mirror of https://github.com/MISP/misp-modules
initial implementation supporting regkey. mutexes support waiting osquery table
parent
f0d47fbc63
commit
0c6a205136
|
@ -1 +1 @@
|
|||
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export']
|
||||
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export', 'osqueryexport']
|
||||
|
|
|
@ -0,0 +1,93 @@
|
|||
"""
|
||||
Export module for coverting MISP events into OSQuery query pack.
|
||||
Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py
|
||||
"""
|
||||
|
||||
import base64
|
||||
import json
|
||||
import csv
|
||||
import re
|
||||
|
||||
|
||||
misperrors = {"error": "Error"}
|
||||
|
||||
types_to_use = ['regkey', 'mutex']
|
||||
|
||||
|
||||
userConfig = {
|
||||
|
||||
};
|
||||
|
||||
moduleconfig = []
|
||||
|
||||
# fixed for now, options in the future:
|
||||
# event, attribute, event-collection, attribute-collection
|
||||
inputSource = ['event']
|
||||
|
||||
outputFileExtension = 'conf'
|
||||
responseType = 'application/txt'
|
||||
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Julien Bachmann, Hacknowledge',
|
||||
'description': 'OSQuery query export module',
|
||||
'module-type': ['export']}
|
||||
|
||||
# test : http://misp.vm/events/view/23
|
||||
def handle_regkey(value):
|
||||
rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
|
||||
rep = dict((re.escape(k), v) for k, v in rep.items())
|
||||
pattern = re.compile("|".join(rep.keys()))
|
||||
value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value)
|
||||
return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value
|
||||
|
||||
def handle_mutex(value):
|
||||
return '#waiting acceptance of Scott Lundgren PR that would allow to query Kernel Objects'
|
||||
|
||||
handlers = {
|
||||
'regkey' : handle_regkey,
|
||||
'mutex' : handle_mutex
|
||||
}
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
r = {'results': []}
|
||||
request = json.loads(q)
|
||||
output = ''
|
||||
|
||||
for event in request["data"]:
|
||||
for attribute in event["Attribute"]:
|
||||
if attribute['type'] in types_to_use:
|
||||
output = output + handlers[attribute['type']](attribute['value']) + '\n'
|
||||
r = {"response":[], "data":str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
|
||||
return r
|
||||
|
||||
|
||||
def introspection():
|
||||
modulesetup = {}
|
||||
try:
|
||||
responseType
|
||||
modulesetup['responseType'] = responseType
|
||||
except NameError:
|
||||
pass
|
||||
try:
|
||||
userConfig
|
||||
modulesetup['userConfig'] = userConfig
|
||||
except NameError:
|
||||
pass
|
||||
try:
|
||||
outputFileExtension
|
||||
modulesetup['outputFileExtension'] = outputFileExtension
|
||||
except NameError:
|
||||
pass
|
||||
try:
|
||||
inputSource
|
||||
modulesetup['inputSource'] = inputSource
|
||||
except NameError:
|
||||
pass
|
||||
return modulesetup
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
Loading…
Reference in New Issue