new: [objects] custom icons for objects
parent
f7cb8740ce
commit
9751947b18
Binary file not shown.
After Width: | Height: | Size: 20 KiB |
Binary file not shown.
After Width: | Height: | Size: 19 KiB |
|
@ -0,0 +1,766 @@
|
|||
from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Location, Company, Alias, Port, Twitter
|
||||
from MISP_maltego.transforms.common.entities import ThreatActor, Software, AttackTechnique
|
||||
|
||||
mapping_misp_to_maltego = {
|
||||
'AS': [AS],
|
||||
'domain': [Domain, NSRecord, Website, DNSName],
|
||||
'email-dst': [EmailAddress],
|
||||
'email-src': [EmailAddress],
|
||||
'filename': [File],
|
||||
'hostname': [Website, NSRecord, Domain, DNSName],
|
||||
'ip': [IPv4Address],
|
||||
'ip-dst': [IPv4Address],
|
||||
'ip-src': [IPv4Address],
|
||||
'md5': [Hash],
|
||||
'phone-number': [PhoneNumber],
|
||||
'sha1': [Hash],
|
||||
'sha224': [Hash],
|
||||
'sha256': [Hash],
|
||||
'sha384': [Hash],
|
||||
'sha512': [Hash],
|
||||
'sha512/224': [Hash],
|
||||
'sha512/256': [Hash],
|
||||
'ssdeep': [Hash],
|
||||
'impfuzzy': [Hash],
|
||||
'uri': [URL],
|
||||
'url': [URL],
|
||||
|
||||
'whois-registrant-email': [EmailAddress],
|
||||
'country-of-residence': [Location],
|
||||
'github-organisation': [Company],
|
||||
'github-username': [Alias],
|
||||
'imphash': [Hash],
|
||||
'jabber-id': [Alias],
|
||||
'passport-country': [Location],
|
||||
'place-of-birth': [Location],
|
||||
'port': [Port],
|
||||
'target-email': [EmailAddress],
|
||||
'target-location': [Location],
|
||||
'target-org': [Company],
|
||||
'target-user': [Alias],
|
||||
'twitter-id': [Twitter],
|
||||
# object mappings
|
||||
'nameserver': [NSRecord],
|
||||
# TODO add more object mappings
|
||||
# custom types created internally for technical reasons
|
||||
# 'rekey_value': [Unknown]
|
||||
}
|
||||
|
||||
mapping_galaxy_icon = {
|
||||
# "android": "malware", # "android",
|
||||
"btc": "ransomware",
|
||||
"bug": "vulnerability",
|
||||
# "cart-arrow-down": "malware", #"tds",
|
||||
"chain": "course_of_action",
|
||||
"door-open": "backdoor",
|
||||
"eye": "malware",
|
||||
"gavel": "tool",
|
||||
# "globe": "cert-eu-govsector",
|
||||
# "industry": "sector",
|
||||
# "internet-explorer": "exploit-kit",
|
||||
"key": "stealer",
|
||||
"map": "attack_pattern",
|
||||
"optin-monster": "malware",
|
||||
# "shield": "malpedia",
|
||||
# "shield": "preventive-measure",
|
||||
"sitemap": "botnet",
|
||||
"usd": "malware", # "banker",
|
||||
# "user-secret": "mitre-intrusion-set",
|
||||
"user-secret": "threat_actor",
|
||||
}
|
||||
|
||||
mapping_galaxy_type = {
|
||||
# 'amitt-misinformation-pattern': '',
|
||||
'android': Software,
|
||||
'backdoor': Software,
|
||||
'banker': Software,
|
||||
'botnet': Software,
|
||||
# 'branded-vulnerability': '',
|
||||
# 'cert-eu-govsector': '',
|
||||
'cloud-security': AttackTechnique,
|
||||
'exploit-kit': Software,
|
||||
'financial-fraud': AttackTechnique,
|
||||
'guidelines': AttackTechnique,
|
||||
'malpedia': Software,
|
||||
'microsoft-activity-group': ThreatActor,
|
||||
'mitre-attack-pattern': AttackTechnique,
|
||||
# 'mitre-course-of-action': '',
|
||||
'mitre-intrusion-set': ThreatActor,
|
||||
'mitre-malware': Software,
|
||||
'mitre-tool': Software,
|
||||
# 'preventive-measure': '',
|
||||
'ransomware': Software,
|
||||
'rat': Software,
|
||||
# 'region': '',
|
||||
# 'sector': '',
|
||||
'social-dark-patterns': AttackTechnique,
|
||||
'stealer': Software,
|
||||
'surveillance-vendor': ThreatActor,
|
||||
# 'target-information': '',
|
||||
'tds': Software,
|
||||
'threat-actor': ThreatActor,
|
||||
'tool': Software
|
||||
}
|
||||
|
||||
mapping_object_icon = {
|
||||
'ail-leak': '',
|
||||
'ais-info': '',
|
||||
'android-permission': '',
|
||||
'annotation': '',
|
||||
'anonymisation': '',
|
||||
'asn': '',
|
||||
'attack-pattern': '',
|
||||
'authenticode-signerinfo': '',
|
||||
'av-signature': '',
|
||||
'bank-account': '',
|
||||
'bgp-hijack': '',
|
||||
'blog': '',
|
||||
'btc-transaction': '',
|
||||
'btc-wallet': '',
|
||||
'cap-alert': '',
|
||||
'cap-info': '',
|
||||
'cap-resource': '',
|
||||
'coin-address': '',
|
||||
'command': '',
|
||||
'command-line': '',
|
||||
'cookie': '',
|
||||
'cortex': '',
|
||||
'cortex-taxonomy': '',
|
||||
'course-of-action': '',
|
||||
'covid19-csse-daily-report': '',
|
||||
'covid19-dxy-live-city': '',
|
||||
'covid19-dxy-live-province': '',
|
||||
'cowrie': '',
|
||||
'credential': '',
|
||||
'credit-card': '',
|
||||
'crypto-material': '',
|
||||
'cytomic_orion': '',
|
||||
'cytomic_orion_machine': '',
|
||||
'dark-pattern': '',
|
||||
'ddos': '',
|
||||
'device': '',
|
||||
'diameter-attack': '',
|
||||
'dns-record': 'ServerDNS',
|
||||
'domain-crawled': '',
|
||||
'domain-ip': 'NetworkGlobal',
|
||||
'elf': '',
|
||||
'elf-section': '',
|
||||
'email': 'Email',
|
||||
'employee': 'Person',
|
||||
'exploit-poc': 'Person',
|
||||
'facial-composite': '',
|
||||
'fail2ban': '',
|
||||
'file': 'File',
|
||||
'forensic-case': '',
|
||||
'forensic-evidence': '',
|
||||
'forged-document': '',
|
||||
'geolocation': '',
|
||||
'gtp-attack': '',
|
||||
'http-request': 'URL',
|
||||
'ilr-impact': '',
|
||||
'ilr-notification-incident': '',
|
||||
'impersonation': '',
|
||||
'imsi-catcher': '',
|
||||
'instant-message': '',
|
||||
'instant-message-group': '',
|
||||
'intelmq_event': '',
|
||||
'intelmq_report': '',
|
||||
'internal-reference': '',
|
||||
'interpol-notice': '',
|
||||
'iot-device': '',
|
||||
'iot-firmware': '',
|
||||
'ip-api-address': '',
|
||||
'ip-port': 'NetworkCard',
|
||||
'irc': '',
|
||||
'ja3': '',
|
||||
'leaked-document': 'InternetDocument',
|
||||
'legal-entity': '',
|
||||
'lnk': 'File',
|
||||
'macho': '',
|
||||
'macho-section': '',
|
||||
'mactime-timeline-analysis': '',
|
||||
'malware-config': '',
|
||||
'meme-image': '',
|
||||
'microblog': '',
|
||||
'mutex': '',
|
||||
'netflow': '',
|
||||
'network-connection': '',
|
||||
'network-socket': '',
|
||||
'news-agency': '',
|
||||
'news-media': '',
|
||||
'organization': '',
|
||||
'original-imported-file': '',
|
||||
'passive-dns': 'ServerDNS',
|
||||
'paste': '',
|
||||
'pcap-metadata': '',
|
||||
'pe': '',
|
||||
'person': 'Person',
|
||||
'pe-section': '',
|
||||
'pgp-meta': '',
|
||||
'phishing': '',
|
||||
'phishing-kit': '',
|
||||
'phone': '',
|
||||
'process': '',
|
||||
'python-etvx-event-log': '',
|
||||
'r2graphity': '',
|
||||
'regexp': '',
|
||||
'registry-key': '',
|
||||
'regripper-NTUser': '',
|
||||
'regripper-sam-hive-single-user': '',
|
||||
'regripper-sam-hive-user-group': '',
|
||||
'regripper-software-hive-appInit-DLLS': '',
|
||||
'regripper-software-hive-application-paths': '',
|
||||
'regripper-software-hive-applications-installed': '',
|
||||
'regripper-software-hive-BHO': '',
|
||||
'regripper-software-hive-command-shell': '',
|
||||
'regripper-software-hive-general-windows-info': '',
|
||||
'regripper-software-hive-software-run': '',
|
||||
'regripper-software-hive-userprofile-winlogon': '',
|
||||
'regripper-system-hive-firewall-configuration': '',
|
||||
'regripper-system-hive-general-configuration': '',
|
||||
'regripper-system-hive-network-information': '',
|
||||
'regripper-system-hive-service-drivers': '',
|
||||
'report': '',
|
||||
'research-scanner': '',
|
||||
'rogue-dns': '',
|
||||
'rtir': '',
|
||||
'sandbox-report': '',
|
||||
'sb-signature': '',
|
||||
'scrippsco2-c13-daily': '',
|
||||
'scrippsco2-c13-monthly': '',
|
||||
'scrippsco2-co2-daily': '',
|
||||
'scrippsco2-co2-monthly': '',
|
||||
'scrippsco2-o18-daily': '',
|
||||
'scrippsco2-o18-monthly': '',
|
||||
'script': '',
|
||||
'shell-commands': '',
|
||||
'shodan-report': '',
|
||||
'shortened-link': '',
|
||||
'short-message-service': '',
|
||||
'splunk': '',
|
||||
'ss7-attack': '',
|
||||
'ssh-authorized-keys': '',
|
||||
'stix2-pattern': '',
|
||||
'suricata': '',
|
||||
'target-system': '', # TODO intel icons
|
||||
'threatgrid-report': '',
|
||||
'timecode': '',
|
||||
'timesketch_message': '',
|
||||
'timesketch-timeline': '',
|
||||
'timestamp': '',
|
||||
'tor-hiddenservice': '',
|
||||
'tor-node': '',
|
||||
'tracking-id': '',
|
||||
'transaction': '',
|
||||
'translation': '',
|
||||
'trustar_report': '',
|
||||
'TSK-Chats': '',
|
||||
'TSK-Web-Bookmark': '',
|
||||
'TSK-Web-Cookie': '',
|
||||
'TSK-Web-Downloads': '',
|
||||
'TSK-Web-History': '',
|
||||
'TSK-Web-Search-Query': '',
|
||||
'url': 'URL',
|
||||
'user-account': '',
|
||||
'vehicle': '',
|
||||
'victim': '',
|
||||
'virustotal-graph': '',
|
||||
'virustotal-report': '',
|
||||
'vulnerability': '', # TODO intel icons
|
||||
'weakness': '', # TODO intel icons
|
||||
'whois': 'UserID',
|
||||
'x509': '',
|
||||
'yabin': '',
|
||||
'yara': '',
|
||||
}
|
||||
|
||||
# All possible default icons shipped with Maltego - useful for auto_completion
|
||||
# AccessCard
|
||||
# AccessPoint
|
||||
# Accident
|
||||
# Accountant
|
||||
# Add
|
||||
# Admin
|
||||
# AdultFemale
|
||||
# AdultMale
|
||||
# AffiliationAndroid
|
||||
# AffiliationAnonymous
|
||||
# AffiliationApple
|
||||
# AffiliationBebo
|
||||
# AffiliationBlogger
|
||||
# AffiliationBuiltWith
|
||||
# AffiliationCloud
|
||||
# AffiliationColdfusion
|
||||
# AffiliationDigg
|
||||
# AffiliationDropbox
|
||||
# AffiliationEbay
|
||||
# AffiliationFacebook
|
||||
# AffiliationFlickr
|
||||
# AffiliationGoogleDrive
|
||||
# AffiliationGooglePlus
|
||||
# AffiliationInstagram
|
||||
# AffiliationKik
|
||||
# AffiliationLinkedIn
|
||||
# AffiliationLinux
|
||||
# AffiliationMeetup
|
||||
# AffiliationMyspace
|
||||
# AffiliationNewsvine
|
||||
# AffiliationOrkut
|
||||
# AffiliationPayPal
|
||||
# AffiliationPicasa
|
||||
# AffiliationPinterest
|
||||
# Affiliation
|
||||
# AffiliationReddit
|
||||
# AffiliationRSS
|
||||
# AffiliationSkype
|
||||
# AffiliationSnapchat
|
||||
# AffiliationSpock
|
||||
# AffiliationTinder
|
||||
# AffiliationTwitter
|
||||
# AffiliationWechat
|
||||
# AffiliationWhatsapp
|
||||
# AffiliationWiki
|
||||
# AffiliationWindows
|
||||
# AffiliationWWF
|
||||
# AffiliationYammer
|
||||
# AffiliationYelp
|
||||
# AffiliationYouTube
|
||||
# AffiliationZoomInfo
|
||||
# AircraftBomber
|
||||
# AircraftCarrier
|
||||
# AirCrash
|
||||
# Airport
|
||||
# Alarm
|
||||
# Alias
|
||||
# Alliance
|
||||
# Ammunition
|
||||
# Anarchy
|
||||
# Antenna
|
||||
# Apartments
|
||||
# Army
|
||||
# Artist
|
||||
# Assemble
|
||||
# Asteroid
|
||||
# Atom
|
||||
# Author
|
||||
# Baby
|
||||
# Backbone
|
||||
# Ballerina
|
||||
# BandAid
|
||||
# BankAccount
|
||||
# BankCard
|
||||
# Banner
|
||||
# Bear
|
||||
# Bee
|
||||
# Binary
|
||||
# BioAgent
|
||||
# Bit
|
||||
# BlueAura
|
||||
# Bomb
|
||||
# BookPDF
|
||||
# Book
|
||||
# BorderCheckpoint
|
||||
# Businessman
|
||||
# BusinessPhoneSystem
|
||||
# Bus
|
||||
# CableUSB
|
||||
# Camera
|
||||
# Captive
|
||||
# Cargo
|
||||
# Car
|
||||
# CashInTransit
|
||||
# Cash
|
||||
# CellNetwork
|
||||
# Cemetery
|
||||
# CEO
|
||||
# Certificate
|
||||
# Certification
|
||||
# Champion
|
||||
# CheckBox
|
||||
# Checkpoint
|
||||
# ChemicalAnalysis
|
||||
# Child
|
||||
# Church
|
||||
# CircularArea
|
||||
# City
|
||||
# Clock
|
||||
# ClusterOrange
|
||||
# Cluster
|
||||
# CoffeeShop
|
||||
# ColoredBall
|
||||
# Community
|
||||
# Company
|
||||
# ConferenceAudio
|
||||
# Connect
|
||||
# Contract
|
||||
# ControlTower
|
||||
# Cookies
|
||||
# CrimeScene
|
||||
# Criminal
|
||||
# CV
|
||||
# Dam
|
||||
# DatabaseConnect
|
||||
# DatabaseErase
|
||||
# Database
|
||||
# DateField
|
||||
# Deceased
|
||||
# Degree
|
||||
# Delete
|
||||
# Desert
|
||||
# Desktop
|
||||
# Destroy
|
||||
# Diamond
|
||||
# Diary
|
||||
# Dictator
|
||||
# Directions
|
||||
# Disabled
|
||||
# Disconnect
|
||||
# DNACode
|
||||
# Donation
|
||||
# Donkey
|
||||
# Drone
|
||||
# DrugDealer
|
||||
# Earthquake
|
||||
# Elderly
|
||||
# Elephant
|
||||
# Email
|
||||
# Encrypt
|
||||
# Environment
|
||||
# Erase
|
||||
# Event
|
||||
# Explosion
|
||||
# Factory
|
||||
# Farm
|
||||
# FastFood
|
||||
# Fax
|
||||
# FieldDelete
|
||||
# Field
|
||||
# File
|
||||
# FileSharing
|
||||
# Files
|
||||
# Filter
|
||||
# FingerPrint
|
||||
# FireForest
|
||||
# Firewall
|
||||
# Fix
|
||||
# FlightNumber
|
||||
# FlightPath
|
||||
# Flood
|
||||
# FloppyDisk
|
||||
# Form
|
||||
# GamingConsole
|
||||
# GangBoss
|
||||
# GangMember
|
||||
# Gang
|
||||
# GasStation
|
||||
# Gateway
|
||||
# Genealogy
|
||||
# Genetic
|
||||
# Geography
|
||||
# GhostSighting
|
||||
# GlobalWarming
|
||||
# Gorilla
|
||||
# GovermentOfficial
|
||||
# Government
|
||||
# GPS
|
||||
# Green2Grey
|
||||
# Green2Orange2Turquoise
|
||||
# Green2Red2Blue
|
||||
# Group
|
||||
# Guard
|
||||
# Gun
|
||||
# Hacker
|
||||
# Harbour
|
||||
# HardDisk
|
||||
# Harvest
|
||||
# Hashtag
|
||||
# Headphones
|
||||
# Helicopter
|
||||
# Home
|
||||
# HospitalLocation
|
||||
# Hostage
|
||||
# Hotel
|
||||
# Hurricane
|
||||
# HydroPower
|
||||
# IconManager
|
||||
# ID
|
||||
# IED
|
||||
# ImageField
|
||||
# Image
|
||||
# Influencer
|
||||
# InfoMessage
|
||||
# InternetDocument
|
||||
# InternetFastSpeed
|
||||
# InternetIP
|
||||
# InternetISP
|
||||
# InternetMIMEDocs
|
||||
# InternetMIMEFolder
|
||||
# InternetMIME
|
||||
# Internet
|
||||
# InternetUser
|
||||
# Invasion
|
||||
# ISBN
|
||||
# Island
|
||||
# Judge
|
||||
# KeyPrimary
|
||||
# Keys
|
||||
# KillerWhale
|
||||
# Knife
|
||||
# Last
|
||||
# LawEnforcementOfficer
|
||||
# Lawyer
|
||||
# Leader
|
||||
# License
|
||||
# LinkBroke
|
||||
# Link
|
||||
# List
|
||||
# Lobby
|
||||
# Location
|
||||
# Log
|
||||
# MacAddress
|
||||
# MaltegoGraph
|
||||
# ManyIn
|
||||
# Marijuana
|
||||
# MedicalRecord
|
||||
# Medicine
|
||||
# MeetingBusiness
|
||||
# MeetingSocial
|
||||
# Memorial
|
||||
# MergeCells
|
||||
# Messenger
|
||||
# MilitaryOfficer
|
||||
# Mine
|
||||
# MissileRPG
|
||||
# MissingPerson
|
||||
# MobileComputer
|
||||
# MobileNet
|
||||
# MobilePhone
|
||||
# MobileUser
|
||||
# Modem
|
||||
# Monitoring
|
||||
# Moon
|
||||
# Mosque
|
||||
# Motorbike
|
||||
# Movie
|
||||
# Murder
|
||||
# MusicAlbum
|
||||
# MusicSinger
|
||||
# MusicSongwriter
|
||||
# MXRecord
|
||||
# MySQL
|
||||
# Neighborhood
|
||||
# NetAdmin
|
||||
# NetworkAdmin
|
||||
# NetworkAsymetric
|
||||
# NetworkCardBlue
|
||||
# NetworkCard
|
||||
# NetworkConnector
|
||||
# NetworkDistribution
|
||||
# NetworkGlobal
|
||||
# NetworkHub
|
||||
# NetworkID
|
||||
# NetworkIntranet
|
||||
# NetworkISDN
|
||||
# NetworkMonitor
|
||||
# NetworkSoftware
|
||||
# NetworkSymmetric
|
||||
# News
|
||||
# Node
|
||||
# NSRecord
|
||||
# NuclearPlant
|
||||
# Nurse
|
||||
# Objects
|
||||
# OilField
|
||||
# OilSpill
|
||||
# OilWell
|
||||
# OnlineGroup
|
||||
# Orange2Green
|
||||
# Orange2Purple
|
||||
# Organization
|
||||
# OSIModel
|
||||
# Passport
|
||||
# PasswordPHP
|
||||
# Password
|
||||
# Patient
|
||||
# Person
|
||||
# PetrolBomb
|
||||
# PhoneConversation
|
||||
# PhoneLandlineOffice
|
||||
# PhoneLandlineResidential
|
||||
# PhoneNumber
|
||||
# Phrase
|
||||
# Pilot
|
||||
# Piracy
|
||||
# Pirate
|
||||
# Plane
|
||||
# Planet
|
||||
# Play
|
||||
# Poison
|
||||
# PoliticalParty
|
||||
# Port
|
||||
# PowerPlant
|
||||
# Prescription
|
||||
# PrisonCamp
|
||||
# Prisoner
|
||||
# Prison
|
||||
# Privilege
|
||||
# ProgressBar
|
||||
# Protester
|
||||
# Protest
|
||||
# Protocol
|
||||
# Purple2Turquoise
|
||||
# PurplePink2Green
|
||||
# PurplePink2Yellow2Blue
|
||||
# QRCode
|
||||
# Quarantine
|
||||
# QuestionDialog
|
||||
# Radar
|
||||
# Radio
|
||||
# Rain
|
||||
# Red2Blue
|
||||
# Red2Green
|
||||
# Red2Yellow
|
||||
# RefugeeCamp
|
||||
# RegistrationPlate
|
||||
# RegistryErase
|
||||
# RelationshipModel
|
||||
# Relationship
|
||||
# RemoteControl
|
||||
# Repeater
|
||||
# Reporter
|
||||
# Restaurant
|
||||
# Resume
|
||||
# Rhino
|
||||
# Rocket
|
||||
# Role
|
||||
# Route
|
||||
# Router
|
||||
# Royalty
|
||||
# RunningWater
|
||||
# Satellite
|
||||
# Savings
|
||||
# School
|
||||
# Science
|
||||
# Scientist
|
||||
# Script
|
||||
# SecurityCameraMonitoring
|
||||
# SecurityCheckpoints
|
||||
# Security
|
||||
# Seed
|
||||
# Sentiment
|
||||
# ServerBackup
|
||||
# ServerChat
|
||||
# ServerDNS
|
||||
# ServerFTP
|
||||
# ServerMicrosoftSQL
|
||||
# Server
|
||||
# ServerProxy
|
||||
# Service
|
||||
# SexOffender
|
||||
# Sharing
|
||||
# SharkAttack
|
||||
# ShipContainer
|
||||
# ShipCruise
|
||||
# ShipPirate
|
||||
# Ship
|
||||
# ShipSpeed
|
||||
# ShipTanker
|
||||
# ShipTrawler
|
||||
# ShipYacht
|
||||
# Shop
|
||||
# SIMCard
|
||||
# SiteFTP
|
||||
# SizeAllLinks
|
||||
# SizeInLinks
|
||||
# SizeOutLinks
|
||||
# SmileConfused
|
||||
# SmileMad
|
||||
# Smile
|
||||
# SmileSad
|
||||
# SMS
|
||||
# Sniffer
|
||||
# Snow
|
||||
# Socket
|
||||
# SoftwareBlocking
|
||||
# SoftwareCollaborative
|
||||
# SoftwareFTP
|
||||
# SoftwareManager
|
||||
# SoftwareMeeting
|
||||
# Software
|
||||
# Soldier
|
||||
# Solidarity
|
||||
# Space
|
||||
# SpaceStation
|
||||
# Spider
|
||||
# SplitCells
|
||||
# Spy
|
||||
# Spyware
|
||||
# SQLQuery
|
||||
# SSLCertificate
|
||||
# SSL
|
||||
# SSN
|
||||
# Star
|
||||
# Stop
|
||||
# SuicideBomber
|
||||
# SUNET
|
||||
# Suspect
|
||||
# SuspiciousPerson
|
||||
# Switch
|
||||
# Sybase
|
||||
# SynagogueTemple
|
||||
# Syndicate
|
||||
# Table
|
||||
# TabletTouch
|
||||
# Tag
|
||||
# Tank
|
||||
# TargetPerson
|
||||
# Target
|
||||
# Taxi
|
||||
# Technician
|
||||
# Temple
|
||||
# Terminal
|
||||
# TerroristLeader
|
||||
# TerroristMember
|
||||
# TerroristThug
|
||||
# Terror
|
||||
# TextField
|
||||
# Theatre
|
||||
# Ticket
|
||||
# TradeUnion
|
||||
# Train
|
||||
# TrainStation
|
||||
# Transform
|
||||
# Trojan
|
||||
# Truck
|
||||
# TsetseFly
|
||||
# Tsunami
|
||||
# Turquoise2Orange2Red
|
||||
# Turquoise2Yellow
|
||||
# TV
|
||||
# UFOAbduction
|
||||
# Underground
|
||||
# Universe
|
||||
# UnknownBody
|
||||
# Unknown
|
||||
# UPS
|
||||
# Urgent
|
||||
# URL
|
||||
# USB
|
||||
# UserID
|
||||
# User
|
||||
# Victim
|
||||
# VideoCamera
|
||||
# Videoconference
|
||||
# VINNumber
|
||||
# Virus
|
||||
# Voice
|
||||
# VOIP
|
||||
# VolcanoEruption
|
||||
# VPN
|
||||
# WAN
|
||||
# WebDir
|
||||
# Website
|
||||
# WiFi
|
||||
# WindFarm
|
||||
# WirelessRouter
|
||||
#
|
|
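Review bot: `'exploit-poc': 'Person'` looks like a copy-paste of the `'employee': 'Person'` entry directly above it; an exploit proof-of-concept object drawn with a person icon actively misleads whoever reads the graph, and the Maltego defaults listed at the bottom of this file offer `Binary`, `Script` or `Virus` as closer fits (`'exploit-poc': 'Script',`, or `''` until a deliberate choice is made). Separately, the bulk of `mapping_object_icon` maps to the empty string rather than omitting the key, so `object_to_entity` receives `''` as an icon name for most object templates; whether canari and Maltego treat `''` like "no icon" or emit an empty `<IconURL>` is not visible here, so either drop the empty entries (the caller already handles `KeyError`) or keep them only once that behaviour has been confirmed. `'whois': 'UserID'` also reads as an odd pairing, since a WHOIS object describes a registration rather than a user identity, though it may be intentional. A short module docstring saying that values are Maltego built-in icon names (and that `''` is meant as "use the default") would make the table self-explanatory.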
@ -1,8 +1,9 @@
|
|||
from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
|
||||
from canari.maltego.entities import Hash, URL, File, Person, Hashtag
|
||||
from canari.maltego.message import Label, LinkStyle, MaltegoException, Bookmark, LinkDirection, UIMessage, UIMessageType
|
||||
from canari.mode import is_local_exec_mode, is_remote_exec_mode
|
||||
from distutils.version import StrictVersion
|
||||
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, ThreatActor, Software, AttackTechnique
|
||||
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy
|
||||
from MISP_maltego.transforms.common.mappings import mapping_object_icon, mapping_misp_to_maltego, mapping_galaxy_icon, mapping_galaxy_type
|
||||
from pymisp import ExpandedPyMISP as PyMISP
|
||||
import json
|
||||
import os
|
||||
|
@ -15,108 +16,6 @@ import time
|
|||
|
||||
__version__ = '1.4.3' # also update version in setup.py
|
||||
|
||||
mapping_misp_to_maltego = {
|
||||
'AS': [AS],
|
||||
'domain': [Domain, NSRecord, Website, DNSName],
|
||||
'email-dst': [EmailAddress],
|
||||
'email-src': [EmailAddress],
|
||||
'filename': [File],
|
||||
'hostname': [Website, NSRecord, Domain, DNSName],
|
||||
'ip': [IPv4Address],
|
||||
'ip-dst': [IPv4Address],
|
||||
'ip-src': [IPv4Address],
|
||||
'md5': [Hash],
|
||||
'phone-number': [PhoneNumber],
|
||||
'sha1': [Hash],
|
||||
'sha224': [Hash],
|
||||
'sha256': [Hash],
|
||||
'sha384': [Hash],
|
||||
'sha512': [Hash],
|
||||
'sha512/224': [Hash],
|
||||
'sha512/256': [Hash],
|
||||
'ssdeep': [Hash],
|
||||
'impfuzzy': [Hash],
|
||||
'uri': [URL],
|
||||
'url': [URL],
|
||||
|
||||
'whois-registrant-email': [EmailAddress],
|
||||
'country-of-residence': [Location],
|
||||
'github-organisation': [Company],
|
||||
'github-username': [Alias],
|
||||
'imphash': [Hash],
|
||||
'jabber-id': [Alias],
|
||||
'passport-country': [Location],
|
||||
'place-of-birth': [Location],
|
||||
'port': [Port],
|
||||
'target-email': [EmailAddress],
|
||||
'target-location': [Location],
|
||||
'target-org': [Company],
|
||||
'target-user': [Alias],
|
||||
'twitter-id': [Twitter],
|
||||
# object mappings
|
||||
'nameserver': [NSRecord],
|
||||
# TODO add more object mappings
|
||||
# custom types created internally for technical reasons
|
||||
# 'rekey_value': [Unknown]
|
||||
}
|
||||
|
||||
mapping_galaxy_icon = {
|
||||
# "android": "malware", # "android",
|
||||
"btc": "ransomware",
|
||||
"bug": "vulnerability",
|
||||
# "cart-arrow-down": "malware", #"tds",
|
||||
"chain": "course_of_action",
|
||||
"door-open": "backdoor",
|
||||
"eye": "malware",
|
||||
"gavel": "tool",
|
||||
# "globe": "cert-eu-govsector",
|
||||
# "industry": "sector",
|
||||
# "internet-explorer": "exploit-kit",
|
||||
"key": "stealer",
|
||||
"map": "attack_pattern",
|
||||
"optin-monster": "malware",
|
||||
# "shield": "malpedia",
|
||||
# "shield": "preventive-measure",
|
||||
"sitemap": "botnet",
|
||||
"usd": "malware", # "banker",
|
||||
# "user-secret": "mitre-intrusion-set",
|
||||
"user-secret": "threat_actor",
|
||||
}
|
||||
|
||||
mapping_galaxy_type = {
|
||||
# 'amitt-misinformation-pattern': '',
|
||||
'android': Software,
|
||||
'backdoor': Software,
|
||||
'banker': Software,
|
||||
'botnet': Software,
|
||||
# 'branded-vulnerability': '',
|
||||
# 'cert-eu-govsector': '',
|
||||
'cloud-security': AttackTechnique,
|
||||
'exploit-kit': Software,
|
||||
'financial-fraud': AttackTechnique,
|
||||
'guidelines': AttackTechnique,
|
||||
'malpedia': Software,
|
||||
'microsoft-activity-group': ThreatActor,
|
||||
'mitre-attack-pattern': AttackTechnique,
|
||||
# 'mitre-course-of-action': '',
|
||||
'mitre-intrusion-set': ThreatActor,
|
||||
'mitre-malware': Software,
|
||||
'mitre-tool': Software,
|
||||
# 'preventive-measure': '',
|
||||
'ransomware': Software,
|
||||
'rat': Software,
|
||||
# 'region': '',
|
||||
# 'sector': '',
|
||||
'social-dark-patterns': AttackTechnique,
|
||||
'stealer': Software,
|
||||
'surveillance-vendor': ThreatActor,
|
||||
# 'target-information': '',
|
||||
'tds': Software,
|
||||
'threat-actor': ThreatActor,
|
||||
'tool': Software
|
||||
}
|
||||
|
||||
|
||||
tag_note_prefixes = ['tlp:', 'PAP:', 'de-vs:', 'euci:', 'fr-classif:', 'nato:']
|
||||
|
||||
misp_connection = None
|
||||
|
@ -278,11 +177,17 @@ def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False):
|
|||
|
||||
|
||||
def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOutput):
|
||||
misp = get_misp_connection()
|
||||
# find a nice icon for it
|
||||
try:
|
||||
icon_url = mapping_object_icon[o['name']]
|
||||
except KeyError:
|
||||
# it's not in our mapping, just ignore and leave the default icon
|
||||
icon_url = None
|
||||
# Generate a human readable display-name:
|
||||
# - find the first RequiredOneOf that exists
|
||||
# - if none, use the first RequiredField
|
||||
# LATER further finetune the human readable version of this object
|
||||
misp = get_misp_connection()
|
||||
o_template = misp.get_object_template(o['template_uuid'])
|
||||
human_readable = None
|
||||
try:
|
||||
|
@ -295,7 +200,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
|
|||
break
|
||||
for a in o['Attribute']:
|
||||
if a['type'] == required_a_type:
|
||||
human_readable = '{}: {}'.format(o['name'], a['value'])
|
||||
human_readable = '{}:\n{}'.format(o['name'], a['value'])
|
||||
found = True
|
||||
break
|
||||
except Exception:
|
||||
|
@ -313,10 +218,9 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
|
|||
if a['type'] == required_a_type:
|
||||
parts.append(a['value'])
|
||||
break
|
||||
human_readable = '{}: {}'.format(o['name'], '|'.join(parts))
|
||||
human_readable = '{}:\n{}'.format(o['name'], '|'.join(parts))
|
||||
except Exception:
|
||||
human_readable = o['name']
|
||||
pass
|
||||
return MISPObject(
|
||||
human_readable,
|
||||
uuid=o['uuid'],
|
||||
|
@ -324,6 +228,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
|
|||
meta_category=o.get('meta_category'),
|
||||
description=o.get('description'),
|
||||
comment=o.get('comment'),
|
||||
icon_url=icon_url,
|
||||
link_label=link_label,
|
||||
link_direction=link_direction,
|
||||
bookmark=Bookmark.Green
|
||||
|
@ -454,9 +359,8 @@ def galaxycluster_to_entity(c, link_label=None, link_direction=LinkDirection.Inp
|
|||
try:
|
||||
icon_url = mapping_galaxy_icon[galaxy_cluster['icon']]
|
||||
except KeyError:
|
||||
# it's not in our mapping, just ignore and leave the default icon
|
||||
icon_url = None
|
||||
# it's not in our mapping, just ignore and leave the default Galaxy icon
|
||||
pass
|
||||
|
||||
# create the right sub-galaxy: ThreatActor, Software, AttackTechnique, ... or MISPGalaxy
|
||||
try:
|
||||
|
|
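Review bot: The new icon lookup in `object_to_entity` passes whatever `mapping_object_icon` holds straight into `MISPObject(icon_url=...)`, and most entries of that table are the empty string, so for the majority of object templates the entity is built with `icon_url=''` rather than `None`; if canari emits an `<IconURL>` element for a falsy string, those objects lose their default icon instead of keeping it, which is the opposite of what the `except KeyError` comment intends. One line covers both the missing-key and empty-value cases and removes the try/except: `icon_url = mapping_object_icon.get(o['name']) or None`. `misp = get_misp_connection()` is also executed twice in this function (once before the icon lookup and again before `get_object_template`); the first occurrence appears to predate this commit, but one of the two can go. In `galaxycluster_to_entity` the `except KeyError` branch now only `pass`es, which is correct only if `icon_url` is already bound before the `try` — that binding is outside the hunk, so please confirm it exists.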