initial implementation supporting regkey. mutexes support waiting osquery table

pull/237/head
milkmix 2018-06-23 15:51:38 +02:00
parent f0d47fbc63
commit 0c6a205136
2 changed files with 94 additions and 1 deletions

View File

@ -1 +1 @@
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export']
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export', 'osqueryexport']

View File

@ -0,0 +1,93 @@
"""
Export module for coverting MISP events into OSQuery query pack.
Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py
"""
import base64
import json
import csv
import re
misperrors = {"error": "Error"}
types_to_use = ['regkey', 'mutex']
userConfig = {
};
moduleconfig = []
# fixed for now, options in the future:
# event, attribute, event-collection, attribute-collection
inputSource = ['event']
outputFileExtension = 'conf'
responseType = 'application/txt'
moduleinfo = {'version': '0.1', 'author': 'Julien Bachmann, Hacknowledge',
'description': 'OSQuery query export module',
'module-type': ['export']}
# test : http://misp.vm/events/view/23
def handle_regkey(value):
rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'}
rep = dict((re.escape(k), v) for k, v in rep.items())
pattern = re.compile("|".join(rep.keys()))
value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value)
return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value
def handle_mutex(value):
return '#waiting acceptance of Scott Lundgren PR that would allow to query Kernel Objects'
handlers = {
'regkey' : handle_regkey,
'mutex' : handle_mutex
}
def handler(q=False):
if q is False:
return False
r = {'results': []}
request = json.loads(q)
output = ''
for event in request["data"]:
for attribute in event["Attribute"]:
if attribute['type'] in types_to_use:
output = output + handlers[attribute['type']](attribute['value']) + '\n'
r = {"response":[], "data":str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
return r
def introspection():
modulesetup = {}
try:
responseType
modulesetup['responseType'] = responseType
except NameError:
pass
try:
userConfig
modulesetup['userConfig'] = userConfig
except NameError:
pass
try:
outputFileExtension
modulesetup['outputFileExtension'] = outputFileExtension
except NameError:
pass
try:
inputSource
modulesetup['inputSource'] = inputSource
except NameError:
pass
return modulesetup
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo