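def _make_entities(self, threat):
    """Create or update the Yeti entities described by a ProofPoint threat.

    Looks up the campaign referenced by ``threat["campaignID"]`` through
    ``self.campaign_api``, then creates (or fetches) the Campaign, Actor,
    Malware and TTP entities that campaign lists and links each of them to
    the campaign, tagged with this feed's name.

    Args:
        threat: one threat record as returned by the ProofPoint API; only
            its ``campaignID`` entry is read here.

    Returns:
        ``(campaign, campaign_info)`` -- the saved ``Campaign`` entity and
        the raw campaign payload returned by the API -- or ``(None, None)``
        when the threat is not attributed to any campaign.
    """
    campaign_id = threat.get("campaignID")
    if campaign_id is None:
        # Unattributed threats carry nothing to turn into entities.
        return None, None
    log.debug("_make_entities for campaign %s", campaign_id)

    # Everything below comes from the remote API response; list-valued
    # fields are read with a default so a sparse payload produces fewer
    # entities instead of a KeyError in the middle of the import.
    campaign_info = self.campaign_api.get_campaign(campaign_id=campaign_id)
    log.debug(pprint.pformat(campaign_info))

    description = campaign_info.get("description")
    campaign = Campaign.get_or_create(
        name=campaign_info["name"],
        tags=[self.name],
        description=description,
    ).save()
    if not campaign.description and description:
        # get_or_create hands back an already stored campaign untouched, so
        # a description that appeared after the first sighting is applied
        # here.
        campaign.description = description
        campaign.save()

    # Attribute the campaign to the actors under ProofPoint's naming.
    actors = campaign_info.get("actors") or []
    log.info("make Actor entities for %d actors", len(actors))
    for actor in actors:
        actor_entity = Actor.get_or_create(
            name=actor["name"], tags=[self.name]
        ).save()
        actor_entity.action(campaign, self.name)
        if not actor_entity.description:
            # The actor "id" is taken verbatim from the API response and
            # becomes part of a link; _make_actor_web_url is not visible
            # here -- confirm it validates/escapes the id before use.
            actor_entity.description = self._make_actor_web_url(actor["id"])
            actor_entity.save()

    # NOTE: campaign_info["families"] is not imported: the earlier attempt
    # was disabled because MalwareFamily.get_or_create did not exist.

    malware = campaign_info.get("malware") or []
    log.info("make Malware entities for %d malwares", len(malware))
    for mal in malware:
        mal_entity = Malware.get_or_create(
            name=mal["name"], tags=[self.name]
        ).save()
        campaign.action(mal_entity, self.name)

    techniques = campaign_info.get("techniques") or []
    log.info("make TTP entities for %d techniques", len(techniques))
    for ttp in techniques:
        # Every ProofPoint technique is filed under kill-chain stage "3";
        # what that stage denotes is defined by the TTP model, not here.
        ttp_entity = TTP.get_or_create(
            name=ttp["name"], killchain="3", tags=[self.name]
        ).save()
        campaign.action(ttp_entity, self.name)

    return campaign, campaign_info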
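def _make_entities(self, threat):
    """Build the Campaign, Actor, Malware and TTP entities for one threat.

    The campaign id carried by ``threat`` is resolved through
    ``self.campaign_api``; the resulting payload drives creation (or
    lookup) of the related entities, each linked to the campaign and
    tagged with this feed's name.

    Args:
        threat: a ProofPoint threat record; only ``campaignID`` is used.

    Returns:
        A ``(campaign, campaign_info)`` pair, or ``(None, None)`` when the
        threat has no campaign id.
    """
    campaign_id = threat.get('campaignID')
    if campaign_id is None:
        return None, None
    log.debug('_make_entities for campaign %s', campaign_id)

    campaign_info = self.campaign_api.get_campaign(campaign_id=campaign_id)
    log.debug(pprint.pformat(campaign_info))

    # The payload is remote data: optional fields are read with defaults
    # rather than indexed, so a sparse response degrades gracefully.
    description = campaign_info.get('description')
    campaign = Campaign.get_or_create(
        name=campaign_info['name'],
        tags=[self.name],
        description=description).save()
    if not campaign.description and description:
        # An existing campaign is returned as stored; pick up a description
        # that was absent when it was first created.
        campaign.description = description
        campaign.save()

    def link_to_campaign(model, key, message, **extra):
        """Create/fetch one ``model`` per entry of ``campaign_info[key]``.

        Each entity is linked from the campaign; ``extra`` is passed
        through to ``model.get_or_create``.
        """
        entries = campaign_info.get(key) or []
        log.info(message, len(entries))
        for entry in entries:
            entity = model.get_or_create(
                name=entry['name'], tags=[self.name], **extra).save()
            campaign.action(entity, self.name)

    # Actors link *to* the campaign and get a web link as description, so
    # they are handled inline rather than through link_to_campaign.
    actors = campaign_info.get('actors') or []
    log.info('make Actor entities for %d actors', len(actors))
    for actor in actors:
        actor_entity = Actor.get_or_create(
            name=actor['name'], tags=[self.name]).save()
        actor_entity.action(campaign, self.name)
        if not actor_entity.description:
            # actor['id'] is API-supplied and is interpolated into a URL by
            # _make_actor_web_url (not visible here) -- confirm it is
            # validated there.
            actor_entity.description = self._make_actor_web_url(actor['id'])
            actor_entity.save()

    # NOTE: 'families' is deliberately not imported; the original attempt
    # was disabled because MalwareFamily.get_or_create was missing.

    link_to_campaign(
        Malware, 'malware', 'make Malware entities for %d malwares')
    # Kill-chain stage "3" is assigned to every ProofPoint technique; its
    # meaning is defined by the TTP model.
    link_to_campaign(
        TTP, 'techniques', 'make TTP entities for %d techniques',
        killchain="3")

    return campaign, campaign_info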
# Both Bartalex callback indicators host the Dridex payload; the dropper
# itself drops it.
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("hosts", dridex, description="Hosting Dridex")
bartalex.action("drops", dridex, description="Drops Dridex")

# ZeuS post-infection beacon, modelled as a network-located regex indicator.
zeus_callback = Regex(name="Zeus C2 check-in")
zeus_callback.pattern = "/gate.php$"
zeus_callback.description = "ZeuS post-infection callback"
zeus_callback.diamond = "Capability"
zeus_callback.location = "network"
zeus_callback.save()
zeus_callback.action('indicates', zeus)

# TTPs: the macro-enabled document and the HTTP payload retrieval it uses.
macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "delivery"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
bartalex.action("leverages", macrodoc)
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("seen in", macrodoc)

payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "delivery"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action("leverages", payload_download)
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("indicates", payload_download)
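# Relationships of the Bartalex indicators with the Dridex payload, all
# attributed to the 'testrun' source.
bartalex_callback.action(dridex, 'testrun', verb="hosts")
bartalex_callback2.action(dridex, 'testrun', verb="hosts")
bartalex.action(dridex, 'testrun', verb="drops")

# ZeuS post-infection beacon, modelled as a network-located regex indicator.
zeus_callback = Regex(name="Zeus C2 check-in", pattern="/gate.php$")
zeus_callback.description = "ZeuS post-infection callback"
zeus_callback.diamond = "capability"
zeus_callback.location = "network"
zeus_callback.save()
zeus_callback.action(zeus, 'testrun', verb='indicates')

# TTPs: the macro-enabled document and the HTTP payload retrieval it uses.
# killchain "3" replaces the earlier "delivery" label; its meaning is
# defined by the TTP model.
macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "3"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
# The "leverages" link is recorded once; the repeated identical calls in
# the original looked like a copy-paste slip (if action() is not
# idempotent they would have created duplicate links -- confirm).
bartalex.action(macrodoc, 'testrun', verb="leverages")
bartalex_callback.action(macrodoc, 'testrun', verb="seen in")
bartalex_callback2.action(macrodoc, 'testrun', verb="seen in")

payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")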