diff --git a/doc/img/object_icons_new.png b/doc/img/object_icons_new.png new file mode 100644 index 0000000..de0653b Binary files /dev/null and b/doc/img/object_icons_new.png differ diff --git a/doc/img/object_icons_old.png b/doc/img/object_icons_old.png new file mode 100644 index 0000000..6ab2c7f Binary files /dev/null and b/doc/img/object_icons_old.png differ diff --git a/src/MISP_maltego/transforms/common/mappings.py b/src/MISP_maltego/transforms/common/mappings.py new file mode 100644 index 0000000..34ed148 --- /dev/null +++ b/src/MISP_maltego/transforms/common/mappings.py @@ -0,0 +1,766 @@ +from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Location, Company, Alias, Port, Twitter +from MISP_maltego.transforms.common.entities import ThreatActor, Software, AttackTechnique + +mapping_misp_to_maltego = { + 'AS': [AS], + 'domain': [Domain, NSRecord, Website, DNSName], + 'email-dst': [EmailAddress], + 'email-src': [EmailAddress], + 'filename': [File], + 'hostname': [Website, NSRecord, Domain, DNSName], + 'ip': [IPv4Address], + 'ip-dst': [IPv4Address], + 'ip-src': [IPv4Address], + 'md5': [Hash], + 'phone-number': [PhoneNumber], + 'sha1': [Hash], + 'sha224': [Hash], + 'sha256': [Hash], + 'sha384': [Hash], + 'sha512': [Hash], + 'sha512/224': [Hash], + 'sha512/256': [Hash], + 'ssdeep': [Hash], + 'impfuzzy': [Hash], + 'uri': [URL], + 'url': [URL], + + 'whois-registrant-email': [EmailAddress], + 'country-of-residence': [Location], + 'github-organisation': [Company], + 'github-username': [Alias], + 'imphash': [Hash], + 'jabber-id': [Alias], + 'passport-country': [Location], + 'place-of-birth': [Location], + 'port': [Port], + 'target-email': [EmailAddress], + 'target-location': [Location], + 'target-org': [Company], + 'target-user': [Alias], + 'twitter-id': [Twitter], + # object mappings + 'nameserver': [NSRecord], + # TODO add more object mappings + # custom types created internally for technical reasons + # 'rekey_value': [Unknown] +} + +mapping_galaxy_icon = { + # "android": "malware", # "android", + "btc": "ransomware", + "bug": "vulnerability", + # "cart-arrow-down": "malware", #"tds", + "chain": "course_of_action", + "door-open": "backdoor", + "eye": "malware", + "gavel": "tool", + # "globe": "cert-eu-govsector", + # "industry": "sector", + # "internet-explorer": "exploit-kit", + "key": "stealer", + "map": "attack_pattern", + "optin-monster": "malware", + # "shield": "malpedia", + # "shield": "preventive-measure", + "sitemap": "botnet", + "usd": "malware", # "banker", + # "user-secret": "mitre-intrusion-set", + "user-secret": "threat_actor", +} + +mapping_galaxy_type = { + # 'amitt-misinformation-pattern': '', + 'android': Software, + 'backdoor': Software, + 'banker': Software, + 'botnet': Software, + # 'branded-vulnerability': '', + # 'cert-eu-govsector': '', + 'cloud-security': AttackTechnique, + 'exploit-kit': Software, + 'financial-fraud': AttackTechnique, + 'guidelines': AttackTechnique, + 'malpedia': Software, + 'microsoft-activity-group': ThreatActor, + 'mitre-attack-pattern': AttackTechnique, + # 'mitre-course-of-action': '', + 'mitre-intrusion-set': ThreatActor, + 'mitre-malware': Software, + 'mitre-tool': Software, + # 'preventive-measure': '', + 'ransomware': Software, + 'rat': Software, + # 'region': '', + # 'sector': '', + 'social-dark-patterns': AttackTechnique, + 'stealer': Software, + 'surveillance-vendor': ThreatActor, + # 'target-information': '', + 'tds': Software, + 'threat-actor': ThreatActor, + 'tool': Software +} + +mapping_object_icon = { + 'ail-leak': '', + 'ais-info': '', + 'android-permission': '', + 'annotation': '', + 'anonymisation': '', + 'asn': '', + 'attack-pattern': '', + 'authenticode-signerinfo': '', + 'av-signature': '', + 'bank-account': '', + 'bgp-hijack': '', + 'blog': '', + 'btc-transaction': '', + 'btc-wallet': '', + 'cap-alert': '', + 'cap-info': '', + 'cap-resource': '', + 'coin-address': '', + 'command': '', + 'command-line': '', + 'cookie': '', + 'cortex': '', + 'cortex-taxonomy': '', + 'course-of-action': '', + 'covid19-csse-daily-report': '', + 'covid19-dxy-live-city': '', + 'covid19-dxy-live-province': '', + 'cowrie': '', + 'credential': '', + 'credit-card': '', + 'crypto-material': '', + 'cytomic_orion': '', + 'cytomic_orion_machine': '', + 'dark-pattern': '', + 'ddos': '', + 'device': '', + 'diameter-attack': '', + 'dns-record': 'ServerDNS', + 'domain-crawled': '', + 'domain-ip': 'NetworkGlobal', + 'elf': '', + 'elf-section': '', + 'email': 'Email', + 'employee': 'Person', + 'exploit-poc': 'Person', + 'facial-composite': '', + 'fail2ban': '', + 'file': 'File', + 'forensic-case': '', + 'forensic-evidence': '', + 'forged-document': '', + 'geolocation': '', + 'gtp-attack': '', + 'http-request': 'URL', + 'ilr-impact': '', + 'ilr-notification-incident': '', + 'impersonation': '', + 'imsi-catcher': '', + 'instant-message': '', + 'instant-message-group': '', + 'intelmq_event': '', + 'intelmq_report': '', + 'internal-reference': '', + 'interpol-notice': '', + 'iot-device': '', + 'iot-firmware': '', + 'ip-api-address': '', + 'ip-port': 'NetworkCard', + 'irc': '', + 'ja3': '', + 'leaked-document': 'InternetDocument', + 'legal-entity': '', + 'lnk': 'File', + 'macho': '', + 'macho-section': '', + 'mactime-timeline-analysis': '', + 'malware-config': '', + 'meme-image': '', + 'microblog': '', + 'mutex': '', + 'netflow': '', + 'network-connection': '', + 'network-socket': '', + 'news-agency': '', + 'news-media': '', + 'organization': '', + 'original-imported-file': '', + 'passive-dns': 'ServerDNS', + 'paste': '', + 'pcap-metadata': '', + 'pe': '', + 'person': 'Person', + 'pe-section': '', + 'pgp-meta': '', + 'phishing': '', + 'phishing-kit': '', + 'phone': '', + 'process': '', + 'python-etvx-event-log': '', + 'r2graphity': '', + 'regexp': '', + 'registry-key': '', + 'regripper-NTUser': '', + 'regripper-sam-hive-single-user': '', + 'regripper-sam-hive-user-group': '', + 'regripper-software-hive-appInit-DLLS': '', + 'regripper-software-hive-application-paths': '', + 'regripper-software-hive-applications-installed': '', + 'regripper-software-hive-BHO': '', + 'regripper-software-hive-command-shell': '', + 'regripper-software-hive-general-windows-info': '', + 'regripper-software-hive-software-run': '', + 'regripper-software-hive-userprofile-winlogon': '', + 'regripper-system-hive-firewall-configuration': '', + 'regripper-system-hive-general-configuration': '', + 'regripper-system-hive-network-information': '', + 'regripper-system-hive-service-drivers': '', + 'report': '', + 'research-scanner': '', + 'rogue-dns': '', + 'rtir': '', + 'sandbox-report': '', + 'sb-signature': '', + 'scrippsco2-c13-daily': '', + 'scrippsco2-c13-monthly': '', + 'scrippsco2-co2-daily': '', + 'scrippsco2-co2-monthly': '', + 'scrippsco2-o18-daily': '', + 'scrippsco2-o18-monthly': '', + 'script': '', + 'shell-commands': '', + 'shodan-report': '', + 'shortened-link': '', + 'short-message-service': '', + 'splunk': '', + 'ss7-attack': '', + 'ssh-authorized-keys': '', + 'stix2-pattern': '', + 'suricata': '', + 'target-system': '', # TODO intel icons + 'threatgrid-report': '', + 'timecode': '', + 'timesketch_message': '', + 'timesketch-timeline': '', + 'timestamp': '', + 'tor-hiddenservice': '', + 'tor-node': '', + 'tracking-id': '', + 'transaction': '', + 'translation': '', + 'trustar_report': '', + 'TSK-Chats': '', + 'TSK-Web-Bookmark': '', + 'TSK-Web-Cookie': '', + 'TSK-Web-Downloads': '', + 'TSK-Web-History': '', + 'TSK-Web-Search-Query': '', + 'url': 'URL', + 'user-account': '', + 'vehicle': '', + 'victim': '', + 'virustotal-graph': '', + 'virustotal-report': '', + 'vulnerability': '', # TODO intel icons + 'weakness': '', # TODO intel icons + 'whois': 'UserID', + 'x509': '', + 'yabin': '', + 'yara': '', +} + +# All possible default icons shipped with Maltego - useful for auto_completion +# AccessCard +# AccessPoint +# Accident +# Accountant +# Add +# Admin +# AdultFemale +# AdultMale +# AffiliationAndroid +# AffiliationAnonymous +# AffiliationApple +# AffiliationBebo +# AffiliationBlogger +# AffiliationBuiltWith +# AffiliationCloud +# AffiliationColdfusion +# AffiliationDigg +# AffiliationDropbox +# AffiliationEbay +# AffiliationFacebook +# AffiliationFlickr +# AffiliationGoogleDrive +# AffiliationGooglePlus +# AffiliationInstagram +# AffiliationKik +# AffiliationLinkedIn +# AffiliationLinux +# AffiliationMeetup +# AffiliationMyspace +# AffiliationNewsvine +# AffiliationOrkut +# AffiliationPayPal +# AffiliationPicasa +# AffiliationPinterest +# Affiliation +# AffiliationReddit +# AffiliationRSS +# AffiliationSkype +# AffiliationSnapchat +# AffiliationSpock +# AffiliationTinder +# AffiliationTwitter +# AffiliationWechat +# AffiliationWhatsapp +# AffiliationWiki +# AffiliationWindows +# AffiliationWWF +# AffiliationYammer +# AffiliationYelp +# AffiliationYouTube +# AffiliationZoomInfo +# AircraftBomber +# AircraftCarrier +# AirCrash +# Airport +# Alarm +# Alias +# Alliance +# Ammunition +# Anarchy +# Antenna +# Apartments +# Army +# Artist +# Assemble +# Asteroid +# Atom +# Author +# Baby +# Backbone +# Ballerina +# BandAid +# BankAccount +# BankCard +# Banner +# Bear +# Bee +# Binary +# BioAgent +# Bit +# BlueAura +# Bomb +# BookPDF +# Book +# BorderCheckpoint +# Businessman +# BusinessPhoneSystem +# Bus +# CableUSB +# Camera +# Captive +# Cargo +# Car +# CashInTransit +# Cash +# CellNetwork +# Cemetery +# CEO +# Certificate +# Certification +# Champion +# CheckBox +# Checkpoint +# ChemicalAnalysis +# Child +# Church +# CircularArea +# City +# Clock +# ClusterOrange +# Cluster +# CoffeeShop +# ColoredBall +# Community +# Company +# ConferenceAudio +# Connect +# Contract +# ControlTower +# Cookies +# CrimeScene +# Criminal +# CV +# Dam +# DatabaseConnect +# DatabaseErase +# Database +# DateField +# Deceased +# Degree +# Delete +# Desert +# Desktop +# Destroy +# Diamond +# Diary +# Dictator +# Directions +# Disabled +# Disconnect +# DNACode +# Donation +# Donkey +# Drone +# DrugDealer +# Earthquake +# Elderly +# Elephant +# Email +# Encrypt +# Environment +# Erase +# Event +# Explosion +# Factory +# Farm +# FastFood +# Fax +# FieldDelete +# Field +# File +# FileSharing +# Files +# Filter +# FingerPrint +# FireForest +# Firewall +# Fix +# FlightNumber +# FlightPath +# Flood +# FloppyDisk +# Form +# GamingConsole +# GangBoss +# GangMember +# Gang +# GasStation +# Gateway +# Genealogy +# Genetic +# Geography +# GhostSighting +# GlobalWarming +# Gorilla +# GovermentOfficial +# Government +# GPS +# Green2Grey +# Green2Orange2Turquoise +# Green2Red2Blue +# Group +# Guard +# Gun +# Hacker +# Harbour +# HardDisk +# Harvest +# Hashtag +# Headphones +# Helicopter +# Home +# HospitalLocation +# Hostage +# Hotel +# Hurricane +# HydroPower +# IconManager +# ID +# IED +# ImageField +# Image +# Influencer +# InfoMessage +# InternetDocument +# InternetFastSpeed +# InternetIP +# InternetISP +# InternetMIMEDocs +# InternetMIMEFolder +# InternetMIME +# Internet +# InternetUser +# Invasion +# ISBN +# Island +# Judge +# KeyPrimary +# Keys +# KillerWhale +# Knife +# Last +# LawEnforcementOfficer +# Lawyer +# Leader +# License +# LinkBroke +# Link +# List +# Lobby +# Location +# Log +# MacAddress +# MaltegoGraph +# ManyIn +# Marijuana +# MedicalRecord +# Medicine +# MeetingBusiness +# MeetingSocial +# Memorial +# MergeCells +# Messenger +# MilitaryOfficer +# Mine +# MissileRPG +# MissingPerson +# MobileComputer +# MobileNet +# MobilePhone +# MobileUser +# Modem +# Monitoring +# Moon +# Mosque +# Motorbike +# Movie +# Murder +# MusicAlbum +# MusicSinger +# MusicSongwriter +# MXRecord +# MySQL +# Neighborhood +# NetAdmin +# NetworkAdmin +# NetworkAsymetric +# NetworkCardBlue +# NetworkCard +# NetworkConnector +# NetworkDistribution +# NetworkGlobal +# NetworkHub +# NetworkID +# NetworkIntranet +# NetworkISDN +# NetworkMonitor +# NetworkSoftware +# NetworkSymmetric +# News +# Node +# NSRecord +# NuclearPlant +# Nurse +# Objects +# OilField +# OilSpill +# OilWell +# OnlineGroup +# Orange2Green +# Orange2Purple +# Organization +# OSIModel +# Passport +# PasswordPHP +# Password +# Patient +# Person +# PetrolBomb +# PhoneConversation +# PhoneLandlineOffice +# PhoneLandlineResidential +# PhoneNumber +# Phrase +# Pilot +# Piracy +# Pirate +# Plane +# Planet +# Play +# Poison +# PoliticalParty +# Port +# PowerPlant +# Prescription +# PrisonCamp +# Prisoner +# Prison +# Privilege +# ProgressBar +# Protester +# Protest +# Protocol +# Purple2Turquoise +# PurplePink2Green +# PurplePink2Yellow2Blue +# QRCode +# Quarantine +# QuestionDialog +# Radar +# Radio +# Rain +# Red2Blue +# Red2Green +# Red2Yellow +# RefugeeCamp +# RegistrationPlate +# RegistryErase +# RelationshipModel +# Relationship +# RemoteControl +# Repeater +# Reporter +# Restaurant +# Resume +# Rhino +# Rocket +# Role +# Route +# Router +# Royalty +# RunningWater +# Satellite +# Savings +# School +# Science +# Scientist +# Script +# SecurityCameraMonitoring +# SecurityCheckpoints +# Security +# Seed +# Sentiment +# ServerBackup +# ServerChat +# ServerDNS +# ServerFTP +# ServerMicrosoftSQL +# Server +# ServerProxy +# Service +# SexOffender +# Sharing +# SharkAttack +# ShipContainer +# ShipCruise +# ShipPirate +# Ship +# ShipSpeed +# ShipTanker +# ShipTrawler +# ShipYacht +# Shop +# SIMCard +# SiteFTP +# SizeAllLinks +# SizeInLinks +# SizeOutLinks +# SmileConfused +# SmileMad +# Smile +# SmileSad +# SMS +# Sniffer +# Snow +# Socket +# SoftwareBlocking +# SoftwareCollaborative +# SoftwareFTP +# SoftwareManager +# SoftwareMeeting +# Software +# Soldier +# Solidarity +# Space +# SpaceStation +# Spider +# SplitCells +# Spy +# Spyware +# SQLQuery +# SSLCertificate +# SSL +# SSN +# Star +# Stop +# SuicideBomber +# SUNET +# Suspect +# SuspiciousPerson +# Switch +# Sybase +# SynagogueTemple +# Syndicate +# Table +# TabletTouch +# Tag +# Tank +# TargetPerson +# Target +# Taxi +# Technician +# Temple +# Terminal +# TerroristLeader +# TerroristMember +# TerroristThug +# Terror +# TextField +# Theatre +# Ticket +# TradeUnion +# Train +# TrainStation +# Transform +# Trojan +# Truck +# TsetseFly +# Tsunami +# Turquoise2Orange2Red +# Turquoise2Yellow +# TV +# UFOAbduction +# Underground +# Universe +# UnknownBody +# Unknown +# UPS +# Urgent +# URL +# USB +# UserID +# User +# Victim +# VideoCamera +# Videoconference +# VINNumber +# Virus +# Voice +# VOIP +# VolcanoEruption +# VPN +# WAN +# WebDir +# Website +# WiFi +# WindFarm +# WirelessRouter +# \ No newline at end of file diff --git a/src/MISP_maltego/transforms/common/util.py b/src/MISP_maltego/transforms/common/util.py index 9653d54..ac42cf3 100644 --- a/src/MISP_maltego/transforms/common/util.py +++ b/src/MISP_maltego/transforms/common/util.py @@ -1,8 +1,9 @@ -from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter +from canari.maltego.entities import Hash, URL, File, Person, Hashtag from canari.maltego.message import Label, LinkStyle, MaltegoException, Bookmark, LinkDirection, UIMessage, UIMessageType from canari.mode import is_local_exec_mode, is_remote_exec_mode from distutils.version import StrictVersion -from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, ThreatActor, Software, AttackTechnique +from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy +from MISP_maltego.transforms.common.mappings import mapping_object_icon, mapping_misp_to_maltego, mapping_galaxy_icon, mapping_galaxy_type from pymisp import ExpandedPyMISP as PyMISP import json import os @@ -15,108 +16,6 @@ import time __version__ = '1.4.3' # also update version in setup.py -mapping_misp_to_maltego = { - 'AS': [AS], - 'domain': [Domain, NSRecord, Website, DNSName], - 'email-dst': [EmailAddress], - 'email-src': [EmailAddress], - 'filename': [File], - 'hostname': [Website, NSRecord, Domain, DNSName], - 'ip': [IPv4Address], - 'ip-dst': [IPv4Address], - 'ip-src': [IPv4Address], - 'md5': [Hash], - 'phone-number': [PhoneNumber], - 'sha1': [Hash], - 'sha224': [Hash], - 'sha256': [Hash], - 'sha384': [Hash], - 'sha512': [Hash], - 'sha512/224': [Hash], - 'sha512/256': [Hash], - 'ssdeep': [Hash], - 'impfuzzy': [Hash], - 'uri': [URL], - 'url': [URL], - - 'whois-registrant-email': [EmailAddress], - 'country-of-residence': [Location], - 'github-organisation': [Company], - 'github-username': [Alias], - 'imphash': [Hash], - 'jabber-id': [Alias], - 'passport-country': [Location], - 'place-of-birth': [Location], - 'port': [Port], - 'target-email': [EmailAddress], - 'target-location': [Location], - 'target-org': [Company], - 'target-user': [Alias], - 'twitter-id': [Twitter], - # object mappings - 'nameserver': [NSRecord], - # TODO add more object mappings - # custom types created internally for technical reasons - # 'rekey_value': [Unknown] -} - -mapping_galaxy_icon = { - # "android": "malware", # "android", - "btc": "ransomware", - "bug": "vulnerability", - # "cart-arrow-down": "malware", #"tds", - "chain": "course_of_action", - "door-open": "backdoor", - "eye": "malware", - "gavel": "tool", - # "globe": "cert-eu-govsector", - # "industry": "sector", - # "internet-explorer": "exploit-kit", - "key": "stealer", - "map": "attack_pattern", - "optin-monster": "malware", - # "shield": "malpedia", - # "shield": "preventive-measure", - "sitemap": "botnet", - "usd": "malware", # "banker", - # "user-secret": "mitre-intrusion-set", - "user-secret": "threat_actor", -} - -mapping_galaxy_type = { - # 'amitt-misinformation-pattern': '', - 'android': Software, - 'backdoor': Software, - 'banker': Software, - 'botnet': Software, - # 'branded-vulnerability': '', - # 'cert-eu-govsector': '', - 'cloud-security': AttackTechnique, - 'exploit-kit': Software, - 'financial-fraud': AttackTechnique, - 'guidelines': AttackTechnique, - 'malpedia': Software, - 'microsoft-activity-group': ThreatActor, - 'mitre-attack-pattern': AttackTechnique, - # 'mitre-course-of-action': '', - 'mitre-intrusion-set': ThreatActor, - 'mitre-malware': Software, - 'mitre-tool': Software, - # 'preventive-measure': '', - 'ransomware': Software, - 'rat': Software, - # 'region': '', - # 'sector': '', - 'social-dark-patterns': AttackTechnique, - 'stealer': Software, - 'surveillance-vendor': ThreatActor, - # 'target-information': '', - 'tds': Software, - 'threat-actor': ThreatActor, - 'tool': Software -} - - tag_note_prefixes = ['tlp:', 'PAP:', 'de-vs:', 'euci:', 'fr-classif:', 'nato:'] misp_connection = None @@ -278,11 +177,17 @@ def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False): def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOutput): + misp = get_misp_connection() + # find a nice icon for it + try: + icon_url = mapping_object_icon[o['name']] + except KeyError: + # it's not in our mapping, just ignore and leave the default icon + icon_url = None # Generate a human readable display-name: # - find the first RequiredOneOf that exists # - if none, use the first RequiredField # LATER further finetune the human readable version of this object - misp = get_misp_connection() o_template = misp.get_object_template(o['template_uuid']) human_readable = None try: @@ -295,7 +200,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut break for a in o['Attribute']: if a['type'] == required_a_type: - human_readable = '{}: {}'.format(o['name'], a['value']) + human_readable = '{}:\n{}'.format(o['name'], a['value']) found = True break except Exception: @@ -313,10 +218,9 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut if a['type'] == required_a_type: parts.append(a['value']) break - human_readable = '{}: {}'.format(o['name'], '|'.join(parts)) + human_readable = '{}:\n{}'.format(o['name'], '|'.join(parts)) except Exception: human_readable = o['name'] - pass return MISPObject( human_readable, uuid=o['uuid'], @@ -324,6 +228,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut meta_category=o.get('meta_category'), description=o.get('description'), comment=o.get('comment'), + icon_url=icon_url, link_label=link_label, link_direction=link_direction, bookmark=Bookmark.Green @@ -454,9 +359,8 @@ def galaxycluster_to_entity(c, link_label=None, link_direction=LinkDirection.Inp try: icon_url = mapping_galaxy_icon[galaxy_cluster['icon']] except KeyError: + # it's not in our mapping, just ignore and leave the default icon icon_url = None - # it's not in our mapping, just ignore and leave the default Galaxy icon - pass # create the right sub-galaxy: ThreatActor, Software, AttackTechnique, ... or MISPGalaxy try: