From c28a001b4f18b50f183af7434cabfa3916122a72 Mon Sep 17 00:00:00 2001
From: niclas
Date: Wed, 6 Mar 2024 09:19:11 +0100
Subject: [PATCH] Fix [tidal] check for existing sub clusters

---
 clusters/tidal-software.json | 22 ++++------------------
 tools/tidal-api/models/cluster.py | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index e68ae49..a5dc88e 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -22752,6 +22752,10 @@
 {
 "dest-uuid": "a4700431-6578-489f-9782-52e394277296",
 "type": "similar"
+ },
+ {
+ "dest-uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
+ "type": "similar"
 }
 ],
 "uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
@@ -30905,20 +30909,6 @@
 "uuid": "2143f749-d7b8-43c0-8041-8aeb486142c2",
 "value": "TestWindowRemoteAgent"
 },
- {
- "description": "Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. [[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)] [[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]",
- "meta": {
- "id": "1b0ec06d-0748-42ea-912f-e23f14d94b95"
- },
- "related": [
- {
- "dest-uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
- "type": "similar"
- }
- ],
- "uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
- "value": "DNSMessenger - Associated Software"
- },
 {
 "description": "[TEXTMATE](https://app.tidalcyber.com/software/49d0ae81-d51b-4534-b1e0-08371a47ef79) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) in February 2017. [[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]",
 "meta": {
@@ -30942,10 +30932,6 @@
 {
 "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
 "type": "similar"
- },
- {
- "dest-uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
- "type": "similar"
 }
 ],
 "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
diff --git a/tools/tidal-api/models/cluster.py b/tools/tidal-api/models/cluster.py
index b793bed..df22826 100644
--- a/tools/tidal-api/models/cluster.py
+++ b/tools/tidal-api/models/cluster.py
@@ -221,6 +221,19 @@ class GroupCluster(Cluster):
 )
 if self.subs:
 for associated_group in entry.get("associated_groups"):
+ found = False
+ for x in self.values:
+ if associated_group.get("associated_group_id") == x.get("uuid"):
+ x["related"].append(
+ {
+ "dest-uuid": entry.get("id"),
+ "type": "similar",
+ }
+ )
+ found = True
+ break
+ if found:
+ continue
 associated_meta = AssociatedGroupsMeta(
 id=associated_group.get("id"),
 owner_id=associated_group.get("owner_id"),
@@ -322,6 +335,19 @@ class SoftwareCluster(Cluster):
 )
 if self.subs:
 for associated_software in entry.get("associated_software"):
+ found = False
+ for x in self.values:
+ if associated_software.get("associated_software_id") == x.get("uuid"):
+ x["related"].append(
+ {
+ "dest-uuid": entry.get("id"),
+ "type": "similar",
+ }
+ )
+ found = True
+ break
+ if found:
+ continue
 associated_meta = AssociatedSoftwareMeta(
 id=associated_software.get("id"),
 owner_id=associated_software.get("owner_id"),
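Review bot: The `continue` after a match in the GroupCluster hunk (+224 onward) skips the rest of the loop body, so the current entry receives no reverse link to the already-emitted sub cluster; the `- "dest-uuid": "6812793e-…"` line dropped from TEXTMATE's `related` list in the tidal-software.json hunk at 30942 suggests that link used to be written further down the body, outside this hunk, and the generated galaxy data is now one-directional. If the symmetric `similar` relation is still wanted, append `{"dest-uuid": x.get("uuid"), "type": "similar"}` to the entry's own related list before `continue`, or confirm that a single direction is enough for consumers of the cluster. The test `associated_group.get("associated_group_id") == x.get("uuid")` also pairs a missing id with any value lacking a uuid (`None == None`), so the sub id should be checked for `None` first, and `x["related"]` raises KeyError on a value without that key even though `x.get("uuid")` was written defensively. The `found` flag with `break` and `if found: continue` reads more directly as one `next(...)` lookup, and since the identical thirteen lines appear again in SoftwareCluster at +338, a shared helper on Cluster would keep the two in step. Both enclosing methods start before and end after their hunks.
```python
for associated_group in entry.get("associated_groups"):
    sub_id = associated_group.get("associated_group_id")
    existing = next(
        (v for v in self.values if sub_id is not None and v.get("uuid") == sub_id),
        None,
    )
    if existing is not None:
        # Sub cluster already emitted: link it to this entry instead of adding a duplicate value.
        existing.setdefault("related", []).append(
            {"dest-uuid": entry.get("id"), "type": "similar"}
        )
        continue
    # … unchanged: build AssociatedGroupsMeta for a sub cluster not yet in self.values …
```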