Victim Assets

Victim Assets are endpoints used to leverage a Victim and infiltrate a network.

Endpoint: /api/v3/victimAssets

Available Fields

You can retrieve a list of available fields for the /v3/victimAssets endpoint, including the field’s name, description, and accepted data type, by using the following query:

OPTIONS /v3/victimAssets

Hint

To view all fields, including read-only fields, include the ?show=readonly query parameter.

Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request for the victimAssets object.

| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
|---|---|---|---|---|---|
| accountName | The account name associated with a Network Account or Social Network Victim Asset | String | TRUE* | TRUE | "@johnsmith" |
| address | The email address associated with an Email Address Victim Asset | String | TRUE* | TRUE | jsmith@companyabc.com |
| addressType | The type of Email Address Victim Asset | String | FALSE | TRUE | "Corporate email" |
| associatedGroups | A list of Groups associated to the Victim Asset | Group Object | FALSE | TRUE | {"data": [{"id": 12345}]}; {"data": [{"name": "Bad Adversary", "type": "Adversary"}]} |
| networkType | The type of Network Account Victim Asset | String | FALSE | TRUE | "Company network" |
| phone | The phone number associated with a Phone Victim Asset | String | TRUE* | TRUE | "0123456789" |
| socialNetwork | The type of Social Account Victim Asset | String | FALSE | TRUE | "Twitter" |
| type | The type of Victim Asset being created | String | TRUE | FALSE | "Demo Community" |
| securityLabels | A list of Security Labels applied to the Victim | String | FALSE | TRUE | "EmailAddress", "NetworkAccount", "Phone", "SocialNetwork", or "WebSite" |
| victimId | The ID of the Victim to which the Victim Asset should be added | Integer | TRUE | FALSE | 1, 2, 3 |
| website | The website address associated with a Website Victim Asset | String | TRUE* | TRUE | http://examplesite.com |

Available values for the type field include:

  • EmailAddress
  • NetworkAccount
  • Phone
  • SocialNetwork
  • WebSite

Note

*This field is required if creating a Victim Asset that matches the type listed in the Description column.

Hint

To associate an existing Group to a Victim Asset, use the Group’s ID when setting the associatedGroups field (e.g., {"data": [{"id": 12345}]}).

Create Victim Assets

The basic format for creating a Victim Asset is:

POST /v3/victimAssets
{
    "type": "Victim Asset type goes here",
    "victimId": 12345
    //additional fields for the selected Victim Asset type
}

For example, the following query will create a Phone Victim Asset and add it to the Victim with ID 2:

POST /v3/victimAssets
{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}

JSON Response

{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789"
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request for the victimAssets object.
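The "Required for Creation?" and "Updatable?" columns of the Available Fields table can be checked client-side before a request is sent. The following is an added example, not part of the ThreatConnect documentation or SDK; the function names are hypothetical, and rejecting fields that belong to a different Victim Asset type is this example's own strictness, not documented server behavior.

```python
import json

# Type-specific required field, from the rows marked TRUE* in the table.
REQUIRED_BY_TYPE = {
    "EmailAddress": "address",
    "NetworkAccount": "accountName",
    "Phone": "phone",
    "SocialNetwork": "accountName",
    "WebSite": "website",
}
# Optional fields tied to one type, plus fields any type accepts.
OPTIONAL_BY_TYPE = {
    "EmailAddress": {"addressType"},
    "NetworkAccount": {"networkType"},
    "SocialNetwork": {"socialNetwork"},
}
COMMON_FIELDS = {"associatedGroups", "securityLabels"}
CREATE_ONLY = {"type", "victimId"}  # Updatable? = FALSE in the table


def build_create_body(asset_type, victim_id, **fields):
    """Return the JSON body for POST /v3/victimAssets or raise ValueError."""
    if asset_type not in REQUIRED_BY_TYPE:
        raise ValueError(f"unknown type {asset_type!r}")
    if isinstance(victim_id, bool) or not isinstance(victim_id, int):
        raise ValueError("victimId must be an integer")
    required = REQUIRED_BY_TYPE[asset_type]
    if not fields.get(required):
        raise ValueError(f"{asset_type} requires {required!r}")
    # Assumption of this example: fields of another type are rejected locally.
    allowed = {required} | OPTIONAL_BY_TYPE.get(asset_type, set()) | COMMON_FIELDS
    extra = set(fields) - allowed
    if extra:
        raise ValueError(f"fields not valid for {asset_type}: {sorted(extra)}")
    return json.dumps({"type": asset_type, "victimId": victim_id, **fields})


def build_update_body(**fields):
    """Return the JSON body for PUT /v3/victimAssets/{victimAssetId}."""
    locked = CREATE_ONLY & set(fields)
    if locked:
        raise ValueError(f"not updatable: {sorted(locked)}")
    if not fields:
        raise ValueError("nothing to update")
    return json.dumps(fields)


if __name__ == "__main__":
    print(build_create_body("Phone", 2, phone="0123456789"))
    print(build_update_body(website="hackerwebsite.com"))
```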

Retrieve Victim Assets

Retrieve All Victim Assets

To retrieve all Victim Assets, use the following query:

GET /v3/victimAssets

JSON Response

{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com"
        },
        {
            "id": 2,
            "type": "EmailAddress",
            "victimId": 2,
            "address": "[email protected]",
            "addressType": "Corporate email"
        },
        {
            "id": 1,
            "type": "EmailAddress",
            "victimId": 1,
            "address": "[email protected]"
        }
    ],
    "status": "Success"
}

Retrieve a Single Victim Asset

To retrieve a specific Victim Asset, use a query in the following format:

GET /v3/victimAssets/{victimAssetId}

For example, the following query will return information about the Victim Asset with ID 3:

GET /v3/victimAssets/3

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com"
    },
    "status": "Success"
}

Request Additional Fields

To request additional fields not automatically included with each returned object, refer to Include Additional Fields for Returned Objects.

Filter Results

To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.

Update Victim Assets

The basic format for updating a Victim Asset is:

PUT /v3/victimAssets/{victimAssetId}
{
    {updatedField}: {updatedValue}
}

For example, the following query will complete the following actions for a Victim Asset with ID 3:

  • Create an Incident Group with a summary of Bad Incident and associate it to the Victim Asset;
  • Update the website associated with the Victim Asset.

PUT /v3/victimAssets/3
{
    "associatedGroups": {"data": [{"name": "Bad Incident", "type": "Incident"}]},
    "website": "hackerwebsite.com"
}

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com"
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request for the victimAssets object.

Hint

When updating a Victim Asset, you can use the mode field to add or remove the following metadata:

  • associatedGroups

See Update an Object’s Metadata for instructions on using the mode field.

Delete Victim Assets

The basic format for deleting a Victim Asset is:

DELETE /v3/victimAssets/{victimAssetId}

For example, the following query will delete the Victim Asset with ID 1:

DELETE /v3/victimAssets/1

JSON Response

{
    "message": "Deleted",
    "status": "Success"
}