def tag(self, new_tags, strict=False):
    """Attach one or more tags to this observable and refresh their metadata.

    Args:
        self: the observable being tagged (must expose ``tags``, ``modify``
            and ``reload`` -- a MongoEngine document).
        new_tags: a single tag name (``str``/``unicode`` -- this is Python 2
            code) or an iterable of tag names.
        strict: when True, every tag currently on the observable that is
            not listed in ``new_tags`` is removed first.

    Returns:
        The reloaded observable (``self.reload()``).

    Notes:
        * Blank / whitespace-only names are skipped.
        * A name is first wrapped in a ``Tag`` and passed through
          ``clean()`` -- presumably the normalisation step (case, spacing);
          if these names can originate from user input, this is the only
          sanitisation before the value is used in queries -- confirm that
          ``Tag.clean`` does what callers expect.
        * If an existing ``Tag`` declares ``replaces == name``, that tag is
          used instead of the requested name (alias resolution).
        * ``tag.modify(inc__count=1)`` runs on every call, including when
          the tag was already present on this observable.
    """
    if isinstance(new_tags, (str, unicode)):
        new_tags = [new_tags]
    if strict:
        # Drop tags that are on the observable but not in the requested set.
        remove = set([t.name for t in self.tags]) - set(new_tags)
        for tag in remove:
            self.modify(pull__tags__name=tag)
    for new_tag in new_tags:
        if new_tag.strip() != "":
            new_tag = Tag(name=new_tag)
            new_tag.clean()
            try:
                # check if tag is a replacement
                # NOTE(review): only DoesNotExist is handled here; any other
                # lookup failure propagates to the caller.
                tag = Tag.objects.get(replaces=new_tag.name)
            except DoesNotExist:
                tag = Tag.get_or_create(name=new_tag.name)
            # search for related entities and link them
            for e in Entity.objects(tags__in=[tag.name]):
                Link.connect(self, e).add_history("Tagged")
            # Positional-operator update: if an embedded tag with this name
            # already exists, mark it fresh and bump last_seen.  When the
            # query matches nothing (falsy return), push a new embedded tag.
            if not self.modify(
                {"tags__name": tag.name},
                set__tags__S__fresh=True,
                set__tags__S__last_seen=datetime.now()
            ):
                self.modify(push__tags=ObservableTag(name=tag.name))
            tag.modify(inc__count=1)
    return self.reload()
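def each(url):
    """Derive the host of a URL observable and link the two.

    Args:
        url: Url observable; ``url.value`` is the raw URL string.

    Side effects:
        Creates (or fetches) the host observable, records the ``"analytics"``
        source on it and connects ``url -> host``.  Validation failures are
        logged, not raised.
    """
    # Initialise so the error path can always name something: if
    # analyze_string itself rejects the URL, ``host`` was never assigned and
    # the original ``.format(host)`` raised UnboundLocalError instead of logging.
    host = None
    try:
        # NOTE(review): assumes analyze_string returns a non-empty sequence
        # whose first element is the host -- an empty result would raise
        # IndexError, which is not caught here.
        host = ProcessUrl.analyze_string(url.value)[0]
        host_obs = Observable.guess_type(host).get_or_create(value=host)
        host_obs.add_source("analytics")
        Link.connect(src=url, dst=host_obs)
    except ObservableValidationError:
        logging.error(
            "An error occurred when trying to add {} to the database".format(
                host if host is not None else url.value
            )
        )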
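def each(f):
    """Extract hashes from a File observable's stored content and link them.

    Args:
        f: File observable; ``f.body.length`` is the length of the stored
            content (absent when the file has no content).

    Side effects:
        For each hash object yielded by ``HashFile.extract_hashes(f)``, a
        ``Hash`` observable is created/fetched from its hexdigest, saved,
        tagged with the ``"analytics"`` source and linked ``f -> hash``.
    """
    try:
        length = f.body.length
    except AttributeError:
        # File item has no content stored -- nothing to hash.
        length = 0
    if length <= 0:
        return
    # Distinct names: ``digest`` is the hashlib-style object, ``hash_obs`` the
    # persisted observable (the original reused ``h`` for both).
    for digest in HashFile.extract_hashes(f):
        hash_obs = Hash.get_or_create(value=digest.hexdigest()).save()
        hash_obs.add_source("analytics")
        Link.connect(f, hash_obs)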
def link_from_contact_info(hostname, contact, field, klass, tag, description=None):
    """Link a hostname to an observable built from one WHOIS contact field.

    Args:
        hostname: Hostname observable that is the link source.
        contact: mapping of contact data (may be None).
        field: key to read from ``contact``.
        klass: observable class exposing ``get_or_create(value=...)``.
        tag: history tag recorded on the link.
        description: optional history description.

    Returns:
        The created Link, or None when ``contact`` is None or lacks ``field``.
        The field value comes from external registry data and is stored
        verbatim as the observable value.
    """
    if contact is None or field not in contact:
        return None
    node = klass.get_or_create(value=contact[field])
    link = Link.connect(hostname, node)
    link.add_history(tag=tag, description=description)
    return link
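def analyze(ip):
    """Resolve RDAP registration data for an IP and link registrant entities.

    Args:
        ip: IP observable; ``ip.value`` is the address string handed to IPWhois.

    Returns:
        list of Link objects created: ``ip -> company`` (history 'hosting')
        for every non-individual contact, plus ``company -> email`` for each
        e-mail address listed on that contact.

    Notes:
        RDAP responses come from an external registry and are not guaranteed
        to carry every field.  The original indexed ``entity['contact']``,
        ``['kind']``, ``['name']`` and ``['email']`` directly, so a sparse
        record (``contact`` None, missing ``email``) aborted the whole
        analysis with KeyError/TypeError; missing fields are now skipped.
    """
    links = []
    results = IPWhois(ip.value).lookup_rdap()
    objects = results.get('objects') or {}
    for entity in objects.values():
        contact = entity.get('contact') or {}
        # Individuals are not modelled as companies.
        if contact.get('kind') == 'individual':
            continue
        name = contact.get('name')
        if not name:
            # Nothing usable to key a Company on.
            continue
        # Create the company
        company = Company.get_or_create(name=name, rdap=entity)
        link = Link.connect(ip, company)
        link.add_history('hosting')
        links.append(link)
        # Link it to every email address referenced
        for email_info in contact.get('email') or []:
            address = (email_info or {}).get('value')
            if not address:
                continue
            email = Email.get_or_create(value=address)
            link = Link.connect(company, email)
            links.append(link)
    return links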
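def each(cls, hostname, rtype=None, results=None):
    """Store DNS resolution results for a hostname as linked observables.

    Args:
        cls: the analytics class; ``cls.__name__`` is recorded via
            ``analysis_done``.
        hostname: Hostname observable that was resolved.
        rtype: DNS record type used in the log line and link history.
        results: iterable of resolved rdata strings; None means no results.

    Returns:
        list of observables created (or matched) from ``results``.

    Notes:
        The original signature used ``results=[]``; a mutable default is
        shared across calls, so it is replaced by None here.  Each rdata
        value is taken verbatim from the DNS answer: values that cannot be
        modelled as an observable are logged and skipped rather than
        aborting the batch.
    """
    if results is None:
        results = []
    generated = []
    h = Hostname.get_or_create(value=hostname.value)
    for rdata in results:
        logging.info("{} resolved to {} ({} record)".format(h.value, rdata, rtype))
        try:
            observable = Observable.add_text(rdata)
            observable.add_source("analytics")
            generated.append(observable)
            link = Link.connect(h, observable)
            link.add_history(tag=rtype, description='{} record'.format(rtype))
        except ObservableValidationError:
            logging.error("{} is not a valid datatype".format(rdata))
    h.analysis_done(cls.__name__)
    return generated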
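def each(cls, hostname, rtype=None, results=None):
    """Classify a hostname as registered domain or subdomain and link it.

    Args:
        cls: the analytics class (unused in the body).
        hostname: Hostname observable to classify.
        rtype: unused; kept for signature compatibility with sibling
            analytics.
        results: unused; the original default ``[]`` was a shared mutable
            default and is replaced by None.

    Returns:
        The parent-domain Hostname observable when ``hostname`` is a
        subdomain, otherwise None.

    Side effects:
        Tags the hostname 'suspicious_tld' when its suffix is listed in
        SUSPICIOUS_TLDS; sets ``domain`` True/False on the hostname; for a
        subdomain, creates the registered-domain observable, links
        ``hostname -> domain`` (history 'domain') and propagates a 'dyndns'
        tag from the domain to the hostname.
    """
    parts = extract(hostname.value)
    if parts.suffix in SUSPICIOUS_TLDS:
        hostname.tag('suspicious_tld')
    if parts.subdomain == '':
        # Bare registered domain: nothing to link to.
        hostname.update(domain=True)
        return None
    hostname.update(domain=False)
    domain = Hostname.get_or_create(value=parts.registered_domain, domain=True)
    domain.add_source("analytics")
    link = Link.connect(hostname, domain)
    link.add_history(tag='domain')
    # A host under a dynamic-DNS provider inherits that classification.
    if domain.has_tag('dyndns'):
        hostname.tag('dyndns')
    return domain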
def action(self, verb, target, description=None):
    """Link this object to ``target`` and record ``verb`` in the link history.

    Args:
        verb: history tag describing the relation (e.g. "leverages").
        target: the destination node of the link.
        description: optional free-text history description.
    """
    link = Link.connect(self, target)
    link.add_history(verb, description)
# Test-run fixture: creates a TTP, links it to previously defined entities
# (macrodoc, bartalex_callback, bartalex_callback2, bartalex, dridex -- all
# defined earlier in this script) and seeds sample observables.
# The URLs and IP below are linked to malware entities in this run; treat
# them as hostile indicators (do not fetch or resolve them outside a lab).
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "delivery"
# TODO: "retreived" -> "retrieved" (description text, left unchanged here).
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action("leverages", payload_download)
bartalex_callback.action("indicates", payload_download)
bartalex_callback2.action("indicates", payload_download)

# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
# o6 is wired to the callback, the bartalex entity and dridex with
# relation histories; the other observables are only created.
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history("Queries")
Link.connect(o6, dridex).add_history("Drops")
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag('zeus')
# t2 has a mixed-case scheme and t3 is a defanged URL -- presumably here to
# exercise add_text normalisation; verify against Observable.add_text.
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
# Link t1 -> t2, then delete t2 and print the links from t1 before/after
# to show whether links are cleaned up when their destination is deleted.
l = Link.connect(t1, t2)
print "Links", Link.objects(src=t1)
t2.delete()
print "Links", Link.objects(src=t1)
# Test-run fixture: creates a TTP, links it to previously defined entities
# (macrodoc, bartalex_callback, bartalex_callback2, bartalex, dridex -- all
# defined earlier in this script) and seeds sample observables.
# The URLs and IP below are linked to malware entities in this run; treat
# them as hostile indicators (do not fetch or resolve them outside a lab).
payload_download = TTP(name="Payload retrieval (HTTP)")
# NOTE(review): killchain is a numeric stage string here ("3"); confirm
# this matches the TTP.killchain choices in the model.
payload_download.killchain = "3"
# TODO: "retreived" -> "retrieved" (description text, left unchanged here).
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
# 'testrun' is passed positionally before the verb -- presumably the history
# source label; confirm against the action()/add_history() signatures in use.
macrodoc.action(payload_download, 'testrun', verb="leverages")
bartalex_callback.action(payload_download, 'testrun', verb="indicates")
bartalex_callback2.action(payload_download, 'testrun', verb="indicates")

# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
# o6 is wired to the callback, the bartalex entity and dridex with
# relation histories; the other observables are only created.
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history('testrun', 'Queries')
Link.connect(o6, dridex).add_history('testrun', 'Drops')
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag('zeus')
# t2 has a mixed-case scheme and t3 is a defanged URL -- presumably here to
# exercise add_text normalisation; verify against Observable.add_text.
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
# Link t1 -> t2, then delete t2 and print the links from t1 before/after
# to show whether links are cleaned up when their destination is deleted.
l = Link.connect(t1, t2)
print "Links", Link.objects(src=t1)
t2.delete()
print "Links", Link.objects(src=t1)
# Test-run fixture: creates a TTP, links it to previously defined entities
# (macrodoc, bartalex_callback, bartalex_callback2, bartalex, dridex -- all
# defined earlier in this script) and seeds sample observables.
# The URLs and IP below are linked to malware entities in this run; treat
# them as hostile indicators (do not fetch or resolve them outside a lab).
payload_download = TTP(name="Payload retrieval (HTTP)")
# NOTE(review): killchain is a numeric stage string here ("3"); confirm
# this matches the TTP.killchain choices in the model.
payload_download.killchain = "3"
# TODO: "retreived" -> "retrieved" (description text, left unchanged here).
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
# "testrun" is passed positionally before the verb -- presumably the history
# source label; confirm against the action()/add_history() signatures in use.
macrodoc.action(payload_download, "testrun", verb="leverages")
bartalex_callback.action(payload_download, "testrun", verb="indicates")
bartalex_callback2.action(payload_download, "testrun", verb="indicates")

# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
# o6 is wired to the callback, the bartalex entity and dridex with
# relation histories; the other observables are only created.
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history("testrun", "Queries")
Link.connect(o6, dridex).add_history("testrun", "Drops")
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag("zeus")
# t2 has a mixed-case scheme and t3 is a defanged URL -- presumably here to
# exercise add_text normalisation; verify against Observable.add_text.
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
# Link t1 -> t2, then delete t2 and print the links from t1 before/after
# to show whether links are cleaned up when their destination is deleted.
l = Link.connect(t1, t2)
print("Links", Link.objects(src=t1))
t2.delete()
print("Links", Link.objects(src=t1))