2019}, {\u2018name\u2019: \u2018.rsrc\u2019, \u2018chi2\u2019: 51663.55, \u2018virtual_address\u2019: 196608, \u2018entropy\u2019: 5.81, \u2018raw_size\u2019: 1536, \u2018flags\u2019: \u2018r\u2019, \u2018virtual_size\u2019: 1128, \u2018md5\u2019:, \u2018GetStringTypeW\u2019, 
\u2018RtlUnwindEx\u2019, \u2018GetOEMCP\u2019, \u2018TerminateProcess\u2019, \u2018GetModuleHandleExW\u2019, \u2018IsValidCodePage\u2019, \u2018WriteFile\u2019, \u2018CreateFileW\u2019, \u2018FindClose\u2019, \u2018TlsGetValue\u2019, \u2018GetFileType\u2019, \u2018TlsSetValue\u2019, \u2018HeapAlloc\u2019, \u2018GetCurrentThreadId\u2019, \u2018SetLastError\u2019, \u2018LeaveCriticalSection\u2019]}], \u2018entry_point\u2019: 80324}<\/td>\n<\/tr>\n<tr>\n<td><strong>popular_threat_classification<\/strong><\/td>\n<td>{\u2018suggested_threat_label\u2019: \u2018trojan.bulz\/shelma\u2019, \u2018popular_threat_category\u2019: [{\u2018count\u2019: 22, \u2018value\u2019: \u2018trojan\u2019}, {\u2018count\u2019: 6, \u2018value\u2019: \u2018downloader\u2019}, {\u2018count\u2019: 2, \u2018value\u2019: \u2018dropper\u2019}], \u2018popular_threat_name\u2019: [{\u2018count\u2019: 6, \u2018value\u2019: \u2018bulz\u2019}, {\u2018count\u2019: 6, \u2018value\u2019: \u2018shelma\u2019}, {\u2018count\u2019: 3, \u2018value\u2019: \u2018cobaltstrike\u2019}]}<\/td>\n<\/tr>\n<tr>\n<td><strong>reputation<\/strong><\/td>\n<td>0<\/td>\n<\/tr>\n<tr>\n<td><strong>sandbox_verdicts<\/strong><\/td>\n<td>{\u2018Zenbox\u2019: {\u2018category\u2019: \u2018malicious\u2019, \u2018sandbox_name\u2019: \u2018Zenbox\u2019, \u2018malware_classification\u2019: [\u2018MALWARE\u2019, \u2018TROJAN\u2019, \u2018EVADER\u2019]}, \u2018C2AE\u2019: {\u2018category\u2019: \u2018undetected\u2019, \u2018sandbox_name\u2019: \u2018C2AE\u2019, \u2018malware_classification\u2019: [\u2018UNKNOWN_VERDICT\u2019]}, \u2018Yomi Hunter\u2019: {\u2018category\u2019: \u2018malicious\u2019, \u2018sandbox_name\u2019: \u2018Yomi Hunter\u2019, \u2018malware_classification\u2019: [\u2018MALWARE\u2019]}, \u2018Lastline\u2019: {\u2018category\u2019: \u2018malicious\u2019, \u2018sandbox_name\u2019: \u2018Lastline\u2019, \u2018malware_classification\u2019: 
[\u2018MALWARE\u2019]}}<\/td>\n<\/tr>\n<tr>\n<td><strong>sha1<\/strong><\/td>\n<td>ddf0214fbf92240bc60480a37c9c803e3ad06321<\/td>\n<\/tr>\n<tr>\n<td><strong>sha256<\/strong><\/td>\n<td>cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58<\/td>\n<\/tr>\n<tr>\n<td><strong>sigma_analysis_stats<\/strong><\/td>\n<td>{\u2018high\u2019: 0, \u2018medium\u2019: 1, \u2018critical\u2019: 1, \u2018low\u2019: 0}<\/td>\n<\/tr>\n<tr>\n<td><strong>sigma_analysis_summary<\/strong><\/td>\n<td>{\u2018Sigma Integrated Rule Set (GitHub)\u2019: {\u2018high\u2019: 0, \u2018medium\u2019: 0, \u2018critical\u2019: 1, \u2018low\u2019: 0}, \u2018SOC Prime Threat Detection Marketplace\u2019: {\u2018high\u2019: 0, \u2018medium\u2019: 1, \u2018critical\u2019: 0, \u2018low\u2019: 0}}<\/td>\n<\/tr>\n<tr>\n<td><strong>size<\/strong><\/td>\n<td>181248<\/td>\n<\/tr>\n<tr>\n<td><strong>ssdeep<\/strong><\/td>\n<td>3072:fck3rwbtOsN4X1JmKSol6LZVZgBPruYgr3Ig\/XZO9:fck3rwblqPgokNgBPr9gA<\/td>\n<\/tr>\n<tr>\n<td><strong>tags<\/strong><\/td>\n<td>[assembly, invalid-rich-pe-linker-version, detect-debug-environment, long-sleeps, 64bits, pedll]<\/td>\n<\/tr>\n<tr>\n<td><strong>times_submitted<\/strong><\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td><strong>tlsh<\/strong><\/td>\n<td>T110049E14B2A914FBEE6A82B984935611B07174624338DFEF03A4C375DE0E7E15A3EF25<\/td>\n<\/tr>\n<tr>\n<td><strong>total_votes<\/strong><\/td>\n<td>{\u2018harmless\u2019: 0, \u2018malicious\u2019: 0}<\/td>\n<\/tr>\n<tr>\n<td><strong>trid<\/strong><\/td>\n<td>[{\u2018file_type\u2019: \u2018Win64 Executable (generic)\u2019, \u2018probability\u2019: 48.7}, {\u2018file_type\u2019: \u2018Win16 NE executable (generic)\u2019, \u2018probability\u2019: 23.3}, {\u2018file_type\u2019: \u2018OS\/2 Executable (generic)\u2019, \u2018probability\u2019: 9.3}, {\u2018file_type\u2019: \u2018Generic Win\/DOS Executable\u2019, \u2018probability\u2019: 9.2}, {\u2018file_type\u2019: \u2018DOS Executable Generic\u2019, \u2018probability\u2019: 
9.2}]<\/td>\n<\/tr>\n<tr>\n<td><strong>type_description<\/strong><\/td>\n<td>Win32 DLL<\/td>\n<\/tr>\n<tr>\n<td><strong>type_extension<\/strong><\/td>\n<td>dll<\/td>\n<\/tr>\n<tr>\n<td><strong>type_tag<\/strong><\/td>\n<td>pedll<\/td>\n<\/tr>\n<tr>\n<td><strong>unique_sources<\/strong><\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td><strong>Vhash<\/strong><\/td>\n<td>115076651d155d15555az43=z55<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The results indicate that the hash is a Cobalt Strike loader, which means that Conti affiliates also use the penetration testing tool as part of their infrastructure during their operation.<\/p>\n<p>The VirusTotal module can also provide details such as detection rate, type, description, and other information related to the hashes. The code snippet below generates the list of domains to which the hashes connect.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"660\" height=\"38\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-31-getting-contacted-domains.png\" alt=\"A screenshot of Python code that generates the list of domains specific hashes connect to using the VirusTotal module. \" class=\"wp-image-115446\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-31-getting-contacted-domains.png 660w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-31-getting-contacted-domains-300x17.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\"><figcaption>Figure 31. 
Getting contacted domains<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"645\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-32-additional-domains-retrieved-from-previously-extracted-hashes-1024x645.png\" alt=\"A screenshot of a table generated from extracting domains to which certain hashes connected to using the VirusTotal module. \" class=\"wp-image-115449\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-32-additional-domains-retrieved-from-previously-extracted-hashes-1024x645.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-32-additional-domains-retrieved-from-previously-extracted-hashes-300x189.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-32-additional-domains-retrieved-from-previously-extracted-hashes-768x484.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-32-additional-domains-retrieved-from-previously-extracted-hashes.png 1500w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 32. Additional domains retrieved from previously extracted hashes<\/figcaption><\/figure>\n<p>Doing this kind of analysis on the Conti leak data or similar data sets can lead to the discovery of possibly related domains that were not in the initial data sets.<\/p>\n<h2>Conclusion<\/h2>\n<p>This blog outlines how Python can be used to find valuable threat intelligence from data sets such as chat logs. It also presents details on how processing data using the MSTICPy library can be useful for enriching and hunting within environments, as well as collecting additional threat context. 
The <a href=\"https:\/\/github.com\/microsoft\/msticpy\/blob\/main\/docs\/notebooks\/ContiLeaksAnalysis.ipynb\" target=\"_blank\" rel=\"noreferrer noopener\">interactive notebook<\/a> provides additional code snippets that can also be used to continue log exploration.<\/p>\n<p>The types of information extracted in this blog provide insights into the various elements of the criminal ecosystem that were coordinating their activities. Threat intelligence from research like this informs products and services like <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, translating knowledge into real-world protection for customers. More importantly, the methodology described in this blog can be adapted to specific threat intelligence services, and the broader community is invited to use it for further analysis, enrichment of data, and intelligence sharing for the benefit of all.<\/p>\n<p><em><strong>Thomas Roccia<br \/><\/strong>Microsoft 365 Defender Research 
Team<\/em><\/p>\n<h2>References<\/h2>\n<ul>\n<li>https:\/\/krebsonsecurity.com\/2022\/03\/conti-ransomware-group-diaries-part-i-evasion\/<\/li>\n<li>https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/<\/li>\n<li>https:\/\/therecord.media\/conti-leaks-the-panama-papers-of-ransomware\/<\/li>\n<li>https:\/\/www.breachquest.com\/conti-leaks-insight-into-a-ransomware-unicorn\/<\/li>\n<li>https:\/\/www.forescout.com\/resources\/analysis-of-conti-leaks\/<\/li>\n<li>https:\/\/github.com\/Res260\/conti_202202_leak_procedures<\/li>\n<li>https:\/\/readme.security\/the-conti-leaks-first-rumble-of-the-ukraine-earthquake-thats-rattling-the-cybercrime-underground-7abb23b0fb04<\/li>\n<li>https:\/\/medium.com\/@arnozobec\/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b<\/li>\n<li>https:\/\/github.com\/soufianetahiri\/ContiLeaks\/blob\/main\/cobaltsrike_lolbins<\/li>\n<li>https:\/\/twitter.com\/TheDFIRReport\/status\/1498656118746365952<\/li>\n<li>https:\/\/www.clearskysec.com\/wp-content\/uploads\/2021\/02\/Conti-Ransomware.pdf<\/li>\n<li>https:\/\/blog.bushidotoken.net\/2022\/04\/lessons-from-conti-leaks.html<\/li>\n<li>https:\/\/www.trellix.com\/en-au\/about\/newsroom\/stories\/threat-labs\/conti-leaks-examining-the-panama-papers-of-ransomware.html<\/li>\n<li>https:\/\/msticpy.readthedocs.io\/en\/latest\/getting_started\/Introduction.html<\/li>\n<\/ul>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/06\/01\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dealing with a great amount of data can be time consuming, thus using Python can be very powerful to help analysts sort information and extract the most relevant data for their investigation. The open-source tools library, MSTICpy, for example, is a Python tool dedicated to threat intelligence. 
It aims to help threat analysts acquire, enrich, analyze, and visualize data.<br \/>\nThe post Using Python to unearth a goldmine of threat intelligence from leaked chat logs appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":46932,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[10037,347,7221,10038,1970,3909],"class_list":["post-46931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-conti","tag-cybersecurity","tag-microsoft-security-intelligence","tag-msticpy","tag-python","tag-threat-intelligence"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Using Python to unearth a goldmine of threat intelligence from leaked chat logs 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using Python to unearth a goldmine of threat intelligence from leaked chat logs 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-01T18:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/fig-1-translated-logs.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Using Python to unearth a goldmine of threat intelligence from leaked chat 
logs\",\"datePublished\":\"2022-06-01T18:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\"},\"wordCount\":2678,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs.png\",\"keywords\":[\"Conti\",\"Cybersecurity\",\"Microsoft security intelligence\",\"MSTICPy\",\"python\",\"threat intelligence\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/\",\"name\":\"Using Python to unearth a goldmine of threat intelligence from leaked chat logs 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs.png\",\"datePublished\":\"2022-06-01T18:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using Python to unearth a goldmine of threat intelligence from leaked chat logs 2026 | ThreatsHub Cybersecurity News","canonical":"https:\/\/www.threatshub.org\/blog\/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs\/","article_published_time":"2022-06-01T18:00:00+00:00","author":"TH Author","twitter_misc":{"Written by":"TH Author","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","headline":"Using Python to unearth a goldmine of threat intelligence from leaked chat logs","datePublished":"2022-06-01T18:00:00+00:00","wordCount":2678,"keywords":["Conti","Cybersecurity","Microsoft security intelligence","MSTICPy","python","threat intelligence"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"}]}}}