def do_transform(self, request, response, config):
base_url = config['OTX_transform.local.otx_url']
api_key = config['OTX_transform.local.api_key']
id_p = request.entity.ID
url = '%s/pulses/%s' % (base_url, id_p)
r = requests.get(url, headers={'X-OTX-API-KEY': api_key})
if r.status_code == 200:
res = r.json()
for ind in res['industries']:
p = Phrase(ind)
response += p
for t in res['tags']:
p = Phrase(t)
response += p
for coun in res['targeted_countries']:
p = Phrase(coun)
response += p
return response
def get_status_domains(vt_result):
if 'scans' in vt_result:
for av, res in vt_result['scans'].items():
ph = Phrase(value=av)
ph.link_label = res['result']
yield ph
def do_transform(self, request, response, config):
# Since we know what the input_type of this transform is, we can directly access static fields. Alternatively,
# dynamic field values can still be accessed by querying the entity.fields property.
person = request.entity
response += Phrase('Hello %s!' % person.value)
response += Phrase('This way Mr(s). %s!' % person.lastname)
response += Phrase('Hi %s!' % person.firstnames)
return response
def dotransform(request, response):
if request.fields['behavioral']!= "false":
behavior=ast.literal_eval(request.fields['behavior_data'])
if behavior.has_key("mutex"):
if behavior['mutex'].has_key('opened'):
for mutex in behavior['mutex']['opened']:
r=Phrase(mutex['mutex'])
r.linklabel="behav->mutex_opened"
response+=r
else:
debug("ripVT: No behavioral for %s" % request.value)
return response
def dotransform(request, response):
params = dict()
params['hash'] = str(request.value)
if request.fields.has_key("as_filename"):
params['file_name'] = str(request.fields['as_filename'])
else:
params['file_name'] = params['hash']
if request.fields.has_key("package"):
params['package'] = str(request.fields['package'])
if request.fields.has_key("timeout"):
params['timeout'] = int(request.fields['timeout'])
if request.fields.has_key("priority"):
params['priority'] = int(request.fields['priority'])
if request.fields.has_key("options"):
params['options'] = str(request.fields['options'])
if request.fields.has_key("machine"):
params['machine'] = str(request.fields['machine'])
if request.fields.has_key("platform"):
params['platform'] = str(request.fields['platform'])
if request.fields.has_key("tags"):
params['tags'] = str(request.fields['tags'])
if request.fields.has_key("custom"):
params['custom'] = str(request.fields['custom'])
if request.fields.has_key("memory"):
params['memory'] = str(request.fields['memory'])
if params['timeout']:
params['enforce_timeout'] = True
if request.fields.has_key("clock"):
params['clock'] = str(request.fields['clock'])
task_id = send_to_cuckoo(params['hash'], params)
r = Phrase(task_id)
r.linklabel = "cuckoo_analysis_id"
response += r
return response
def dotransform(request, response): data = getreport(request.value) try: try: addinfo = data['additional_info'] except: #no additional info pass try: pub = addinfo['sigcheck']['publisher'] response += Phrase(pub) except: #no dns data pass try: prod = addinfo['sigcheck']['product'] response += Phrase(prod) except: #no product data pass try: desc = addinfo['sigcheck']['description'] response += Phrase(desc) except: #no description data pass try: orig = addinfo['sigcheck']['original name'] response += Filename(orig) except: #no original name pass try: sign = addinfo['sigcheck']['signers'] response += Phrase(sign) except: #no signers pass try: intern = addinfo['sigcheck']['internal name'] response += Phrase(intern) except: #no internal name pass except: response += UIMessage(data['verbose_msg']) return response
def do_transform(self, request, response, config):
# create persistent HTTP connection
session = requests.Session()
# as defined in https://github.com/ethereum/wiki/wiki/JSON-RPC#net_version
method = 'trace_transaction'
ethaddress = request.entity
params = [ethaddress.properties_ethereumtransaction]
payload = {
"jsonrpc": "2.0",
"method": method,
"params": params,
"id": 1
}
headers = {'Content-type': 'application/json'}
tx = session.post('http://localhost:8545',
json=payload,
headers=headers).json()
if 'result' in tx and not tx['result'] == None:
for r in tx['result']:
if 'action' in r and 'callType' in r['action']:
call_type = ETHTransactionCall(r['action']['callType'])
block = Phrase(r['blockNumber'])
response += call_type
response += block
return response
def dotransform(request, response, config):
try:
results = search(request.value, size=10, pages=1)
except ThreatCentralError as err:
response += UIMessage(err.value, type='PartialError')
else:
try:
for result in results:
rtype = lower(result.get('type'))
if result.get('tcScore'):
weight = int(result.get('tcScore'))
else:
weight = 1
# Title ID Description
if rtype == 'actor':
# Check Title, if no title get resource > name
# Actor entity can have an empty title field
if result.get('title'):
e = Actor(encode_to_utf8(result.get('title')), weight=weight)
else:
e = Actor(encode_to_utf8(result.get('resource', dict()).get('name')), weight=weight)
e.name = encode_to_utf8(result.get('resource', dict()).get('name'))
e.actor = encode_to_utf8(result.get('resource', dict()).get('name'))
elif rtype == 'case':
e = Case(encode_to_utf8(result.get('title')), weight=weight)
elif rtype == 'coursesofactions':
e = CoursesOfAction(encode_to_utf8(result.get('title')), weight=weight)
elif rtype == 'indicator':
e = Indicator(encode_to_utf8(result.get('title')), weight=weight)
elif rtype == 'incident':
e = Incident(encode_to_utf8(result.get('title')), weight=weight)
# elif rtype == 'tacticstechniquesandprocedures':
elif rtype == 'ttp':
e = TTP(encode_to_utf8(result.get('title')), weight=weight)
else:
# To be safe
e = Phrase(encode_to_utf8(result.get('title')), weight=weight)
debug(rtype)
e.title = encode_to_utf8(result.get('title'))
e.resourceId = result.get('id')
if result.get('description'):
e += Label('Description', '<br/>'.join(encode_to_utf8(result.get('description',
'')).split('\n')))
response += e
except AttributeError as err:
response += UIMessage('Error: {}'.format(err), type='PartialError')
except ThreatCentralError as err:
response += UIMessage(err.value, type='PartialError')
except TypeError:
return response
return response
def do_transform(self, request, response, config):
base_url = config['OTX_transform.local.otx_url']
api_key = config['OTX_transform.local.api_key']
entity_type = gram[request.entity.type]
entity_value = request.entity.value
url = '%s/indicators/%s/%s/general' % (base_url, entity_type,
entity_value)
r = requests.get(url, headers={'X-OTX-API-KEY': api_key})
if r.status_code == 200:
try:
res = r.json()
except:
p = Phrase(url)
response += p
return response
for pulse in res['pulse_info']['pulses']:
p = Pulse()
p.URL = 'https://otx.alienvault.com/pulse/%s' % pulse['id']
p.ID = pulse['id']
p.value = pulse['name']
p.link_label = pulse['modified']
response += p
return response
pass
def do_transform(self, request, response, config):
technique_name = request.entity.value
for technique in attack.techniques:
if technique_name in technique.name:
for mitigation in technique.mitigations:
response += Phrase(mitigation.name)
return response
def dotransform(request, response):
page = build(request.value)
try:
comptime = page.find(text=re.compile('timedatestamp.....: '))[34:51]
except:
raise MaltegoException('Could not find Compile Time')
response += Phrase(comptime)
return response
def dotransform(request, response):
page = build(request.value)
try:
results = page.findAll('span', {"class": "field-key"})
for entry in results:
text = entry.text
if re.search('F-PROT', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('Command', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('PEiD packer identifier', text):
e = entry.next.next.strip()
response += Phrase(e)
except:
raise MaltegoException('Could not find Packers')
return response
def dotransform(request, response):
#Build the request
page = build(request.value)
try:
try:
# Searching for the string that indicates a single mutex was created
single = page.find(
text=
'To mark the presence in the system, the following Mutex object was created:'
).findNext('ul').li.text
except:
single = None
try:
# Searching for the string that indicates multiple mutexes were created
multiple = page.find(
text=
'To mark the presence in the system, the following Mutex objects were created:'
).findNext('ul')
except:
multiple = None
# If a single mutex was found
if single is not None:
response += Phrase(single)
# Account for the instance in which a dropped file may have had additional mutexes
if multiple is not None:
for mutex in multiple.findAll('li'):
current = mutex.text
response += Phrase(current)
# If multiple mutexes were found
elif multiple is not None:
for mutex in multiple.findAll('li'):
current = mutex.text
response += Phrase(current)
return response
else:
pass
except:
pass
return response
def dotransform(request, response, config):
if 'taskid' in request.fields:
task = request.fields['taskid']
else:
task = request.value
secs = static_results(report(task))['pe_sections']
for d in secs:
response += Phrase(d['name'].decode('ascii'))
return response
def addrecord(record, response):
if record.type == 2:
response += NSRecord(record.rdata.rstrip('.'))
elif record.type == 15:
e = MXRecord(record.rdata.rstrip('.'))
e += Field('mxrecord.priority', record.mxpriority)
response += e
elif record.type in [1, 5]:
response += DNSName(record.rrname.rstrip('.'))
elif record.type == 16:
response += Phrase(record.rdata)
return response
def dotransform(request, response, config):
if 'taskid' in request.fields:
task = request.fields['taskid']
else:
task = request.value
reg = behavior(report(task))['summary']['keys']
for d in reg:
response += Phrase(d.decode('ascii'))
return response
def dotransform(request, response, config):
if 'workspace' in request.fields:
workspace = request.fields['workspace']
else:
workspace = request.value
e = Phrase(request.fields["title"].decode('ascii'))
e += Field("workspace", workspace, displayname='Workspace')
e += Field("fullname", request.value, displayname='Fullname', matchingrule='loose')
response += e
return response
def dotransform(request, response, config):
fname = request.value
if 'taskid' in request.fields:
task = request.fields['taskid']
else:
task = request.value
dropped = dropped_files(report(task))
for d in dropped:
if d['name'] == fname:
response += Phrase(d['type'].decode('ascii'))
return response
def dotransform(request, response):
#Build the request
type = 'hash'
page = build(request.value, type)
try:
list = page.find(text='Mutex Created').previous.previous.parent.findAll('p')
except:
raise MaltegoException('No Mutexes Created')
for item in list:
if item.text != 'none':
response += Phrase(item.text)
return response
def do_transform(self, request, response, config):
# TODO: write your code here.
scan_request = request.entity
scan_id = "".join(random.choice("0123456789abcdef") for x in range(32))
scan_request.ports = scan_request.ports.split(
', ') if scan_request.ports is not None else None
start(scan_request.host, [], [], scan_request.ports,
scan_request.timeout_sec, scan_request.thread_no, 1, 1, 'abcd',
0, "en", scan_request.verbose, scan_request.socks_proxy,
scan_request.retries, [], scan_id, "Through Maltego")
results = find_log(scan_id, "en")
for result in results:
response += Phrase(text=result["DESCRIPTION"],
link_label='wappalyzer_scan')
return response
def dotransform(request, response):
page = build(request.value)
try:
results = page.findAll('span', {"class": "field-key"})
for entry in results:
text = entry.text
if re.search('TimeStamp', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('FileType', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('EntryPoint', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('FileVersionNumber', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('LanguageCode', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('CharacterSet', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('InternalName', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('FileDescription', text):
e = entry.next.next.strip()
response += Phrase(e)
elif re.search('OriginalFilename', text):
e = entry.next.next.strip()
response += Filename(e)
elif re.search('ProductVersionNumber', text):
e = entry.next.next.strip()
response += Phrase(e)
except:
raise MaltegoException('Could not Exif Information')
return response
def dotransform(request, response):
domain = request.value
results = query('-r', domain, 0, 'n')
for result in results:
data = json.loads(result)
if data.has_key('time_first'):
first = data['time_first']
last = data['time_last']
elif data.has_key('zone_time_first'):
first = data['zone_time_first']
last = data['zone_time_last']
fnice = datetime.datetime.fromtimestamp(
int(first)).strftime('%m-%d-%Y')
lnice = datetime.datetime.fromtimestamp(int(last)).strftime('%m-%d-%Y')
if data['rrtype'] == 'NS':
for item in data['rdata']:
e = NSRecord(item)
e.linklabel = fnice + ' - ' + lnice
response += e
elif data['rrtype'] == 'MX':
for item in data['rdata']:
e = MXRecord(item)
e.linklabel = fnice + ' - ' + lnice
response += e
elif data['rrtype'] == 'CNAME':
for item in data['rdata']:
e = Domain(item.rstrip('.'))
e.linklabel = fnice + ' - ' + lnice
response += e
elif data['rrtype'] == 'A':
pass
else:
type = data['rrtype']
for item in data['rdata']:
label = type + ' ' + item
e = Phrase(label)
e.linklabel = fnice + ' - ' + lnice
response += e
return response
def dotransform(request, response, config):
HIBP = "https://haveibeenpwned.com/api/breachedaccount/" # http://legacy.python.org/dev/peps/pep-0008/#constants
email = request.value
getrequrl = HIBP + email
progress(50)
try:
urllib2_response = urllib2.urlopen(
getrequrl
) # Renamed "response" due conflict within canari namespace
for rep in urllib2_response:
e = Phrase("Pwned at %s" % rep)
response += e
except:
print ""
progress(100)
return response
def dotransform(request, response):
#Build Request
page = build(request.value)
try:
comment = page.find('div', {'class': 'altborder'})
response += Phrase(comment.text)
prts = page.findAll('td', text="-NA-")
for entry in prts:
prt = entry.findNext('td')
prot = prt.findNext('td')
if prot.text != "":
msg = "Noted targeting port " + prt.text + ", using protocol " + prot.text
else:
msg = "Noted targeting port " + prt.text
response += Service(msg)
except:
return response
return response
def dotransform(request, response):
debug('VT API key %s\n' % config['virustotal/apikey'])
r = urlopen(
"https://www.virustotal.com/vtapi/v2/url/report",
urlencode({
"resource": request.value,
"apikey": config['virustotal/apikey']
}))
if r.code == 200:
d = loads(r.read())
debug('VT output: %s\n' % d)
if d['response_code'] == 1:
for engine in d['scans'].iteritems():
if engine[1]['detected']:
e = Phrase(engine[0])
e += Label("VirusTotal Report", d['permalink'])
response += e
return response
def dotransform(request, response):
debug('VT API key %s\n' % request.value)
r = urlopen(
"https://www.virustotal.com/vtapi/v2/file/report",
urlencode({
"resource": request.value,
"apikey": config['virustotal/apikey']
}))
if r.code == 200:
d = loads(r.read())
debug('VT output: %s\n' % d)
# If it's not a clean file, tell Maltego the names of the malware
if d['response_code'] == 1:
for engine in d['scans'].iteritems():
if engine[1]['detected']:
e = Phrase(engine[1]['result'])
e += Label("VirusTotal Report", d['permalink'])
response += e
response += UIMessage(d['verbose_msg'])
return response
def dotransform(request, response, config):
tr_details = [
'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
'Comment', 'RootNode', 'Confidence'
]
#Disable cache to get actual data from Threat Recon
cache, found = search(request.value, cache=False)
#Default linkcolor
linkcolor = "0x000000"
if found:
if defaultdict == type(found):
for rootnode, value in found.iteritems():
#If the RootNode is empty, display attributes
if len(rootnode) == 0:
for indicator in value:
#debug(indicator)
e = ''
indtype = indicator['Type'].lower().strip()
if "whois email" == indtype:
e = EmailAddress(indicator['Indicator'])
if "name server" == indtype:
e = NSRecord(indicator['Indicator'])
if "domain" == indtype:
e = Domain(indicator['Indicator'])
e.fqdn = indicator['Indicator']
if "ip" == indtype:
e = IPv4Address(indicator['Indicator'])
if "phone or fax no." == indtype:
e = PhoneNumber(indicator['Indicator'])
if "whois address component" == indtype:
e = Phrase(indicator['Indicator'])
if "email" == indtype:
e = EmailAddress(indicator['Indicator'])
if "netname" == indtype:
e = NetNameThreatRecon(indicator['Indicator'])
if "cidr" == indtype:
e = IPv4Address(indicator['Indicator'])
if "netrange" == indtype:
e = Netblock(indicator['Indicator'])
if e:
#Set linkcolor
e.linkcolor = linkcolor
#Set comments
if indicator['Comment']:
e.notes = string_filter(indicator['Comment'])
#Set Details
for detail in tr_details:
if detail in indicator:
if indicator[detail]:
e += Label(name=detail,
value=string_filter(
indicator[detail]))
response += e
else:
#Display the RootNodes
e = ThreatRecon(rootnode)
response += e
return response
def dotransform(request, response, config):
command = "--domain_to_score " + request.value
qradio_output = get_qradio_data(command, 3)
for entry in qradio_output:
response += Phrase(entry)
return response
def dotransform(request, response, config):
tr_details = [
'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
'Comment', 'RootNode', 'Confidence'
]
#Default link color is black
linkcolor = "0x000000"
cache, found = search(request.value)
if found:
if list == type(found):
for indicator in found:
debug(indicator)
e = ''
indtype = indicator['Type'].lower().strip()
if "whois email" == indtype:
e = EmailAddress(indicator['Indicator'])
#response += e
if "name server" == indtype:
e = NSRecord(indicator['Indicator'])
#response += e
if "domain" == indtype:
e = Domain(indicator['Indicator'])
e.fqdn = indicator['Indicator']
#response += e
#IF Type is not domain, check if Rrname is not empty
elif indicator['Rrname'] and indicator['Rrname'] != 'NA':
d = Domain(indicator['Rrname'])
d.fqdn = indicator['Rrname']
response += d
if "ip" == indtype:
e = IPv4Address(indicator['Indicator'])
#response += e
#IF Type is not IP, check if Rdata is not empty
elif indicator['Rdata']:
i = IPv4Address(indicator['Rdata'])
response += i
if "phone or fax no." == indtype:
e = PhoneNumber(indicator['Indicator'])
#response += e
if "whois address component" == indtype:
e = Phrase(indicator['Indicator'])
#response += e
if "email" == indtype:
e = EmailAddress(indicator['Indicator'])
#response += e
if "netname" == indtype:
e = NetNameThreatRecon(indicator['Indicator'])
#response += e
if "cidr" == indtype:
e = IPv4Address(indicator['Indicator'])
#response += e
if "netrange" == indtype:
e = Netblock(indicator['Indicator'])
#response += e
if indicator['Country']:
l = Location(indicator['Country'])
response += l
#Add Comments and details to own Entity
entity = e #request.entity
#Set comments
if indicator['Comment']:
entity.notes = string_filter(indicator['Comment'])
#Set Details
for detail in tr_details:
if detail in indicator:
if indicator[detail]:
entity += Label(name=detail,
value=string_filter(
indicator[detail]))
#Set link color
if "Confidence" in indicator:
if indicator['Confidence'] >= 70:
linkcolor = "0xff0000"
entity.linkcolor = linkcolor
response += entity
return response
def dotransform(request, response, config):
command = "--ipv4_to_blacklist " + request.value
qradio_output = get_qradio_data(command, 5)
for entry in qradio_output:
response += Phrase(entry)
return response