initial implementation supporting regkey. mutexes support waiting osquery table

misp_modules/modules/export_mod/__init__.py

@@ -1 +1 @@
-__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export']
+__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export', 'osqueryexport']

misp_modules/modules/export_mod/osqueryexport.py

@@ -0,0 +1,93 @@
+"""
+Export module for coverting MISP events into OSQuery query pack.
+Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py
+"""
+
+import base64
+import json
+import csv
+import re
+
+
+misperrors = {"error": "Error"}
+
+types_to_use = ['regkey', 'mutex']
+
+
+userConfig = {
+
+};
+
+moduleconfig = []
+
+# fixed for now, options in the future:
+# event, attribute, event-collection, attribute-collection
+inputSource = ['event']
+
+outputFileExtension = 'conf'
+responseType = 'application/txt'
+
+
+moduleinfo = {'version': '0.1', 'author': 'Julien Bachmann, Hacknowledge',
+              'description': 'OSQuery query export module',
+              'module-type': ['export']}
+
+# test : http://misp.vm/events/view/23
+def handle_regkey(value):
+    rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
+    rep = dict((re.escape(k), v) for k, v in rep.items())
+    pattern = re.compile("|".join(rep.keys()))
+    value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value)
+    return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value
+
+def handle_mutex(value):
+    return '#waiting acceptance of Scott Lundgren PR that would allow to query Kernel Objects'
+
+handlers = {
+    'regkey' : handle_regkey,
+    'mutex' : handle_mutex
+}
+
+def handler(q=False):
+    if q is False:
+        return False
+    r = {'results': []}
+    request = json.loads(q)
+    output = ''
+
+    for event in request["data"]:
+        for attribute in event["Attribute"]:
+            if attribute['type'] in types_to_use:
+                    output = output + handlers[attribute['type']](attribute['value']) + '\n'
+    r = {"response":[], "data":str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
+    return r
+
+
+def introspection():
+    modulesetup = {}
+    try:
+        responseType
+        modulesetup['responseType'] = responseType
+    except NameError:
+        pass
+    try:
+        userConfig
+        modulesetup['userConfig'] = userConfig
+    except NameError:
+        pass
+    try:
+        outputFileExtension
+        modulesetup['outputFileExtension'] = outputFileExtension
+    except NameError:
+        pass
+    try:
+        inputSource
+        modulesetup['inputSource'] = inputSource
+    except NameError:
+        pass
+    return modulesetup
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo