new: [objects] custom icons for objects

pull/40/head
Christophe Vandeplas 2020-03-14 10:15:07 +01:00
parent f7cb8740ce
commit 9751947b18
4 changed files with 780 additions and 110 deletions








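--- /dev/null
+++ b/MISP_maltego/transforms/common/mappings.py
@@ -0,0 +1,766 @@
+from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Location, Company, Alias, Port, Twitter
+from MISP_maltego.transforms.common.entities import ThreatActor, Software, AttackTechnique
+mapping_misp_to_maltego = {
+'AS': [AS],
+'domain': [Domain, NSRecord, Website, DNSName],
+'email-dst': [EmailAddress],
+'email-src': [EmailAddress],
+'filename': [File],
+'hostname': [Website, NSRecord, Domain, DNSName],
+'ip': [IPv4Address],
+'ip-dst': [IPv4Address],
+'ip-src': [IPv4Address],
+'md5': [Hash],
+'phone-number': [PhoneNumber],
+'sha1': [Hash],
+'sha224': [Hash],
+'sha256': [Hash],
+'sha384': [Hash],
+'sha512': [Hash],
+'sha512/224': [Hash],
+'sha512/256': [Hash],
+'ssdeep': [Hash],
+'impfuzzy': [Hash],
+'uri': [URL],
+'url': [URL],
+'whois-registrant-email': [EmailAddress],
+'country-of-residence': [Location],
+'github-organisation': [Company],
+'github-username': [Alias],
+'imphash': [Hash],
+'jabber-id': [Alias],
+'passport-country': [Location],
+'place-of-birth': [Location],
+'port': [Port],
+'target-email': [EmailAddress],
+'target-location': [Location],
+'target-org': [Company],
+'target-user': [Alias],
+'twitter-id': [Twitter],
+# object mappings
+'nameserver': [NSRecord],
+# TODO add more object mappings
+# custom types created internally for technical reasons
+# 'rekey_value': [Unknown]
+}
+mapping_galaxy_icon = {
+# "android": "malware", # "android",
+"btc": "ransomware",
+"bug": "vulnerability",
+# "cart-arrow-down": "malware", #"tds",
+"chain": "course_of_action",
+"door-open": "backdoor",
+"eye": "malware",
+"gavel": "tool",
+# "globe": "cert-eu-govsector",
+# "industry": "sector",
+# "internet-explorer": "exploit-kit",
+"key": "stealer",
+"map": "attack_pattern",
+"optin-monster": "malware",
+# "shield": "malpedia",
+# "shield": "preventive-measure",
+"sitemap": "botnet",
+"usd": "malware", # "banker",
+# "user-secret": "mitre-intrusion-set",
+"user-secret": "threat_actor",
+}
+mapping_galaxy_type = {
+# 'amitt-misinformation-pattern': '',
+'android': Software,
+'backdoor': Software,
+'banker': Software,
+'botnet': Software,
+# 'branded-vulnerability': '',
+# 'cert-eu-govsector': '',
+'cloud-security': AttackTechnique,
+'exploit-kit': Software,
+'financial-fraud': AttackTechnique,
+'guidelines': AttackTechnique,
+'malpedia': Software,
+'microsoft-activity-group': ThreatActor,
+'mitre-attack-pattern': AttackTechnique,
+# 'mitre-course-of-action': '',
+'mitre-intrusion-set': ThreatActor,
+'mitre-malware': Software,
+'mitre-tool': Software,
+# 'preventive-measure': '',
+'ransomware': Software,
+'rat': Software,
+# 'region': '',
+# 'sector': '',
+'social-dark-patterns': AttackTechnique,
+'stealer': Software,
+'surveillance-vendor': ThreatActor,
+# 'target-information': '',
+'tds': Software,
+'threat-actor': ThreatActor,
+'tool': Software
+}
+mapping_object_icon = {
+'ail-leak': '',
+'ais-info': '',
+'android-permission': '',
+'annotation': '',
+'anonymisation': '',
+'asn': '',
+'attack-pattern': '',
+'authenticode-signerinfo': '',
+'av-signature': '',
+'bank-account': '',
+'bgp-hijack': '',
+'blog': '',
+'btc-transaction': '',
+'btc-wallet': '',
+'cap-alert': '',
+'cap-info': '',
+'cap-resource': '',
+'coin-address': '',
+'command': '',
+'command-line': '',
+'cookie': '',
+'cortex': '',
+'cortex-taxonomy': '',
+'course-of-action': '',
+'covid19-csse-daily-report': '',
+'covid19-dxy-live-city': '',
+'covid19-dxy-live-province': '',
+'cowrie': '',
+'credential': '',
+'credit-card': '',
+'crypto-material': '',
+'cytomic_orion': '',
+'cytomic_orion_machine': '',
+'dark-pattern': '',
+'ddos': '',
+'device': '',
+'diameter-attack': '',
+'dns-record': 'ServerDNS',
+'domain-crawled': '',
+'domain-ip': 'NetworkGlobal',
+'elf': '',
+'elf-section': '',
+'email': 'Email',
+'employee': 'Person',
+'exploit-poc': 'Person',
+'facial-composite': '',
+'fail2ban': '',
+'file': 'File',
+'forensic-case': '',
+'forensic-evidence': '',
+'forged-document': '',
+'geolocation': '',
+'gtp-attack': '',
+'http-request': 'URL',
+'ilr-impact': '',
+'ilr-notification-incident': '',
+'impersonation': '',
+'imsi-catcher': '',
+'instant-message': '',
+'instant-message-group': '',
+'intelmq_event': '',
+'intelmq_report': '',
+'internal-reference': '',
+'interpol-notice': '',
+'iot-device': '',
+'iot-firmware': '',
+'ip-api-address': '',
+'ip-port': 'NetworkCard',
+'irc': '',
+'ja3': '',
+'leaked-document': 'InternetDocument',
+'legal-entity': '',
+'lnk': 'File',
+'macho': '',
+'macho-section': '',
+'mactime-timeline-analysis': '',
+'malware-config': '',
+'meme-image': '',
+'microblog': '',
+'mutex': '',
+'netflow': '',
+'network-connection': '',
+'network-socket': '',
+'news-agency': '',
+'news-media': '',
+'organization': '',
+'original-imported-file': '',
+'passive-dns': 'ServerDNS',
+'paste': '',
+'pcap-metadata': '',
+'pe': '',
+'person': 'Person',
+'pe-section': '',
+'pgp-meta': '',
+'phishing': '',
+'phishing-kit': '',
+'phone': '',
+'process': '',
+'python-etvx-event-log': '',
+'r2graphity': '',
+'regexp': '',
+'registry-key': '',
+'regripper-NTUser': '',
+'regripper-sam-hive-single-user': '',
+'regripper-sam-hive-user-group': '',
+'regripper-software-hive-appInit-DLLS': '',
+'regripper-software-hive-application-paths': '',
+'regripper-software-hive-applications-installed': '',
+'regripper-software-hive-BHO': '',
+'regripper-software-hive-command-shell': '',
+'regripper-software-hive-general-windows-info': '',
+'regripper-software-hive-software-run': '',
+'regripper-software-hive-userprofile-winlogon': '',
+'regripper-system-hive-firewall-configuration': '',
+'regripper-system-hive-general-configuration': '',
+'regripper-system-hive-network-information': '',
+'regripper-system-hive-service-drivers': '',
+'report': '',
+'research-scanner': '',
+'rogue-dns': '',
+'rtir': '',
+'sandbox-report': '',
+'sb-signature': '',
+'scrippsco2-c13-daily': '',
+'scrippsco2-c13-monthly': '',
+'scrippsco2-co2-daily': '',
+'scrippsco2-co2-monthly': '',
+'scrippsco2-o18-daily': '',
+'scrippsco2-o18-monthly': '',
+'script': '',
+'shell-commands': '',
+'shodan-report': '',
+'shortened-link': '',
+'short-message-service': '',
+'splunk': '',
+'ss7-attack': '',
+'ssh-authorized-keys': '',
+'stix2-pattern': '',
+'suricata': '',
+'target-system': '', # TODO intel icons
+'threatgrid-report': '',
+'timecode': '',
+'timesketch_message': '',
+'timesketch-timeline': '',
+'timestamp': '',
+'tor-hiddenservice': '',
+'tor-node': '',
+'tracking-id': '',
+'transaction': '',
+'translation': '',
+'trustar_report': '',
+'TSK-Chats': '',
+'TSK-Web-Bookmark': '',
+'TSK-Web-Cookie': '',
+'TSK-Web-Downloads': '',
+'TSK-Web-History': '',
+'TSK-Web-Search-Query': '',
+'url': 'URL',
+'user-account': '',
+'vehicle': '',
+'victim': '',
+'virustotal-graph': '',
+'virustotal-report': '',
+'vulnerability': '', # TODO intel icons
+'weakness': '', # TODO intel icons
+'whois': 'UserID',
+'x509': '',
+'yabin': '',
+'yara': '',
+}
+# All possible default icons shipped with Maltego - useful for auto_completion
+# AccessCard
+# AccessPoint
+# Accident
+# Accountant
+# Add
+# Admin
+# AdultFemale
+# AdultMale
+# AffiliationAndroid
+# AffiliationAnonymous
+# AffiliationApple
+# AffiliationBebo
+# AffiliationBlogger
+# AffiliationBuiltWith
+# AffiliationCloud
+# AffiliationColdfusion
+# AffiliationDigg
+# AffiliationDropbox
+# AffiliationEbay
+# AffiliationFacebook
+# AffiliationFlickr
+# AffiliationGoogleDrive
+# AffiliationGooglePlus
+# AffiliationInstagram
+# AffiliationKik
+# AffiliationLinkedIn
+# AffiliationLinux
+# AffiliationMeetup
+# AffiliationMyspace
+# AffiliationNewsvine
+# AffiliationOrkut
+# AffiliationPayPal
+# AffiliationPicasa
+# AffiliationPinterest
+# Affiliation
+# AffiliationReddit
+# AffiliationRSS
+# AffiliationSkype
+# AffiliationSnapchat
+# AffiliationSpock
+# AffiliationTinder
+# AffiliationTwitter
+# AffiliationWechat
+# AffiliationWhatsapp
+# AffiliationWiki
+# AffiliationWindows
+# AffiliationWWF
+# AffiliationYammer
+# AffiliationYelp
+# AffiliationYouTube
+# AffiliationZoomInfo
+# AircraftBomber
+# AircraftCarrier
+# AirCrash
+# Airport
+# Alarm
+# Alias
+# Alliance
+# Ammunition
+# Anarchy
+# Antenna
+# Apartments
+# Army
+# Artist
+# Assemble
+# Asteroid
+# Atom
+# Author
+# Baby
+# Backbone
+# Ballerina
+# BandAid
+# BankAccount
+# BankCard
+# Banner
+# Bear
+# Bee
+# Binary
+# BioAgent
+# Bit
+# BlueAura
+# Bomb
+# BookPDF
+# Book
+# BorderCheckpoint
+# Businessman
+# BusinessPhoneSystem
+# Bus
+# CableUSB
+# Camera
+# Captive
+# Cargo
+# Car
+# CashInTransit
+# Cash
+# CellNetwork
+# Cemetery
+# CEO
+# Certificate
+# Certification
+# Champion
+# CheckBox
+# Checkpoint
+# ChemicalAnalysis
+# Child
+# Church
+# CircularArea
+# City
+# Clock
+# ClusterOrange
+# Cluster
+# CoffeeShop
+# ColoredBall
+# Community
+# Company
+# ConferenceAudio
+# Connect
+# Contract
+# ControlTower
+# Cookies
+# CrimeScene
+# Criminal
+# CV
+# Dam
+# DatabaseConnect
+# DatabaseErase
+# Database
+# DateField
+# Deceased
+# Degree
+# Delete
+# Desert
+# Desktop
+# Destroy
+# Diamond
+# Diary
+# Dictator
+# Directions
+# Disabled
+# Disconnect
+# DNACode
+# Donation
+# Donkey
+# Drone
+# DrugDealer
+# Earthquake
+# Elderly
+# Elephant
+# Email
+# Encrypt
+# Environment
+# Erase
+# Event
+# Explosion
+# Factory
+# Farm
+# FastFood
+# Fax
+# FieldDelete
+# Field
+# File
+# FileSharing
+# Files
+# Filter
+# FingerPrint
+# FireForest
+# Firewall
+# Fix
+# FlightNumber
+# FlightPath
+# Flood
+# FloppyDisk
+# Form
+# GamingConsole
+# GangBoss
+# GangMember
+# Gang
+# GasStation
+# Gateway
+# Genealogy
+# Genetic
+# Geography
+# GhostSighting
+# GlobalWarming
+# Gorilla
+# GovermentOfficial
+# Government
+# GPS
+# Green2Grey
+# Green2Orange2Turquoise
+# Green2Red2Blue
+# Group
+# Guard
+# Gun
+# Hacker
+# Harbour
+# HardDisk
+# Harvest
+# Hashtag
+# Headphones
+# Helicopter
+# Home
+# HospitalLocation
+# Hostage
+# Hotel
+# Hurricane
+# HydroPower
+# IconManager
+# ID
+# IED
+# ImageField
+# Image
+# Influencer
+# InfoMessage
+# InternetDocument
+# InternetFastSpeed
+# InternetIP
+# InternetISP
+# InternetMIMEDocs
+# InternetMIMEFolder
+# InternetMIME
+# Internet
+# InternetUser
+# Invasion
+# ISBN
+# Island
+# Judge
+# KeyPrimary
+# Keys
+# KillerWhale
+# Knife
+# Last
+# LawEnforcementOfficer
+# Lawyer
+# Leader
+# License
+# LinkBroke
+# Link
+# List
+# Lobby
+# Location
+# Log
+# MacAddress
+# MaltegoGraph
+# ManyIn
+# Marijuana
+# MedicalRecord
+# Medicine
+# MeetingBusiness
+# MeetingSocial
+# Memorial
+# MergeCells
+# Messenger
+# MilitaryOfficer
+# Mine
+# MissileRPG
+# MissingPerson
+# MobileComputer
+# MobileNet
+# MobilePhone
+# MobileUser
+# Modem
+# Monitoring
+# Moon
+# Mosque
+# Motorbike
+# Movie
+# Murder
+# MusicAlbum
+# MusicSinger
+# MusicSongwriter
+# MXRecord
+# MySQL
+# Neighborhood
+# NetAdmin
+# NetworkAdmin
+# NetworkAsymetric
+# NetworkCardBlue
+# NetworkCard
+# NetworkConnector
+# NetworkDistribution
+# NetworkGlobal
+# NetworkHub
+# NetworkID
+# NetworkIntranet
+# NetworkISDN
+# NetworkMonitor
+# NetworkSoftware
+# NetworkSymmetric
+# News
+# Node
+# NSRecord
+# NuclearPlant
+# Nurse
+# Objects
+# OilField
+# OilSpill
+# OilWell
+# OnlineGroup
+# Orange2Green
+# Orange2Purple
+# Organization
+# OSIModel
+# Passport
+# PasswordPHP
+# Password
+# Patient
+# Person
+# PetrolBomb
+# PhoneConversation
+# PhoneLandlineOffice
+# PhoneLandlineResidential
+# PhoneNumber
+# Phrase
+# Pilot
+# Piracy
+# Pirate
+# Plane
+# Planet
+# Play
+# Poison
+# PoliticalParty
+# Port
+# PowerPlant
+# Prescription
+# PrisonCamp
+# Prisoner
+# Prison
+# Privilege
+# ProgressBar
+# Protester
+# Protest
+# Protocol
+# Purple2Turquoise
+# PurplePink2Green
+# PurplePink2Yellow2Blue
+# QRCode
+# Quarantine
+# QuestionDialog
+# Radar
+# Radio
+# Rain
+# Red2Blue
+# Red2Green
+# Red2Yellow
+# RefugeeCamp
+# RegistrationPlate
+# RegistryErase
+# RelationshipModel
+# Relationship
+# RemoteControl
+# Repeater
+# Reporter
+# Restaurant
+# Resume
+# Rhino
+# Rocket
+# Role
+# Route
+# Router
+# Royalty
+# RunningWater
+# Satellite
+# Savings
+# School
+# Science
+# Scientist
+# Script
+# SecurityCameraMonitoring
+# SecurityCheckpoints
+# Security
+# Seed
+# Sentiment
+# ServerBackup
+# ServerChat
+# ServerDNS
+# ServerFTP
+# ServerMicrosoftSQL
+# Server
+# ServerProxy
+# Service
+# SexOffender
+# Sharing
+# SharkAttack
+# ShipContainer
+# ShipCruise
+# ShipPirate
+# Ship
+# ShipSpeed
+# ShipTanker
+# ShipTrawler
+# ShipYacht
+# Shop
+# SIMCard
+# SiteFTP
+# SizeAllLinks
+# SizeInLinks
+# SizeOutLinks
+# SmileConfused
+# SmileMad
+# Smile
+# SmileSad
+# SMS
+# Sniffer
+# Snow
+# Socket
+# SoftwareBlocking
+# SoftwareCollaborative
+# SoftwareFTP
+# SoftwareManager
+# SoftwareMeeting
+# Software
+# Soldier
+# Solidarity
+# Space
+# SpaceStation
+# Spider
+# SplitCells
+# Spy
+# Spyware
+# SQLQuery
+# SSLCertificate
+# SSL
+# SSN
+# Star
+# Stop
+# SuicideBomber
+# SUNET
+# Suspect
+# SuspiciousPerson
+# Switch
+# Sybase
+# SynagogueTemple
+# Syndicate
+# Table
+# TabletTouch
+# Tag
+# Tank
+# TargetPerson
+# Target
+# Taxi
+# Technician
+# Temple
+# Terminal
+# TerroristLeader
+# TerroristMember
+# TerroristThug
+# Terror
+# TextField
+# Theatre
+# Ticket
+# TradeUnion
+# Train
+# TrainStation
+# Transform
+# Trojan
+# Truck
+# TsetseFly
+# Tsunami
+# Turquoise2Orange2Red
+# Turquoise2Yellow
+# TV
+# UFOAbduction
+# Underground
+# Universe
+# UnknownBody
+# Unknown
+# UPS
+# Urgent
+# URL
+# USB
+# UserID
+# User
+# Victim
+# VideoCamera
+# Videoconference
+# VINNumber
+# Virus
+# Voice
+# VOIP
+# VolcanoEruption
+# VPN
+# WAN
+# WebDir
+# Website
+# WiFi
+# WindFarm
+# WirelessRouter
+#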
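Review bot: `'exploit-poc': 'Person'` in mapping_object_icon, directly under `'employee': 'Person'`, reads as a copy-paste slip — an exploit proof-of-concept object is not a person, and `'File'` or `'Script'` from the icon list at the bottom of the file would match the template far better (or `''` until one is chosen). The roughly two hundred `''` entries in the same table leave the contract ambiguous: a caller that indexes the dict gets `''` for a known template but a KeyError for an unknown one, so "no custom icon yet" has two different representations; a one-line comment above the dict, `# '' means no custom icon chosen yet - callers must treat it like a missing key`, would pin that down for whoever fills the table in. The module has no docstring either; a short header such as `"""Lookup tables used by the transforms: MISP attribute type -> Maltego entity classes, galaxy icon name -> entity type, MISP object template name -> Maltego built-in icon name."""` would tell a reader what the three dicts key on without opening util.py.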


@ -1,8 +1,9 @@
from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
from canari.maltego.entities import Hash, URL, File, Person, Hashtag
from canari.maltego.message import Label, LinkStyle, MaltegoException, Bookmark, LinkDirection, UIMessage, UIMessageType
from canari.mode import is_local_exec_mode, is_remote_exec_mode
from distutils.version import StrictVersion
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, ThreatActor, Software, AttackTechnique
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy
from MISP_maltego.transforms.common.mappings import mapping_object_icon, mapping_misp_to_maltego, mapping_galaxy_icon, mapping_galaxy_type
from pymisp import ExpandedPyMISP as PyMISP
import json
import os
@ -15,108 +16,6 @@ import time
__version__ = '1.4.3' # also update version in setup.py
mapping_misp_to_maltego = {
'AS': [AS],
'domain': [Domain, NSRecord, Website, DNSName],
'email-dst': [EmailAddress],
'email-src': [EmailAddress],
'filename': [File],
'hostname': [Website, NSRecord, Domain, DNSName],
'ip': [IPv4Address],
'ip-dst': [IPv4Address],
'ip-src': [IPv4Address],
'md5': [Hash],
'phone-number': [PhoneNumber],
'sha1': [Hash],
'sha224': [Hash],
'sha256': [Hash],
'sha384': [Hash],
'sha512': [Hash],
'sha512/224': [Hash],
'sha512/256': [Hash],
'ssdeep': [Hash],
'impfuzzy': [Hash],
'uri': [URL],
'url': [URL],
'whois-registrant-email': [EmailAddress],
'country-of-residence': [Location],
'github-organisation': [Company],
'github-username': [Alias],
'imphash': [Hash],
'jabber-id': [Alias],
'passport-country': [Location],
'place-of-birth': [Location],
'port': [Port],
'target-email': [EmailAddress],
'target-location': [Location],
'target-org': [Company],
'target-user': [Alias],
'twitter-id': [Twitter],
# object mappings
'nameserver': [NSRecord],
# TODO add more object mappings
# custom types created internally for technical reasons
# 'rekey_value': [Unknown]
}
mapping_galaxy_icon = {
# "android": "malware", # "android",
"btc": "ransomware",
"bug": "vulnerability",
# "cart-arrow-down": "malware", #"tds",
"chain": "course_of_action",
"door-open": "backdoor",
"eye": "malware",
"gavel": "tool",
# "globe": "cert-eu-govsector",
# "industry": "sector",
# "internet-explorer": "exploit-kit",
"key": "stealer",
"map": "attack_pattern",
"optin-monster": "malware",
# "shield": "malpedia",
# "shield": "preventive-measure",
"sitemap": "botnet",
"usd": "malware", # "banker",
# "user-secret": "mitre-intrusion-set",
"user-secret": "threat_actor",
}
mapping_galaxy_type = {
# 'amitt-misinformation-pattern': '',
'android': Software,
'backdoor': Software,
'banker': Software,
'botnet': Software,
# 'branded-vulnerability': '',
# 'cert-eu-govsector': '',
'cloud-security': AttackTechnique,
'exploit-kit': Software,
'financial-fraud': AttackTechnique,
'guidelines': AttackTechnique,
'malpedia': Software,
'microsoft-activity-group': ThreatActor,
'mitre-attack-pattern': AttackTechnique,
# 'mitre-course-of-action': '',
'mitre-intrusion-set': ThreatActor,
'mitre-malware': Software,
'mitre-tool': Software,
# 'preventive-measure': '',
'ransomware': Software,
'rat': Software,
# 'region': '',
# 'sector': '',
'social-dark-patterns': AttackTechnique,
'stealer': Software,
'surveillance-vendor': ThreatActor,
# 'target-information': '',
'tds': Software,
'threat-actor': ThreatActor,
'tool': Software
}
tag_note_prefixes = ['tlp:', 'PAP:', 'de-vs:', 'euci:', 'fr-classif:', 'nato:']
misp_connection = None
@ -278,11 +177,17 @@ def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False):
def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOutput):
misp = get_misp_connection()
# find a nice icon for it
try:
icon_url = mapping_object_icon[o['name']]
except KeyError:
# it's not in our mapping, just ignore and leave the default icon
icon_url = None
# Generate a human readable display-name:
# - find the first RequiredOneOf that exists
# - if none, use the first RequiredField
# LATER further finetune the human readable version of this object
misp = get_misp_connection()
o_template = misp.get_object_template(o['template_uuid'])
human_readable = None
try:
@ -295,7 +200,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
break
for a in o['Attribute']:
if a['type'] == required_a_type:
human_readable = '{}: {}'.format(o['name'], a['value'])
human_readable = '{}:\n{}'.format(o['name'], a['value'])
found = True
break
except Exception:
@ -313,10 +218,9 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
if a['type'] == required_a_type:
parts.append(a['value'])
break
human_readable = '{}: {}'.format(o['name'], '|'.join(parts))
human_readable = '{}:\n{}'.format(o['name'], '|'.join(parts))
except Exception:
human_readable = o['name']
pass
return MISPObject(
human_readable,
uuid=o['uuid'],
@ -324,6 +228,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
meta_category=o.get('meta_category'),
description=o.get('description'),
comment=o.get('comment'),
icon_url=icon_url,
link_label=link_label,
link_direction=link_direction,
bookmark=Bookmark.Green
@ -454,9 +359,8 @@ def galaxycluster_to_entity(c, link_label=None, link_direction=LinkDirection.Inp
try:
icon_url = mapping_galaxy_icon[galaxy_cluster['icon']]
except KeyError:
# it's not in our mapping, just ignore and leave the default icon
icon_url = None
# it's not in our mapping, just ignore and leave the default Galaxy icon
pass
# create the right sub-galaxy: ThreatActor, Software, AttackTechnique, ... or MISPGalaxy
try:
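Review bot: In object_to_entity (hunk `@ -278,11 +177,17`), `icon_url = mapping_object_icon[o['name']]` passes an empty string to MISPObject for every template whose table entry is still `''`, whereas an unknown template name takes the KeyError branch and passes `None`; unless canari is known to treat `''` exactly like `None`, the two "no custom icon" cases should collapse into one, which `icon_url = mapping_object_icon.get(o['name']) or None` does in a single line and without the try/except. In galaxycluster_to_entity (last hunk), the `except KeyError` branch now only executes `pass`, so `icon_url` is left unassigned on that path; if nothing above the `try` initialises it, the first unmapped galaxy icon raises NameError at the later use — I cannot confirm from here because the function continues outside the hunk. A comment on the `pass` line, `# icon_url keeps its earlier default`, would make the intent explicit once that earlier assignment is verified.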