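def virus_total_obj(api_key, indicators):
    '''Build our VirusTotal report object, the linked File/URL object, and one
    AV signature object per detecting engine, and link them appropriately.

    :param api_key: configuration mapping; the VT key is read from
                    ``api_key["virustotal"]["key"]``
    :param indicators: a single indicator (file hash or URL) to look up in VT
    :return: list of MISP objects in order: the VT report, then the file/url
             object when VT classified the resource as a file or url, then
             one ``av-signature`` object for every engine whose scan entry
             has ``detected`` set
    :raises KeyError: if the raw VT report lacks the hash fields (file) or
                      the ``scans`` mapping
    '''
    vtr_report = VTReportObject(api_key["virustotal"]["key"], indicators)
    report_objects = [vtr_report]
    # Raw VT JSON; it is the only place the hashes and per-engine verdicts come from.
    av_report = vtr_report._report

    if vtr_report._resource_type == 'file':
        file_object = pymisp.MISPObject(name="file")
        file_object.add_attribute("md5", value=av_report["md5"])
        file_object.add_attribute("sha1", value=av_report["sha1"])
        file_object.add_attribute("sha256", value=av_report["sha256"])
        vtr_report.add_reference(referenced_uuid=file_object.uuid, relationship_type="report of")
        report_objects.append(file_object)
    elif vtr_report._resource_type == "url":
        # The URL object is built from the indicator we searched for, not from the VT response.
        parsed = urlsplit(indicators)
        url_object = pymisp.MISPObject(name="url")
        url_object.add_attribute("url", value=parsed.geturl())
        url_object.add_attribute("host", value=parsed.hostname)
        url_object.add_attribute("scheme", value=parsed.scheme)
        url_object.add_attribute("port", value=parsed.port)
        vtr_report.add_reference(referenced_uuid=url_object.uuid, relationship_type="report of")
        report_objects.append(url_object)

    for antivirus in av_report["scans"]:
        if av_report["scans"][antivirus]["detected"]:
            av_object = pymisp.MISPObject(name="av-signature")
            av_object.add_attribute("software", value=antivirus)
            signature_name = av_report["scans"][antivirus]["result"]
            # Signature names are engine-specific free text; correlating on them adds noise.
            av_object.add_attribute("signature", value=signature_name, disable_correlation=True)
            vtr_report.add_reference(referenced_uuid=av_object.uuid, relationship_type="included-in")
            report_objects.append(av_object)

    # The original dropped the result on the floor; callers need the object list.
    return report_objects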
def _make_VT_object(self, to_search, default_attributes_paramaters):
    """Look up ``to_search`` on VirusTotal and wrap the result in a VTReportObject.

    The API key and proxy settings come from ``cfg.virustotal``. When the
    ``populate`` flag is set on ``self.args`` the object's distribution level is
    copied from the defaults. Returns ``None`` (after logging through
    ``self.log``) when the connection to VT fails or VT returns something that
    cannot be turned into a valid MISP object.

    The misspelled ``default_attributes_paramaters`` keyword is part of the
    VTReportObject interface this code targets and is passed through verbatim.
    """
    try:
        vt_object = VTReportObject(
            cfg.virustotal.virustotal_key,
            to_search,
            vt_proxies=cfg.virustotal.proxies,
            standalone=False,
            default_attributes_paramaters=default_attributes_paramaters,
        )
    except requests.exceptions.ConnectionError:
        # Only connection failures are handled here; other request errors propagate.
        self.log('error', 'Failed to connect to VT for {}'.format(to_search))
        return None
    except InvalidMISPObject as e:
        self.log('error', e)
        return None

    if self.args.populate:
        vt_object.distribution = default_attributes_paramaters.distribution
    return vt_object
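def generate_report(indicator, apikey):
    '''Build the VirusTotal report object for ``indicator`` and, when VT
    classified the resource as a file, a linked MISP ``file`` object.

    :param indicator: indicator (hash) to search in VT for
    :param apikey: VirusTotal API key handed straight to VTReportObject
    :return: ``[vt_report]`` for non-file resources, or
             ``[vt_report, file_object]`` with the file object referenced
             from the report as "report of"
    '''
    report_objects = []
    vt_report = VTReportObject(apikey, indicator)
    report_objects.append(vt_report)
    raw_report = vt_report._report

    # Only file reports carry md5/sha1/sha256; indexing them on a URL report
    # raised KeyError before this guard.
    if vt_report._resource_type == "file":
        file_object = MISPObject(name="file")
        file_object.add_attribute("md5", value=raw_report["md5"])
        file_object.add_attribute("sha1", value=raw_report["sha1"])
        file_object.add_attribute("sha256", value=raw_report["sha256"])
        vt_report.add_reference(referenced_uuid=file_object.uuid, relationship_type="report of")
        report_objects.append(file_object)

    return report_objects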
def _make_VT_object(self, to_search, default_attributes_parameters):
    """Query VirusTotal for ``to_search`` and return the resulting VTReportObject.

    Credentials and proxies are taken from ``cfg.virustotal``. With
    ``self.args.populate`` set, the distribution level of
    ``default_attributes_parameters`` is applied to the new object. On a VT
    connection failure or an invalid MISP object the problem is logged via
    ``self.log`` and ``None`` is returned instead.
    """
    vt_kwargs = dict(
        vt_proxies=cfg.virustotal.proxies,
        standalone=False,
        default_attributes_parameters=default_attributes_parameters,
    )
    try:
        vt_object = VTReportObject(cfg.virustotal.virustotal_key, to_search, **vt_kwargs)
    except requests.exceptions.ConnectionError:
        # Connection errors are the only request failures handled here.
        self.log('error', 'Failed to connect to VT for {}'.format(to_search))
        return None
    except InvalidMISPObject as e:
        self.log('error', e)
        return None

    if self.args.populate:
        vt_object.distribution = default_attributes_parameters.distribution
    return vt_object
def forwarded_email(self, pseudofile: BytesIO) -> EMailObject:
    '''Extract indicators from a forwarded email and add them to ``self.misp_event``.

    * Builds an EMailObject from the raw message (headers, body, original mail)
    * Turns each attachment into either a plain ``attachment`` attribute or a
      set of binary objects (``make_binary_objects``, lief-backed when possible),
      optionally enriched with a VirusTotal report
    * Extracts IOCs from the body (``process_body_iocs``)
    * Links everything back to the email object and, depending on config,
      adds the email object itself to the event

    :param pseudofile: in-memory raw email
    :return: the EMailObject built from the message (returned even when it is
             not added to the event)
    '''
    email_object = EMailObject(pseudofile=pseudofile, attach_original_mail=True, standalone=False)
    if email_object.attachments:
        # Create file objects for the attachments
        for attachment_name, attachment in email_object.attachments:
            # Zero-byte attachments are skipped only when the config asks for it.
            if not (self.ignore_nullsize_attachments and attachment.getbuffer().nbytes == 0):
                if not attachment_name:
                    attachment_name = 'NameMissing.txt'
                # NOTE(review): config_from_email_body is, by its name, parsed from the
                # message body, i.e. sender-influenced. If so, a sender who knows the
                # benign-attachment keyword can route their attachment through the
                # "plain attribute" branch and skip binary parsing and the VT lookup.
                # Confirm how that mapping is populated.
                if self.config_from_email_body.get(
                    'attachment'
                ) == self.config.m2m_benign_attachment_keyword:
                    a = self.misp_event.add_attribute(
                        'attachment', value=attachment_name, data=attachment)
                    email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
                else:
                    # Parses untrusted attachment bytes; make_binary_objects returns the
                    # file object plus an optional main (PE/ELF/...) object and its sections.
                    f_object, main_object, sections = make_binary_objects(
                        pseudofile=attachment, filename=attachment_name, standalone=False)
                    if self.config.vt_key:
                        try:
                            # Looks the attachment up by sha256 on VirusTotal (a third-party
                            # service) - the hash of every non-benign attachment leaves the
                            # system. [0] raises IndexError if the file object carries no
                            # sha256 attribute; presumably make_binary_objects always adds one.
                            vt_object = VTReportObject(
                                self.config.vt_key,
                                f_object.get_attributes_by_relation(
                                    'sha256')[0].value,
                                standalone=False)
                            self.misp_event.add_object(vt_object)
                            f_object.add_reference(vt_object.uuid, 'analysed-with')
                        except InvalidMISPObject as e:
                            # Only an invalid VT object is tolerated (best-effort enrichment);
                            # it is printed rather than logged. Any other error from the VT
                            # client is not caught here and propagates.
                            print(e)
                            pass
                    # Order matters for references: the file object is added after the
                    # VT object it points at, then the binary-specific objects.
                    self.misp_event.add_object(f_object)
                    if main_object:
                        self.misp_event.add_object(main_object)
                    for section in sections:
                        self.misp_event.add_object(section)
                    email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
    self.process_body_iocs(email_object)
    # The email object itself (with the original mail attached) is only stored when
    # the spamtrap/attach_original_mail config says so, or when the body-derived
    # config requests it - see the note above on who controls config_from_email_body.
    if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get(
        'attach_original_mail'):
        self.misp_event.add_object(email_object)
    return email_object
def generate_report(indicator, apikey):
    '''
    Build our VirusTotal report object, the linked File or URL object, and one
    AV signature object per detecting engine, and link them appropriately.

    :indicator: Indicator (file hash or URL) to search in VT for
    :apikey: VirusTotal API key handed straight to VTReportObject
    :return: list of MISP objects: the VT report first, then the file/url
             object (if VT classified the resource as such), then an
             ``av-signature`` object for every engine with ``detected`` set
    '''
    vt_report = VTReportObject(apikey, indicator)
    raw_report = vt_report._report
    resource_type = vt_report._resource_type
    objects = [vt_report]

    # Build the object the report is "about"; None when the resource type is neither.
    linked = None
    if resource_type == "file":
        linked = pymisp.MISPObject(name="file")
        for algo in ("md5", "sha1", "sha256"):
            linked.add_attribute(algo, value=raw_report[algo])
    elif resource_type == "url":
        # Derived from the searched indicator itself, not from the VT response.
        parts = urlsplit(indicator)
        linked = pymisp.MISPObject(name="url")
        linked.add_attribute("url", value=parts.geturl())
        linked.add_attribute("host", value=parts.hostname)
        linked.add_attribute("scheme", value=parts.scheme)
        linked.add_attribute("port", value=parts.port)
    if linked is not None:
        vt_report.add_reference(referenced_uuid=linked.uuid, relationship_type="report of")
        objects.append(linked)

    # One av-signature object per engine that flagged the resource.
    for engine, verdict in raw_report["scans"].items():
        if not verdict["detected"]:
            continue
        av_object = pymisp.MISPObject(name="av-signature")
        av_object.add_attribute("software", value=engine)
        # Engine-specific free-text names; correlating on them would be noise.
        av_object.add_attribute("signature", value=verdict["result"], disable_correlation=True)
        vt_report.add_reference(referenced_uuid=av_object.uuid, relationship_type="included-in")
        objects.append(av_object)

    return objects