コード例 #1
0
ファイル: _SpyGate.py プロジェクト: Antelox/RATDecoders
def generateIOC(md5, confDict):
	# Create the list for File Artefacts
	fileIOC = []
	fileIOC.append(('is','FileItem','FileItem/FileName','string',confDict["InstallName"]))
	fileIOC.append(('contains','FileItem','FileItem/FilePath','string',confDict["InstallPath"]))
	fileIOC.append(('is','FileItem','FileItem/Md5sum','md5',md5))
	fileIOC.append(('is','ProcessItem','ProcessItem/HandleList/Handle/Name','string',confDict["Mutex"]))
	# Create the list for Registry Artefacts
	regIOC = []
	regIOC.append(('contains','RegistryItem','RegistryItem/Path','string','HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'))
	regIOC.append(('is','RegistryItem','RegistryItem/Value','string',confDict["ActiveXKey"]))
	regIOC.append(('contains','RegistryItem','RegistryItem/Path','string','HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'))
	regIOC.append(('is','RegistryItem','RegistryItem/Value','string',confDict["HKLMValue"]))
	# add each list to our master list
	items = []
	items.append(fileIOC)
	items.append(regIOC)
	domList = []
	domains = confDict["Domains"].split("|")
	for x in domains:
		domain = x.split(":")[0]
		domList.append(domain)
	database.insertDomain(md5, domList)
	for domain in domList:
		if domain != '':
			items.append([("contains", "Network", "Network/DNS", "string", domain)])
	IOC = createIOC.main(items, 'PoisonIvy', md5)
	database.insertIOC(md5, IOC)
コード例 #2
0
ファイル: _ShadowTech.py プロジェクト: Antelox/RATDecoders
def generateIOC(md5, config_dict):
    netIOC = []
    netIOC.append(("is", "PortItem", "PortItem/remotePort", "string", config_dict["Port"]))
    netIOC.append(("contains", "Network", "Network/DNS", "string", config_dict["Domain"]))
    # add each list to our master list
    items = []
    items.append(netIOC)
    IOC = createIOC.main(items, 'ShadowTech', md5)
    database.insertIOC(md5, IOC)
コード例 #3
0
def generateIOC(md5, config_dict):
    netIOC = []
    netIOC.append(("is", "PortItem", "PortItem/remotePort", "string", config_dict["Port"]))
    netIOC.append(("contains", "Network", "Network/DNS", "string", config_dict["Domain"]))
    # add each list to our master list
    items = []
    items.append(netIOC)
    IOC = createIOC.main(items, "ShadowTech", md5)
    database.insertIOC(md5, IOC)
コード例 #4
0
ファイル: _ShadowTech.py プロジェクト: kevoreilly/CAPEv2
def generateIOC(md5, config_dict):
    items = [
        [
            ("is", "PortItem", "PortItem/remotePort", "string", config_dict["Port"]),
            ("contains", "Network", "Network/DNS", "string", config_dict["Domain"]),
        ]
    ]
    IOC = createIOC.main(items, "ShadowTech", md5)
    database.insertIOC(md5, IOC)
コード例 #5
0
def generateIOC(md5, confDict):
    # Create the list for File Artefacts
    fileIOC = []
    fileIOC.append(('is', 'FileItem', 'FileItem/FileName', 'string',
                    confDict["InstallName"]))
    fileIOC.append(('contains', 'FileItem', 'FileItem/FilePath', 'string',
                    confDict["InstallPath"]))
    fileIOC.append(('is', 'FileItem', 'FileItem/Md5sum', 'md5', md5))
    fileIOC.append(('is', 'ProcessItem', 'ProcessItem/HandleList/Handle/Name',
                    'string', confDict["Mutex"]))
    # Create the list for Registry Artefacts
    regIOC = []
    regIOC.append((
        'contains', 'RegistryItem', 'RegistryItem/Path', 'string',
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
    ))
    regIOC.append(('is', 'RegistryItem', 'RegistryItem/Value', 'string',
                   confDict["ActiveXKey"]))
    regIOC.append(
        ('contains', 'RegistryItem', 'RegistryItem/Path', 'string',
         'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'))
    regIOC.append(('is', 'RegistryItem', 'RegistryItem/Value', 'string',
                   confDict["HKLMValue"]))
    # add each list to our master list
    items = []
    items.append(fileIOC)
    items.append(regIOC)
    domList = []
    domains = confDict["Domains"].split("|")
    for x in domains:
        domain = x.split(":")[0]
        domList.append(domain)
    database.insertDomain(md5, domList)
    for domain in domList:
        if domain != '':
            items.append([("contains", "Network", "Network/DNS", "string",
                           domain)])
    IOC = createIOC.main(items, 'PoisonIvy', md5)
    database.insertIOC(md5, IOC)