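  def create_observable(self, id_, uuid, category, type_, value, data, comment, ioc, share, event):
    """Map one MISP attribute onto the event being built.

    Free-text, link and analysis style attributes (the category/type sets
    below, plus 'other', 'attribution' and 'payload installation'/'vulnerability')
    do not become observables: they are turned into references on the event's
    single Report and None is returned. Every other attribute becomes an
    Observable holding one Object whose attributes are filled in by
    append_attributes().

    Args:
      id_: MISP attribute id.
      uuid: MISP attribute uuid, reused as identifier of the primary attribute.
      category, type_, value, data, comment, ioc: the MISP attribute fields.
      share: sharing flag handed to set_properties() for the created object.
      event: the event under construction; event.reports may be appended to.

    Returns:
      The Observable, or None when the attribute was stored as a report
      reference, when create_reference() produced nothing, or when no object
      definition exists for (category, type_).
    """
    report_categories = ('external analysis', 'internal reference', 'targeting data', 'antivirus detection')
    report_types = ('attachment', 'comment', 'link', 'text', 'url', 'malware-sample',
                    'filename|sha1', 'filename|md5', 'filename|sha256', 'vulnerability')
    is_report_reference = (
        (category in report_categories and type_ in report_types)
        or type_ == 'other'
        or category == 'other'
        or (category == 'attribution' and type_ == 'comment'))

    if is_report_reference:
      prefix = None
    elif category == 'payload installation' and type_ == 'vulnerability':
      # NOTE: the misspelling is kept on purpose; stored references may already
      # carry this exact prefix.
      prefix = u'Vulnerablility: {0}'
    elif category == 'attribution':
      prefix = u'Attribution: {0}'
    else:
      return self._make_object_observable(id_, uuid, category, type_, value, comment, ioc, share, event)

    reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
    if reference:
      if prefix:
        reference.value = prefix.format(reference.value)
      self._append_reference_to_report(reference, comment, event)
    return None

  def _append_reference_to_report(self, reference, comment, event):
    """Attach reference to the event's single Report, creating it on first use.

    A non-empty comment is appended to the report description, separated by
    ' - ' when a description already exists.
    """
    if not event.reports:
      report = Report()
      report.identifier = uuid4()
      # Reports are always created shareable, independent of the attribute's share flag.
      self.set_properties(report, True)
      self.set_extended_logging(report, event)
      event.reports.append(report)
    report = event.reports[0]
    if comment:
      if report.description:
        report.description = report.description + ' - ' + comment
      else:
        report.description = comment
    report.references.append(reference)

  def _make_object_observable(self, id_, uuid, category, type_, value, comment, ioc, share, event):
    """Build an Observable with one Object for a non-report MISP attribute.

    Returns None when get_object_definition() finds no definition for
    (category, type_, value); the partially built observable is discarded.
    """
    observable = self.make_observable(event, comment, share)
    obj = Object()
    obj.identifier = uuid4()
    self.set_properties(obj, share)
    self.set_extended_logging(obj, event)
    observable.object = obj
    obj.definition = self.get_object_definition(category, type_, value, event)
    if not obj.definition:
      return None
    obj.definition_id = obj.definition.identifier
    # create attribute(s) for object
    self.append_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
    # presumably normalises an empty description to NULL for storage — confirm
    if not observable.description:
      observable.description = None
    return observable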
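  def append_attributes(self, obj, observable, id_, category, type_, value, ioc, share, event, uuid):
    """Attach the attribute(s) derived from one MISP attribute to obj.

    Composite MISP types are expanded recursively into several attributes:
    regkey / regkey|value into hive, key, value name and value data;
    filename|<hash> into a filename and a hash; malware-sample into a
    filename, a hash and, when the sample can be fetched, a related
    'Artifact' object carrying the base64-encoded bytes. Any other type
    becomes a single attribute whose definition is looked up from
    (category, type_, value).

    Args:
      obj: the Object receiving the attributes (and related raw-artifact objects).
      observable: the enclosing Observable, passed through to the definition lookups.
      id_: MISP attribute id, used for the attachment download and in log messages.
      category, type_, value: the MISP attribute fields.
      ioc: 1 marks the attribute as an IOC (is_ioc=True), anything else does not.
      share: sharing flag handed to set_properties().
      event: the event being imported.
      uuid: identifier for the primary attribute; secondary attributes get fresh uuid4() ids.

    Raises:
      MispMappingException: for an unknown registry hive, an unmappable or
        malformed composed value, or a missing Artifact/raw_artifact definition.
    """
    # 'regkey|value' contains '|' and must be matched before the generic composed branch.
    if type_ in ('regkey', 'regkey|value'):
      self._append_regkey_attributes(obj, observable, id_, category, value, ioc, share, event, uuid)
    elif '|' in type_:
      self._append_composed_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
    elif category in ('artifacts dropped', 'payload delivery', 'payload installation') and type_ == 'malware-sample':
      self._append_malware_sample(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
    else:
      self._append_single_attribute(obj, observable, category, type_, value, ioc, share, event, uuid)

  def _split_regkey(self, value):
    """Parse a MISP regkey / regkey|value string into (hive, key, name, data).

    '/' is normalised to '\\' first. For 'regkey|value' the part before '|'
    is 'HIVE\\key [name]' and the part after it is the value data; a plain
    'regkey' has neither name nor data. A path without any backslash has no
    hive component and yields hive '' (the previous find() == -1 slice
    returned the value minus its last character as the hive).
    """
    value = value.replace('/', '\\')
    if '|' in value:
      splited = value.split('|')
      path = splited[0]
      data = splited[1]
    else:
      path = value
      data = None

    pos = path.find('\\')
    if pos < 0:
      hive, key_name = '', path
    else:
      hive, key_name = path[:pos], path[pos + 1:]

    key = key_name
    name = None
    if data is not None:
      # NOTE(review): a key path containing spaces is cut at the first space,
      # the remainder being taken as the value name — confirm this is intended.
      splitted = key_name.split(' ')
      if len(splitted) > 1:
        key = splitted[0]
        name = splitted[1]
    return hive, key, name, data

  def _normalise_hive(self, hive, event):
    """Map the many MISP spellings of a registry hive onto the canonical name.

    Returns None when the value is not a hive at all (does not start with
    'H', or is 'HKCU_Classes'), so that no hive attribute is created.

    Raises:
      MispMappingException: for an 'H...' prefix that is not a known hive.
    """
    if hive == 'HKLM' or 'HKEY_LOCAL_MACHINE' in hive:
      return 'HKEY_LOCAL_MACHINE'
    if hive in ('HKCU', 'HK_CURRENT_USER', 'HCKU') or 'HKEY_CURRENT_USER' in hive:
      return 'HKEY_CURRENT_USER'
    # NOTE(review): on Windows 'HKU' is HKEY_USERS, not HKEY_CURRENT_USER; the
    # mapping is kept as is — confirm the intended target before changing it.
    if hive in ('HKEY_CURRENTUSER', 'HKU'):
      return 'HKEY_CURRENT_USER'
    if hive in ('HKCR', 'HKEY_CLASSES_ROOT'):
      return 'HKEY_CLASSES_ROOT'
    if hive[0:1] == 'H' and hive != 'HKCU_Classes':
      message = '"{0}" not defined from {1}'.format(hive, self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)
    return None

  def _append_regkey_attributes(self, obj, observable, id_, category, value, ioc, share, event, uuid):
    """Expand a regkey / regkey|value into WindowsRegistryKey_* attributes.

    The key itself reuses uuid; hive, value name and value data get fresh
    uuid4() identifiers (UUID objects, unlike the str ids produced in the
    single-attribute path).
    """
    hive, key, name, data = self._split_regkey(value)
    hive = self._normalise_hive(hive, event)

    if hive:
      self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Hive', hive, ioc, share, event, uuid4())
    if name:
      self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Name', name, ioc, share, event, uuid4())
    if data:
      self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Data', data, ioc, share, event, uuid4())

    self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Key', key, ioc, share, event, uuid)

  def _append_composed_attributes(self, obj, observable, id_, category, type_, value, ioc, share, event, uuid):
    """Expand a filename|<hash> attribute into a filename and a hash attribute.

    Raises:
      MispMappingException: for any other composed type, or when value does
        not carry the '|' separator (previously an IndexError).
    """
    if type_ not in ('filename|md5', 'filename|sha1', 'filename|sha256'):
      message = 'Composed attribute {0} cannot be mapped for {1}'.format(type_, self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)

    splitted = type_.split('|')
    if len(splitted) != 2:
      message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)

    # The value comes from the remote MISP instance; a missing separator must
    # surface as a mapping error, not as an IndexError.
    splitted_values = value.split('|')
    if len(splitted_values) < 2:
      message = 'Composed attribute {0} value has no "|" separator for {1}'.format(type_, self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)

    first_type, second_type = splitted
    first_value = splitted_values[0]
    second_value = splitted_values[1]
    self.append_attributes(obj, observable, id_, category, first_type, first_value, ioc, share, event, uuid)
    self.append_attributes(obj, observable, id_, category, second_type, second_value, ioc, share, event, uuid4())

  def _append_malware_sample(self, obj, observable, id_, category, type_, value, ioc, share, event, uuid):
    """Expand a malware-sample ('filename|hash') into attributes plus a raw artifact.

    The filename keeps uuid, the hash (type from get_hash_type()) gets a fresh
    id. The sample is then fetched; when available it is stored base64-encoded
    as a 'raw_artifact' attribute of a related 'Artifact' object, otherwise a
    warning is logged and only the filename/hash attributes remain.

    Raises:
      MispMappingException: when value does not split into exactly two
        parts, or when the Artifact / raw_artifact definitions are missing.
    """
    splitted = value.split('|')
    if len(splitted) != 2:
      message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)

    filename = splitted[0]
    hash_value = splitted[1]
    hash_type = self.get_hash_type(hash_value)
    self.append_attributes(obj, observable, id_, category, 'File_Name', filename, ioc, share, event, uuid)
    self.append_attributes(obj, observable, id_, category, hash_type, hash_value, ioc, share, event, uuid4())

    # Download the attachment if it exists
    data = self.fetch_attachment(id_, uuid, event.identifier, filename)
    if not data:
      message = u'Failed to download file "{0}" id:{1}, add manually from {2}'.format(filename, id_, self.__get_event_msg(event))
      self.syslogger.warning(message)
      return

    message = u'Downloaded file "{0}" id:{1} from {2}'.format(filename, id_, self.__get_event_msg(event))
    self.syslogger.info(message)

    # build raw_artifact
    raw_artifact = Object()
    raw_artifact.identifier = uuid4()
    self.set_properties(raw_artifact, share)
    self.set_extended_logging(raw_artifact, event)
    raw_artifact.definition = self.get_object_definition('Artifact', None, None, event)
    if not raw_artifact.definition:
      message = 'Could not find object definition Artifact from {0}'.format(self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)
    raw_artifact.definition_id = raw_artifact.definition.identifier

    # add raw artifact
    attr = Attribute()
    attr.identifier = uuid4()
    attr.definition = self.get_attibute_definition('', 'raw_artifact', None, raw_artifact, observable, attr, event)
    if not attr.definition:
      message = 'Could not find attribute definition raw_artifact from {0}'.format(self.__get_event_msg(event))
      self.syslogger.error(message)
      raise MispMappingException(message)
    attr.definition_id = attr.definition.identifier
    # The whole sample body is kept in memory and stored base64-encoded;
    # NOTE(review): no size bound is applied here — confirm fetch_attachment() enforces one.
    attr.value = base64.b64encode(data)

    self.set_properties(attr, share)
    self.set_extended_logging(attr, event)
    raw_artifact.attributes.append(attr)
    rel_Object = RelatedObject()
    rel_Object.object = raw_artifact
    obj.related_objects.append(rel_Object)

  def _append_single_attribute(self, obj, observable, category, type_, value, ioc, share, event, uuid):
    """Create one attribute for a plain (non-composite) MISP attribute.

    An attribute whose definition cannot be resolved is silently dropped:
    it is neither appended to obj nor reported.
    """
    attribute = Attribute()
    # workaround for https://github.com/MISP/MISP/issues/452
    # (duplicate attribute uuids in MISP exports): fall back to a fresh id.
    if uuid in self.seen_attr_ids:
      uuid = '{0}'.format(uuid4())
    self.seen_attr_ids.append(uuid)
    attribute.identifier = uuid

    self.set_properties(attribute, share)
    self.set_extended_logging(attribute, event)
    attribute.definition = self.get_attibute_definition(category, type_, value, obj, observable, attribute, event)
    if attribute.definition:
      attribute.definition_id = attribute.definition.identifier
      attribute.value = value
      attribute.is_ioc = (ioc == 1)
      attribute.properties.is_shareable = True
      obj.attributes.append(attribute)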