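def Run(graph, timetable, report):
    """Attach Bit9 threat-intel verdicts to the modules a process loaded.

    Iterates ``report['process']['modload_complete']``, a list of
    pipe-delimited records, looks up the hash carried in each record via
    ``CheckHash.Run`` and, for a verdict with ``threat == 100``, wires
    ``time -> modload -> threat`` nodes into ``graph``.

    Args:
        graph: Graph handle passed straight through to ``GetNode.Run`` and
            ``ConnectNodes.Run``.
        timetable: Accepted for signature parity with the sibling modules but
            not consulted here -- a hit creates its time node whether or not
            that timestamp is present in ``timetable``.
        report: Process report dict with a ``process.modload_complete`` list.

    Returns:
        None. Progress and verdicts are printed through ``colored``.

    Raises:
        KeyError: if ``report['process']['modload_complete']`` is absent.
    """
    print(colored.yellow("[*] Adding Modules Loaded Threat Intel From Bit9."))
    for item in report['process']['modload_complete']:
        fields = item.split("|")
        # Field layout inferred from the indices used below:
        # [0] timestamp, [1] module hash, [2] module path -- TODO confirm
        # against the sensor's record format.
        if len(fields) < 3 or fields[1] == '':
            # No hash to enrich (or a malformed record): skip rather than
            # raise and abort the remaining records.
            continue
        hashvalue = fields[1]
        intelresult = CheckHash.Run(hashvalue)
        if not intelresult:
            # An empty response is "no verdict", not "clean"; say so instead
            # of reporting the hash as not a threat.
            print(colored.cyan("[?] No Bit9 verdict for hash, " + str(hashvalue)))
            continue
        # NOTE(review): only an exact threat == 100 counts as a hit here,
        # whereas the file-modification intel module treats any non-zero
        # threat as a hit. The two thresholds should probably agree -- confirm
        # the intended scale with the intel provider before aligning them.
        if intelresult[0]['threat'] == 100:
            print(colored.magenta("[+] Bit9 Threat Intel Hit! " + str(hashvalue)))
            threatlabel = intelresult[0]['fileName'] + "-Threat=" + str(intelresult[0]['threat'])
            # The last four characters of the timestamp are dropped the same
            # way in every module so that time nodes share one key.
            timestamp = fields[0][:-4]
            modload_name = fields[2]
            time_node = GetNode.Run(graph, timestamp, "time", 1.0)
            threat_node = GetNode.Run(graph, threatlabel, "threat", 5.0)
            modload_node = GetNode.Run(graph, modload_name, "modload", 1.0)
            ConnectNodes.Run(graph, time_node, modload_node)
            ConnectNodes.Run(graph, modload_node, threat_node)
        else:
            print(colored.cyan("[?] Hash not a threat, " + str(hashvalue)))
    print(colored.green("[+] Completed.\n"))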
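def Run(graph, timetable, report):
    """Link every loaded module to the time node of its load event.

    For each pipe-delimited record in ``report['process']['modload_complete']``
    whose (truncated) timestamp appears in ``timetable``, a ``time`` node and a
    ``modload`` node are fetched via ``GetNode.Run`` and connected with
    ``ConnectNodes.Run``.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timetable: Collection of timestamp keys; records whose timestamp is
            not in it are ignored.
        report: Process report dict with a ``process.modload_complete`` list.

    Returns:
        None. Progress is printed through ``colored``.

    Raises:
        KeyError: if ``report['process']['modload_complete']`` is absent.
    """
    print(colored.yellow("[*] Adding Modules Loaded actions."))
    for item in report['process']['modload_complete']:
        fields = item.split("|")
        # Field layout inferred from the indices used: [0] timestamp,
        # [2] module path -- TODO confirm against the record format.
        if len(fields) < 3:
            # Malformed record: skip it instead of raising mid-loop.
            continue
        # Trailing four characters are stripped consistently across modules so
        # the key matches the entries in ``timetable``.
        timestamp = fields[0][:-4]
        if timestamp not in timetable:
            continue
        time_node = GetNode.Run(graph, timestamp, "time", 1.0)
        modload_node = GetNode.Run(graph, fields[2], "modload", 1.0)
        ConnectNodes.Run(graph, time_node, modload_node)
    print(colored.green("[+] Completed.\n"))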
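def Run(graph, timetable, report):
    """Link each file-modification event to the time node it happened at.

    Walks ``report['process'].get('filemod_complete', [])``. For each
    pipe-delimited record whose (truncated) timestamp is in ``timetable`` the
    numeric action code is turned into edge attributes via
    ``GetFileActionAttributes.Run`` and a ``time -> file_mod`` edge is added.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timetable: Collection of timestamp keys; other records are ignored.
        report: Process report dict; a missing ``filemod_complete`` list is
            treated as empty.

    Returns:
        None. Progress is printed through ``colored``.
    """
    print(colored.yellow("[*] Adding file actions."))
    for item in report['process'].get('filemod_complete', []):
        fields = item.split("|")
        # Field layout inferred from the indices used: [0] action code,
        # [1] timestamp, [2] file path -- TODO confirm against the format.
        if len(fields) < 3:
            # Malformed record: skip it instead of raising mid-loop.
            continue
        timestamp = fields[1][:-4]
        if timestamp not in timetable:
            continue
        attrs = GetFileActionAttributes.Run(int(fields[0]))
        # Only the last four path components are kept as the node name, so
        # distinct files sharing that tail collapse into one node.
        fmod_name = '\\'.join(str(fields[2]).split('\\')[-4:])
        time_node = GetNode.Run(graph, timestamp, "time", 1.0)
        fmod_node = GetNode.Run(graph, fmod_name, "file_mod", 1.0)
        ConnectNodes.Run(graph, time_node, fmod_node, attrs)
    print(colored.green("[+] Completed.\n"))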
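def Run(graph, timetable, report):
    """Link each network connection event to the time node it happened at.

    Reads ``report['process']['netconn_complete']`` (pipe-delimited records)
    and, for records whose (truncated) timestamp is in ``timetable``, adds a
    ``time -> netconn`` edge with empty attributes.

    The original wrapped the whole loop in a bare ``except:`` that printed
    "No Network Connections." for *any* error -- including bugs in the graph
    helpers -- and stopped processing the remaining records. The missing-key
    case is now handled explicitly and malformed records are skipped
    individually.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timetable: Collection of timestamp keys; other records are ignored.
        report: Process report dict.

    Returns:
        None. Progress is printed through ``colored``.
    """
    print(colored.yellow("[*] Adding Network Connection activity."))
    netconns = report.get('process', {}).get('netconn_complete')
    if not netconns:
        print(colored.red("No Network Connections."))
        return
    for item in netconns:
        fields = item.split("|")
        # Field layout inferred from the indices used: [0] timestamp,
        # [4] connection name (presumably the remote host/domain) -- TODO
        # confirm against the record format.
        if len(fields) < 5:
            # Malformed record: skip it instead of aborting the whole loop.
            continue
        timestamp = fields[0][:-4]
        if timestamp not in timetable:
            continue
        time_node = GetNode.Run(graph, timestamp, "time", 1.0)
        netconn_node = GetNode.Run(graph, fields[4], "netconn", 1.0)
        ConnectNodes.Run(graph, time_node, netconn_node, attrs={})
    print(colored.green("[+] Completed.\n"))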
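def Run(graph, timetable, report):
    """Link each registry-modification event to the time node it happened at.

    Reads ``report['process']['regmod_complete']`` (pipe-delimited records).
    For records whose (truncated) timestamp is in ``timetable`` the numeric
    action code is mapped to edge attributes by
    ``GetRegistryActionAttributes.Run`` and a ``time -> reg_mod`` edge is added.

    The original wrapped the whole loop in a bare ``except:`` that printed
    "[-] No Registry Activity" for *any* error and silently dropped the rest
    of the records. The missing-key case is now explicit, and a record with a
    non-numeric action code or too few fields is skipped on its own.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timetable: Collection of timestamp keys; other records are ignored.
        report: Process report dict.

    Returns:
        None. Progress is printed through ``colored``.
    """
    print(colored.yellow("[*] Adding registry actions."))
    regmods = report.get('process', {}).get('regmod_complete')
    if not regmods:
        print(colored.red("[-] No Registry Activity"))
        return
    for item in regmods:
        fields = item.split("|")
        # Field layout inferred from the indices used: [0] action code,
        # [1] timestamp, [2] registry path -- TODO confirm against the format.
        if len(fields) < 3:
            continue
        timestamp = fields[1][:-4]
        if timestamp not in timetable:
            continue
        try:
            action = int(fields[0])
        except ValueError:
            # Non-numeric action code: skip this record only.
            continue
        attrs = GetRegistryActionAttributes.Run(action)
        # Only the last four path components form the node name, so distinct
        # keys sharing that tail collapse into one node.
        rmod_name = '\\'.join(str(fields[2]).split('\\')[-4:])
        time_node = GetNode.Run(graph, timestamp, "time", 1.0)
        rmod_node = GetNode.Run(graph, rmod_name, "reg_mod", 1.0)
        ConnectNodes.Run(graph, time_node, rmod_node, attrs)
    print(colored.green("[+] Completed.\n"))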
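def Run(graph, timelist):
    """Chain the timestamps in ``timelist`` into a path of ``time`` nodes.

    Consecutive entries are connected with a ``{'label': 'time',
    'type': 'timestamp', 'og:space:activity': 1.0}`` edge. The first and last
    timestamps are fetched with weight 3.0, all others with 1.0, so the
    endpoints of the timeline stand out.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timelist: Ordered sequence of timestamp keys. Fewer than two entries
            leaves nothing to chain; the original indexing raised IndexError
            in that case, which is now reported and skipped instead.

    Returns:
        None. Progress is printed through ``colored``.
    """
    print(colored.yellow("[*] Creating time nodes."))
    if len(timelist) < 2:
        print(colored.red("[-] Not enough time entries to chain."))
        return

    def edge_attrs():
        # Fresh dict per edge so the graph never shares one attrs object.
        return {
            'label': 'time',
            'type': 'timestamp',
            'og:space:activity': 1.0,
        }

    def link(src, src_weight, dst):
        # GetNode for src is evaluated before dst, matching the original
        # argument order in case GetNode has creation side effects.
        src_node = GetNode.Run(graph, src, 'time', src_weight)
        dst_node = GetNode.Run(graph, dst, 'time', 1.0)
        ConnectNodes.Run(graph, src_node, dst_node, edge_attrs())

    link(timelist[0], 3.0, timelist[1])
    # NOTE(review): this edge runs from the last timestamp back to the
    # second-to-last, opposite to every other edge in the chain. Harmless if
    # the graph is undirected; otherwise confirm the direction is intended.
    link(timelist[-1], 3.0, timelist[-2])
    for x in range(1, len(timelist) - 2):
        link(timelist[x], 1.0, timelist[x + 1])
    print(colored.green("[+] Completed.\n"))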
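def Run(graph, timetable, report):
    """Attach Bit9 threat-intel verdicts to modified files.

    Iterates ``report['process'].get('filemod_complete', [])``; for each
    pipe-delimited record that carries a hash, ``CheckHash.Run`` is queried
    and any verdict with a non-zero ``threat`` creates a ``file_mod -> threat``
    edge. Unlike the modload intel module, no time node is created here.

    Fixes versus the original: an empty intel response no longer raises
    IndexError on ``intelresult[0]`` (it is reported as "no verdict"), a
    record with too few fields is skipped instead of raising, and the
    "Thrat" typo in the hit message is corrected.

    Args:
        graph: Graph handle passed through to ``GetNode.Run`` /
            ``ConnectNodes.Run``.
        timetable: Accepted for signature parity with the sibling modules;
            not consulted here.
        report: Process report dict; a missing ``filemod_complete`` list is
            treated as empty.

    Returns:
        None. Progress and verdicts are printed through ``colored``.
    """
    print(colored.yellow("[*] Adding File Modifications Threat Intel From Bit9."))
    for item in report['process'].get('filemod_complete', []):
        fields = item.split("|")
        # Field layout inferred from the indices used: [2] file path,
        # [3] file hash -- TODO confirm against the record format.
        if len(fields) < 4 or fields[3] == '':
            # Nothing to look up for this record.
            continue
        hashvalue = fields[3]
        intelresult = CheckHash.Run(hashvalue)
        if not intelresult:
            # An empty response is "no verdict", not "clean".
            print(colored.cyan("[?] No Bit9 verdict for hash, " + str(hashvalue)))
            continue
        # NOTE(review): any non-zero threat is a hit here, whereas the modload
        # intel module requires threat == 100. Confirm the intended scale and
        # align the two thresholds.
        if intelresult[0]['threat'] == 0:
            print(colored.cyan("[?] Hash not a threat, " + str(hashvalue)))
            continue
        print(colored.magenta("[+] Bit9 Threat Intel Hit! " + str(hashvalue)))
        threatlabel = intelresult[0]['fileName'] + "-Threat=" + str(intelresult[0]['threat'])
        # Only the last four path components form the node name, matching the
        # file-actions module so the threat attaches to the same node.
        fmod_name = '\\'.join(str(fields[2]).split('\\')[-4:])
        threat_node = GetNode.Run(graph, threatlabel, "threat", 5.0)
        fmod_node = GetNode.Run(graph, fmod_name, "file_mod", 1.0)
        ConnectNodes.Run(graph, fmod_node, threat_node)
    print(colored.green("[+] Completed.\n"))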