MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/app/files/scripts/misp2stix_mapping.py

449 lines
11 KiB
Python
Raw Blame History

# mappings
status_mapping = {'0': 'New', '1': 'Open', '2': 'Closed'}
threat_level_mapping = {'1': 'High', '2': 'Medium', '3': 'Low', '4': 'Undefined'}
TLP_order = {'RED': 4, 'AMBER': 3, 'AMBER NATO ALLIANCE': 3, 'GREEN': 2, 'WHITE': 1}
confidence_mapping = {False: 'None', True: 'High'}
not_implemented_attributes = ('yara', 'snort', 'pattern-in-traffic', 'pattern-in-memory')
non_indicator_attributes = (
'text',
'comment',
'other',
'link',
'target-user',
'target-email',
'target-machine',
'target-org',
'target-location',
'target-external',
'vulnerability'
)
hash_type_attributes = {
"single": (
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"authentihash",
"pehash",
"tlsh",
"cdhash"
),
"composite": (
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|pehash"
)
}
# mapping for the attributes that can go through the simpleobservable script
misp_cybox_name = {
"domain": "DomainName",
"hostname": "Hostname",
"url": "URI",
"AS": "AutonomousSystem",
"mutex": "Mutex",
"named pipe": "Pipe",
"link": "URI",
"network-connection": "NetworkConnection",
"windows-service-name": "WinService"
}
cybox_name_attribute = {
"DomainName": "value",
"Hostname": "hostname_value",
"URI": "value",
"AutonomousSystem": "number",
"Pipe": "name",
"Mutex": "name",
"WinService": "name"
}
misp_indicator_type = {
"email-attachment": "Malicious E-mail",
"filename": "File Hash Watchlist",
"mutex": "Host Characteristics",
"named pipe": "Host Characteristics",
"url": "URL Watchlist"
}
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["single"]), "File Hash Watchlist"))
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["composite"]), "File Hash Watchlist"))
misp_indicator_type.update(
dict.fromkeys(
[
"email-src",
"email-dst",
"email-subject",
"email-reply-to",
"email-attachment"
],
"Malicious E-mail"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"AS",
"ip-src",
"ip-dst",
"ip-src|port",
"ip-dst|port"
],
"IP Watchlist"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"domain",
"domain|ip",
"hostname"
],
"Domain Watchlist"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"regkey",
"regkey|value"
],
"Host Characteristics"
)
)
cybox_validation = {"AutonomousSystem": "isInt"}
## ATTRIBUTES MAPPING
simple_type_to_method = {
'attachment': 'resolve_attachment',
'domain|ip': 'generate_domain_ip_observable',
'email-attachment': 'generate_email_attachment_observable',
'filename': 'resolve_file_observable',
'mac-address': 'resolve_system_observable',
'malware-sample': 'resolve_malware_sample',
'named pipe': 'generate_pipe_observable',
'port': 'generate_port_observable',
}
simple_type_to_method.update(
dict.fromkeys(
list(hash_type_attributes["single"]),
'resolve_file_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
list(hash_type_attributes["composite"]),
'resolve_file_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"ip-src",
"ip-dst"
],
'generate_ip_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"ip-src|port",
"ip-dst|port",
"hostname|port"
],
'generate_socket_address_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"regkey",
"regkey|value"
],
'generate_regkey_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"hostname",
"domain",
"url",
"AS",
"mutex",
"named pipe",
"link",
"windows-service-name"
],
'generate_simple_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"email-src",
"email-dst",
"email-subject",
"email-reply-to"
],
'resolve_email_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"http-method",
"user-agent"
],
'resolve_http_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory"
],
'resolve_pattern_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
'x509-fingerprint-md5',
'x509-fingerprint-sha1',
'x509-fingerprint-sha256'
],
'parse_x509_object'
)
)
## OBJECTS MAPPING
ttp_names = {
'attack-pattern': 'parse_attack_pattern',
'course-of-action': 'parse_course_of_action',
'vulnerability': 'parse_vulnerability',
'weakness': 'parse_weakness'
}
objects_mapping = {
"asn": 'parse_asn_object',
"credential": 'parse_credential_object',
"domain-ip": 'parse_domain_ip_object',
"email": 'parse_email_object',
"file": 'parse_file_object',
"ip-port": 'parse_ip_port_object',
"network-connection": 'parse_network_connection_object',
"network-socket": 'parse_network_socket_object',
"pe": 'store_pe',
"pe-section": 'store_pe',
"process": 'parse_process_object',
"registry-key": 'parse_regkey_object',
"url": 'parse_url_object',
"user-account": 'parse_user_account_object',
"whois": 'parse_whois',
"x509": 'parse_x509_object'
}
## GALAXIES MAPPING
galaxy_types_mapping = {'branded-vulnerability': 'parse_vulnerability_galaxy'}
galaxy_types_mapping.update(
dict.fromkeys(
[
'mitre-attack-pattern',
'mitre-enterprise-attack-attack-pattern',
'mitre-mobile-attack-attack-pattern',
'mitre-pre-attack-attack-pattern'
],
'parse_attack_pattern_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'mitre-course-of-action',
'mitre-enterprise-attack-course-of-action',
'mitre-mobile-attack-course-of-action'
],
'parse_course_of_action_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'android',
'banker',
'stealer',
'backdoor',
'ransomware',
'mitre-malware',
'malpedia',
'mitre-enterprise-attack-malware',
'mitre-mobile-attack-malware'
],
'parse_malware_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'threat-actor',
'microsoft-activity-group'
],
'parse_threat_actor_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'botnet',
'rat',
'exploit-kit',
'tds',
'tool',
'mitre-tool',
'mitre-enterprise-attack-tool',
'mitre-mobile-attack-tool'
],
'parse_tool_galaxy'
)
)
# mapping Windows Registry Hives and their abbreviations
# see https://cybox.mitre.org/language/version2.1/xsddocs/objects/Win_Registry_Key_Object_xsd.html#RegistryHiveEnum
# the dict keys must be UPPER CASE and end with \\
misp_reghive = {
"HKEY_CLASSES_ROOT\\": "HKEY_CLASSES_ROOT",
"HKCR\\": "HKEY_CLASSES_ROOT",
"HKEY_CURRENT_CONFIG\\": "HKEY_CURRENT_CONFIG",
"HKCC\\": "HKEY_CURRENT_CONFIG",
"HKEY_CURRENT_USER\\": "HKEY_CURRENT_USER",
"HKCU\\": "HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\": "HKEY_LOCAL_MACHINE",
"HKLM\\": "HKEY_LOCAL_MACHINE",
"HKEY_USERS\\": "HKEY_USERS",
"HKU\\": "HKEY_USERS",
"HKEY_CURRENT_USER_LOCAL_SETTINGS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
"HKCULS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
"HKEY_PERFORMANCE_DATA\\": "HKEY_PERFORMANCE_DATA",
"HKPD\\": "HKEY_PERFORMANCE_DATA",
"HKEY_PERFORMANCE_NLSTEXT\\": "HKEY_PERFORMANCE_NLSTEXT",
"HKPN\\": "HKEY_PERFORMANCE_NLSTEXT",
"HKEY_PERFORMANCE_TEXT\\": "HKEY_PERFORMANCE_TEXT",
"HKPT\\": "HKEY_PERFORMANCE_TEXT",
}
attack_pattern_object_mapping = {
'id': 'capec_id',
'name': 'title',
'summary': 'description'
}
course_of_action_object_keys = (
'type',
'description',
'objective',
'stage',
'cost',
'impact',
'efficacy'
)
email_object_mapping = {
'from': 'from_',
'reply-to': 'reply_to',
'subject': 'subject',
'x-mailer': 'x_mailer',
'mime-boundary': 'boundary',
'user-agent': 'user_agent'
}
file_object_mapping = {
'path': 'full_path',
'size-in-bytes': 'size_in_bytes',
'entropy': 'peak_entropy'
}
process_object_keys = (
'creation-time',
'start-time',
'name',
'pid',
'parent-pid'
)
regkey_object_mapping = {
'name': 'name',
'data': 'data',
'data-type': 'datatype'
}
user_account_id_mapping = {
'unix': 'user_id',
'windows-domain': 'security_id',
'windows-local': 'security_id'
}
user_account_object_mapping = {
'username': 'username',
'display-name': 'full_name',
'disabled': 'disabled',
'created': 'creation_date',
'last_login': 'last_login',
'home_dir': 'home_directory',
'shell': 'script_path'
}
vulnerability_object_mapping = {
'id': 'cve_id',
'summary': 'description',
'published': 'published_datetime'
}
weakness_object_mapping = {
'id': 'cwe_id',
'description': 'description'
}
whois_object_mapping = {
'creation-date': 'creation_date',
'modification-date': 'updated_date',
'expiration-date': 'expiration_date'
}
whois_registrant_mapping = {
'registrant-name': 'name',
'registrant-phone': 'phone_number',
'registrant-email': 'email_address',
'registrant-org': 'organization'
}
x509_creation_mapping = {
'version': 'contents',
'serial-number': 'contents',
'issuer': 'contents',
'subject': 'contents',
'validity-not-before': 'validity',
'validity-not-after': 'validity',
'pubkey-info-exponent': 'rsa_pubkey',
'pubkey-info-modulus': 'rsa_pubkey',
'raw-base64': 'raw_certificate',
'pem': 'raw_certificate',
'x509-fingerprint-md5': 'signature',
'x509-fingerprint-sha1': 'signature',
'x509-fingerprint-sha256': 'signature',
'pubkey-info-algorithm': 'subject_pubkey'
}
x509_object_keys = (
'version',
'serial-number',
'issuer',
'subject'
)
Reference in New Issue View Git Blame Copy Permalink