Victim Assets
Victim Assets are endpoints used to leverage a Victim and infiltrate a network.
Endpoint: /api/v3/victimAssets
Available Fields
You can retrieve a list of available fields for the /v3/victimAssets endpoint, including the field’s name, description, and accepted data type, by using the following query:
OPTIONS /v3/victimAssets
Hint
To view all fields, including read-only fields, include the ?show=readonly query parameter.
Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request for the victimAssets object.
Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
---|---|---|---|---|---|
accountName | The account name associated with a Network Account or Social Network Victim Asset | String | TRUE* | TRUE | “@johnsmith” |
address | The email address associated with an Email Address Victim Asset | String | TRUE* | TRUE | “jsmith@companyabc.com” |
addressType | The type of Email Address Victim Asset | String | FALSE | TRUE | “Corporate email” |
associatedGroups | A list of Groups associated to the Victim Asset | Group Object | FALSE | TRUE | {"data": [{"id": 12345}]} or {"data": [{"name": "Bad Adversary", "type": "Adversary"}]} |
networkType | The type of Network Account Victim Asset | String | FALSE | TRUE | “Company network” |
phone | The phone number associated with a Phone Victim Asset | String | TRUE* | TRUE | “0123456789” |
socialNetwork | The type of Social Account Victim Asset | String | FALSE | TRUE | “Twitter” |
type | The type of Victim Asset being created | String | TRUE | FALSE | “Demo Community” |
securityLabels | A list of Security Labels applied to the Victim | String | FALSE | TRUE | “EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite” |
victimId | The ID of the Victim to which the Victim Asset should be added | Integer | TRUE | FALSE | 1, 2, 3 |
website | The website address associated with a Website Victim Asset | String | TRUE* | TRUE | “http://examplesite.com” |
Available values for the type field include:
EmailAddress
NetworkAccount
Phone
SocialNetwork
WebSite
Note
*This field is required if creating a Victim Asset that matches the type listed in the Description column.
Hint
To associate an existing Group to a Victim Asset, use the Group’s ID when setting the associatedGroups field (e.g., {"data": [{"id": 12345}]}).
Create Victim Assets
The basic format for creating a Victim Asset is:
POST /v3/victimAssets
{
    "type": "Victim Asset type goes here",
    "victimId": 12345
    //additional fields for the selected Victim Asset type
}
For example, the following query will create a Phone Victim Asset and add it to the Victim with ID 2:
POST /v3/victimAssets
{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}
JSON Response
{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789"
    },
    "message": "Created",
    "status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request for the victimAssets object.
Retrieve Victim Assets
Retrieve All Victim Assets
To retrieve all Victim Assets, use the following query:
GET /v3/victimAssets
JSON Response
{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com"
        },
        {
            "id": 2,
            "type": "EmailAddress",
            "victimId": 2,
            "address": "[email protected]",
            "addressType": "Corporate email"
        },
        {
            "id": 1,
            "type": "EmailAddress",
            "victimId": 1,
            "address": "[email protected]"
        }
    ],
    "status": "Success"
}
Retrieve a Single Victim Asset
To retrieve a specific Victim Asset, use a query in the following format:
GET /v3/victimAssets/{victimAssetId}
For example, the following query will return information about the Victim Asset with ID 3:
GET /v3/victimAssets/3
JSON Response
{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com"
    },
    "status": "Success"
}
Request Additional Fields
To request additional fields not automatically included with each returned object, refer to Include Additional Fields for Returned Objects.
Filter Results
To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.
Update Victim Assets
The basic format for updating a Victim Asset is:
PUT /v3/victimAssets/{victimAssetId}
{
    {updatedField}: {updatedValue}
}
For example, the following query will perform these actions on the Victim Asset with ID 3:
- Create an Incident Group with a summary of Bad Incident and associate it to the Victim Asset;
- Update the website associated with the Victim Asset.
PUT /v3/victimAssets/3
{
    "associatedGroups": {"data": [{"name": "Bad Incident", "type": "Incident"}]},
    "website": "hackerwebsite.com"
}
JSON Response
{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com"
    },
    "message": "Updated",
    "status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request for the victimAssets object.
Hint
When updating a Victim Asset, you can use the mode field to add or remove the following metadata:
associatedGroups
See Update an Object’s Metadata for instructions on using the mode field.
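The field rules that apply to the POST body under Create Victim Assets and the PUT body under Update Victim Assets can be checked on the client before a request is sent. The following is an added example, not ThreatConnect code: build_create_body and build_update_body are hypothetical helper names, and rejecting unexpected fields is an assumption of the example rather than documented server behaviour.

```python
import json

# Field the Available Fields table marks TRUE* for each Victim Asset type.
REQUIRED_BY_TYPE = {
    "EmailAddress": "address",
    "NetworkAccount": "accountName",
    "Phone": "phone",
    "SocialNetwork": "accountName",
    "WebSite": "website",
}
# Optional fields and non-updatable fields, from the same table.
OPTIONAL = {"addressType", "networkType", "socialNetwork",
            "associatedGroups", "securityLabels"}
NOT_UPDATABLE = {"type", "victimId"}


def build_create_body(asset_type, victim_id, **fields):
    """Return the JSON body for POST /v3/victimAssets, or raise ValueError."""
    if asset_type not in REQUIRED_BY_TYPE:
        raise ValueError(f"unknown Victim Asset type: {asset_type!r}")
    if isinstance(victim_id, bool) or not isinstance(victim_id, int):
        raise ValueError("victimId must be an integer")
    required = REQUIRED_BY_TYPE[asset_type]
    if not fields.get(required):
        raise ValueError(f"{asset_type} requires the {required!r} field")
    # Assumption: rejecting other types' value fields is a client-side
    # choice made here; the page does not say how the server treats them.
    unknown = set(fields) - OPTIONAL - {required}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return json.dumps({"type": asset_type, "victimId": victim_id, **fields})


def build_update_body(**fields):
    """Return the JSON body for PUT /v3/victimAssets/{victimAssetId}."""
    if not fields:
        raise ValueError("no fields to update")
    blocked = NOT_UPDATABLE & set(fields)
    if blocked:
        raise ValueError(f"not updatable: {sorted(blocked)}")
    unknown = set(fields) - OPTIONAL - set(REQUIRED_BY_TYPE.values())
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return json.dumps(fields)
```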
Delete Victim Assets
The basic format for deleting a Victim Asset is:
DELETE /v3/victimAssets/{victimAssetId}
For example, the following query will delete the Victim Asset with ID 1:
DELETE /v3/victimAssets/1
JSON Response
{
    "message": "Deleted",
    "status": "Success"
}