Skip to content

ChistaDev/Chista

Repository files navigation


Chista

Chista | Open Source Threat Intelligence Framework

v1.1


Chista Twitter Chista Linkedin

Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.

Chista has a sweet UI!

cli-demo

Enough? no... Also has a handsome CLI!

cli-demo

It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.


  • Collecting IOCs: IOCs are signatures used to identify and track cyber threats. Chista can collect IOCs from various sources and make them available to users.

  • Monitoring Data Leaks: Chista can identify accounts that have suffered a data breach by monitoring data leaks from various sources.

  • Monitoring Phishing Campaigns: Chista detects websites created for phishing purposes and provides users with a feed in this direction.

  • Monitoring Threat Groups Activities: Threat groups are organized groups that carry out cyber attacks. By monitoring threat group activity from various sources, Chista helps organizations understand and prepare for the activities of threat groups.

  • Detection of Blacklisted IPs: Chista provides users with a feed for IPs blacklisted by various lists.

  • Detailing Threat Groups: Chista brings together details of cybercrime groups, allowing users to get detailed information about threat groups.

  • Providing Resources: Chista provides resources that can be used for threat intelligence for the benefit of users interested in Cyber Threat Intelligence.

Watch the video below for an introduction to Chista. In this video, you will find information about the basics of Chista and how to use it:

Introduction to Chista

Chista Youtube Channel


In this document, you'll find usage & installation guide. You can check our detailed documentation about which includes developer documentation.

Table of Contents

Install Chista

Prerequisite

  • go1.21
  • Python 3.6+
    • It is needed for OpenSquat.
  • OpenSquat (Optional, increases Phishing & Impersonate module performance)
  • Node.js (Optional, needed for Chista Dashboard)
  • search.censys.io API ID and API KEY (Optional, increases Phishing & Impersonate module performance)
    • It's used in Phishing module and controlled in .ENV file with CENSYS_API_SECRET key. We'll see .ENV file in the Configuration section.
  • 7777 port should be available for API server
  • 7778 port should be available for Chista CLI tool (Optional, if you don't want to use CLI it's not necessary)
  • 3000 port should be available for dashboard application (Optional, if you don't want to use UI it's not necessary)
  • "google-chrome" executable file should present in $PATH
    • You need to install Google Chrome and it's executable should be found in your PATH (Environment Variables in Windows)

Configuration

The tool's configurations is controlled with .ENV file. The .ENV file should placed in root directory of the project. You can see an example .ENV file in below.

DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"
Configuration Default Value Details Mandatory/Optional
DUMP_MODE true If it's true, the API server logs the HTTP requests. It can be useful while debugging. Mandatory
API_ONLY false When it's false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just API part of the tool, you have to set API_ONLY=true Mandatory
WHOIS_SERVER whois.verisign-grs.com:43 It's used in whois checker, the tool queries to the given Whois Server. Mandatory
PY_PATH It's Python's installation path. Python used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path. Optional
OPENSQUAT_PY_PATH ./3rd_party/opensquat OpenSquat folder's path. The Phishing module uses OpenSquat to generate extra typosquatting domains. Optional
CENSYS_API_ID search.censys.io API Key ID Optional
CENSYS_API_SECRET search.censys.io API Key Secret Optional

Basic Usage

You can use pre-built binaries or you can build the project and use. It's up to your choice!

Building & Running from source

1. Clone the repository

git clone https://github.com/Chista-Framework/Chista.git

2. Build & Run the API application

First, open a Command Prompt/Terminal. Then execute the following commands.

  • For Windows:
go build -o chista.exe
./chista.exe
  • For Linux:
go build -o chista
./chista

NOTE: If you cannot execute the command in Linux, you should give execute permission yourself on the file. You can use chmod +x chista. After running the API server, you'll see the following output.

time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /api/v1/ioc_feed          --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET    /api/v1/phishing          --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET    /api/v1/impersonate       --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET    /api/v1/leak              --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET    /api/v1/threat_profile    --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET    /api/v1/blacklist         --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET    /api/v1/source            --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET    /api/v1/c2                --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET    /api/v1/activities        --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"

3. Build & Run the CLI application

  • For Windows:
cd chista-cli
go build -o chista-cli.exe
  • For Linux:
cd chista-cli
go build -o chista-cli

After running the CLI application, you'll see the following output.

     _     _      _
 __ | |_  (_) ___| |_  __ _
/ _|| ' \ | |(_-<|  _|/ _` |
\__||_||_||_|/__/ \__|\__,_|
-----------------------------
Chista is a command-line tool that helps you perform various cyber threat intelligence tasks. You can use Chista to search for information about malicious activities, indicators of compromise, data leaks, phishing campaigns, and threat sources.
Chista also provides you with a blacklist of malicious domains and IP addresses that you can use to protect your network. With Chista, you can easily access and analyze data from various sources, such as VirusTotal, Shodan, Have I Been Pwned, and more.

To get started, simply run Chista with one of the subcommands: activities, blacklist, ioc, leak, phishing, or source. You can also use the -h or --help flag to get more information about each subcommand and its options.

Usage:
  Chista [command]

Available Commands:
  activities    Lists latest activities
  blacklist     Shows the blacklist sources.
  completion    Generate the autocompletion script for the specified shell
  help          Help about any command
  impersonate   Lists impersonating domains
  ioc           Lists IOC data
  leak          Lists leak infos
  phishing      Lists phishing domains
  source        Lists data related to parameters.
  threatProfile Lists latest threat profile

Flags:
  -h, --help     help for Chista
  -t, --toggle   Help message for toggle

Use "Chista [command] --help" for more information about a command.

Directly running the binaries

You can download the API Server & CLI binaries according to your OS from releases then just execute.

  • For Windows:
./chista.exe
./chista-cli.exe
  • For Linux:
./chista
./chista-cli

API Usage

Chista provides data feed to users via API. In order to use Chista on the API, the following command is executed in the main directory and the Web Socket is started on localhost.

go run main.go

The following message indicates that the Chista API is up and running

[GIN-debug] Listening and serving HTTP on localhost:7777

After this stage, data feed can be provided via API by sending a request to the relevant endpoint. Also, Swagger OpenAPI documentation is available on doc/openapi.json.

Endpoint Method Query Params Description
/api/v1/ioc_feed GET attacker, verbosity List all of the IOC data related with used query params.
/api/v1/leak GET email, verbosity List all of the leak info related with used query params.
/api/v1/phishing GET domain, verbosity List all of the latest phishing domains that related with the supplied query param.
/api/v1/phishing/monitor POST domain Add a domain to Phishing Monitor Module.
/api/v1/phishing/monitor GET - Fetches the Phishing Monitor Module results.
/api/v1/phishing/monitor DELETE domain Removes the given domain from monitor list.
/api/v1/impersonate GET domain, verbosity List all of the impersonating domains that related with the supplied query param.
/api/v1/activities GET ransom, list, verbosity List all of the latest activites of attacker related with the supplied query param.
/api/v1/source GET ransom, apt, forum, market, telegram, exploit, discord, verbosity List all of the data related with the supplied query param.
/api/v1/blacklist GET asset, verbosity Shows the blacklist sources that the supplied asset marked as “malicious”.
/api/v1/threat_profile GET apt, ransom, list, verbosity Brings together details of cybercrime groups, allowing users to get detailed information about threat groups

Read the Documentation for more details

CLI Usage

Chista can be run on the CLI according to user needs. In order to use Chista on the CLI, Web Socket must first be launched in the main directory.

./main.exe

The following message indicates that the Chista API is up and running

[GIN-debug] Listening and serving HTTP on localhost:7777

Then type the command to run the desired module in the chista-cli directory

./main.exe <module_name> <parameter> <value>

Sample IOC Module output

[+] IOC module started...
[+] Attacker: redline
[+] API Requester registered.
[+] Client connected

---------------------
[INFO] [ioc] Getting data for redline...
------------------- [IOC Datas] -------------------
[INFO] [ioc] Sha256hash: 7305e9a0ff144653b5a14bdc6cdde7cd0728d8c3a94a3f90dca9c707bf3693b1
[INFO] [ioc] Sha3384: 3f6130cec141fc1fa44aa07a975db231684caaa1d50d9abdda3661203f083863e6049e4ab7fefea27be95939e63d618e
[INFO] [ioc] Sha1Hash: 844346b4963f7ef5e856ddf78e5bc19da589d283
[INFO] [ioc] Md5Hash: 7267376bbda1404d51e00acab6660499
[INFO] [ioc] FirstSeen: 2023-04-04 13:53:22
[INFO] [ioc] LastSeen:
[INFO] [ioc] FileName: 7267376bbda1404d51e00acab6660499.bin
[INFO] [ioc] FileType: exe
[INFO] [ioc] Signature: Redline
[INFO] [ioc] Tags: [bin exe Redline]

Usage Examples

  • Phishing Module: Get the list of possible which domains. Exclude paypalc3.com and paypal-community.com, I know these are not phishing domains.
./main.exe phishing -d paypal.com -e paypalc3.com,paypal-community.com -v
  • Leak Module: Checks leak sources and gathers data if the supplied email leaked.
./main.exe leak --email info@chista.tld 

Contributing

You can create Pull Requests to contribute this project. Please check our Contributing to Chista CTI Framework document for more information about contributing.

Credits

We would like to thank all the individuals, developers, communities and the entire open source world for supporting the project ❤️

❤️ Project Leaders

Yusuf Yıldız 💪 Furkan Öztürk 💪 Resul Bozburun

❤️ Front-End Developer

Furkan Fırat

❤️ Project Graphic Designer

Yakuphan Devrez