MISP
/
PyMISPGalaxies
mirror of https://github.com/MISP/PyMISPGalaxies
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: [doc] use cluster.get() instead

pull/25/head
Christophe Vandeplas 2024-06-18 09:37:23 +02:00
parent 104cb81239
commit b9791f98c1
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
1 changed files with 129 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

232
docs/Galaxie_MISP.ipynb
View File

@ -1,26 +1,10 @@
{ {
"nbformat": 4,
"nbformat_minor": 0,
"metadata": {
"colab": {
"provenance": [],
"authorship_tag": "ABX9TyOFSmnINQ4YRBroomWdb+/2",
"include_colab_link": true
},
"kernelspec": {
"name": "python3",
"display_name": "Python 3"
},
"language_info": {
"name": "python"
}
},
"cells": [ "cells": [
{ {
"cell_type": "markdown", "cell_type": "markdown",
"metadata": { "metadata": {
"id": "view-in-github", "colab_type": "text",
"colab_type": "text" "id": "view-in-github"
}, },
"source": [ "source": [
"<a href=\"https://colab.research.google.com/github/sebdraven/PyMISPGalaxies/blob/main/Galaxie_MISP.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>" "<a href=\"https://colab.research.google.com/github/sebdraven/PyMISPGalaxies/blob/main/Galaxie_MISP.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>"
@ -38,8 +22,8 @@
}, },
"outputs": [ "outputs": [
{ {
"output_type": "stream",
"name": "stdout", "name": "stdout",
"output_type": "stream",
"text": [ "text": [
"Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n", "Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n",
"Collecting PyMISPGalaxies\n", "Collecting PyMISPGalaxies\n",
@ -65,38 +49,52 @@
}, },
{ {
"cell_type": "code", "cell_type": "code",
"source": [ "execution_count": 1,
"from pymispgalaxies import Clusters"
],
"metadata": { "metadata": {
"id": "Gy_cjV42Faj-" "id": "Gy_cjV42Faj-"
}, },
"execution_count": 2, "outputs": [],
"outputs": [] "source": [
"from pymispgalaxies import Clusters"
]
}, },
{ {
"cell_type": "markdown", "cell_type": "markdown",
"source": [
"To Choose a cluster, the name of cluster is the name of file in <https://github.com/MISP/misp-galaxy/clusters/>, here we use malpedia"
],
"metadata": { "metadata": {
"id": "Z_FZERTPMV0s" "id": "Z_FZERTPMV0s"
} },
"source": [
"To Choose a cluster, the name of cluster is the name of file in <https://github.com/MISP/misp-galaxy/clusters/>, here we use malpedia"
]
}, },
{ {
"cell_type": "code", "cell_type": "code",
"source": [ "execution_count": 2,
"cluster_malpedia = Clusters().get('malpedia') #corresponding to https://github.com/MISP/misp-galaxy/clusters/malpedia.json\n",
"cluster_malpedia"
],
"metadata": { "metadata": {
"id": "pmsFAlTsFr_Q" "id": "pmsFAlTsFr_Q"
}, },
"execution_count": null, "outputs": [
"outputs": [] {
"data": {
"text/plain": [
"<pymispgalaxies.api.Cluster at 0x75b3464402c0>"
]
},
"execution_count": 2,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"cluster_malpedia = Clusters().get('malpedia') #corresponding to https://github.com/MISP/misp-galaxy/clusters/malpedia.json\n",
"cluster_malpedia"
]
}, },
{ {
"cell_type": "markdown", "cell_type": "markdown",
"metadata": {
"id": "xf3vTuWsNzF6"
},
"source": [ "source": [
"To access in a entry json like Zeus:\n", "To access in a entry json like Zeus:\n",
"\n", "\n",
@ -154,17 +152,11 @@
" \"value\": \"Zeus\"\n", " \"value\": \"Zeus\"\n",
" }\n", " }\n",
" ```" " ```"
], ]
"metadata": {
"id": "xf3vTuWsNzF6"
}
}, },
{ {
"cell_type": "code", "cell_type": "code",
"source": [ "execution_count": 9,
"zeus = cluster_malpedia.cluster_values['Zeus']\n",
"zeus.to_dict()"
],
"metadata": { "metadata": {
"colab": { "colab": {
"base_uri": "https://localhost:8080/" "base_uri": "https://localhost:8080/"
@ -172,36 +164,38 @@
"id": "2dVS64R9Nxwu", "id": "2dVS64R9Nxwu",
"outputId": "7ebb7915-c981-4814-e7cb-b4ba96aa409f" "outputId": "7ebb7915-c981-4814-e7cb-b4ba96aa409f"
}, },
"execution_count": 8,
"outputs": [ "outputs": [
{ {
"output_type": "execute_result",
"data": { "data": {
"text/plain": [ "text/plain": [
"{'value': 'Zeus',\n", "{'value': 'Zeus',\n",
" 'uuid': '4e8c1ab7-2841-4823-a5d1-39284fb0969a',\n", " 'uuid': '4e8c1ab7-2841-4823-a5d1-39284fb0969a',\n",
" 'meta': <pymispgalaxies.api.ClusterValueMeta at 0x7f870e02ba60>}" " 'description': \"According to CrowdStrike, The two primary goals of the Zeus trojan horse virus are stealing people's financial information and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect. Their aim is to avoid detection from antivirus software.\",\n",
" 'meta': <pymispgalaxies.api.ClusterValueMeta at 0x75b33bee97f0>}"
] ]
}, },
"execution_count": 9,
"metadata": {}, "metadata": {},
"execution_count": 8 "output_type": "execute_result"
} }
],
"source": [
"zeus = cluster_malpedia.get('Zeus')\n",
"zeus.to_dict()"
] ]
}, },
{ {
"cell_type": "markdown", "cell_type": "markdown",
"source": [
"To access at metadata"
],
"metadata": { "metadata": {
"id": "SHmE7qcDPBcF" "id": "SHmE7qcDPBcF"
} },
"source": [
"To access at metadata"
]
}, },
{ {
"cell_type": "code", "cell_type": "code",
"source": [ "execution_count": 11,
"zeus.meta.to_dict()"
],
"metadata": { "metadata": {
"colab": { "colab": {
"base_uri": "https://localhost:8080/" "base_uri": "https://localhost:8080/"
@ -209,77 +203,76 @@
"id": "-T6MYOzJOrVF", "id": "-T6MYOzJOrVF",
"outputId": "bc22b364-a1a0-470e-d4ab-8e833e81753a" "outputId": "bc22b364-a1a0-470e-d4ab-8e833e81753a"
}, },
"execution_count": 9,
"outputs": [ "outputs": [
{ {
"output_type": "execute_result",
"data": { "data": {
"text/plain": [ "text/plain": [
"{'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus',\n", "{'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus',\n",
" 'https://securelist.com/financial-cyberthreats-in-2020/101638/',\n", " 'https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf',\n",
" 'https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/',\n",
" 'http://eternal-todo.com/blog/detecting-zeus',\n",
" 'https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite',\n",
" 'http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html',\n",
" 'https://www.youtube.com/watch?v=LUxOcpIRxmg',\n",
" 'https://www.secureworks.com/research/threat-profiles/bronze-woodland',\n",
" 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf',\n",
" 'https://www.mnin.org/write/ZeusMalware.pdf',\n",
" 'https://www.secureworks.com/research/zeus?threat=zeus',\n",
" 'https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/',\n",
" 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/',\n",
" 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a',\n",
" 'http://eternal-todo.com/blog/new-zeus-binary',\n",
" 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html',\n",
" 'http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html',\n",
" 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/',\n",
" 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf',\n",
" 'http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html',\n",
" 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/',\n",
" 'http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html',\n",
" 'http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html',\n",
" 'https://www.secureworks.com/research/threat-profiles/gold-evergreen',\n",
" 'http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html',\n",
" 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree',\n", " 'https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree',\n",
" 'https://nakedsecurity.sophos.com/2010/07/24/sample-run/',\n", " 'http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html',\n",
" 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals',\n",
" 'http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html',\n",
" 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf',\n", " 'https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf',\n",
" 'https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20',\n",
" 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf',\n",
" 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group',\n",
" 'https://www.s21sec.com/en/zeus-the-missing-link/',\n",
" 'http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html',\n",
" 'http://eternal-todo.com/blog/zeus-spreading-facebook',\n",
" 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf',\n", " 'https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf',\n",
" 'http://eternal-todo.com/blog/detecting-zeus',\n",
" 'http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html',\n",
" 'https://nakedsecurity.sophos.com/2010/07/24/sample-run/',\n",
" 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf',\n",
" 'https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20',\n",
" 'https://www.mnin.org/write/ZeusMalware.pdf',\n",
" 'https://securelist.com/financial-cyberthreats-in-2020/101638/',\n",
" 'https://www.secureworks.com/research/zeus?threat=zeus',\n",
" 'https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/',\n",
" 'http://eternal-todo.com/blog/zeus-spreading-facebook',\n",
" 'http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html',\n",
" 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf',\n",
" 'https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/',\n",
" 'https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware',\n",
" 'https://www.wired.com/2017/03/russian-hacker-spy-botnet/',\n",
" 'https://us-cert.cisa.gov/ncas/alerts/aa20-345a',\n",
" 'https://www.s21sec.com/en/zeus-the-missing-link/',\n",
" 'https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite',\n",
" 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf',\n",
" 'https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals',\n",
" 'https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group',\n",
" 'https://www.youtube.com/watch?v=LUxOcpIRxmg',\n",
" 'https://www.secureworks.com/research/threat-profiles/gold-evergreen',\n",
" 'https://www.cisecurity.org/insights/blog/top-10-malware-march-2022',\n",
" 'https://www.secureworks.com/research/threat-profiles/bronze-woodland',\n",
" 'https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/',\n",
" 'https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html',\n",
" 'https://unit42.paloaltonetworks.com/banking-trojan-techniques/',\n",
" 'https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/',\n",
" 'http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html',\n",
" 'http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html',\n",
" 'http://eternal-todo.com/blog/new-zeus-binary',\n",
" 'http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html',\n",
" 'http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html',\n",
" 'http://www.secureworks.com/research/threat-profiles/gold-evergreen',\n", " 'http://www.secureworks.com/research/threat-profiles/gold-evergreen',\n",
" 'https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf'],\n", " 'http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html'],\n",
" 'synonyms': ['Zbot']}" " 'synonyms': ['Zbot']}"
] ]
}, },
"execution_count": 11,
"metadata": {}, "metadata": {},
"execution_count": 9 "output_type": "execute_result"
} }
],
"source": [
"zeus.meta.to_dict()"
] ]
}, },
{ {
"cell_type": "markdown", "cell_type": "markdown",
"source": [
"To list all entries, with metadata"
],
"metadata": { "metadata": {
"id": "Tq96ubMoPWoV" "id": "Tq96ubMoPWoV"
} },
"source": [
"To list all entries, with metadata"
]
}, },
{ {
"cell_type": "code", "cell_type": "code",
"source": [ "execution_count": 10,
"for name,cluster_value in cluster_malpedia.cluster_values.items():\n",
" obj_dict = cluster_value.to_dict()\n",
" if 'meta' in obj_dict:\n",
" meta = obj_dict['meta'].to_dict()\n",
" print(name, meta)"
],
"metadata": { "metadata": {
"colab": { "colab": {
"base_uri": "https://localhost:8080/" "base_uri": "https://localhost:8080/"
@ -287,11 +280,10 @@
"id": "rWcAjS6ZPVn_", "id": "rWcAjS6ZPVn_",
"outputId": "ac25600c-fdd7-460c-835d-c6d6b4bfda60" "outputId": "ac25600c-fdd7-460c-835d-c6d6b4bfda60"
}, },
"execution_count": 10,
"outputs": [ "outputs": [
{ {
"output_type": "stream",
"name": "stdout", "name": "stdout",
"output_type": "stream",
"text": [ "text": [
"FastCash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://github.com/fboldewin/FastCashMalwareDissected/', 'https://www.cisa.gov/uscert/ncas/alerts/TA18-275A', 'https://www.cisa.gov/uscert/ncas/alerts/aa20-239a', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.youtube.com/watch?v=zGvQPtejX9w', 'https://www.us-cert.gov/ncas/alerts/TA18-275A', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html', 'https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware', 'https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware']}\n", "FastCash {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash', 'https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf', 'https://github.com/fboldewin/FastCashMalwareDissected/', 'https://www.cisa.gov/uscert/ncas/alerts/TA18-275A', 'https://www.cisa.gov/uscert/ncas/alerts/aa20-239a', 'https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/', 'https://www.youtube.com/watch?v=zGvQPtejX9w', 'https://www.us-cert.gov/ncas/alerts/TA18-275A', 'https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html', 'https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf', 'https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf', 'https://www.youtube.com/watch?v=LUxOcpIRxmg', 'https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf', 'https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware', 'https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware']}\n",
"888 RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat', 'https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/']}\n", "888 RAT {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat', 'https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/']}\n",
@ -2869,7 +2861,39 @@
"Zyklon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon', 'https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html', 'https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html']}\n" "Zyklon {'refs': ['https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon', 'https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html', 'https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html']}\n"
] ]
} }
],
"source": [
"for name,cluster_value in cluster_malpedia.cluster_values.items():\n",
" obj_dict = cluster_value.to_dict()\n",
" if 'meta' in obj_dict:\n",
" meta = obj_dict['meta'].to_dict()\n",
" print(name, meta)"
] ]
} }
] ],
"metadata": {
"colab": {
"authorship_tag": "ABX9TyOFSmnINQ4YRBroomWdb+/2",
"include_colab_link": true,
"provenance": []
},
"kernelspec": {
"display_name": "Python 3",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.3"
}
},
"nbformat": 4,
"nbformat_minor": 0
} }