mirror of https://github.com/MISP/MISP
add: [stix2 export] Exporting user-account objects
parent
ca3dca42aa
commit
4dd780c25d
|
@ -198,6 +198,8 @@ class StixBuilder():
|
||||||
'stix2': {'pattern': self.resolve_stix2_pattern},
|
'stix2': {'pattern': self.resolve_stix2_pattern},
|
||||||
'url': {'observable': self.resolve_url_observable,
|
'url': {'observable': self.resolve_url_observable,
|
||||||
'pattern': self.resolve_url_pattern},
|
'pattern': self.resolve_url_pattern},
|
||||||
|
'user-account': {'observable': self.resolve_user_account_observable,
|
||||||
|
'pattern': self.resolve_user_account_pattern},
|
||||||
'x509': {'observable': self.resolve_x509_observable,
|
'x509': {'observable': self.resolve_x509_observable,
|
||||||
'pattern': self.resolve_x509_pattern}
|
'pattern': self.resolve_x509_pattern}
|
||||||
}
|
}
|
||||||
|
@ -1261,6 +1263,52 @@ class StixBuilder():
|
||||||
pattern.append(objectsMapping[mapping]['pattern'].format(stix_type, attribute['value']))
|
pattern.append(objectsMapping[mapping]['pattern'].format(stix_type, attribute['value']))
|
||||||
return "[{}]".format(" AND ".join(pattern))
|
return "[{}]".format(" AND ".join(pattern))
|
||||||
|
|
||||||
|
def resolve_user_account_observable(self, attributes, object_id):
|
||||||
|
attributes = self.parse_user_account_attributes(attributes, object_id)
|
||||||
|
observable = {'type': 'user-account'}
|
||||||
|
extension = {}
|
||||||
|
for relation, value in attributes.items():
|
||||||
|
try:
|
||||||
|
observable[userAccountMapping[relation]] = value
|
||||||
|
except KeyError:
|
||||||
|
try:
|
||||||
|
extension[unixAccountExtensionMapping[relation]] = value
|
||||||
|
except KeyError:
|
||||||
|
continue
|
||||||
|
if extension:
|
||||||
|
observable['extensions']['unix-account-ext'] = extension
|
||||||
|
return {'0': observable}
|
||||||
|
|
||||||
|
def resolve_user_account_pattern(self, attributes, object_id):
|
||||||
|
mapping = objectsMapping['user-account']['to_call']
|
||||||
|
attributes = self.parse_user_account_attributes(attributes, object_id)
|
||||||
|
pattern = []
|
||||||
|
for relation, value in attributes.items():
|
||||||
|
try:
|
||||||
|
pattern_part = mapping.format(userAccountMapping[relation], value)
|
||||||
|
except KeyError:
|
||||||
|
try:
|
||||||
|
pattern_part = mapping.format('extensions.unix-account-ext.{}'.format(unixAccountExtensionMapping[relation]), value)
|
||||||
|
except KeyError:
|
||||||
|
continue
|
||||||
|
pattern.append(pattern_part)
|
||||||
|
return "[{}]".format(' AND '.join(pattern))
|
||||||
|
|
||||||
|
def parse_user_account_attributes(self, attributes, object_id):
|
||||||
|
tmp_attributes = defaultdict(list)
|
||||||
|
for attribute in attributes:
|
||||||
|
self.parse_galaxies(attribute['Galaxy'], object_id)
|
||||||
|
relation = attribute['object_relation']
|
||||||
|
if relation == 'group':
|
||||||
|
tmp_attributes[relation].append(attribute['value'])
|
||||||
|
else:
|
||||||
|
tmp_attributes[relation] = attribute['value']
|
||||||
|
if 'user-id' not in tmp_attributes and 'username' in tmp_attributes:
|
||||||
|
tmp_attributes['user-id'] = tmp_attributes.pop('username')
|
||||||
|
if 'text' in tmp_attributes:
|
||||||
|
tmp_attributes.pop('text')
|
||||||
|
return tmp_attributes
|
||||||
|
|
||||||
def resolve_x509_observable(self, attributes, object_id):
|
def resolve_x509_observable(self, attributes, object_id):
|
||||||
observable = {'type': 'x509-certificate'}
|
observable = {'type': 'x509-certificate'}
|
||||||
hashes = {}
|
hashes = {}
|
||||||
|
|
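Review bot: `resolve_user_account_pattern` builds its pattern from `objectsMapping['user-account']['to_call']`, which is the string 'handle_usual_object_name', so every `mapping.format(...)` call returns that name unchanged and the exported pattern becomes `[handle_usual_object_name AND ...]`; the line should read `mapping = objectsMapping['user-account']['pattern']`, matching the `['pattern']` lookup in the context line at the top of the hunk. In `resolve_user_account_observable`, `observable['extensions']['unix-account-ext'] = extension` raises KeyError whenever a unix-extension attribute (group, group-id, home_dir, shell) is present, because `observable` is created with only `type`; use `observable['extensions'] = {'unix-account-ext': extension}` instead. Note also that `group` is collected as a list in `parse_user_account_attributes`, so the pattern branch interpolates its Python repr into the quoted comparison, and, as in the existing url/x509 paths, attribute values are inserted into the single-quoted STIX pattern without escaping, so a value containing a quote yields a malformed pattern; a comment on the `pattern.append` line would at least record that limitation.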
|
@ -307,6 +307,8 @@ objectsMapping = {'asn': {'to_call': 'handle_usual_object_name',
|
||||||
'url': {'to_call': 'handle_usual_object_name',
|
'url': {'to_call': 'handle_usual_object_name',
|
||||||
'observable': {'0': {'type': 'url'}},
|
'observable': {'0': {'type': 'url'}},
|
||||||
'pattern': "url:{0} = '{1}'"},
|
'pattern': "url:{0} = '{1}'"},
|
||||||
|
'user-account': {'to_call': 'handle_usual_object_name',
|
||||||
|
'pattern': "user-account:{0} = '{1}'"},
|
||||||
'vulnerability': {'to_call': 'add_object_vulnerability'},
|
'vulnerability': {'to_call': 'add_object_vulnerability'},
|
||||||
'x509': {'to_call': 'handle_usual_object_name',
|
'x509': {'to_call': 'handle_usual_object_name',
|
||||||
'pattern': "x509-certificate:{0} = '{1}' AND "}
|
'pattern': "x509-certificate:{0} = '{1}' AND "}
|
||||||
|
@ -352,6 +354,15 @@ regkeyMapping = {'data-type': 'data_type', 'data': 'data', 'name': 'name',
|
||||||
|
|
||||||
urlMapping = {'url': 'value', 'domain': 'value', 'port': 'dst_port'}
|
urlMapping = {'url': 'value', 'domain': 'value', 'port': 'dst_port'}
|
||||||
|
|
||||||
|
userAccountMapping = {'account-type': 'account_type', 'can_escalate_privs': 'can_escalate_privs',
|
||||||
|
'created': 'account_created', 'disabled': 'is_disabled', 'display-name': 'display_name',
|
||||||
|
'expires': 'account_expires', 'first_login': 'account_first_login',
|
||||||
|
'is_service_account': 'is_service_account', 'last_login': 'account_last_login',
|
||||||
|
'password': 'credential', 'password_last_changed': 'credential_last_changed',
|
||||||
|
'privileged': 'is_privileged', 'username': 'account_login', 'user-id': 'user_id'}
|
||||||
|
|
||||||
|
unixAccountExtensionMapping = {'group': 'groups', 'group-id': 'gid', 'home_dir': 'home_dir', 'shell': 'shell'}
|
||||||
|
|
||||||
x509mapping = {'pubkey-info-algorithm': 'subject_public_key_algorithm', 'subject': 'subject',
|
x509mapping = {'pubkey-info-algorithm': 'subject_public_key_algorithm', 'subject': 'subject',
|
||||||
'pubkey-info-exponent': 'subject_public_key_exponent', 'issuer': 'issuer',
|
'pubkey-info-exponent': 'subject_public_key_exponent', 'issuer': 'issuer',
|
||||||
'pubkey-info-modulus': 'subject_public_key_modulus', 'serial-number': 'serial_number',
|
'pubkey-info-modulus': 'subject_public_key_modulus', 'serial-number': 'serial_number',
|
||||||
|
|
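Review bot: The `'password': 'credential'` entry in `userAccountMapping` is undocumented even though it causes the MISP password attribute to be copied verbatim into the STIX `user-account` observable and pattern, so any bundle exported from an event holding such an object carries the credential value. A comment on that line, `# MISP 'password' is exported as-is into the STIX 'credential' property`, would make the choice explicit for maintainers and for anyone configuring what leaves the instance.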