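# Link the two Bartalex callback indicators (defined earlier in the file) to the
# Dridex payload they were observed hosting, and Bartalex itself to the drop.
bartalex_callback.action(dridex, 'testrun', verb="hosts")
bartalex_callback2.action(dridex, 'testrun', verb="hosts")

bartalex.action(dridex, 'testrun', verb="drops")

# ZeuS C2 check-in indicator. The '.' is escaped so the regex matches only a
# literal "gate.php" URI suffix; an unescaped '.' would also match any other
# single character in that position and produce false positives.
zeus_callback = Regex(name="Zeus C2 check-in", pattern=r"/gate\.php$")
zeus_callback.description = "ZeuS post-infection callback"
zeus_callback.diamond = "capability"
zeus_callback.location = "network"
zeus_callback.save()
zeus_callback.action(zeus, 'testrun', verb='indicates')

# TTP

# Macro-enabled Office document used as the delivery/dropper stage.
macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "3"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
# One link is enough: the original issued this call three times, which either
# creates duplicate relationships or is redundant, depending on whether
# action() deduplicates (not visible here).
bartalex.action(macrodoc, 'testrun', verb="leverages")

bartalex_callback.action(macrodoc, 'testrun', verb="seen in")
bartalex_callback2.action(macrodoc, 'testrun', verb="seen in")

# Second-stage retrieval over HTTP, leveraged by the macro document and
# indicated by the Bartalex callback.
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")
bartalex_callback.action(payload_download, 'testrun', verb="indicates")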
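# Link the Bartalex callback indicator (defined earlier in the file) to the
# Dridex payload it hosts, and Bartalex itself to the drop.
bartalex_callback2.action("hosts", dridex, description="Hosting Dridex")

bartalex.action("drops", dridex, description="Drops Dridex")

# ZeuS C2 check-in indicator. The '.' is escaped so the regex matches only a
# literal "gate.php" URI suffix; an unescaped '.' would also match any other
# single character in that position and produce false positives.
zeus_callback = Regex(name="Zeus C2 check-in")
zeus_callback.pattern = r"/gate\.php$"
zeus_callback.description = "ZeuS post-infection callback"
zeus_callback.diamond = "Capability"
zeus_callback.location = "network"
zeus_callback.save()
zeus_callback.action('indicates', zeus)

# TTP

# Macro-enabled Office document used as the delivery stage.
macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "delivery"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
bartalex.action("leverages", macrodoc)
bartalex_callback.action("seen in", macrodoc)
bartalex_callback2.action("seen in", macrodoc)

# Second-stage retrieval over HTTP, leveraged by the macro document and
# indicated by both Bartalex callbacks.
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "delivery"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action("leverages", payload_download)
bartalex_callback.action("indicates", payload_download)
bartalex_callback2.action("indicates", payload_download)

# add observables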
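# Link the two Bartalex callback indicators (defined earlier in the file) to the
# Dridex payload they were observed hosting, and Bartalex itself to the drop.
bartalex_callback.action(dridex, 'testrun', verb="hosts")
bartalex_callback2.action(dridex, 'testrun', verb="hosts")

bartalex.action(dridex, 'testrun', verb="drops")

# ZeuS C2 check-in indicator. The '.' is escaped so the regex matches only a
# literal "gate.php" URI suffix; an unescaped '.' would also match any other
# single character in that position and produce false positives.
zeus_callback = Regex(name="Zeus C2 check-in", pattern=r"/gate\.php$")
zeus_callback.description = "ZeuS post-infection callback"
zeus_callback.diamond = "capability"
zeus_callback.location = "network"
zeus_callback.save()
zeus_callback.action(zeus, 'testrun', verb='indicates')

# TTP

# Macro-enabled Office document used as the delivery/dropper stage.
macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "3"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
# One link is enough: the original issued this call three times, which either
# creates duplicate relationships or is redundant, depending on whether
# action() deduplicates (not visible here).
bartalex.action(macrodoc, 'testrun', verb="leverages")

bartalex_callback.action(macrodoc, 'testrun', verb="seen in")
bartalex_callback2.action(macrodoc, 'testrun', verb="seen in")

# Second-stage retrieval over HTTP, leveraged by the macro document and
# indicated by the Bartalex callback.
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")
bartalex_callback.action(payload_download, 'testrun', verb="indicates")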