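    def _make_entities(self, threat):
        """Create or update the local entities attributed to a ProofPoint campaign.

        Fetches the campaign referenced by ``threat["campaignID"]`` from
        ``self.campaign_api``, gets-or-creates the ``Campaign`` and the
        ``Actor``, ``Malware`` and ``TTP`` entities listed in the response,
        and links each of them to the campaign via ``action(...)``.  Every
        entity is tagged with ``self.name`` so the feed that created it
        stays traceable.

        Args:
            threat: ProofPoint threat record; only ``"campaignID"`` is read.

        Returns:
            ``(campaign, campaign_info)`` -- the saved ``Campaign`` and the
            raw API response -- or ``(None, None)`` when the threat carries
            no campaign id.
        """
        campaign_id = threat["campaignID"]
        # threats that are not part of a campaign carry a null id; there is
        # nothing to attribute in that case
        if campaign_id is None:
            return None, None
        log.debug("_make_entities for campaign %s", campaign_id)
        campaign_info = self.campaign_api.get_campaign(campaign_id=campaign_id)
        # full dump of the API response, useful when the mapping below breaks
        log.debug("campaign info:\n%s", pprint.pformat(campaign_info))

        new_description = campaign_info["description"]
        _campaign = Campaign.get_or_create(
            name=campaign_info["name"],
            tags=[self.name],
            description=new_description,
        ).save()
        # get_or_create returns an existing document unchanged; back-fill its
        # description when it is still empty and ProofPoint supplies one
        # (skips a pointless save when both sides are empty)
        if _campaign.description in (None, "") and new_description:
            _campaign.description = new_description
            _campaign.save()

        # attribute the campaign with the ProofPoint actor denomination
        actors = campaign_info["actors"]
        log.info("make Actor entities for %d actors", len(actors))
        for actor in actors:
            _actor = Actor.get_or_create(name=actor["name"],
                                         tags=[self.name]).save()
            _actor.action(_campaign, self.name)
            # point an undocumented actor at its ProofPoint web page
            if _actor.description in (None, ""):
                _actor.description = self._make_actor_web_url(actor["id"])
                _actor.save()

        # TODO: campaign_info["families"] is not mapped yet; the earlier
        # attempt relied on MalwareFamily.get_or_create, which may not exist.

        # lazy %-style arguments throughout: the message is only rendered
        # when the level is enabled (the .format variant was rendered eagerly)
        malware = campaign_info["malware"]
        log.info("make Malware entities for %d malwares", len(malware))
        for mal in malware:
            _mal = Malware.get_or_create(name=mal["name"],
                                         tags=[self.name]).save()
            _campaign.action(_mal, self.name)

        techniques = campaign_info["techniques"]
        log.info("make TTP entities for %d techniques", len(techniques))
        for ttp in techniques:
            # every technique is filed under killchain stage "3" -- TODO confirm
            # this fixed stage is intended for all ProofPoint techniques
            _t = TTP.get_or_create(name=ttp["name"],
                                   killchain="3",
                                   tags=[self.name]).save()
            _campaign.action(_t, self.name)

        return _campaign, campaign_info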
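    def _link_campaign_entities(self, campaign, model, records, **extra):
        """Get-or-create one *model* entity per ProofPoint record and link it to *campaign*.

        Args:
            campaign: saved ``Campaign`` the entities are attributed to.
            model: entity class exposing ``get_or_create(name=..., tags=..., ...)``.
            records: iterable of ProofPoint dicts carrying a ``'name'`` key.
            **extra: extra keyword arguments forwarded to ``get_or_create``
                (e.g. ``killchain`` for TTPs).

        Returns:
            The saved entities, in the order of *records*.
        """
        linked = []
        for record in records:
            entity = model.get_or_create(
                name=record['name'], tags=[self.name], **extra).save()
            campaign.action(entity, self.name)
            linked.append(entity)
        return linked

    def _make_entities(self, threat):
        """Create or update the local entities attributed to a ProofPoint campaign.

        Fetches the campaign referenced by ``threat['campaignID']`` from
        ``self.campaign_api``, gets-or-creates the ``Campaign`` and the
        ``Actor``, ``Malware`` and ``TTP`` entities listed in the response,
        and links each of them to the campaign.  Everything is tagged with
        ``self.name`` so the originating feed stays traceable.

        Args:
            threat: ProofPoint threat record; only ``'campaignID'`` is read.

        Returns:
            ``(campaign, campaign_info)`` -- the saved ``Campaign`` and the
            raw API response -- or ``(None, None)`` when the threat is not
            part of a campaign.
        """
        campaign_id = threat['campaignID']
        if campaign_id is None:
            # threats outside any campaign carry a null id: nothing to map
            return None, None
        log.debug('_make_entities for campaign %s', campaign_id)
        campaign_info = self.campaign_api.get_campaign(campaign_id=campaign_id)
        # full dump of the API response, handy when the mapping below breaks
        log.debug('campaign info:\n%s', pprint.pformat(campaign_info))

        description = campaign_info['description']
        _campaign = Campaign.get_or_create(
            name=campaign_info['name'],
            tags=[self.name],
            description=description).save()
        # get_or_create hands back an existing document untouched; back-fill
        # its description when it is still empty and ProofPoint supplies one
        if _campaign.description in (None, '') and description:
            _campaign.description = description
            _campaign.save()

        # attribute the campaign with the ProofPoint actor denomination
        actors = campaign_info['actors']
        log.info('make Actor entities for %d actors', len(actors))
        for actor in actors:
            _actor = Actor.get_or_create(
                name=actor['name'], tags=[self.name]).save()
            _actor.action(_campaign, self.name)
            # point an undocumented actor at its ProofPoint web page
            if _actor.description in (None, ''):
                _actor.description = self._make_actor_web_url(actor['id'])
                _actor.save()

        # TODO: campaign_info['families'] is not mapped yet; the earlier
        # attempt relied on MalwareFamily.get_or_create, which may not exist.

        # %-style lazy arguments: rendered only when INFO is enabled, unlike
        # the eager .format() calls used before
        malware = campaign_info['malware']
        log.info('make Malware entities for %d malwares', len(malware))
        self._link_campaign_entities(_campaign, Malware, malware)

        techniques = campaign_info['techniques']
        log.info('make TTP entities for %d techniques', len(techniques))
        # every technique is filed under killchain stage "3" -- TODO confirm
        # this fixed stage is intended for all ProofPoint techniques
        self._link_campaign_entities(
            _campaign, TTP, techniques, killchain="3")

        return _campaign, campaign_info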
def _set_fields(entity, **fields):
    """Assign *fields* as attributes on *entity* in the given order, save it and return it."""
    for attr, value in fields.items():
        setattr(entity, attr, value)
    entity.save()
    return entity


# both Bartalex callback indicators host the Dridex payload; the dropper drops it
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("hosts", dridex, description="Hosting Dridex")

bartalex.action("drops", dridex, description="Drops Dridex")

# ZeuS check-in indicator: described, persisted, then linked to the malware
zeus_callback = _set_fields(
    Regex(name="Zeus C2 check-in"),
    pattern="/gate.php$",
    description="ZeuS post-infection callback",
    diamond="Capability",
    location="network",
)
zeus_callback.action('indicates', zeus)

# TTP

macrodoc = _set_fields(
    TTP(name="Macro-dropper"),
    killchain="delivery",
    description="Macro-enabled MS Office document",
)
bartalex.action("leverages", macrodoc)
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("seen in", macrodoc)

payload_download = _set_fields(
    TTP(name="Payload retrieval (HTTP)"),
    killchain="delivery",
    description="Payload is retreived from an external URL",
)
macrodoc.action("leverages", payload_download)
for callback in (bartalex_callback, bartalex_callback2):
    callback.action("indicates", payload_download)
# both Bartalex callbacks host the Dridex payload; the dropper itself drops it
for callback in (bartalex_callback, bartalex_callback2):
    callback.action(dridex, 'testrun', verb="hosts")

bartalex.action(dridex, 'testrun', verb="drops")

# ZeuS check-in indicator: fill the descriptive fields, persist, then link
zeus_callback = Regex(name="Zeus C2 check-in", pattern="/gate.php$")
for attr, value in (
    ("description", "ZeuS post-infection callback"),
    ("diamond", "capability"),
    ("location", "network"),
):
    setattr(zeus_callback, attr, value)
zeus_callback.save()
zeus_callback.action(zeus, 'testrun', verb='indicates')

# TTP

macrodoc = TTP(name="Macro-dropper")
macrodoc.killchain = "3"
macrodoc.description = "Macro-enabled MS Office document"
macrodoc.save()
# the original issues this link three times in a row (presumably to exercise
# repeated linking during the test run); the repetition is kept deliberately
for _ in range(3):
    bartalex.action(macrodoc, 'testrun', verb="leverages")

for callback in (bartalex_callback, bartalex_callback2):
    callback.action(macrodoc, 'testrun', verb="seen in")

payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")
def _persist(entity, **fields):
    """Set *fields* on *entity* in the given order, save it and return it."""
    for attr, value in fields.items():
        setattr(entity, attr, value)
    entity.save()
    return entity


_callbacks = (bartalex_callback, bartalex_callback2)

# hosting / dropping relations for the Dridex payload
for callback in _callbacks:
    callback.action(dridex, 'testrun', verb="hosts")
bartalex.action(dridex, 'testrun', verb="drops")

# ZeuS check-in indicator, persisted before it is linked to the malware
zeus_callback = _persist(
    Regex(name="Zeus C2 check-in", pattern="/gate.php$"),
    description="ZeuS post-infection callback",
    diamond="capability",
    location="network",
)
zeus_callback.action(zeus, 'testrun', verb='indicates')

# TTP

macrodoc = _persist(
    TTP(name="Macro-dropper"),
    killchain="3",
    description="Macro-enabled MS Office document",
)
# the original repeats this link three times; kept as-is (presumably it
# exercises re-linking during the test run)
for _ in range(3):
    bartalex.action(macrodoc, 'testrun', verb="leverages")
for callback in _callbacks:
    callback.action(macrodoc, 'testrun', verb="seen in")

payload_download = _persist(
    TTP(name="Payload retrieval (HTTP)"),
    killchain="3",
    description="Payload is retreived from an external URL",
)
macrodoc.action(payload_download, 'testrun', verb="leverages")