bartalex.action("drops", dridex, description="Drops Dridex") zeus_callback = Regex(name="Zeus C2 check-in") zeus_callback.pattern = "/gate.php$" zeus_callback.description = "ZeuS post-infection callback" zeus_callback.diamond = "Capability" zeus_callback.location = "network" zeus_callback.save() zeus_callback.action('indicates', zeus) # TTP macrodoc = TTP(name="Macro-dropper") macrodoc.killchain = "delivery" macrodoc.description = "Macro-enabled MS Office document" macrodoc.save() bartalex.action("leverages", macrodoc) bartalex_callback.action("seen in", macrodoc) bartalex_callback2.action("seen in", macrodoc) payload_download = TTP(name="Payload retrieval (HTTP)") payload_download.killchain = "delivery" payload_download.description = "Payload is retreived from an external URL" payload_download.save() macrodoc.action("leverages", payload_download) bartalex_callback.action("indicates", payload_download) bartalex_callback2.action("indicates", payload_download) # add observables o1 = Observable.add_text("85.214.71.240") # o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
bartalex.action(dridex, 'testrun', verb="drops") zeus_callback = Regex(name="Zeus C2 check-in", pattern="/gate.php$") zeus_callback.description = "ZeuS post-infection callback" zeus_callback.diamond = "capability" zeus_callback.location = "network" zeus_callback.save() zeus_callback.action(zeus, 'testrun', verb='indicates') # TTP macrodoc = TTP(name="Macro-dropper") macrodoc.killchain = "3" macrodoc.description = "Macro-enabled MS Office document" macrodoc.save() bartalex.action(macrodoc, 'testrun', verb="leverages") bartalex.action(macrodoc, 'testrun', verb="leverages") bartalex.action(macrodoc, 'testrun', verb="leverages") bartalex_callback.action(macrodoc, 'testrun', verb="seen in") bartalex_callback2.action(macrodoc, 'testrun', verb="seen in") payload_download = TTP(name="Payload retrieval (HTTP)") payload_download.killchain = "3" payload_download.description = "Payload is retreived from an external URL" payload_download.save() macrodoc.action(payload_download, 'testrun', verb="leverages") bartalex_callback.action(payload_download, 'testrun', verb="indicates") bartalex_callback2.action(payload_download, 'testrun', verb="indicates")