def do_transform(self, request, response, config): base_url = config['OTX_transform.local.otx_url'] api_key = config['OTX_transform.local.api_key'] id_p = request.entity.ID url = '%s/pulses/%s' % (base_url, id_p) r = requests.get(url, headers={'X-OTX-API-KEY': api_key}) if r.status_code == 200: res = r.json() for ind in res['industries']: p = Phrase(ind) response += p for t in res['tags']: p = Phrase(t) response += p for coun in res['targeted_countries']: p = Phrase(coun) response += p return response
def get_status_domains(vt_result): if 'scans' in vt_result: for av, res in vt_result['scans'].items(): ph = Phrase(value=av) ph.link_label = res['result'] yield ph
def do_transform(self, request, response, config): # Since we know what the input_type of this transform is, we can directly access static fields. Alternatively, # dynamic field values can still be accessed by querying the entity.fields property. person = request.entity response += Phrase('Hello %s!' % person.value) response += Phrase('This way Mr(s). %s!' % person.lastname) response += Phrase('Hi %s!' % person.firstnames) return response
def dotransform(request, response): if request.fields['behavioral']!= "false": behavior=ast.literal_eval(request.fields['behavior_data']) if behavior.has_key("mutex"): if behavior['mutex'].has_key('opened'): for mutex in behavior['mutex']['opened']: r=Phrase(mutex['mutex']) r.linklabel="behav->mutex_opened" response+=r else: debug("ripVT: No behavioral for %s" % request.value) return response
def dotransform(request, response): params = dict() params['hash'] = str(request.value) if request.fields.has_key("as_filename"): params['file_name'] = str(request.fields['as_filename']) else: params['file_name'] = params['hash'] if request.fields.has_key("package"): params['package'] = str(request.fields['package']) if request.fields.has_key("timeout"): params['timeout'] = int(request.fields['timeout']) if request.fields.has_key("priority"): params['priority'] = int(request.fields['priority']) if request.fields.has_key("options"): params['options'] = str(request.fields['options']) if request.fields.has_key("machine"): params['machine'] = str(request.fields['machine']) if request.fields.has_key("platform"): params['platform'] = str(request.fields['platform']) if request.fields.has_key("tags"): params['tags'] = str(request.fields['tags']) if request.fields.has_key("custom"): params['custom'] = str(request.fields['custom']) if request.fields.has_key("memory"): params['memory'] = str(request.fields['memory']) if params['timeout']: params['enforce_timeout'] = True if request.fields.has_key("clock"): params['clock'] = str(request.fields['clock']) task_id = send_to_cuckoo(params['hash'], params) r = Phrase(task_id) r.linklabel = "cuckoo_analysis_id" response += r return response
def dotransform(request, response): data = getreport(request.value) try: try: addinfo = data['additional_info'] except: #no additional info pass try: pub = addinfo['sigcheck']['publisher'] response += Phrase(pub) except: #no dns data pass try: prod = addinfo['sigcheck']['product'] response += Phrase(prod) except: #no product data pass try: desc = addinfo['sigcheck']['description'] response += Phrase(desc) except: #no description data pass try: orig = addinfo['sigcheck']['original name'] response += Filename(orig) except: #no original name pass try: sign = addinfo['sigcheck']['signers'] response += Phrase(sign) except: #no signers pass try: intern = addinfo['sigcheck']['internal name'] response += Phrase(intern) except: #no internal name pass except: response += UIMessage(data['verbose_msg']) return response
def do_transform(self, request, response, config): # create persistent HTTP connection session = requests.Session() # as defined in https://github.com/ethereum/wiki/wiki/JSON-RPC#net_version method = 'trace_transaction' ethaddress = request.entity params = [ethaddress.properties_ethereumtransaction] payload = { "jsonrpc": "2.0", "method": method, "params": params, "id": 1 } headers = {'Content-type': 'application/json'} tx = session.post('http://localhost:8545', json=payload, headers=headers).json() if 'result' in tx and not tx['result'] == None: for r in tx['result']: if 'action' in r and 'callType' in r['action']: call_type = ETHTransactionCall(r['action']['callType']) block = Phrase(r['blockNumber']) response += call_type response += block return response
def dotransform(request, response, config): try: results = search(request.value, size=10, pages=1) except ThreatCentralError as err: response += UIMessage(err.value, type='PartialError') else: try: for result in results: rtype = lower(result.get('type')) if result.get('tcScore'): weight = int(result.get('tcScore')) else: weight = 1 # Title ID Description if rtype == 'actor': # Check Title, if no title get resource > name # Actor entity can have an empty title field if result.get('title'): e = Actor(encode_to_utf8(result.get('title')), weight=weight) else: e = Actor(encode_to_utf8(result.get('resource', dict()).get('name')), weight=weight) e.name = encode_to_utf8(result.get('resource', dict()).get('name')) e.actor = encode_to_utf8(result.get('resource', dict()).get('name')) elif rtype == 'case': e = Case(encode_to_utf8(result.get('title')), weight=weight) elif rtype == 'coursesofactions': e = CoursesOfAction(encode_to_utf8(result.get('title')), weight=weight) elif rtype == 'indicator': e = Indicator(encode_to_utf8(result.get('title')), weight=weight) elif rtype == 'incident': e = Incident(encode_to_utf8(result.get('title')), weight=weight) # elif rtype == 'tacticstechniquesandprocedures': elif rtype == 'ttp': e = TTP(encode_to_utf8(result.get('title')), weight=weight) else: # To be safe e = Phrase(encode_to_utf8(result.get('title')), weight=weight) debug(rtype) e.title = encode_to_utf8(result.get('title')) e.resourceId = result.get('id') if result.get('description'): e += Label('Description', '<br/>'.join(encode_to_utf8(result.get('description', '')).split('\n'))) response += e except AttributeError as err: response += UIMessage('Error: {}'.format(err), type='PartialError') except ThreatCentralError as err: response += UIMessage(err.value, type='PartialError') except TypeError: return response return response
def do_transform(self, request, response, config): base_url = config['OTX_transform.local.otx_url'] api_key = config['OTX_transform.local.api_key'] entity_type = gram[request.entity.type] entity_value = request.entity.value url = '%s/indicators/%s/%s/general' % (base_url, entity_type, entity_value) r = requests.get(url, headers={'X-OTX-API-KEY': api_key}) if r.status_code == 200: try: res = r.json() except: p = Phrase(url) response += p return response for pulse in res['pulse_info']['pulses']: p = Pulse() p.URL = 'https://otx.alienvault.com/pulse/%s' % pulse['id'] p.ID = pulse['id'] p.value = pulse['name'] p.link_label = pulse['modified'] response += p return response pass
def do_transform(self, request, response, config): technique_name = request.entity.value for technique in attack.techniques: if technique_name in technique.name: for mitigation in technique.mitigations: response += Phrase(mitigation.name) return response
def dotransform(request, response): page = build(request.value) try: comptime = page.find(text=re.compile('timedatestamp.....: '))[34:51] except: raise MaltegoException('Could not find Compile Time') response += Phrase(comptime) return response
def dotransform(request, response): page = build(request.value) try: results = page.findAll('span', {"class": "field-key"}) for entry in results: text = entry.text if re.search('F-PROT', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('Command', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('PEiD packer identifier', text): e = entry.next.next.strip() response += Phrase(e) except: raise MaltegoException('Could not find Packers') return response
def dotransform(request, response): #Build the request page = build(request.value) try: try: # Searching for the string that indicates a single mutex was created single = page.find( text= 'To mark the presence in the system, the following Mutex object was created:' ).findNext('ul').li.text except: single = None try: # Searching for the string that indicates multiple mutexes were created multiple = page.find( text= 'To mark the presence in the system, the following Mutex objects were created:' ).findNext('ul') except: multiple = None # If a single mutex was found if single is not None: response += Phrase(single) # Account for the instance in which a dropped file may have had additional mutexes if multiple is not None: for mutex in multiple.findAll('li'): current = mutex.text response += Phrase(current) # If multiple mutexes were found elif multiple is not None: for mutex in multiple.findAll('li'): current = mutex.text response += Phrase(current) return response else: pass except: pass return response
def dotransform(request, response, config): if 'taskid' in request.fields: task = request.fields['taskid'] else: task = request.value secs = static_results(report(task))['pe_sections'] for d in secs: response += Phrase(d['name'].decode('ascii')) return response
def addrecord(record, response): if record.type == 2: response += NSRecord(record.rdata.rstrip('.')) elif record.type == 15: e = MXRecord(record.rdata.rstrip('.')) e += Field('mxrecord.priority', record.mxpriority) response += e elif record.type in [1, 5]: response += DNSName(record.rrname.rstrip('.')) elif record.type == 16: response += Phrase(record.rdata) return response
def dotransform(request, response, config): if 'taskid' in request.fields: task = request.fields['taskid'] else: task = request.value reg = behavior(report(task))['summary']['keys'] for d in reg: response += Phrase(d.decode('ascii')) return response
def dotransform(request, response, config): if 'workspace' in request.fields: workspace = request.fields['workspace'] else: workspace = request.value e = Phrase(request.fields["title"].decode('ascii')) e += Field("workspace", workspace, displayname='Workspace') e += Field("fullname", request.value, displayname='Fullname', matchingrule='loose') response += e return response
def dotransform(request, response, config): fname = request.value if 'taskid' in request.fields: task = request.fields['taskid'] else: task = request.value dropped = dropped_files(report(task)) for d in dropped: if d['name'] == fname: response += Phrase(d['type'].decode('ascii')) return response
def dotransform(request, response): #Build the request type = 'hash' page = build(request.value, type) try: list = page.find(text='Mutex Created').previous.previous.parent.findAll('p') except: raise MaltegoException('No Mutexes Created') for item in list: if item.text != 'none': response += Phrase(item.text) return response
def do_transform(self, request, response, config): # TODO: write your code here. scan_request = request.entity scan_id = "".join(random.choice("0123456789abcdef") for x in range(32)) scan_request.ports = scan_request.ports.split( ', ') if scan_request.ports is not None else None start(scan_request.host, [], [], scan_request.ports, scan_request.timeout_sec, scan_request.thread_no, 1, 1, 'abcd', 0, "en", scan_request.verbose, scan_request.socks_proxy, scan_request.retries, [], scan_id, "Through Maltego") results = find_log(scan_id, "en") for result in results: response += Phrase(text=result["DESCRIPTION"], link_label='wappalyzer_scan') return response
def dotransform(request, response): page = build(request.value) try: results = page.findAll('span', {"class": "field-key"}) for entry in results: text = entry.text if re.search('TimeStamp', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('FileType', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('EntryPoint', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('FileVersionNumber', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('LanguageCode', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('CharacterSet', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('InternalName', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('FileDescription', text): e = entry.next.next.strip() response += Phrase(e) elif re.search('OriginalFilename', text): e = entry.next.next.strip() response += Filename(e) elif re.search('ProductVersionNumber', text): e = entry.next.next.strip() response += Phrase(e) except: raise MaltegoException('Could not Exif Information') return response
def dotransform(request, response): domain = request.value results = query('-r', domain, 0, 'n') for result in results: data = json.loads(result) if data.has_key('time_first'): first = data['time_first'] last = data['time_last'] elif data.has_key('zone_time_first'): first = data['zone_time_first'] last = data['zone_time_last'] fnice = datetime.datetime.fromtimestamp( int(first)).strftime('%m-%d-%Y') lnice = datetime.datetime.fromtimestamp(int(last)).strftime('%m-%d-%Y') if data['rrtype'] == 'NS': for item in data['rdata']: e = NSRecord(item) e.linklabel = fnice + ' - ' + lnice response += e elif data['rrtype'] == 'MX': for item in data['rdata']: e = MXRecord(item) e.linklabel = fnice + ' - ' + lnice response += e elif data['rrtype'] == 'CNAME': for item in data['rdata']: e = Domain(item.rstrip('.')) e.linklabel = fnice + ' - ' + lnice response += e elif data['rrtype'] == 'A': pass else: type = data['rrtype'] for item in data['rdata']: label = type + ' ' + item e = Phrase(label) e.linklabel = fnice + ' - ' + lnice response += e return response
def dotransform(request, response, config): HIBP = "https://haveibeenpwned.com/api/breachedaccount/" # http://legacy.python.org/dev/peps/pep-0008/#constants email = request.value getrequrl = HIBP + email progress(50) try: urllib2_response = urllib2.urlopen( getrequrl ) # Renamed "response" due conflict within canari namespace for rep in urllib2_response: e = Phrase("Pwned at %s" % rep) response += e except: print "" progress(100) return response
def dotransform(request, response): #Build Request page = build(request.value) try: comment = page.find('div', {'class': 'altborder'}) response += Phrase(comment.text) prts = page.findAll('td', text="-NA-") for entry in prts: prt = entry.findNext('td') prot = prt.findNext('td') if prot.text != "": msg = "Noted targeting port " + prt.text + ", using protocol " + prot.text else: msg = "Noted targeting port " + prt.text response += Service(msg) except: return response return response
def dotransform(request, response): debug('VT API key %s\n' % config['virustotal/apikey']) r = urlopen( "https://www.virustotal.com/vtapi/v2/url/report", urlencode({ "resource": request.value, "apikey": config['virustotal/apikey'] })) if r.code == 200: d = loads(r.read()) debug('VT output: %s\n' % d) if d['response_code'] == 1: for engine in d['scans'].iteritems(): if engine[1]['detected']: e = Phrase(engine[0]) e += Label("VirusTotal Report", d['permalink']) response += e return response
def dotransform(request, response): debug('VT API key %s\n' % request.value) r = urlopen( "https://www.virustotal.com/vtapi/v2/file/report", urlencode({ "resource": request.value, "apikey": config['virustotal/apikey'] })) if r.code == 200: d = loads(r.read()) debug('VT output: %s\n' % d) # If it's not a clean file, tell Maltego the names of the malware if d['response_code'] == 1: for engine in d['scans'].iteritems(): if engine[1]['detected']: e = Phrase(engine[1]['result']) e += Label("VirusTotal Report", d['permalink']) response += e response += UIMessage(d['verbose_msg']) return response
def dotransform(request, response, config): tr_details = [ 'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen', 'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags', 'Comment', 'RootNode', 'Confidence' ] #Disable cache to get actual data from Threat Recon cache, found = search(request.value, cache=False) #Default linkcolor linkcolor = "0x000000" if found: if defaultdict == type(found): for rootnode, value in found.iteritems(): #If the RootNode is empty, display attributes if len(rootnode) == 0: for indicator in value: #debug(indicator) e = '' indtype = indicator['Type'].lower().strip() if "whois email" == indtype: e = EmailAddress(indicator['Indicator']) if "name server" == indtype: e = NSRecord(indicator['Indicator']) if "domain" == indtype: e = Domain(indicator['Indicator']) e.fqdn = indicator['Indicator'] if "ip" == indtype: e = IPv4Address(indicator['Indicator']) if "phone or fax no." == indtype: e = PhoneNumber(indicator['Indicator']) if "whois address component" == indtype: e = Phrase(indicator['Indicator']) if "email" == indtype: e = EmailAddress(indicator['Indicator']) if "netname" == indtype: e = NetNameThreatRecon(indicator['Indicator']) if "cidr" == indtype: e = IPv4Address(indicator['Indicator']) if "netrange" == indtype: e = Netblock(indicator['Indicator']) if e: #Set linkcolor e.linkcolor = linkcolor #Set comments if indicator['Comment']: e.notes = string_filter(indicator['Comment']) #Set Details for detail in tr_details: if detail in indicator: if indicator[detail]: e += Label(name=detail, value=string_filter( indicator[detail])) response += e else: #Display the RootNodes e = ThreatRecon(rootnode) response += e return response
def dotransform(request, response, config): command = "--domain_to_score " + request.value qradio_output = get_qradio_data(command, 3) for entry in qradio_output: response += Phrase(entry) return response
def dotransform(request, response, config): tr_details = [ 'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen', 'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags', 'Comment', 'RootNode', 'Confidence' ] #Default link color is black linkcolor = "0x000000" cache, found = search(request.value) if found: if list == type(found): for indicator in found: debug(indicator) e = '' indtype = indicator['Type'].lower().strip() if "whois email" == indtype: e = EmailAddress(indicator['Indicator']) #response += e if "name server" == indtype: e = NSRecord(indicator['Indicator']) #response += e if "domain" == indtype: e = Domain(indicator['Indicator']) e.fqdn = indicator['Indicator'] #response += e #IF Type is not domain, check if Rrname is not empty elif indicator['Rrname'] and indicator['Rrname'] != 'NA': d = Domain(indicator['Rrname']) d.fqdn = indicator['Rrname'] response += d if "ip" == indtype: e = IPv4Address(indicator['Indicator']) #response += e #IF Type is not IP, check if Rdata is not empty elif indicator['Rdata']: i = IPv4Address(indicator['Rdata']) response += i if "phone or fax no." == indtype: e = PhoneNumber(indicator['Indicator']) #response += e if "whois address component" == indtype: e = Phrase(indicator['Indicator']) #response += e if "email" == indtype: e = EmailAddress(indicator['Indicator']) #response += e if "netname" == indtype: e = NetNameThreatRecon(indicator['Indicator']) #response += e if "cidr" == indtype: e = IPv4Address(indicator['Indicator']) #response += e if "netrange" == indtype: e = Netblock(indicator['Indicator']) #response += e if indicator['Country']: l = Location(indicator['Country']) response += l #Add Comments and details to own Entity entity = e #request.entity #Set comments if indicator['Comment']: entity.notes = string_filter(indicator['Comment']) #Set Details for detail in tr_details: if detail in indicator: if indicator[detail]: entity += Label(name=detail, value=string_filter( indicator[detail])) #Set link color if "Confidence" in indicator: if indicator['Confidence'] >= 70: linkcolor = "0xff0000" entity.linkcolor = linkcolor response += entity return response
def dotransform(request, response, config): command = "--ipv4_to_blacklist " + request.value qradio_output = get_qradio_data(command, 5) for entry in qradio_output: response += Phrase(entry) return response