Mallory MCP Server

Get a specific exploitation

Use this to look up exploitation data when you want to know if a vulnerability has been exploited in the wild, and who detected the exploitation. This function retrieves detailed information about a specific exploitation incident using its unique identifier.

Args: identifier (str): The unique UUID of the exploitation to retrieve. Example format: "123e4567-e89b-12d3-a456-426614174000"

Returns: Dict[str, Any]: Dictionary containing detailed exploitation data including: - uuid: Unique identifier for the exploitation - begins_at: When the exploitation was first observed - ends_at: When the exploitation activity ended - count: Number of exploitation occurrences detected - detection_signature_uuid: UUID of the detection signature - detection_signature_name: Name of the detection signature - detection_signature_source: Source of the detection (e.g., vendor, tool) - detection_signature_method: Method used for detection - created_at: When this record was created - updated_at: When this record was last updated

Get exploitation data

Use this to look up exploitation data when you want to know if vulnerabilities have been exploited in the wild, and who detected the exploitations. This function retrieves a list of exploitation incidents with filtering and sorting options.

The data can help identify:

• Recent exploitations in the wild
• Which detection signatures identified the exploitations
• Frequency of exploitation activities (count)
• Timeframes of exploitation activities

Args: offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0. limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100). sort (str, optional): Field to sort by - either 'count', 'created_at', or 'updated_at'. Defaults to 'created_at'. order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns: Dict[str, Any]: Dictionary containing: - data: List of exploitation records with fields including: - uuid - begins_at - ends_at - count - detection_signature_uuid - detection_signature_name - detection_signature_source - detection_signature_method - created_at - updated_at

Get threat actor by identifier

Use this tool when you need detailed intelligence about a specific threat actor or advanced persistent threat (APT) group. This information is valuable for:

• Understanding the tactics, techniques, and procedures (TTPs) of threat actors
• Researching who might be behind a security incident
• Evaluating the sophistication level of potential adversaries
• Gathering threat intelligence for security briefings
• Understanding which sectors or regions a threat actor typically targets

Args: identifier (str): The identifier of the threat actor - can be either: - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1") - Name (e.g., "dark_cloud_shield")

Returns: Dict[str, Any]: Detailed threat actor information including: - uuid: Unique identifier for this threat actor - name: Machine-readable name (typically lowercase with underscores) - display_name: Human-readable name with proper formatting - created_at/updated_at/enriched_at: Timestamps for record management - gen_description: Generated description (if available) - mentions: List of references to this threat actor from various sources, each containing: - uuid: Unique identifier for this mention - overview: Summary of the threat actor's activities from this source - published_at: When the source material was published - collected_at: When this mention was collected - reference_url: URL of the source material - reference_source: Name of the source (e.g., "talos_intelligence_blog") - reference_user_generated_content: Whether this is user-generated content - Other metadata about the mention and reference

These mentions provide valuable context about the threat actor's:

• Known attack vectors and exploited vulnerabilities
• Target sectors, regions, or organizations
• Tools and malware used
• Attribution confidence and alternate names

Get threat actors

Use this tool when you need to search, browse, or list multiple threat actors. This is particularly useful for:

• Discovering recently added threat actors in the database
• Searching for specific threat actors by name
• Creating reports on threat actor landscapes
• Building comprehensive threat intelligence briefings
• Comparing multiple threat actors

Args: filter (str, optional): A string used to filter threat actors. It can start with specific prefixes: * name:: Filter by Name. * uuid:: Filter by UUID. * If no prefix is provided, it defaults to a name filter. Defaults to "". offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0. limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100). sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'. Defaults to 'created_at'. order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns: Dict[str, Any]: Dictionary containing: - total: Total number of threat actors matching the filter criteria - offset: Current pagination offset - limit: Number of items returned per page - message: Status message (usually null when successful) - data: List of threat actor records, each containing: - uuid: Unique identifier for the threat actor - name: Machine-readable name (typically lowercase with underscores) - display_name: Human-readable name with proper formatting - gen_description: Generated description (if available) - misp_uuid: Reference ID in MISP (Malware Information Sharing Platform) - created_at: Timestamp when this record was first added - updated_at: Timestamp when this record was last modified - enriched_at: Timestamp when this record was last enriched with additional data

Note: This function returns summary information about threat actors. To get detailed information including mentions and intelligence sources for a specific threat actor, use the get_threat_actor() function with the uuid or name.

Get mentioned threat actors

Use this tool when you need to monitor recent threat actor activities mentioned in threat intelligence sources. This is especially valuable for:

• Tracking emerging threats and active threat actors
• Monitoring the latest threat intelligence reporting
• Identifying which threat actors are currently active or trending
• Building situational awareness of the current threat landscape
• Obtaining recent summaries of threat actor tactics and campaigns

Unlike list_threat_actors() which returns basic threat actor records, this function returns actual mentions with context from recent intelligence sources.

Args: offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0. limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10. sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'. Defaults to 'created_at'. order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns: Dict[str, Any]: Dictionary containing: - total: Total number of threat actor mentions available - offset: Current pagination offset - limit: Number of items returned per page - message: Status message (usually null when successful) - data: List of recent threat actor mentions, each containing: - uuid: Unique identifier for this mention - overview: Summary of the threat actor's recent activities or campaigns - created_at: Timestamp when this mention was first added to the system - updated_at: Timestamp when this mention was last updated - published_at: Original publication date of the source material - collected_at: When this intelligence was collected - reference_url: URL of the source article or report - reference_source: Name of the intelligence source (e.g., "securityaffairs") - reference_user_generated_content: Whether this is from user-generated content - threat_actor_uuid: UUID of the referenced threat actor - threat_actor_name: Name of the referenced threat actor

This function provides timely intelligence about threat actors from recently published sources, making it ideal for staying current on the threat landscape.

Find a vulnerability by CVE identifier

Use this tool when you need detailed information about a specific vulnerability, including its severity scores, description, and whether it has been exploited in the wild. This is particularly useful for threat assessment, prioritizing patching, or understanding the technical details of a specific CVE.

Args: cve (str): The CVE to search for

Returns: Dict[str, Any]: Dictionary containing vulnerability details including: - uuid: Unique identifier for this vulnerability record - cve_id: The CVE identifier - description: Detailed description of the vulnerability - created_at/updated_at: Timestamps for record creation and updates - cvss_base_score: Severity score (0.0-10.0, higher is more severe) - cvss_version: Version of the CVSS scoring system used - cvss_vector: Detailed scoring vector showing attack characteristics - cvss_data: List of all available CVSS scores from different sources - epss_score: Exploit Prediction Scoring System score (probability of exploitation) - epss_percentile: Percentile ranking of the EPSS score - cisa_kev_added_at: When CISA added this to Known Exploited Vulnerabilities catalog (if applicable) - weaknesses: List of CWE identifiers associated with this vulnerability - mentions_count: Number of references to this vulnerability - detection_signatures_count: Number of detection signatures available - exploits_count: Number of known exploit implementations - exploitations_count: Number of recorded instances of exploitation in the wild - vulnerable_configurations_count: Number of affected system configurations

Get vulnerabilities

Use this tool when you need to search or browse multiple vulnerabilities, such as when:

• Discovering recently added vulnerabilities in the database
• Searching for vulnerabilities by keywords in their descriptions
• Finding all vulnerabilities related to a specific technology
• Creating reports on vulnerability trends or statistics
• Looking for high-severity vulnerabilities based on CVSS or EPSS scores

Args: filter (str, optional): A string used to filter vulnerabilities. It can start with specific prefixes: * cve:: Filter by CVE ID. * uuid:: Filter by UUID. * desc:: Filter by description. * If the filter string matches the pattern CVE- or a UUID pattern, it will be treated as a specific filter. * If no prefix is provided, it defaults to a description filter. Defaults to "". offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0. limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100). sort (str, optional): Field to sort by - either 'cve_id', 'created_at', 'updated_at', 'cvss_3_base_score', 'epss_score', or 'epss_percentile'. Defaults to 'created_at'. order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns: Dict[str, Any]: Dictionary containing: - total: Total number of vulnerabilities matching the filter criteria - offset: Current pagination offset - limit: Number of items returned per page - message: Status message (usually null when successful) - data: List of vulnerability records, each containing: - uuid: Unique identifier for the vulnerability - cve_id: The CVE identifier - description: Detailed description of the vulnerability - created_at/updated_at: Timestamps for record creation and updates - cvss_base_score: Severity score (if available) - cvss_version: Version of the CVSS scoring system used - cvss_vector: Detailed scoring vector - cvss_data: Additional CVSS scoring information - epss_score: Exploit Prediction Scoring System score - epss_percentile: Percentile ranking of the EPSS score - cisa_kev_added_at: Date added to CISA's Known Exploited Vulnerabilities catalog - gen_description/gen_name: Generated content (if available)

Get detection signatures for a specific vulnerability

Use this tool when you need to understand how a specific vulnerability can be detected in your environment. Detection signatures provide technical indicators that can help security teams identify if they're exposed to or being targeted by a particular vulnerability. This is particularly useful for:

• Building detection rules for security monitoring tools
• Understanding the technical indicators of compromise
• Verifying if detection capabilities exist for a specific vulnerability
• Determining which sources (vendors, researchers) have published detection methods

Args: identifier (str): The unique CVE ID or UUID of the vulnerability to retrieve. Example formats: "CVE-2023-1234" or "123e4567-e89b-12d3-a456-426614174000"

Returns: Dict[str, Any]: List of detection signatures for the specified vulnerability, where each signature contains: - uuid: Unique identifier for this detection signature - source: Origin of the detection signature (e.g., "cisa_kev", "snort", "yara") - method: How the signature was created (e.g., "manual", "automated") - description: Human-readable description of what the signature detects - upstream_id: Original identifier from the source system - created_at: Timestamp when this signature was first added - updated_at: Timestamp when this signature was last modified

Get exploitation data for a specific vulnerability

Use this tool when you need to determine if a vulnerability has been actively exploited in the wild. This information is critical for risk assessment, incident response, and prioritization of remediation efforts. Exploitation data can help you:

• Validate that a vulnerability is being actively used by threat actors
• Understand when exploitation began and if it's ongoing
• Identify which detection mechanisms observed the exploitation
• Determine the frequency or prevalence of exploitation (count)
• Make data-driven decisions about patching priorities

Args: identifier (str): The unique CVE ID or UUID of the vulnerability to retrieve. Example formats: "CVE-2023-1234" or "123e4567-e89b-12d3-a456-426614174000"

Returns: Dict[str, Any]: List of exploitation records for the specified vulnerability, where each record contains: - uuid: Unique identifier for this exploitation record - begins_at: Timestamp when exploitation was first observed - ends_at: Timestamp when exploitation activity ended - count: Number of exploitation occurrences detected - created_at: Timestamp when this record was first added - updated_at: Timestamp when this record was last modified - detection_signature_uuid: UUID of the signature that detected this exploitation - detection_signature_name: Name of the detection signature - detection_signature_source: Source of the detection (e.g., "cisa_kev") - detection_signature_method: Method used for detection (e.g., "manual")

Get configuration information for a specific vulnerability

Use this tool when you need to understand exactly which systems, products, or versions are affected by a vulnerability. This information is essential for:

• Determining if your specific product versions are vulnerable
• Planning targeted remediation efforts
• Conducting accurate asset vulnerability mapping
• Filtering out false positives in vulnerability scanning
• Understanding the scope of affected software/hardware configurations

The configuration data follows CPE (Common Platform Enumeration) standards to precisely identify affected systems.

Args: identifier (str): The unique CVE ID or UUID of the vulnerability to retrieve. Example formats: "CVE-2023-1234" or "123e4567-e89b-12d3-a456-426614174000"

Returns: Dict[str, Any]: List of vulnerable configurations for the specified vulnerability, where each configuration contains: - uuid: Unique identifier for this configuration record - cpe_id: Identifier for this CPE configuration - set_id: Identifier for the set this configuration belongs to - is_vulnerable: Boolean indicating if this configuration is vulnerable - vendor/vendor_display_name: The vendor of the affected product - product/product_display_name: The affected product name - product_type: Type of product (e.g., "application", "os") - Version range indicators: - versionStartIncluding/versionStartExcluding: Minimum affected version - versionEndIncluding/versionEndExcluding: Maximum affected version - updateStartIncluding/updateEndIncluding: Update version specifiers - Platform details: - edition: Edition of the product - language: Language of the product - sw_edition: Software edition information - target_sw: Target software environment (e.g., "wordpress") - target_hw: Target hardware environment - other: Additional targeting information - created_at/updated_at: Timestamps for record management - cve_id: The CVE identifier associated with this configuration