def tag(self, new_tags, strict=False):
if isinstance(new_tags, (str, unicode)):
new_tags = [new_tags]
if strict:
remove = set([t.name for t in self.tags]) - set(new_tags)
for tag in remove:
self.modify(pull__tags__name=tag)
for new_tag in new_tags:
if new_tag.strip() != "":
new_tag = Tag(name=new_tag)
new_tag.clean()
try: # check if tag is a replacement
tag = Tag.objects.get(replaces=new_tag.name)
except DoesNotExist:
tag = Tag.get_or_create(name=new_tag.name)
# search for related entities and link them
for e in Entity.objects(tags__in=[tag.name]):
Link.connect(self, e).add_history("Tagged")
if not self.modify(
{"tags__name": tag.name}, set__tags__S__fresh=True, set__tags__S__last_seen=datetime.now()
):
self.modify(push__tags=ObservableTag(name=tag.name))
tag.modify(inc__count=1)
return self.reload()
def each(url):
try:
host = ProcessUrl.analyze_string(url.value)[0]
h = Observable.guess_type(host).get_or_create(value=host)
h.add_source("analytics")
Link.connect(src=url, dst=h)
except ObservableValidationError:
logging.error("An error occurred when trying to add {} to the database".format(host))
def each(f):
try:
l = f.body.length
except AttributeError as e: # File item has no content
l = 0
if l > 0:
for h in HashFile.extract_hashes(f):
h = Hash.get_or_create(value=h.hexdigest()).save()
h.add_source("analytics")
Link.connect(f, h)
def each(f):
try:
l = f.body.length
except AttributeError as e: # File item has no content
l = 0
if l > 0:
for h in HashFile.extract_hashes(f):
h = Hash.get_or_create(value=h.hexdigest()).save()
h.add_source("analytics")
Link.connect(f, h)
def link_from_contact_info(hostname, contact, field, klass, tag, description=None):
if contact is not None and field in contact:
node = klass.get_or_create(value=contact[field])
link = Link.connect(hostname, node)
link.add_history(tag=tag, description=description)
return link
else:
return None
def analyze(ip):
links = []
results = IPWhois(ip.value)
results = results.lookup_rdap()
for entity in results['objects']:
entity = results['objects'][entity]
if entity['contact']['kind'] != 'individual':
# Create the company
company = Company.get_or_create(name=entity['contact']['name'], rdap=entity)
link = Link.connect(ip, company)
link.add_history('hosting')
links.append(link)
# Link it to every email address referenced
for email_info in entity['contact']['email']:
email = Email.get_or_create(value=email_info['value'])
link = Link.connect(company, email)
links.append(link)
return links
def each(cls, hostname, rtype=None, results=[]):
generated = []
h = Hostname.get_or_create(value=hostname.value)
for rdata in results:
logging.info("{} resolved to {} ({} record)".format(h.value, rdata, rtype))
try:
e = Observable.add_text(rdata)
e.add_source("analytics")
generated.append(e)
l = Link.connect(h, e)
l.add_history(tag=rtype, description='{} record'.format(rtype))
except ObservableValidationError as e:
logging.error("{} is not a valid datatype".format(rdata))
h.analysis_done(cls.__name__)
return generated
def each(cls, hostname, rtype=None, results=[]):
parts = extract(hostname.value)
if parts.suffix in SUSPICIOUS_TLDS:
hostname.tag('suspicious_tld')
if parts.subdomain != '':
hostname.update(domain=False)
domain = Hostname.get_or_create(value=parts.registered_domain, domain=True)
domain.add_source("analytics")
l = Link.connect(hostname, domain)
l.add_history(tag='domain')
if domain.has_tag('dyndns'):
hostname.tag('dyndns')
return domain
else:
hostname.update(domain=True)
return None
def action(self, verb, target, description=None):
Link.connect(self, target).add_history(verb, description)
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "delivery"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action("leverages", payload_download)
bartalex_callback.action("indicates", payload_download)
bartalex_callback2.action("indicates", payload_download)
# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history("Queries")
Link.connect(o6, dridex).add_history("Drops")
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag('zeus')
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
l = Link.connect(t1, t2)
print "Links", Link.objects(src=t1)
t2.delete()
print "Links", Link.objects(src=t1)
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")
bartalex_callback.action(payload_download, 'testrun', verb="indicates")
bartalex_callback2.action(payload_download, 'testrun', verb="indicates")
# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history('testrun', 'Queries')
Link.connect(o6, dridex).add_history('testrun', 'Drops')
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag('zeus')
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
l = Link.connect(t1, t2)
print "Links", Link.objects(src=t1)
t2.delete()
print "Links", Link.objects(src=t1)
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, 'testrun', verb="leverages")
bartalex_callback.action(payload_download, 'testrun', verb="indicates")
bartalex_callback2.action(payload_download, 'testrun', verb="indicates")
# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history('testrun', 'Queries')
Link.connect(o6, dridex).add_history('testrun', 'Drops')
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag('zeus')
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
l = Link.connect(t1, t2)
print "Links", Link.objects(src=t1)
t2.delete()
print "Links", Link.objects(src=t1)
payload_download = TTP(name="Payload retrieval (HTTP)")
payload_download.killchain = "3"
payload_download.description = "Payload is retreived from an external URL"
payload_download.save()
macrodoc.action(payload_download, "testrun", verb="leverages")
bartalex_callback.action(payload_download, "testrun", verb="indicates")
bartalex_callback2.action(payload_download, "testrun", verb="indicates")
# add observables
o1 = Observable.add_text("85.214.71.240")
# o2 = Observable.add_text("http://soccersisters.net/mg.jpg")
o3 = Observable.add_text("http://agentseek.com/mg.jpg")
o4 = Observable.add_text("http://www.delianfoods.com/5t546523/lhf3f334f.exe")
o5 = Observable.add_text("http://sanoko.jp/5t546523/lhf3f334f.exe")
o6 = Observable.add_text("http://hrakrue-home.de/87yte55/6t45eyv.exe")
Link.connect(o6, bartalex_callback2)
Link.connect(o6, bartalex).add_history("testrun", "Queries")
Link.connect(o6, dridex).add_history("testrun", "Drops")
o7 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe")
o8 = Observable.add_text("http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe2")
o9 = Observable.add_text("http://zeuscpanel.com/gate.php")
o9.tag("zeus")
t1 = Observable.add_text("http://toto.com")
t2 = Observable.add_text("Http://tata.com")
t3 = Observable.add_text("hxxp://tomchop[.]me")
l = Link.connect(t1, t2)
print("Links", Link.objects(src=t1))
t2.delete()
print("Links", Link.objects(src=t1))
