diff --git a/.gitchangelog.rc b/.gitchangelog.rc new file mode 100644 index 0000000..19d9b85 --- /dev/null +++ b/.gitchangelog.rc @@ -0,0 +1,289 @@ +# -*- coding: utf-8; mode: python -*- +## +## Format +## +## ACTION: [AUDIENCE:] COMMIT_MSG [!TAG ...] +## +## Description +## +## ACTION is one of 'chg', 'fix', 'new' +## +## Is WHAT the change is about. +## +## 'chg' is for refactor, small improvement, cosmetic changes... +## 'fix' is for bug fixes +## 'new' is for new features, big improvement +## +## AUDIENCE is optional and one of 'dev', 'usr', 'pkg', 'test', 'doc'|'docs' +## +## Is WHO is concerned by the change. +## +## 'dev' is for developpers (API changes, refactors...) +## 'usr' is for final users (UI changes) +## 'pkg' is for packagers (packaging changes) +## 'test' is for testers (test only related changes) +## 'doc' is for doc guys (doc only changes) +## +## COMMIT_MSG is ... well ... the commit message itself. +## +## TAGs are additionnal adjective as 'refactor' 'minor' 'cosmetic' +## +## They are preceded with a '!' or a '@' (prefer the former, as the +## latter is wrongly interpreted in github.) Commonly used tags are: +## +## 'refactor' is obviously for refactoring code only +## 'minor' is for a very meaningless change (a typo, adding a comment) +## 'cosmetic' is for cosmetic driven change (re-indentation, 80-col...) +## 'wip' is for partial functionality but complete subfunctionality. +## +## Example: +## +## new: usr: support of bazaar implemented +## chg: re-indentend some lines !cosmetic +## new: dev: updated code to be compatible with last version of killer lib. +## fix: pkg: updated year of licence coverage. +## new: test: added a bunch of test around user usability of feature X. +## fix: typo in spelling my name in comment. !minor +## +## Please note that multi-line commit message are supported, and only the +## first line will be considered as the "summary" of the commit message. So +## tags, and other rules only applies to the summary. The body of the commit +## message will be displayed in the changelog without reformatting. + + +## +## ``ignore_regexps`` is a line of regexps +## +## Any commit having its full commit message matching any regexp listed here +## will be ignored and won't be reported in the changelog. +## +ignore_regexps = [ + r'@minor', r'!minor', + r'@cosmetic', r'!cosmetic', + r'@refactor', r'!refactor', + r'@wip', r'!wip', + r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[p|P]kg:', + r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[d|D]ev:', + r'^(.{3,3}\s*:)?\s*[fF]irst commit.?\s*$', + ] + + +## ``section_regexps`` is a list of 2-tuples associating a string label and a +## list of regexp +## +## Commit messages will be classified in sections thanks to this. Section +## titles are the label, and a commit is classified under this section if any +## of the regexps associated is matching. +## +## Please note that ``section_regexps`` will only classify commits and won't +## make any changes to the contents. So you'll probably want to go check +## ``subject_process`` (or ``body_process``) to do some changes to the subject, +## whenever you are tweaking this variable. +## +section_regexps = [ + ('New', [ + r'^[nN]ew\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$', + ]), + ('Changes', [ + r'^[cC]hg\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$', + ]), + ('Fix', [ + r'^[fF]ix\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$', + ]), + + ('Other', None ## Match all lines + ), + +] + + +## ``body_process`` is a callable +## +## This callable will be given the original body and result will +## be used in the changelog. +## +## Available constructs are: +## +## - any python callable that take one txt argument and return txt argument. +## +## - ReSub(pattern, replacement): will apply regexp substitution. +## +## - Indent(chars=" "): will indent the text with the prefix +## Please remember that template engines gets also to modify the text and +## will usually indent themselves the text if needed. +## +## - Wrap(regexp=r"\n\n"): re-wrap text in separate paragraph to fill 80-Columns +## +## - noop: do nothing +## +## - ucfirst: ensure the first letter is uppercase. +## (usually used in the ``subject_process`` pipeline) +## +## - final_dot: ensure text finishes with a dot +## (usually used in the ``subject_process`` pipeline) +## +## - strip: remove any spaces before or after the content of the string +## +## - SetIfEmpty(msg="No commit message."): will set the text to +## whatever given ``msg`` if the current text is empty. +## +## Additionally, you can `pipe` the provided filters, for instance: +#body_process = Wrap(regexp=r'\n(?=\w+\s*:)') | Indent(chars=" ") +#body_process = Wrap(regexp=r'\n(?=\w+\s*:)') +#body_process = noop +body_process = ReSub(r'((^|\n)[A-Z]\w+(-\w+)*: .*(\n\s+.*)*)+$', r'') | strip + + +## ``subject_process`` is a callable +## +## This callable will be given the original subject and result will +## be used in the changelog. +## +## Available constructs are those listed in ``body_process`` doc. +subject_process = (strip | + ReSub(r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n@]*)(@[a-z]+\s+)*$', r'\4') | + SetIfEmpty("No commit message.") | ucfirst | final_dot) + + +## ``tag_filter_regexp`` is a regexp +## +## Tags that will be used for the changelog must match this regexp. +## +tag_filter_regexp = r'^v[0-9]+\.[0-9]+\.[0-9]+$' + + + +## ``unreleased_version_label`` is a string or a callable that outputs a string +## +## This label will be used as the changelog Title of the last set of changes +## between last valid tag and HEAD if any. +unreleased_version_label = "%%version%% (unreleased)" + + +## ``output_engine`` is a callable +## +## This will change the output format of the generated changelog file +## +## Available choices are: +## +## - rest_py +## +## Legacy pure python engine, outputs ReSTructured text. +## This is the default. +## +## - mustache() +## +## Template name could be any of the available templates in +## ``templates/mustache/*.tpl``. +## Requires python package ``pystache``. +## Examples: +## - mustache("markdown") +## - mustache("restructuredtext") +## +## - makotemplate() +## +## Template name could be any of the available templates in +## ``templates/mako/*.tpl``. +## Requires python package ``mako``. +## Examples: +## - makotemplate("restructuredtext") +## +#output_engine = rest_py +#output_engine = mustache("restructuredtext") +output_engine = mustache("markdown") +#output_engine = makotemplate("restructuredtext") + + +## ``include_merge`` is a boolean +## +## This option tells git-log whether to include merge commits in the log. +## The default is to include them. +include_merge = True + + +## ``log_encoding`` is a string identifier +## +## This option tells gitchangelog what encoding is outputed by ``git log``. +## The default is to be clever about it: it checks ``git config`` for +## ``i18n.logOutputEncoding``, and if not found will default to git's own +## default: ``utf-8``. +#log_encoding = 'utf-8' + + +## ``publish`` is a callable +## +## Sets what ``gitchangelog`` should do with the output generated by +## the output engine. ``publish`` is a callable taking one argument +## that is an interator on lines from the output engine. +## +## Some helper callable are provided: +## +## Available choices are: +## +## - stdout +## +## Outputs directly to standard output +## (This is the default) +## +## - FileInsertAtFirstRegexMatch(file, pattern, idx=lamda m: m.start()) +## +## Creates a callable that will parse given file for the given +## regex pattern and will insert the output in the file. +## ``idx`` is a callable that receive the matching object and +## must return a integer index point where to insert the +## the output in the file. Default is to return the position of +## the start of the matched string. +## +## - FileRegexSubst(file, pattern, replace, flags) +## +## Apply a replace inplace in the given file. Your regex pattern must +## take care of everything and might be more complex. Check the README +## for a complete copy-pastable example. +## +# publish = FileInsertIntoFirstRegexMatch( +# "CHANGELOG.rst", +# r'/(?P[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n/', +# idx=lambda m: m.start(1) +# ) +#publish = stdout + + +## ``revs`` is a list of callable or a list of string +## +## callable will be called to resolve as strings and allow dynamical +## computation of these. The result will be used as revisions for +## gitchangelog (as if directly stated on the command line). This allows +## to filter exaclty which commits will be read by gitchangelog. +## +## To get a full documentation on the format of these strings, please +## refer to the ``git rev-list`` arguments. There are many examples. +## +## Using callables is especially useful, for instance, if you +## are using gitchangelog to generate incrementally your changelog. +## +## Some helpers are provided, you can use them:: +## +## - FileFirstRegexMatch(file, pattern): will return a callable that will +## return the first string match for the given pattern in the given file. +## If you use named sub-patterns in your regex pattern, it'll output only +## the string matching the regex pattern named "rev". +## +## - Caret(rev): will return the rev prefixed by a "^", which is a +## way to remove the given revision and all its ancestor. +## +## Please note that if you provide a rev-list on the command line, it'll +## replace this value (which will then be ignored). +## +## If empty, then ``gitchangelog`` will act as it had to generate a full +## changelog. +## +## The default is to use all commits to make the changelog. +#revs = ["^1.0.3", ] +#revs = [ +# Caret( +# FileFirstRegexMatch( +# "CHANGELOG.rst", +# r"(?P[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n")), +# "HEAD" +#] +revs = [] diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml new file mode 100644 index 0000000..cf717e5 --- /dev/null +++ b/.github/workflows/python-package.yml @@ -0,0 +1,53 @@ +name: Python package + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + build: + + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + python-version: ["3.7", "3.8", "3.9", "3.10"] + + steps: + - name: Install packages + run: | + sudo apt-get install libpoppler-cpp-dev libzbar0 tesseract-ocr + - uses: actions/checkout@v2 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + - name: Cache Python dependencies + uses: actions/cache@v2 + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('REQUIREMENTS') }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip + python -m pip install flake8 pytest + # pyfaul must be installed manually (?) + pip install -r REQUIREMENTS pyfaup + pip install . + - name: Lint with flake8 + run: | + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + # Run server in background + misp-modules -l 127.0.0.1 -s & + sleep 5 + # Check if modules are running + curl -sS localhost:6666/modules + # Run tests + pytest tests diff --git a/.gitignore b/.gitignore index 3d994af..4c3db86 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,13 @@ misp_modules.egg-info/ docs/expansion* docs/import_mod* docs/export_mod* -site* \ No newline at end of file +site* + +#pycharm env +.idea/* + +#venv +venv* + +#vscode +.vscode* \ No newline at end of file diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e9f78ac --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "misp_modules/lib/misp-objects"] + path = misp_modules/lib/misp-objects + url = https://github.com/MISP/misp-objects.git + branch = main diff --git a/.travis.yml b/.travis.yml index 4d551b2..9332806 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,13 +11,11 @@ python: - "3.7-dev" - "3.8-dev" -before_install: - - docker build -t misp-modules --build-arg BUILD_DATE=$(date -u +"%Y-%m-%d") docker/ - install: - sudo apt-get install libzbar0 libzbar-dev libpoppler-cpp-dev tesseract-ocr libfuzzy-dev libcaca-dev liblua5.3-dev - pip install pipenv - - pipenv install --dev + - pip install -r REQUIREMENTS + # - pipenv install --dev # install gtcaca - git clone git://github.com/stricaud/gtcaca.git - mkdir -p gtcaca/build @@ -37,20 +35,22 @@ install: - popd script: - - pipenv run coverage run -m --parallel-mode --source=misp_modules misp_modules.__init__ -l 127.0.0.1 & + - pip install coverage + - coverage run -m --parallel-mode --source=misp_modules misp_modules.__init__ -l 127.0.0.1 & - pid=$! - sleep 5 - - pipenv run nosetests --with-coverage --cover-package=misp_modules + - nosetests --with-coverage --cover-package=misp_modules - kill -s KILL $pid - pushd ~/ - - pipenv run coverage run -m --parallel-mode --source=misp_modules misp_modules.__init__ -s -l 127.0.0.1 & + - coverage run -m --parallel-mode --source=misp_modules misp_modules.__init__ -s -l 127.0.0.1 & - pid=$! - popd - sleep 5 - - pipenv run nosetests --with-coverage --cover-package=misp_modules + - nosetests --with-coverage --cover-package=misp_modules - kill -s KILL $pid - - pipenv run flake8 --ignore=E501,W503,E226 misp_modules + - pip install flake8 + - flake8 --ignore=E501,W503,E226,E126 misp_modules after_success: - - pipenv run coverage combine .coverage* - - pipenv run codecov + - coverage combine .coverage* + - codecov diff --git a/ChangeLog.md b/ChangeLog.md new file mode 100644 index 0000000..010d2a7 --- /dev/null +++ b/ChangeLog.md @@ -0,0 +1,4602 @@ +# Changelog + + +## v2.4.141 (2021-04-19) + +### Changes + +* [tests] LiveCI set for RBL tests (network connectivity issues in the CI) [Alexandre Dulaunoy] + +* [rbl] Added a timeout parameter to change the resolver timeout & lifetime if needed. [chrisr3d] + +* [rbl] Small changes on the rbl list and the results handling. [chrisr3d] + +* [test] skip some tests if running in the CI (API limitation or specific host issues) [Alexandre Dulaunoy] + +* [tests] historical records in threatcrowd. [Alexandre Dulaunoy] + +* [test] fixing IP addresses. [Alexandre Dulaunoy] + +* [passivetotal] new test IP address. [Alexandre Dulaunoy] + +* [farsight] make PEP happy. [Alexandre Dulaunoy] + +* [requirements] openpyxl added. [Alexandre Dulaunoy] + +* [travis] missing dep. [Alexandre Dulaunoy] + +* [test expansion] IPv4 address of CIRCL updated. [Alexandre Dulaunoy] + +* [coverage] install. [Alexandre Dulaunoy] + +* [pipenv] removed. [Alexandre Dulaunoy] + +* [travis] get rid of pipenv. [Alexandre Dulaunoy] + +* [Pipfile.lock] updated. [Alexandre Dulaunoy] + +* [doc] fix index of mkdocs. [Alexandre Dulaunoy] + +* [documentation] updated. [Alexandre Dulaunoy] + +* [farsight_passivedns] Making first_time and last_time results human readable. [chrisr3d] + + - We get the datetime format instead of the raw + timestamp + +* Bump deps. [Raphaël Vinot] + +* [farsight_passivedns] Making first_time and last_time results human readable. [chrisr3d] + + - We get the datetime format instead of the raw + timestamp + +* [farsight_passivedns] Added input types for more flex queries. [chrisr3d] + + - Standard types still supported as before + - Name or ip lookup, with optional flex queries + - New attribute types added will only send flex + queries to the DNSDB API + +* [doc] fix #460 - rh install. [Alexandre Dulaunoy] + +* [requirements] fix 463. [Alexandre Dulaunoy] + +### Fix + +* [tests] Fixed btc_steroids test assertion. [chrisr3d] + +* [ocr_enrich] Making Pep8 happy. [chrisr3d] + +* [tests] Fixed variable names that have been changed with the latest commit. [chrisr3d] + +* [ocr_enrich] Fixed tesseract input format. [chrisr3d] + + - It looks like the `image_to_string` method now + assumes RGB format and the `imdecode` method + seems to give BGR format, so we convert the + image array before + +* [tests] Fixed tests for some modules waiting for standard MISP Attribute format as input. [chrisr3d] + +* [tests] Fixed hibp test which requires an API key. [chrisr3d] + +* [hibp] Fixed config handling to avoir KeyError exceptions. [chrisr3d] + +* [test] dns module. [Alexandre Dulaunoy] + +* [main] Disable duplicate JSON decoding. [Jakub Onderka] + +* [cve_advanced] Some CVEs are not in CWE format but in NVD-CWE-Other. [Alexandre Dulaunoy] + +* [farsight_passivedns] Fixed lookup_rdata_name results desclaration. [chrisr3d] + + - Getting generator as a list as it is already the + case for all the other results, so it avoids + issues to read the results by accidently looping + through the generator before it is actually + needed, which would lose the content of the + generator + - Also removed print that was accidently introduced + with the last commit + +* [farsight_passivedns] Excluding last_seen value for now, in order to get the available results. [chrisr3d] + + - With last_seen set we can easily get results + included in a certain time frame (between first + seen and last seen), but we do not get the + latest results. In order to get those ones, we + skip filtering on the time_last_before value + +* [farsight_passivedns] Fixed lookup_rdata_name results desclaration. [chrisr3d] + + - Getting generator as a list as it is already the + case for all the other results, so it avoids + issues to read the results by accidently looping + through the generator before it is actually + needed, which would lose the content of the + generator + - Also removed print that was accidently introduced + with the last commit + +* Making pep8 happy. [chrisr3d] + +* [farsight_passivedns] Fixed queries to the API. [chrisr3d] + + - Since flex queries input may be email addresses, + we nake sure we replace '@' by '.' in the flex + queries input. + - We also run the flex queries with the input as + is first, before runnning them as second time + with '.' characters escaped: '\\.' + +* Google.py module. [Jürgen Löhel] + + The search result does not include always 3 elements. It's better to + enumerate here. + The googleapi fails sometimes. Retry it 3 times. + +* Google.py module. [Jürgen Löhel] + + Corrects import for gh.com/abenassi/Google-Search-API. + +* Consider mail body as UTF-8 encoded. [Jakub Onderka] + +### Other + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [Alexandre Dulaunoy] + +* Fix; [tests] Changes on assertion statements that should fix the passivetotal, rbl & shodan tests. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [Alexandre Dulaunoy] + +* Merge pull request #435 from JakubOnderka/remove-duplicate-decoding. [Alexandre Dulaunoy] + + fix: [main] Remove duplicate JSON decoding + +* Add: [farsight_passivedns] Adding first_seen & last_seen (when available) in passivedns objects. [chrisr3d] + + - The object_relation `time_first` is added as the + `first_seen` value of the object + - Same with `time_last` -> `last_seen` + +* Merge branch 'main' of github.com:MISP/misp-modules into new_features. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into new_features. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into new_features. [chrisr3d] + +* Merge pull request #484 from GreyNoise-Intelligence/main. [Alexandre Dulaunoy] + + Update to GreyNoise expansion module + +* Update community api to released ver. [Brad Chiappetta] + +* Fix ver info. [Brad Chiappetta] + +* Updates for greynoise community api. [Brad Chiappetta] + +* Merge pull request #485 from jgwilson42/patch-1. [Alexandre Dulaunoy] + + Update README.md + +* Update README.md. [James Wilson] + + Ensure that the clone of misp-modules is owned by www-data + +* Merge pull request #482 from MISP/new_features. [Alexandre Dulaunoy] + + Farsight_passivedns module updated with new input types compatible with flex queries + +* Add: [farsight_passivedns] New lookup argument based on the first_seen & last_seen fields. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into new_features. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into new_features. [chrisr3d] + +* Merge pull request #481 from cocaman/main. [Alexandre Dulaunoy] + + Adding ThreatFox enrichment module + +* Adding additional tags. [Corsin Camichel] + +* First version of ThreatFox enrichment module. [Corsin Camichel] + +* Merge pull request #480 from cocaman/patch-1. [Alexandre Dulaunoy] + + updating "hibp" for API version 3 + +* Updating "hibp" for API version 3. [Corsin Camichel] + +* Merge pull request #477 from jloehel/fix/google-module. [Alexandre Dulaunoy] + + Fix/google module + +* Merge pull request #476 from digihash/patch-1. [Alexandre Dulaunoy] + + Update README.md + +* Update README.md. [Kevin Holvoet] + + Added fix based on https://github.com/MISP/MISP/issues/4045 + +* Merge pull request #475 from adammchugh/patch-3. [Alexandre Dulaunoy] + + Fixed the censys version + +* Fixed the censys version. [adammchugh] + + Unsure how I managed to get the version so wrong, but I have updated it to the current version and confirmed as working. + +* Merge pull request #474 from JakubOnderka/patch-4. [Alexandre Dulaunoy] + + fix: Consider mail body as UTF-8 encoded + +* Merge pull request #473 from adammchugh/patch-2. [Alexandre Dulaunoy] + + Change to pandas version requirement to address pip install failure + +* Included missing dependencies for censys and pyfaup. [adammchugh] + + Added censys dependency + Added pyfaup dependency + +* Change to pandas version requirement to address pip install failure. [adammchugh] + + Updated pandas version to 1.1.5 to allow pip install as defined at https://github.com/MISP/misp-modules to complete successfully. + +* Merge pull request #470 from adammchugh/patch-1. [Alexandre Dulaunoy] + + Update assemblyline_submit.py - Add verify SSL option + +* Update assemblyline_submit.py. [adammchugh] + +* Update assemblyline_query.py. [adammchugh] + +* Update assemblyline_submit.py. [adammchugh] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [Alexandre Dulaunoy] + +* Update README long hyphen is not standard ASCII hyphen. [Alexandre Dulaunoy] + + Fix #464 + + +## v2.4.137 (2021-01-25) + +### Changes + +* Bump deps. [Raphaël Vinot] + +* Bump requirements. [Raphaël Vinot] + +* [pipenv] Enable email extras for PyMISP. [Jakub Onderka] + +### Fix + +* Bump PyMISP dep to latest. [Raphaël Vinot] + +* Use PyMISP from PyPi. [Raphaël Vinot] + +* Use pymisp from pypi. [Raphaël Vinot] + +* [pipenv] Missing clamd. [Jakub Onderka] + +### Other + +* Merge pull request #466 from NoDataFound/main. [Alexandre Dulaunoy] + + Corrected VMray rest API import + +* Corrected VMray rest API import. [Cory Kennedy] + + When loading misp-modules, the VMray module ```modules/expansion/vmray_submit.py ``` incorrectly imports the library. VMray's documentation and examples here: https://pypi.org/project/vmray-rest-api/#history also reflect this change as the correct import. + +* Merge pull request #457 from trustar/main. [Alexandre Dulaunoy] + + added more explicit error messages for indicators that return no enri… + +* Added more explicit error messages for indicators that return no enrichment data. [Jesse Hedden] + +* Merge pull request #452 from kuselfu/main. [Alexandre Dulaunoy] + + update vmray_import, add vmray_summary_json_import + +* Fix imports and unused variables. [Jens Thom] + +* Resolve merge conflict. [Jens Thom] + +* Merge remote-tracking branch 'upstream/main' into main. [Jens Thom] + +* Merge pull request #451 from JakubOnderka/versions-update. [Alexandre Dulaunoy] + + fix: [pipenv] Missing clamd + +* Merge pull request #450 from JakubOnderka/versions-update. [Alexandre Dulaunoy] + + chg: [pipenv] Enable email extras for PyMISP + +* Merge pull request #448 from HacknowledgeCH/export_defender_endpoint. [Alexandre Dulaunoy] + + Export defender endpoint + +* Fixed error reported by LGTM analysis. [milkmix] + +* Added documentation. [milkmix] + +* Added missing quotes. [milkmix] + +* Added URL support. [milkmix] + +* Typo in python src name. [milkmix] + +* Initial work on Defender for Endpoint export module. [milkmix] + +* * add parser for report version v1 and v2 * add summary JSON import module. [Jens Thom] + + +## v2.4.134 (2020-11-18) + +### New + +* [expansion] Added html_to_markdown module. [mokaddem] + + It fetches the HTML from the provided URL, performs a bit of DOM + clean-up then convert it into markdown + +* [clamav] Module for malware scan by ClamAV. [Jakub Onderka] + +* [passivedns, passivessl] Add support for ip-src|port and ip-dst|port. [Jakub Onderka] + +* Censys Expansion module. [Golbark] + +* Expansion module to query MALWAREbazaar API with some hash attribute. [chrisr3d] + +### Changes + +* [pipenv] Updated lock Pipfile again. [chrisr3d] + +* [pipenv] Updated lock Pipfile. [chrisr3d] + +* Added socialscan library in Pipfile and updated the lock file. [chrisr3d] + +* [documentation] Cleaner documentation directories & auto-generation. [chrisr3d] + + Including: + - A move of the previous `doc` and `docs` directories to `documentation` + - `documentation` is now the default directory + - The documentation previously under `doc` is now in `documentation/website` + - The mkdocs previously under `docs` is now in `documentation/mkdocs` + - All single JSON documentation files have been JQed + - Some small improvements to list fields displaying + +* [pipenv] Updated Pipfile. [chrisr3d] + +* [documentation] Updated the farsight-passivedns documentation. [chrisr3d] + +* [cpe] Added default limit to the results. [chrisr3d] + + - Results returned by CVE-search are sorted by + cvss score and limited in number to avoid + potential massive amount of data retuned back + to MISP. + - Users can overwrite the default limit with the + configuration already present as optional, and + can also set the limit to 0 to get the full list + of results + +* [farsight_passivedns] Now using the dnsdb2 python library. [chrisr3d] + + - Also updated the results parsing to check in + each returned result for every field if they are + included, to avoid key errors if any field is + missing + +* [cpe] Support of the new CVE-Search API. [chrisr3d] + +* [doc] Updated the farsight_passivedns module documentation. [chrisr3d] + +* [farsight_passivedns] More context added to the results. [chrisr3d] + + - References between the passive-dns objects and + the initial attribute + - Comment on object attributes mentioning whether + the results come from an rrset or an rdata + lookup + +* [farsight_passivedns] Rework of the module to return MISP objects. [chrisr3d] + + - All the results are parsed as passive-dns MISP + objects + - More love to give to the parsing to add + references between the passive-dns objects and + the input attribute, depending on the type of + the query (rrset or rdata), or the rrtype + (to be determined) + +* [cpe] Changed CVE-Search API default url. [chrisr3d] + +* [clamav] Add reference to original attribute. [Jakub Onderka] + +* [clamav] TCP port connection must be an integer. [Alexandre Dulaunoy] + +* Bump deps. [Raphaël Vinot] + +* Updated expansion modules documentation. [chrisr3d] + + - Added documentation for the missing modules + - Renamed some of the documentation files to match + with the module names and avoid issues within + the documentation file (README.md) with the link + of the miss-spelled module names + +* Updated the bgpranking expansion module test. [chrisr3d] + +* Updated documentation for the recently updated bgpranking module. [chrisr3d] + +* Updated the bgpranking expansion module to return MISP objects. [chrisr3d] + + - The module no longer returns freetext, since the + result returned to the freetext import as text + only allowed MISP to parse the same AS number as + the input attribute. + - The new result returned with the updated module + is an asn object describing more precisely the + AS number, and its ranking for a given day + +* Turned the Shodan expansion module into a misp_standard format module. [chrisr3d] + + - As expected with the misp_standard modules, the + input is a full attribute and the module is able + to return attributes and objects + - There was a lot of data that was parsed as regkey + attributes by the freetext import, the module now + parses properly the different field of the result + of the query returned by Shodan + +* Updated documentation about the greynoise module. [chrisr3d] + +* Updated Greynoise tests following the latest changes on the expansion module. [chrisr3d] + +* Making use of the Greynoise v2 API. [chrisr3d] + +* Bump deps. [Raphaël Vinot] + +* [doc] Added details about faup. [Steve Clement] + +* [doc] in case btc expansion fails, give another hint at why it fails. [Steve Clement] + +* [travis] Added gtcaca and liblua to faup. [Steve Clement] + +* [travis] Added py3.8. [Steve Clement] + +* Bump dependencies. [Raphaël Vinot] + + Should fix https://github.com/MISP/MISP/issues/5739 + +* Quick ransomdncoin test just to make sure the module loads. [chrisr3d] + + - I do not have any api key right now, so the test + should just reach the error + +* Catching missing config issue. [chrisr3d] + +### Fix + +* [pipenv] Removed duplicated dnsdb2 entry that I missed while merging conflict. [chrisr3d] + +* Removed debugging print command. [chrisr3d] + +* [tests] Less specific assertion for the rbl module test. [chrisr3d] + +* [farsight_passivedns] Fixed pep8 backslash issue. [chrisr3d] + +* [farsight_passivedns] Fixed issue with variable name. [chrisr3d] + +* [documentation] Added missing cpe module documentation. [chrisr3d] + +* [cpe] Fixed typo in vulnerable-configuration object relation fields. [chrisr3d] + +* [farsight_passivedns] Fixed typo in the lookup fields. [chrisr3d] + +* [farsight_passivedns] Uncommented mandatory field that was commented for tests. [chrisr3d] + +* [tests] Small fixes on the expansion tests. [chrisr3d] + +* [dnsdb] Avoiding AttributeError with the sys library, probably depending on the python version. [chrisr3d] + +* [documentation] Updated links to the scripts, with the default branch no longer being master, but main. [chrisr3d] + +* Typo. [chrisr3d] + +* Updated Pipfile. [chrisr3d] + +* [cpe] Typos and variable name issues fixed + Making the module available in MISP. [chrisr3d] + +* [cve-advanced] Using the cpe and weakness attribute types. [chrisr3d] + +* [cve_advanced] Avoiding potential MISP object references issues. [chrisr3d] + + - Adding objects as dictionaries in an event may + cause issues in some cases. It is better to pass + the MISP object as is, as it is already a valid + object since the MISPObject class is used + +* [virustotal_public] Resolve key error when user enrich hostname. [chrisr3d] + + - Same as #424 + +* [virustotal] Resolve key error when user enrich hostname. [Jakub Onderka] + +* Typo in EMailObject. [Raphaël Vinot] + + Fix #427 + +* Making pep8 happy. [chrisr3d] + +* Fixed pep8. [chrisr3d] + +* Fixed pep8 + some copy paste issues introduced with the latest commits. [chrisr3d] + +* Avoid issues with the attribute value field name. [chrisr3d] + + - The module setup allows 'value1' as attribute + value field name, but we want to make sure that + users passing standard misp format with 'value' + instead, will not have issues, as well as + keeping the current setup + +* [virustotal] Subdomains is optional in VT response. [Jakub Onderka] + +* Fixed list of sigma backends. [chrisr3d] + +* Fixed validators dependency issues. [chrisr3d] + + - Possible rollback if we get issues with virustotal + +* Removed multiple spaces to comply with pep8. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Removed trustar_import module name in init to avoid validation issues. [chrisr3d] + + (until it is submitted via PR?) + +* [circl_passivessl] Return proper error for IPv6 addresses. [Jakub Onderka] + +* [circl_passivessl] Return not found error. [Jakub Onderka] + + If passivessl returns empty response, return Not found error instead of error in log + +* [circl_passivedns] Return not found error. [Jakub Onderka] + + If passivedns returns empty response, return Not found error instead of error in log + +* [pep] Comply to PEP E261. [Steve Clement] + +* [travis] gtcaca has no build directory. [Steve Clement] + +* [pip] pyfaup required. [Steve Clement] + +* [doc] corrected filenames for 2 docs. [Christophe Vandeplas] + +* Making pep8 happy. [chrisr3d] + +* Catching errors in the reponse of the query to URLhaus. [chrisr3d] + +* Making pep8 happy with indentation. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Removed unused import. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Making the module config available so the module works. [chrisr3d] + +* [VT] Disable SHA512 query for VT. [Jakub Onderka] + +### Other + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge pull request #429 from MISP/new_module. [Christian Studer] + + New module using socialscan to check the availability of an email address or username on some online platforms + +* Merge branch 'main' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Add: Added documentation for the socialscan new module. [chrisr3d] + + - Also quick fix of the message for an invalid + result or response concerning the queried email + address or username + +* Merge branch 'main' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Add: New module using socialscan library to check email addresses and usernames linked to accounts on online platforms. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge pull request #445 from chrisr3d/main. [Christian Studer] + + Added missing cpe module documentation + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Add: [farsight-passivedns] Optional feature to submit flex queries. [chrisr3d] + + - The rrset and rdata queries remain the same but + with the parameter `flex_queries`, users can + also get the results of the flex rrnames & flex + rdata regex queries about their domain, hostname + or ip address + - Results can thus include passive-dns objects + containing the `raw_rdata` object_relation added + with 0a3e948 + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge branch 'chrisr3d_patch' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge pull request #443 from trustar/main. [Alexandre Dulaunoy] + + fixed typo causing firstSeen and lastSeen to not be pulled from enric… + +* Fixed typo causing firstSeen and lastSeen to not be pulled from enrichment data. [Jesse Hedden] + +* Merge pull request #440 from MISP/chrisr3d_patch. [Alexandre Dulaunoy] + + Farsight passivedns module update + +* Merge pull request #437 from chrisr3d/main. [Alexandre Dulaunoy] + + New expansion module to get the vulnerabilities related to a CPE + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge pull request #436 from MISP/new-html-to-markdown. [Christian Studer] + + new: [expansion] Added html_to_markdown module + +* Add: Documentation for the html_to_markdown expansion module. [chrisr3d] + +* Add: Added documentation for the cpe module. [chrisr3d] + +* Add: First shot of an expansio module to query cve-search with a cpe to get the related vulnerabilities. [chrisr3d] + +* Merge pull request #432 from JakubOnderka/clamav. [Alexandre Dulaunoy] + + chg: [clamav] Add reference to original attribute + +* Merge pull request #431 from JakubOnderka/clamav. [Alexandre Dulaunoy] + + new: [clamav] Module for malware scan by ClamAV + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [Raphaël Vinot] + +* Merge pull request #424 from JakubOnderka/vt-subdomains-fix. [Christian Studer] + + fix: [virustotal] Resolve key error when user enrich hostname + +* Merge pull request #426 from hildenjohannes/main. [Alexandre Dulaunoy] + + Recorded Future module: Add proxy support and User-Agent header + +* Add proxy support and User-Agent header. [johannesh] + +* Merge pull request #425 from elhoim/elhoim-patch-1. [Alexandre Dulaunoy] + + Disable correlation for detection-ratio attribute in virustotal.py + +* Disable correlation for detection-ratio in virustotal.py. [David André] + +* Merge pull request #422 from trustar/feat/EN-5047/MISP-manual-update. [Alexandre Dulaunoy] + + Feat/en 5047/misp manual update + +* Merge branch 'main' into feat/EN-5047/MISP-manual-update. [Jesse Hedden] + +* Merge pull request #420 from hildenjohannes/main. [Alexandre Dulaunoy] + + Fix typo error introduced in commit: 3b7a5c4dc2541f3b07baee69a7e8b969… + +* Fix typo error introduced in commit: 3b7a5c4dc2541f3b07baee69a7e8b9694a1627fc. [johannesh] + +* Merge pull request #417 from trustar/feat/EN-4664/trustar-misp. [Alexandre Dulaunoy] + + Feat/en 4664/trustar misp + +* Added description to readme. [Jesse Hedden] + +* Merge branch 'master' of github.com:trustar/misp-modules into feat/EN-4664/trustar-misp. [Jesse Hedden] + +* Removed obsoleted module name. [Jesse Hedden] + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge pull request #416 from hildenjohannes/main. [Alexandre Dulaunoy] + + Add Recorded Future module documentation + +* Improve wording. [johannesh] + +* Add Recorded Future module documentation. [johannesh] + +* Add: Specific error message for misp_standard format expansion modules. [chrisr3d] + + - Checking if the input format is respected and + displaying an error message if it is not + +* Merge pull request #415 from hildenjohannes/main. [Alexandre Dulaunoy] + + Add Recorded Future expansion module + +* Add Recorded Future expansion module. [johannesh] + +* Added comments. [Jesse Hedden] + +* Added comments. [Jesse Hedden] + +* Added comments. [Jesse Hedden] + +* Added error checking. [Jesse Hedden] + +* Updating to include metadata and alter type of trustar link generated. [Jesse Hedden] + +* Merge pull request #1 from trustar/feat/EN-4664/trustar-misp. [Jesse Hedden] + + Feat/en 4664/trustar misp + +* Merge branch 'main' of github.com:MISP/misp-modules into main. [chrisr3d] + +* Merge pull request #411 from JakubOnderka/vt-subdomains-fix. [Alexandre Dulaunoy] + + fix: [virustotal] Subdomains is optional in VT response + +* Merge remote-tracking branch 'origin' into main. [chrisr3d] + +* Add: Trustar python library added to Pipfile. [chrisr3d] + +* Merge branch 'trustar-feat/EN-4664/trustar-misp' [chrisr3d] + +* Merge branch 'feat/EN-4664/trustar-misp' of https://github.com/trustar/misp-modules into trustar-feat/EN-4664/trustar-misp. [chrisr3d] + +* Removed obsolete file. [Jesse Hedden] + +* Corrected variable name. [Jesse Hedden] + +* Fixed indent. [Jesse Hedden] + +* Fixed incorrect attribute name. [Jesse Hedden] + +* Fixed metatag; convert summaries generator to list for error handling. [Jesse Hedden] + +* Added strip to remove potential whitespace. [Jesse Hedden] + +* Removed extra parameter. [Jesse Hedden] + +* Added try/except for TruSTAR API errors and additional comments. [Jesse Hedden] + +* Added comments and increased page size to max for get_indicator_summaries. [Jesse Hedden] + +* Uploaded TruSTAR logo. [Jesse Hedden] + +* Updated client metatag and version. [Jesse Hedden] + +* Added module documentation. [Jesse Hedden] + +* Added client metatag to trustar client. [Jesse Hedden] + +* Ready for code review. [Jesse Hedden] + +* WIP: initial push. [Jesse Hedden] + +* Initial commit. not a working product. need to create a class to manage the MISP event and TruStar client. [Jesse Hedden] + +* Merge pull request #381 from MISP/new_module. [Christian Studer] + + New module for MALWAREbazaar + +* Merge branch 'main' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #407 from JakubOnderka/patch-3. [Alexandre Dulaunoy] + + fix: [circl_passivessl] Return proper error for IPv6 addresses + +* Merge pull request #406 from JakubOnderka/ip-port. [Alexandre Dulaunoy] + + new: [passivedns, passivessl] Add support for ip-src|port and ip-dst|port + +* Merge pull request #405 from JakubOnderka/patch-2. [Alexandre Dulaunoy] + + fix: [circl_passivedns] Return not found error + +* Merge pull request #402 from MISP/dependabot/pip/httplib2-0.18.0. [Alexandre Dulaunoy] + + build(deps): bump httplib2 from 0.17.0 to 0.18.0 + +* Build(deps): bump httplib2 from 0.17.0 to 0.18.0. [dependabot[bot]] + + Bumps [httplib2](https://github.com/httplib2/httplib2) from 0.17.0 to 0.18.0. + - [Release notes](https://github.com/httplib2/httplib2/releases) + - [Changelog](https://github.com/httplib2/httplib2/blob/master/CHANGELOG) + - [Commits](https://github.com/httplib2/httplib2/compare/v0.17.0...v0.18.0) + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #395 from SteveClement/master. [Steve Clement] + + chg: [deps] pyfaup seems to be required but not installed + +* Merge pull request #393 from vmray-labs/update-vmray-module. [Alexandre Dulaunoy] + + Update vmray_submit module + +* Update vmray_submit. [Matthias Meidinger] + + The submit module hat some smaller issues with the reanalyze flag. + The source for the enrichment object has been changed and the robustness + of user supplied config parsing improved. + +* Merge pull request #388 from Golbark/censys_expansion. [Christophe Vandeplas] + + new: usr: Censys Expansion module + +* Fix variable issue in the loop. [Golbark] + +* Adding support for more input types, including multi-types. [Golbark] + +* Add: Added documentation for the latest new modules. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #380 from JakubOnderka/patch-1. [Christian Studer] + + csvimport: Return error if input is not valid UTF-8 + +* Csvimport: Return error if input is not valid UTF-8. [Jakub Onderka] + +* Merge pull request #379 from cudeso/master. [Alexandre Dulaunoy] + + Cytomic Orion MISP Module + +* Documentation for Cytomic Orion. [Koen Van Impe] + +* Update __init__ [Koen Van Impe] + +* Make Travis (a little bit) happy. [Koen Van Impe] + +* Cytomic Orion MISP Module. [Koen Van Impe] + + An expansion module to enrich attributes in MISP and share indicators + of compromise with Cytomic Orion + +* Merge pull request #377 from 0xbennyv/master. [Alexandre Dulaunoy] + + Added SophosLabs Intelix as expansion module + +* Removed Unused Import. [bennyv] + +* Fixed handler error handling for missing config. [bennyv] + +* Fixed formatting in README.md. [bennyv] + +* Updated the README.md for SOPHOSLabs Intelix. [bennyv] + +* Initial Build of SOPHOSLabs Intelix Product. [bennyv] + +* Merge pull request #374 from M0un/projet-m2-oun-gindt. [Christian Studer] + + Rendu projet master2 sécurité par Mathilde OUN et Vincent GINDT // No… + +* Rendu projet master2 sécurité par Mathilde OUN et Vincent GINDT // Nouveau module misp de recherche google sur les urls. [Mathilde Oun et Vincent Gindt] + +* Merge pull request #373 from seanthegeek/patch-1. [Christian Studer] + + Create missing __init__.py for _ransomcoindb + +* Revert change inteded for other patch. [Sean Whalen] + +* Install cmake to build faup. [Sean Whalen] + +* Create __init__.py. [Sean Whalen] + +* Merge pull request #371 from GlennHD/master. [Christian Studer] + + Added GeoIP_City and GeoIP_ASN Database Modules + +* Update geoip_asn.py. [GlennHD] + +* Update geoip_city.py. [GlennHD] + +* Added geoip_asn and geoip_city to load. [GlennHD] + +* Added GeoIP_ASN Enrichment module. [GlennHD] + +* Added GeoIP_City Enrichment module. [GlennHD] + +* Added GeoIP City and GeoIP ASN Info. [GlennHD] + +* Merge pull request #370 from JakubOnderka/vt-query-sha512. [Alexandre Dulaunoy] + + fix: [VT] Disable SHA512 query for VT + +* Merge pull request #368 from andurin/lastline_verifyssl. [Christian Studer] + + Lastline verify_ssl option + +* Lastline verify_ssl option. [Hendrik] + + Helps people with on-prem boxes + + +## v2.4.121 (2020-02-06) + +### Fix + +* Making pep8 happy. [chrisr3d] + +* [tests] Fixed BGP raking module test. [chrisr3d] + +### Other + +* Merge pull request #367 from joesecurity/master. [Christian Studer] + + joe: (1) allow users to disable PE object import (2) set 'to_ids' to False + +* Joe: (1) allow users to disable PE object import (2) set 'to_ids' to False. [Georg Schölly] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #365 from ostefano/analysis. [Alexandre Dulaunoy] + + change: migrate to analysis API when submitting files to Lastline + +* Change: migrate to analysis API when submitting tasks to Lastline. [Stefano Ortolani] + +* Merge pull request #364 from cudeso/master. [Christian Studer] + + 2nd fix for VT Public module + +* 2nd fix for VT Public module. [Koen Van Impe] + +* Fix error message in Public VT module. [Koen Van Impe] + + +## v2.4.120 (2020-01-21) + +### New + +* Updated ipasn and added vt_graph documentation. [chrisr3d] + +* Enrichment module for querying APIVoid with domain attributes. [chrisr3d] + +### Changes + +* Making ipasn module return asn object(s) [chrisr3d] + + - Latest changes on the returned value as string + broke the freetext parser, because no asn number + could be parsed when we return the full json + blob as a freetext attribute + - Now returning asn object(s) with a reference to + the initial attribute + +* Bumped pipfile.lock with up-to-date libraries and new vt_graph_api library requirement. [chrisr3d] + +* Checking attributes category. [chrisr3d] + + - We check the category before adding the + attribute to the event + - Checking if the category is correct and if not, + doing a case insensitive check + - If the category is not correct after the 2 first + tests, we simply delete it from the attribute + and pymisp will give the attribute a default + category value based on the atttribute type, at + the creation of the attribute + +* Regenerated the modules documentation following the latest changes. [chrisr3d] + +* Updated documentation following the latest changes on the passive dns module. [chrisr3d] + +* Made circl_passivedns module able to return MISP objects. [chrisr3d] + +* Updated documentation following the latest changes on the passive ssl module. [chrisr3d] + +* Made circl_passivessl module able to return MISP objects. [chrisr3d] + +* Bump dependencies. [Raphaël Vinot] + +* Install faup in travis. [Raphaël Vinot] + +* Deactive emails tests, need update. [Raphaël Vinot] + +* Update email import module, support objects. [Raphaël Vinot] + +* Bump dependencies. [Raphaël Vinot] + +### Fix + +* Fixed ipasn test input format + module version updated. [chrisr3d] + +* Updated ipasn test following the latest changes on the module. [chrisr3d] + +* Typo. [chrisr3d] + +* Fixed vt_graph imports. [chrisr3d] + +* Fixed pep8 in the new module and related libraries. [chrisr3d] + +* Fixed typo on function import. [chrisr3d] + +* [doc] Added APIVoid logo. [chrisr3d] + +* Making pep8 happy with whitespace after ':' [chrisr3d] + +* [tests] With values, tests are always better ... [chrisr3d] + +* [tests] Fixed copy paste issue. [chrisr3d] + +* [tests] Fixed error catching in passive dns and ssl modules. [chrisr3d] + +* [tests] Avoiding issues with btc addresses. [chrisr3d] + +* Making pep8 happy by having spaces around '+' operators. [chrisr3d] + +* [tests] Added missing variable. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Missing dependency in travis. [Raphaël Vinot] + +* Properly install pymisp with file object dependencies. [Raphaël Vinot] + +* Quick variable name fix. [chrisr3d] + +* OTX tests were failing, new entry. [Raphaël Vinot] + +* Somewhat broken emails needed some love. [Raphaël Vinot] + +* MIssing parameter in skip. [Raphaël Vinot] + +* Missing pushd. [Raphaël Vinot] + +* Missing sudo. [Raphaël Vinot] + +### Other + +* Merge pull request #361 from VirusTotal/master. [Christian Studer] + + add vt_graph export module + +* Add vt-graph-api to the requirements. [Alvaro Garcia] + +* Add vt_graph export module. [Alvaro Garcia] + +* Merge pull request #360 from ec4n6/patch-1. [Alexandre Dulaunoy] + + Fix ipasn.py bug + +* Update ipasn.py. [Erick Cheng] + +* Add: Documentation for the new API Void module. [chrisr3d] + +* Add: [tests] Test case for the APIVoid module. [chrisr3d] + +* Revert "fix: [tests] Fixed copy paste issue" [chrisr3d] + + This reverts commit fd711475dd84749063f9ff15961453f90c804101. + +* Add: Test cases for reworked passive dns and ssl modules. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + + +## v2.4.119 (2019-12-03) + +### Changes + +* Bump dependencies. [Raphaël Vinot] + +* Use MISPObject in ransomcoindb. [Raphaël Vinot] + +* Reintroducing the limit to reduce the number of recursive calls to the API when querying for a domain. [chrisr3d] + +### Fix + +* Making pep8 happy. [chrisr3d] + +* Fixed AssemblyLine input description. [chrisr3d] + +* Fixed input types list since domain should not be submitted to AssemblyLine. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Added missing AssemblyLine logo. [chrisr3d] + +* Avoiding KeyError exception when no result is found. [chrisr3d] + +### Other + +* Merge pull request #356 from ostefano/lastline. [Alexandre Dulaunoy] + + add: Modules to query/import/submit data from/to Lastline + +* Add: Modules to query/import/submit data from/to Lastline. [Stefano Ortolani] + +* Revert "Merge pull request #341 from StefanKelm/master" [Raphaël Vinot] + + This reverts commit 1df0d9152ed3346a9432393177c89e137bfc0c64, reversing + changes made to 6042619c6b7fb40fd77b5328f933e67e839e1e83. + + This PR was a fixing a typo in a test case. The typo is in a 3rd party + service. + +* Merge pull request #341 from StefanKelm/master. [Raphaël Vinot] + + Update test_expansions.py + +* Update test_expansions.py. [StefanKelm] + + Tiniest of typos + +* Merge branch 'aaronkaplan-master' [Raphaël Vinot] + +* Oops , use relative import. [aaronkaplan] + +* Use a helpful user-agent string. [aaronkaplan] + +* Final url fix. [aaronkaplan] + +* Revert "fix url" [aaronkaplan] + + This reverts commit 44130e2bf9842c03fb80245b90a873917b56df74. + +* Revert "fix url again" [aaronkaplan] + + This reverts commit c5924aee2543b268b296a57096e636261676b63c. + +* Fix url again. [aaronkaplan] + +* Fix url. [aaronkaplan] + +* Mention the ransomcoindb in the README file as a new module. [aaronkaplan] + +* Remove pprint. [aaronkaplan] + +* Initial version of the ransomcoindb expansion module. [aaronkaplan] + +* Merge pull request #352 from aaronkaplan/patch-1. [Alexandre Dulaunoy] + + Update README.md + +* Update README.md. [AaronK] + + fixes #351 + +* Add: Added documentation for the AssemblyLine query module. [chrisr3d] + +* Add: Module to query AssemblyLine and parse the results. [chrisr3d] + + - Takes an AssemblyLine submission link to query + the API and get the full submission report + - Parses the potentially malicious files and the + IPs, domains or URLs they are connecting to + - Possible improvement of the parsing filters in + order to include more data in the MISP event + +* Add: Added documentation and description in readme for the AssemblyLine submit module. [chrisr3d] + +* Add: Updated python dependencies to include the assemblyline_client library. [chrisr3d] + +* Add: New expansion module to submit samples and urls to AssemblyLine. [chrisr3d] + + +## v2.4.118 (2019-11-08) + +### Changes + +* Using EQL module description from blaverick62. [chrisr3d] + +* [test expansion] Enhanced results parsing. [chrisr3d] + +* [travis] skip E226 as it's more a question of style. [Alexandre Dulaunoy] + +* [apiosintds] make flake8 happy. [Alexandre Dulaunoy] + +* [Pipfile] apiosintDS added as required by new module. [Alexandre Dulaunoy] + +* [env] Pipfile updated. [Alexandre Dulaunoy] + +* [pipenv] updated. [Alexandre Dulaunoy] + +* Avoids returning empty values + easier results parsing. [chrisr3d] + +* Taking into consideration if a user agent is specified in the module configuration. [chrisr3d] + +* Updated csv import documentation. [chrisr3d] + +### Fix + +* Fixed csv file parsing. [chrisr3d] + +* Fixed Xforce Exchange authentication + rework. [chrisr3d] + + - Now able to return MISP objects + - Support of the xforce exchange authentication + with apikey & apipassword + +* Added urlscan & secuirtytrails modules in __init__ list. [chrisr3d] + +* Avoiding empty config error on passivetotal module. [chrisr3d] + +* More clarity on the exception raised on the securitytrails module. [chrisr3d] + +* Better exceptions handling on the passivetotal module. [chrisr3d] + +* Fixed results parsing for various module tests. [chrisr3d] + +* Fixed variable name. [chrisr3d] + +* Bumped Pipfile.lock with the latest libraries versions. [chrisr3d] + +* Fixed config parsing and the associated error message. [chrisr3d] + +* Fixed config parsing + results parsing. [chrisr3d] + + - Avoiding errors with config field when it is + empty or the apikey is not set + - Parsing all the results instead of only the + first one + +* Fixed VT results. [chrisr3d] + +* Making urlscan module available in MISP for ip attributes. [chrisr3d] + + - As expected in the the handler function + +* Avoiding various modules to fail with uncritical issues. [chrisr3d] + + - Avoiding securitytrails to fail with an unavailable + feature for free accounts + - Avoiding urlhaus to fail with input attribute + fields that are not critical for the query and + results + - Avoiding VT modules to fail when a certain + resource does not exist in the dataset + +* Fixed config field parsing for various modules. [chrisr3d] + + - Same as previous commit + +* [expansion] Better config field handling for various modules. [chrisr3d] + + - Testing if config is present before trying to + look whithin the config field + - The config field should be there when the module + is called form MISP, but it is not always the + case when the module is queried from somewhere else + +* [test expansion] Using CVE with lighter results. [chrisr3d] + +* Avoid issues when some config fields are not set. [chrisr3d] + +* Updated pipfile.lock with the correct geoip2 library info. [chrisr3d] + +* Fixed requirements for pymisp and geoip python libraries. [chrisr3d] + +* Fixed Geoip with the supported python library + fixed Geolite db path management. [chrisr3d] + +* Removed unused self param turning the associated functions into static methods. [chrisr3d] + +* Updates following the latest CVE-search version. [chrisr3d] + + - Support of the new vulnerable configuration + field for CPE version > 2.2 + - Support of different 'unknown CWE' message + +* Fixed module names with - to avoid errors with python paths. [chrisr3d] + +* Fixed tesseract python library issues. [Christian Studer] + + - Avoiding 'tesseract is not installed or it's not in your path' issues + +* Using absolute path to open files instead of relative path. [chrisr3d] + +* Removed unused import\ [chrisr3d] + +* Handling issues when the otx api is queried too often in a short time. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Avoiding empty values + Fixed empty types error + Fixed filename KeyError. [chrisr3d] + +* Fixed ThreatMiner results parsing. [chrisr3d] + +* Catching wikidata errors properly + fixed errors parsing. [chrisr3d] + +* Grouped two if conditions to avoid issues with variable unassigned if the second condition is not true. [chrisr3d] + +* Handling errors and exceptions for expansion modules tests that could fail due to a connection error. [chrisr3d] + +* Considering the case of empty results. [chrisr3d] + +* Catching results exceptions properly. [chrisr3d] + +* Catching exceptions and results properly depending on the cases. [chrisr3d] + +* Handling cases where there is no result from the query. [chrisr3d] + +* DBL spamhaus test. [chrisr3d] + +* Quick typo & dbl spamhaus test fixes. [chrisr3d] + +* Fixed pattern parsing + made the module hover only. [chrisr3d] + +* Travis tests should be happy now. [chrisr3d] + +* Copy paste syntax error. [chrisr3d] + +* Fixed greynoise test following the latest changes on the module. [chrisr3d] + +* Returning results in text format. [chrisr3d] + + - Makes the hover functionality display the full + result instead of skipping the records list + +* Making pep8 happy. [chrisr3d] + +* Avoiding errors with uncommon lines. [chrisr3d] + + - Excluding first from data parsed all lines that + are comments or empty + - Skipping lines with failing indexes + +* Fixed unassigned variable name. [chrisr3d] + +* Removed no longer used variables. [chrisr3d] + +* Csv import rework & improvement. [chrisr3d] + + - More efficient parsing + - Support of multiple csv formats + - Possibility to customise headers + - More improvement to come for external csv file + +* Making pep8 happy. [chrisr3d] + +* [tests] Fixed tests to avoid config issues with the cve module. [chrisr3d] + + - Config currently empty in the module, but being + updated soon with a pending pull request + +### Other + +* Add: Updated documentation with the EQL export module. [chrisr3d] + +* Merge branch 'master' of github.com:blaverick62/misp-modules. [chrisr3d] + +* Added documentation json for new modules. [Braden Laverick] + +* Updated README to include EQL modules. [Braden Laverick] + +* Add: Xforce Exchange module tests. [chrisr3d] + +* Merge pull request #347 from MISP/tests. [Christian Studer] + + More advanced expansion tests + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Add: Updated documentation with the latest modules info. [chrisr3d] + +* Updated README with new modules and fixed some links. [chrisr3d] + +* Add: Added test for vulners module. [chrisr3d] + +* Add: Added qrcode module test with its test image. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge pull request #346 from blaverick62/master. [Alexandre Dulaunoy] + + EQL Query Generation Modules + +* Removed extraneous comments and unused imports. [Braden Laverick] + +* Fixed python links. [Braden Laverick] + +* Changed file name to mass eql export. [Braden Laverick] + +* Fixed comments. [Braden Laverick] + +* Added ors for compound queries. [Braden Laverick] + +* Fixed syntax error. [Braden Laverick] + +* Changed to single attribute EQL. [Braden Laverick] + +* Added EQL enrichment module. [Braden Laverick] + +* Fixed string formatting. [Braden Laverick] + +* Fixed type error in JSON parsing. [Braden Laverick] + +* Attempting to import endgame module. [Braden Laverick] + +* Added endgame export to __all__ [Braden Laverick] + +* Added EQL export test module. [Braden Laverick] + +* Add: [test expansion] Added various tests for modules with api authentication. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Add: [test expansion] New modules tests. [chrisr3d] + + - Starting testing some modules with api keys + - Testing new apiosintDS module + +* Merge pull request #344 from davidonzo/master. [Alexandre Dulaunoy] + + Added apiosintDS module to query OSINT.digitalside.it services + +* Added apiosintDS module to query OSINT.digitalside.it services. [Davide] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #345 from 0xmilkmix/fix_geoip2. [Alexandre Dulaunoy] + + updated to geoip2 to support mmdb format + +* Updated to geoip2 to support mmdb format. [milkmix] + +* Add: cve_advanced module test + functions to test attributes and objects results. [chrisr3d] + +* Merge pull request #342 from MISP/tests. [Christian Studer] + + More expansion tests + +* Merge branch 'tests' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Add: Tests for all the office, libreoffice, pdf & OCR enrich modules. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Add: threatminer module test. [chrisr3d] + +* Add: Tests for expansion modules with different input types. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #339 from MISP/tests. [Christian Studer] + + Expansion modules tests update + +* Add: Added tests for the rest of the easily testable expansion modules. [chrisr3d] + + - More tests for more complex modules to come soon + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge branch 'tests' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: Tests for sigma queries and syntax validator modules. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into tests. [chrisr3d] + +* Add: More modules tested. [chrisr3d] + +* Add: Added tests for some expansion modules without API key required. [chrisr3d] + + - More tests to come + +* Merge pull request #338 from MISP/features_csvimport. [Christian Studer] + + Fixed the CSV import module + +* Merge pull request #335 from FafnerKeyZee/patch-2. [Christian Studer] + + Travis should not be complaining with the tests after the latest update on "test_cve" + +* Adding custom API. [Fafner [_KeyZee_]] + + Adding the possibility to have our own API server. + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #334 from FafnerKeyZee/patch-1. [Alexandre Dulaunoy] + + Cleaning the error message + +* Cleaning the error message. [Fafner [_KeyZee_]] + + The original message can be confusing is the user change to is own API. + + +## v2.4.116 (2019-09-17) + +### Other + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #329 from 8ear/8ear-add-mkdocs-documentation. [Alexandre Dulaunoy] + + Update mkdocs documentation + +* Fixing Install.md. [8ear] + +* Fix Install.md. [8ear] + +* Change Install documentation. [8ear] + +* Merge pull request #328 from 8ear/8ear-add-docker-capabilitites. [Alexandre Dulaunoy] + + Add Docker Capabilitites + +* Add .travis.yml command for docker build. [8ear] + +* Merge github.com:MISP/misp-modules into 8ear-add-docker-capabilitites. [8ear] + +* Disable not required package virtualenv for final stage. [8ear] + +* Fix entrypoint bug. [8ear] + +* Improve the Dockerfile. [8ear] + +* Add Dockerfile, Entrypoint and Healthcheck script. [8ear] + +* Update install doc. [8ear] + +* Bugfixing for MISP-modules. [8ear] + +* Add: New parameter to specify a custom CVE API to query. [chrisr3d] + + - Any API specified here must return the same + format as the CIRCL CVE search one in order to + be supported by the parsing functions, and + ideally provide response to the same kind of + requests (so the CWE search works as well) + + +## v2.4.114 (2019-08-30) + +### Changes + +* [cuckooimport] Handle archives downloaded from both the WebUI and the API. [Pierre-Jean Grenier] + +### Fix + +* Prevent symlink attacks. [Pierre-Jean Grenier] + +* Have I been pwned API changed again. [Raphaël Vinot] + +### Other + +* Merge pull request #327 from zaphodef/cuckooimport. [Alexandre Dulaunoy] + + fix: prevent symlink attacks + +* Merge pull request #326 from zaphodef/cuckooimport. [Alexandre Dulaunoy] + + chg: [cuckooimport] Handle archives downloaded from both the WebUI and the API + + +## v2.4.113 (2019-08-19) + +### New + +* Rewrite cuckooimport. [Pierre-Jean Grenier] + +### Changes + +* Update PyMISP version. [Pierre-Jean Grenier] + +### Fix + +* Avoiding issues when no CWE id is provided. [chrisr3d] + +* Fixed unnecessary dictionary field call. [chrisr3d] + + - No longer necessary to go under 'Event' field + since PyMISP does not contain it since the + latest update + +### Other + +* Merge pull request #322 from zaphodef/cuckooimport. [Alexandre Dulaunoy] + + Rewrite cuckooimport + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: Added initial event to reference it from the vulnerability object created out of it. [chrisr3d] + + +## v2.4.112 (2019-08-02) + +### New + +* First version of an advanced CVE parser module. [chrisr3d] + + - Using cve.circl.lu as well as the initial module + - Going deeper into the CVE parsing + - More parsing to come with the CWE, CAPEC and so on + +### Changes + +* [docs] add additional references. [Alexandre Dulaunoy] + +* [travis] revert. [Alexandre Dulaunoy] + +* [travis] github token. [Alexandre Dulaunoy] + +* [travis] mkdocs disabled for the time being. [Alexandre Dulaunoy] + +* [doc] Fix #317 - update the link to the latest version of the training. [Alexandre Dulaunoy] + +* [doc] README updated to the latest version. [Alexandre Dulaunoy] + +* [docs] symbolic link removed. [Alexandre Dulaunoy] + +* [docs] add logos symbolic link. [Alexandre Dulaunoy] + +* Add print to figure out what's going on on travis. [Raphaël Vinot] + +* Bump dependencies. [Raphaël Vinot] + +* Updated the module to work with the updated VirusTotal API. [chrisr3d] + + - Parsing functions updated to support the updated + format of the VirusTotal API responses + - The module can now return objects + - /!\ This module requires a high number of + requests limit rate to work as expected /!\ + +* Adding references between a domain and their siblings. [chrisr3d] + +* Getting domain siblings attributes uuid for further references. [chrisr3d] + +### Fix + +* Using the attack-pattern object template (copy-paste typo) [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Fixed cvss-score object relation name. [chrisr3d] + +* Avoid issues when there is no pe field in a windows file sample analysis. [chrisr3d] + + - For instance: doc file + +* Avoid adding file object twice if a KeyError exception comes for some unexpected reasons. [chrisr3d] + +* Testing if file & registry activities fields exist before trying to parse it. [chrisr3d] + +* Testing if there is some screenshot data before trying to fetch it. [chrisr3d] + +* Fixed direction of the relationship between files, PEs and their sections. [chrisr3d] + + - The file object includes a PE, and the PE + includes sections, not the other way round + +* Fixed variable names. [chrisr3d] + +* Wrong change in last commit. [Raphaël Vinot] + +* Skip tests on haveibeenpwned.com if 403. Make pep8 happy. [Raphaël Vinot] + +* Changed the way references added at the end are saved. [chrisr3d] + + - Some references are saved until they are added + at the end, to make it easier when needed + - Here we changed the way they are saved, from a + dictionary with some keys to identify each part + to the actual dictionary with the keys the + function add_reference needs, so we can directly + use this dictionary as is when the references are + added to the different objects + +* Fixed link in documentation. [chrisr3d] + +* Avoiding issues with non existing sample types. [chrisr3d] + +* Undetected urls are represented in lists. [chrisr3d] + +* Changed function name to avoid confusion with the same variable name. [chrisr3d] + +* Quick fix on siblings & url parsing. [chrisr3d] + +* Typo. [chrisr3d] + +* Parsing detected & undetected urls. [chrisr3d] + +* Various fixes about typo, variable names, data types and so on. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +### Other + +* Merge pull request #319 from 8ear/8ear-add-mkdocs-documentation. [Alexandre Dulaunoy] + + Add `make deploy` to Makefile + +* Added docker and non-docker make commands. [8ear] + +* Add `make deploy` [8ear] + +* Merge pull request #318 from chrisr3d/master. [Christian Studer] + + Updated cve_advanced module to parse CWE and CAPEC data related to the CVE + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: Making vulnerability object reference to its related capec & cwe objects. [chrisr3d] + +* Add: Parsing CAPEC information related to the CVE. [chrisr3d] + +* Add: Parsing CWE related to the CVE. [chrisr3d] + +* Merge pull request #316 from 8ear/8ear-add-mkdocs-documentation. [Alexandre Dulaunoy] + + Add web documentation via mkdocs + +* Fix Bugs. [8ear] + +* Fix Fossa in index.md. [8ear] + +* Delete unused file. [8ear] + +* Change mkdocs deploy method. [8ear] + +* Change index.md. [8ear] + +* Merge branch 'master' into 8ear-add-mkdocs-documentation. [Max H] + +* Add: Parsing linux samples and their elf data. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: Parsing apk samples and their permissions. [chrisr3d] + +* Add: Added virustotal_public to the list of available modules. [chrisr3d] + +* Add: TODO comment for the next improvement. [chrisr3d] + +* Add: [documentation] Updated README and documentation with the virustotal modules changes. [chrisr3d] + +* Add: Parsing communicating samples returned by domain reports. [chrisr3d] + +* Add: Parsing downloaded samples as well as the referrer ones. [chrisr3d] + +* Add: Object for VirusTotal public API queries. [chrisr3d] + + - Lighter analysis of the report to avoid reaching + the limit of queries per minute while recursing + on the different elements + +* Add: Updated README file with the new module description. [chrisr3d] + +* Change contribute.md. [8ear] + +* Update index.md. [8ear] + +* Add mkdocs as a great web documentation. [8ear] + +* Merge pull request #1 from fossabot/master. [Max H] + + Add license scan report and status + +* Add license scan report and status. [fossabot] + + +## v2.4.110 (2019-07-08) + +### New + +* [doc] Joe Sandbox added in the list. [Alexandre Dulaunoy] + +* Expansion module to query urlhaus API. [chrisr3d] + + - Using the next version of modules, taking a + MISP attribute as input and able to return + attributes and objects + - Work still in process in the core part + +### Changes + +* [documentation] Making URLhaus visible from the github page. [chrisr3d] + + - Because of the white color, the logo was not + visible at all + +* Moved JoeParser class to make it reachable from expansion & import modules. [chrisr3d] + +* [install] REQUIREMENTS file updated. [Alexandre Dulaunoy] + +* [install] Pipfile.lock updated. [Alexandre Dulaunoy] + +* [requirements] Python API wrapper for the Joe Sandbox API added. [Alexandre Dulaunoy] + +* Bump dependencies. [Raphaël Vinot] + +* [pep8] try/except # noqa. [Steve Clement] + + Not sure how to make flake happy on this one. + +* Updated csvimport to support files from csv export + import MISP objects. [chrisr3d] + +### Fix + +* Added missing add_attribute function. [chrisr3d] + +* [documentation] Fixed json file name. [chrisr3d] + +* [documentation] Fixed some description & logo. [chrisr3d] + +* Testing if an object is not empty before adding it the the event. [chrisr3d] + +* Making travis happy. [chrisr3d] + +* Support of the latest version of sigmatools. [chrisr3d] + +* We will display galaxies with tags. [chrisr3d] + +* Returning tags & galaxies with results. [chrisr3d] + + - Tags may exist with the current version of the + parser + - Galaxies are not yet expected from the parser, + nevertheless the principle is we want to return + them as well if ever we have some galaxies from + parsing a JoeSandbox report. Can be removed if + we never galaxies at all + +* Removed duplicate finalize_results function call. [chrisr3d] + +* Making pep8 happy + added joe_import module in the init list. [chrisr3d] + +* Fixed variable name typo. [chrisr3d] + +* Fixed references between domaininfo/ipinfo & their targets. [chrisr3d] + + - Fixed references when no target id is set + - Fixed domaininfo parsing when no ip is defined + +* Some quick fixes. [chrisr3d] + + - Fixed strptime matching because months are + expressed in abbreviated format + - Made data loaded while the parsing function is + called, in case it has to be called multiple + times at some point + +* Making pep8 & travis happy. [chrisr3d] + +* Added references between processes and the files they drop. [chrisr3d] + +* Avoiding network connection object duplicates. [chrisr3d] + +* Avoid creating a signer info object when the pe is not signed. [chrisr3d] + +* Avoiding dictionary indexes issues. [chrisr3d] + + - Using tuples as a dictionary indexes is better + than using generators... + +* Avoiding attribute & reference duplicates. [chrisr3d] + +* Handling case of multiple processes in behavior field. [chrisr3d] + + - Also starting parsing file activities + +* Testing if some fields exist before trying to import them. [chrisr3d] + + - Testing for pe itself, pe versions and pe signature + +* Removed test print. [chrisr3d] + +* Fixed output format to match with the recent changes on modules. [chrisr3d] + +* Making pep8 happy. [chrisr3d] + +* Checking not MISP header fields. [chrisr3d] + + - Rejecting fields not recognizable by MISP + +* Using pymisp classes & methods to parse the module results. [chrisr3d] + +* Clearer user config messages displayed in the import view. [chrisr3d] + +* Removed unused library. [chrisr3d] + +* Make pep8 happy. [chrisr3d] + +* [pep8] More fixes. [Steve Clement] + +* [pep8] More pep8 happiness. [Steve Clement] + +* [pep8] Fixes. [Steve Clement] + +* Fixed standard MISP csv format header. [root] + + - The csv header we can find in data produced from + MISP restSearch csv format is the one to use to + recognize a csv file produced by MISP + +* Fixed introspection fields for csvimport & goamlimport. [root] + + - Added format field for goaml so the module is + known as returning MISP attributes & objects + - Fixed introspection to make the format, user + config and input source fields visible from + MISP (format also added at the same time) + +* Fixed libraries import that changed with the latest merge. [root] + +* Fixed fields parsing to support files from csv export with additional context. [chrisr3d] + +* Handling the case of Context included in the csv file exported from MISP. [chrisr3d] + +* Fixed changes omissions in handler function. [chrisr3d] + +* Fixed object_id variable name typo. [root] + +* Making json_decode even happier with full json format. [chrisr3d] + + - Using MISPEvent because it is cleaner & easier + - Also cleaner implementation globally + +* Using to_dict on attributes & objects instead of to_json to make json_decode happy in the core part. [chrisr3d] + +### Other + +* Add: [documentation] Added some missing documentation for the most recently added modules. [chrisr3d] + +* Add: [documentation] Added documentation for Joe Sandbox & URLhaus. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #309 from Kortho/patch-2. [Steve Clement] + + changed service pointer + +* Changed service pointer. [Kortho] + + Changed so the service starts the modules in the venv where they are installed + +* Merge pull request #308 from Kortho/patch-1. [Steve Clement] + + Fixed missing dependencies for RHEL install + +* Fixed missing dependencies for RHEL install. [Kortho] + + Added dependencies needed for installing the python library pdftotext + +* Add: Added screenshot of the behavior of the analyzed sample. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #307 from ninoseki/fix-missing-links. [Alexandre Dulaunoy] + + Fix missing links in README.md + +* Fix missing links in README.md. [Manabu Niseki] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #306 from MISP/new_module. [Alexandre Dulaunoy] + + New modules able to return MISP objects + +* Add: Added new modules to the list. [chrisr3d] + +* Merge branch 'new_module' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #305 from joesecurity/new_module. [Alexandre Dulaunoy] + + joesandbox_query.py: improve behavior in unexpected circumstances + +* Joesandbox_query.py: improve behavior in unexpected circumstances. [Georg Schölly] + +* Add: New expansion module to query Joe Sandbox API with a report link. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'joesecurity-joesandbox_submit' [Alexandre Dulaunoy] + +* Merge branch 'joesandbox_submit' of https://github.com/joesecurity/misp-modules into joesecurity-joesandbox_submit. [Alexandre Dulaunoy] + +* Add expansion for joe sandbox. [Georg Schölly] + +* Merge pull request #304 from joesecurity/new_module. [Alexandre Dulaunoy] + + add support for url analyses + +* Support url analyses. [Georg Schölly] + +* Improve forwards-compatibility. [Georg Schölly] + +* Add: Parsing MITRE ATT&CK tactic matrix related to the Joe report. [chrisr3d] + +* Add: Parsing domains, urls & ips contacted by processes. [chrisr3d] + +* Add: Starting parsing dropped files. [chrisr3d] + +* Add: Starting parsing network behavior fields. [chrisr3d] + +* Add: Parsing registry activities under processes. [chrisr3d] + +* Add: Parsing processes called by the file analyzed in the joe sandbox report. [chrisr3d] + +* Add: Parsing some object references at the end of the process. [chrisr3d] + +* Add: [new_module] Module to import data from Joe sandbox reports. [chrisr3d] + + - Parsing file, pe and pe-section objects from the + report file info field + - Deeper file info parsing to come + - Other fields parsing to come as well + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #300 from cudeso/master. [Alexandre Dulaunoy] + + Bugfix for "sources" ; do not include as IDS for "access" registry keys + +* Bugfix for "sources" ; do not include as IDS for "access" registry keys. [Koen Van Impe] + + - Bugfix to query "operations" in files, mutex, registry + - Do not set IDS flag for registry 'access' operations + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* New VMRay modules (#299) [Steve Clement] + + New VMRay modules + +* New VMRay modules. [Koen Van Impe] + + New JSON output format of VMRay + Prepare for automation (via PyMISP) with workflow taxonomy tags + +* Merge pull request #1 from MISP/master. [Koen Van Impe] + + Sync + +* Add: Added urlhaus in the expansion modules init list. [root] + +* Merge branch 'new_module' of https://github.com/MISP/misp-modules into new_module. [root] + +* Merge branch 'features_csvimport' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into features_csvimport. [chrisr3d] + +* Merge branch 'features_csvimport' of github.com:MISP/misp-modules into features_csvimport. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into features_csvimport. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into features_csvimport. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'new_module' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge branch 'master' of https://github.com/MISP/misp-modules into new_module. [root] + +* Merge branch 'master' of https://github.com/MISP/misp-modules into new_module. [root] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + + +## v2.4.106 (2019-04-27) + +### New + +* Devel mode. [Raphaël Vinot] + + Fix #293 + +* Modules for greynoise, haveibeenpwned and macvendors. [Raphaël Vinot] + +* Add missing dependency (backscatter) [Raphaël Vinot] + +* Add systemd launcher. [Raphaël Vinot] + +* Intel471 module. [Raphaël Vinot] + +* [btc] Very simple BTC expansion chg: [req] yara-python is preferred. [Steve Clement] + +* First version of a yara rule creation expansion module. [chrisr3d] + +* Documentation concerning modules explained in markdown file. [chrisr3d] + +* Expansion hover module to check spamhaus DBL for a domain name. [chrisr3d] + +### Changes + +* [doc] install of deps updated. [Alexandre Dulaunoy] + +* Bump REQUIREMENTS. [Raphaël Vinot] + +* Bump dependencies. [Raphaël Vinot] + +* [doc] new MISP expansion modules added for PDF, OCR, DOCX, XLSX, PPTX , ODS and ODT. [Alexandre Dulaunoy] + +* [init] cleanup for pep. [Alexandre Dulaunoy] + +* [pdf-enrich] updated. [Alexandre Dulaunoy] + +* [Pipfile] collection removed. [Alexandre Dulaunoy] + +* Bump dependencies. [Raphaël Vinot] + +* [doc] Added new dependencies and updated RHEL/CentOS howto. (#295) [Steve Clement] + + chg: [doc] Added new dependencies and updated RHEL/CentOS howto. + +* [doc] Added new dependencies and updated RHEL/CentOS howto. [Steve Clement] + +* [init] removed trailing whitespace. [Alexandre Dulaunoy] + +* [ocr] re module not used - removed. [Alexandre Dulaunoy] + +* Bump dependencies, update REQUIREMENTS file. [Raphaël Vinot] + +* [doc] cuckoo_submit module added. [Alexandre Dulaunoy] + +* Require python3 instead of python 3.6. [Raphaël Vinot] + +* [travis] because we all need sudo. [Alexandre Dulaunoy] + +* [travis] because everyone need a bar. [Alexandre Dulaunoy] + +* [doc] qrcode and Cisco FireSight added. [Alexandre Dulaunoy] + +* [qrcode] add requirements. [Alexandre Dulaunoy] + +* [qrcode] added to the __init__ [Alexandre Dulaunoy] + +* [qrcode] flake8 needs some drugs. [Alexandre Dulaunoy] + +* [qrcode] various fixes to make it PEP compliant. [Alexandre Dulaunoy] + +* Bump dependencies. [Raphaël Vinot] + + Fix CVE-2019-11324 (urllib3) + +* Bump Dependencies. [Raphaël Vinot] + +* [doc] Updated README to reflect current virtualenv efforts. TODO: pipenv. [Steve Clement] + +* [doc] new modules added. [Alexandre Dulaunoy] + +* Bump dependencies. [Raphaël Vinot] + +* Bump dependencies. [Raphaël Vinot] + +* Bump Requirements. [Raphaël Vinot] + +* [doc] asciidoctor requirement removed (new PDF module use reportlab) [Alexandre Dulaunoy] + +* Bump dependencies, add update script. [Raphaël Vinot] + +* [doc] PDF export. [Alexandre Dulaunoy] + +* [pdfexport] make flake8 happy. [Alexandre Dulaunoy] + +* [pipenv] fix the temporary issue that python-yara is not officially released. [Alexandre Dulaunoy] + +* [requirements] reportlab added. [Alexandre Dulaunoy] + +* [pipenv] Pipfile.lock updated. [Alexandre Dulaunoy] + +* [requirements] updated. [Alexandre Dulaunoy] + +* [PyMISP] dep updated to the latest version. [Alexandre Dulaunoy] + +* PyMISP requirement. [Alexandre Dulaunoy] + +* [pypi] Made sure url-normalize installs less stric. [Steve Clement] + +* [btc_scam_check] fix spacing for making flake 8 happy. [Alexandre Dulaunoy] + +* [backscatter.io] blind fix regarding undefined value. [Alexandre Dulaunoy] + +* [doc] backscatter.io updated. [Alexandre Dulaunoy] + +* [doc] backscatter.io documentation added. [Alexandre Dulaunoy] + +* [backscatter.io] remove blank line at the end of the file. [Alexandre Dulaunoy] + +* [backscatter.io] Exception handler fixed for recent version of Python. [Alexandre Dulaunoy] + +* Bump dependencies. [Raphaël Vinot] + +* Use pipenv, update bgpranking/ipasn modules. [Raphaël Vinot] + +* [doc] Nexthink module added. [Alexandre Dulaunoy] + +* [doc] osquery export module added. [Alexandre Dulaunoy] + +* [doc] Nexthink export format added. [Alexandre Dulaunoy] + +* [doc] cannot type today. [Alexandre Dulaunoy] + +* [intel471] module added. [Alexandre Dulaunoy] + +* Regenerated documentation markdown file. [chrisr3d] + +* [onyphe] fix #252. [Alexandre Dulaunoy] + +* [btc] Removed simple PoC for btc expansion. [Steve Clement] + +* [doc] btc module added. [Alexandre Dulaunoy] + +* [doc] generated documentation updated. [Alexandre Dulaunoy] + +* [doc] btc module added to documentation. [Alexandre Dulaunoy] + +* [tools] Added psutil as a dependency to detect misp-modules PID. [Steve Clement] + +* [init] Added try/catch in case misp-modules is already running on a port, or port is in use... [Steve Clement] + +* Validating yara rules after their creation. [chrisr3d] + +* [documentation] osquery logo added. [Alexandre Dulaunoy] + +* [documentation] generated. [Alexandre Dulaunoy] + +* [docs] Added some missing dependencies and instructions for virtualenv deployment. [Steve Clement] + +* [doc] documentation generator updated to include links to source code. [Alexandre Dulaunoy] + +* Changed documentation markdown file name. [chrisr3d] + +* Structurded data. [chrisr3d] + +* Modified the mapping dictionary to support misp-objects updates. [chrisr3d] + +* Modified output format. [chrisr3d] + +* Add new dependency (oauth2) [Raphaël Vinot] + +* Dnspython3 has been superseded by the regular dnspython kit. [Raphaël Vinot] + +* Wikidata module added. [Alexandre Dulaunoy] + +* SPARQLWrapper added (for wikidata module) [Alexandre Dulaunoy] + +### Fix + +* Re-enable python 3.6 support. [Raphaël Vinot] + +* CTRL+C is working again. [Raphaël Vinot] + + Fix #292 + +* Make flake8 happy. [Raphaël Vinot] + +* [doc] Small typo fix. [Steve Clement] + +* Pep8 foobar. [Raphaël Vinot] + +* Add the new module sin the list of modules availables. [Raphaël Vinot] + +* Typos in variable names. [Raphaël Vinot] + +* Remove unused import. [Raphaël Vinot] + +* Tornado expects a KILL now. [Raphaël Vinot] + +* [exportpdf] update documentation. [Falconieri] + +* [exportpdf] custom path parameter. [Falconieri] + +* [exportpdf] add parameters. [Falconieri] + +* [exportpdf] mising whitespace. [Falconieri] + +* [exportpdf] problem on one line. [Falconieri] + +* [exportpdf] add configmodule parameter for galaxy. [Falconieri] + +* [reportlab] Textual description parameter. [Falconieri] + +* [pdfexport] Bugfix on PyMisp exportpdf call. [Falconieri] + +* Systemd service. [Raphaël Vinot] + +* Regenerated documentation. [chrisr3d] + +* Description fixed. [chrisr3d] + +* Pep8 related fixes. [Raphaël Vinot] + +* Make flake8 happy. [Raphaël Vinot] + +* Change in the imports in other sigma module. [Raphaël Vinot] + +* Change in the imports. [Raphaël Vinot] + +* Change module name. [Raphaël Vinot] + +* Allow redis details to be retrieved from environment variables. [Ruiwen Chua] + +* Remove tests on python 3.5. [Raphaël Vinot] + +* Make pep8 happy. [Raphaël Vinot] + +* Removed not valid input type. [chrisr3d] + +* Cleaned up not used variables. [chrisr3d] + +* Updated rbl module result format. [chrisr3d] + + - More readable as str than dumped json + +* Added Macaddress.io module in the init list. [chrisr3d] + +* Typo on input type. [chrisr3d] + +* Fixed type of the result in case of exception. [chrisr3d] + + - Set as str since some exception types are not + jsonable + +* Added hostname attribute support as it is intended. [chrisr3d] + +* Threatanalyzer_import - bugfix for TA6.1 behavior. [Christophe Vandeplas] + +* Displaying documentation items of each module by alphabetic order. [chrisr3d] + + - Also regenerated updated documentation markdown + +* Updated yara import error message. [chrisr3d] + + - Better to 'pip install -I -r REQUIREMENTS' to + have the correct yara-python version working + for all the modules, than having another one + failing with yara hash & pe modules + +* Specifying a yara-python version that works for hash & pe yara modules. [chrisr3d] + +* Making yara query an expansion module for single attributes atm. [chrisr3d] + +* Catching errors while parsing additional info in requests. [chrisr3d] + +* Reduced logos size. [chrisr3d] + +* Typo for separator between each explained module. [chrisr3d] + +* Making python 3.5 happy with the exception type ImportError. [chrisr3d] + +* Fixed exception type for python 3.5. [chrisr3d] + +* Fixed exception type. [chrisr3d] + +* Fixed syntax error. [chrisr3d] + +* Fixed indentation error. [chrisr3d] + +* Fixed 1 variable misuse + cleaned up variable names. [chrisr3d] + + - Fixed use of 'domain' variable instead of 'email' + - Cleaned up variable names to avoid redefinition + of built-in variables + +* Avoiding adding attributes that are already in the event. [chrisr3d] + +* Fixed quick variable issue. [chrisr3d] + +* Cleaned up test function not used anymore. [chrisr3d] + +* Multiple attributes parsing support. [chrisr3d] + + - Fixing one of my previous changes not processing + multiple attributes parsing + +* Removed print. [chrisr3d] + +* Some cleanup and output types fixed. [chrisr3d] + + - hashes types specified in output + +* Quick cleanup. [chrisr3d] + +* Quick cleanup. [chrisr3d] + +* Ta_import - bugfixes. [Christophe Vandeplas] + +* [cleanup] Quick clean up on exception type. [chrisr3d] + +* [cleanup] Quick clean up on yaml load function. [chrisr3d] + +* [cleanup] Quick clean up on exception type. [chrisr3d] + +* Put the report location parsing in a try/catch statement as it is an optional field. [chrisr3d] + +* Put the stix2-pattern library import in a try statement. [chrisr3d] + + --> Error more easily caught + +* Removed STIX related libraries, files, documentation, etc. [chrisr3d] + +* Avoid trying to build attributes with not intended fields. [chrisr3d] + + - Previously: if the header field is not an attribute type, then + it was added as an attribute field. + PyMISP then used to skip it if needed + + - Now: Those fields are discarded before they are put in an attribute + +* Using userConfig to define the header instead of moduleconfig. [chrisr3d] + +* Fixed input & output of the module. [chrisr3d] + +* Added an object checking. [Christian Studer] + + - Checking if there are objects in the event, and then if there is at least 1 transaction object + - This prevents the module from crashing, but does not guaranty having a valid GoAML file (depending on objects and their relations) + +* Fixed input & output of the module. [chrisr3d] + + Also updated some functions + +* Fixed typo of the aml type for country codes. [chrisr3d] + +* Typo in references mapping dictionary. [chrisr3d] + +* Added an object checking. [chrisr3d] + + - Checking if there are objects in the event, and then + if there is at least 1 transaction object + - This prevents the module from crashing, but does not + guaranty having a valid GoAML file (depending on + objects and their relations) + +* Added the moduleinfo field need to have MISP event in standard format. [chrisr3d] + +* Missing cve module test. [Alexandre Dulaunoy] + +* Goamlexport added. [Alexandre Dulaunoy] + +* Python version in Travis. [Alexandre Dulaunoy] + +* Solved reading problems for some files. [chrisr3d] + +* Skipping empty lines. [chrisr3d] + +* Make travis happy. [Raphaël Vinot] + +* OpenIOC importer. [Raphaël Vinot] + +* #137 when a CVE is not found, a return message is given. [Alexandre Dulaunoy] + +* Use the proper formatting method and not the horrible % one. [Hannah Ward] + +* Misp-modules are by default installed in /bin. [Alexandre Dulaunoy] + +* Module_config should be set as introspection relies on it. [Alexandre Dulaunoy] + +* Types array. [Alexandre Dulaunoy] + +* Run the server as "python3 misp-modules" [Raphaël Vinot] + +* Stupid off-by-n line... [Alexandre Dulaunoy] + +### Other + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Removed trailing whitespaces. [Sascha Rommelfangen] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Sascha Rommelfangen] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* New modules added. [Sascha Rommelfangen] + +* New requirements for new modules. [Sascha Rommelfangen] + +* Introduction of new modules. [Sascha Rommelfangen] + +* Merge remote-tracking branch 'upstream/master' [Steve Clement] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Sascha Rommelfangen] + +* Renamed file. [Sascha Rommelfangen] + +* Renamed module. [Sascha Rommelfangen] + +* Initial version of OCR expansion module. [Sascha Rommelfangen] + +* Merge pull request #291 from Evert0x/submitcuckoo. [Alexandre Dulaunoy] + + Expansion module - File/URL submission to Cuckoo Sandbox + +* Generate latest version of documentation. [Ricardo van Zutphen] + +* Document Cuckoo expansion module. [Ricardo van Zutphen] + +* Use double quotes and provide headers correctly. [Ricardo van Zutphen] + +* Update Cuckoo module to support files and URLs. [Ricardo van Zutphen] + +* Update __init__.py. [Evert0x] + +* Create cuckoo_submit.py. [Evert0x] + +* Brackets are difficult... [Sascha Rommelfangen] + +* Merge branch 'qr-code-module' of https://github.com/rommelfs/misp-modules into rommelfs-qr-code-module. [Alexandre Dulaunoy] + +* Initial version of QR code reader. [Sascha Rommelfangen] + + Module accepts attachments and processes pictures. It tries to identify and analyze an existing QR code. + Identified values can be inserted into the event. + +* Merge branch 'iceone23-patch-1' [Raphaël Vinot] + +* Create cisco_firesight_manager_ACL_rule_export.py. [iceone23] + + Cisco Firesight Manager ACL Rule Export module + +* Merge pull request #289 from SteveClement/master. [Steve Clement] + + fix: [doc] Small typo fix + +* Merge remote-tracking branch 'upstream/master' [Steve Clement] + +* Merge pull request #285 from wesinator/patch-1. [Alexandre Dulaunoy] + + Fix command highlighting + +* Fix command highlighting. [Ԝеѕ] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Sascha Rommelfangen] + +* Merge pull request #284 from Vincent-CIRCL/master. [Alexandre Dulaunoy] + + fix: [exportpdf] custom path parameter + +* Merge pull request #283 from Vincent-CIRCL/master. [Alexandre Dulaunoy] + + fix: [exportpdf] add parameters + +* Merge pull request #281 from Vincent-CIRCL/master. [Alexandre Dulaunoy] + + fix: [exportpdf] add configmodule parameter for galaxy + +* Merge pull request #282 from cgi1/patch-1. [Alexandre Dulaunoy] + + Adding virtualenv to apt-get install + +* Adding virtualenv to apt-get install. [cgi1] + +* Merge pull request #279 from Vincent-CIRCL/master. [Alexandre Dulaunoy] + + fix: [reportlab] Textual description parameter + +* Chr: Restart the modules after update. [Raphaël Vinot] + +* Fixed a bug when checking malformed BTC addresses. [Sascha Rommelfangen] + +* Merge remote-tracking branch 'upstream/master' [Steve Clement] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #278 from Vincent-CIRCL/master. [Alexandre Dulaunoy] + + chg: [pdfexport] Fix pdf export, by calling new PyMISP tool for Misp Event export + +* Fix [exportpdf] update parameters for links generation. [Falconieri] + +* Tidy: Remove old dead export code. [Falconieri] + +* Test 1 - PDF call. [Falconieri] + +* Print values. [Vincent-CIRCL] + +* Test update. [Vincent-CIRCL] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #276 from iwitz/patch-1. [Alexandre Dulaunoy] + + Add RHEL installation instructions + +* Add: rhel installation instructions. [iwitz] + +* Add: [doc] Added backscatter.io logo + regenerated documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into new_module. [chrisr3d] + +* Merge pull request #274 from 9b/master. [Alexandre Dulaunoy] + + Backscatter.io expansion module + +* Use the write var on return. [9b] + +* Stubbed module. [9b] + +* Add: New module to check if a bitcoin address has been abused. [chrisr3d] + + - Also related update of documentation + +* Sometimes server doesn't return expected values. fixed. [Sascha Rommelfangen] + +* Merge pull request #266 from MISP/pipenv. [Raphaël Vinot] + + chg: Use pipenv, update bgpranking/ipasn modules, fix imports for sigma + +* Merge pull request #259 from ruiwen/fix_redis. [Alexandre Dulaunoy] + + fix: allow redis details to be retrieved from environment variables + +* Add: [doc] link documentation to README. [Alexandre Dulaunoy] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #258 from HacknowledgeCH/export_nexthink. [Alexandre Dulaunoy] + + Export nexthink + +* Added 2 blank lines to comply w/ pep8. [milkmix] + +* Removed unused re module. [milkmix] + +* Added documentation. [milkmix] + +* Added domain attributes support. [milkmix] + +* Support for md5 and sha1 hashes. [milkmix] + +* First export feature: sha1 attributes nxql query. [milkmix] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Sascha Rommelfangen] + +* Add: Added missing expansion modules in readme. [chrisr3d] + +* Add: Completed documentation for expansion modules. [chrisr3d] + +* Add: Updated more expansion documentation files. [chrisr3d] + +* Add: Added new documentation for hashdd module. [chrisr3d] + +* Add: Update to support sha1 & sha256 attributes. [chrisr3d] + +* Add: More documentation on expansion modules. [chrisr3d] + +* Add: Started filling some expansion modules documentation. [chrisr3d] + +* Add: Added yara_query module documentation, update yara_syntax_validator documentation & generated updated documentation markdown. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Add: Added test files for yara to test yara library & potentially yara syntax. [chrisr3d] + +* Add: Added imphash to input attribute types. [chrisr3d] + +* Cosmetic output change. [Sascha Rommelfangen] + +* Debug removed. [Sascha Rommelfangen] + +* API changes reflected. [Sascha Rommelfangen] + +* Merge pull request #253 from MISP/chrisr3d_patch. [Alexandre Dulaunoy] + + Validation of yara rules + +* Merge branch 'master' of github.com:MISP/misp-modules into chrisr3d_patch. [chrisr3d] + +* Merge pull request #251 from MISP/rommelfs-patch-4. [Raphaël Vinot] + + bug fix regarding leftovers between runs + +* Bug fix regarding leftovers between runs. [Sascha Rommelfangen] + +* Merge pull request #250 from SteveClement/btc. [Steve Clement] + + chg: [btc] Removed simple PoC for btc expansion. + +* Merge pull request #249 from MISP/rommelfs-patch-3. [Steve Clement] + + added btc_steroids + +* Added btc_steroids. [Sascha Rommelfangen] + +* Merge pull request #248 from rommelfs/master. [Sascha Rommelfangen] + + Pull request for master + +* Added btc_steroids to the list. [Sascha Rommelfangen] + +* Initial version of a Bitcoin module. [Sascha Rommelfangen] + +* Merge pull request #247 from SteveClement/btc. [Alexandre Dulaunoy] + + new: [module] Added very simple BitCoin expansion/hover module + +* Merge pull request #245 from chrisr3d/master. [Alexandre Dulaunoy] + + YARA rules from hashes expansion module + +* Updated list of modules in readme. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: [documentation] osquery logo. [Alexandre Dulaunoy] + +* Merge pull request #241 from 0xmilkmix/doc_osqueryexport. [Alexandre Dulaunoy] + + Added basic documentation for OS query + +* Merge branch 'master' into doc_osqueryexport. [Alexandre Dulaunoy] + +* Merge pull request #240 from 0xmilkmix/support_osquery_win_named_obj. [Alexandre Dulaunoy] + + super simple support for mutexes through winbaseobj in osquery 3.3 + +* Merge branch 'master' into support_osquery_win_named_obj. [Alexandre Dulaunoy] + +* Merge pull request #242 from 0xmilkmix/module_writting. [Steve Clement] + + chg: [doc] Additional documentation for export module + +* Documentation for export module. [milkmix] + +* Super simple support for mutexes through winbaseobj in osquery 3.3. [milkmix] + +* Added basic documentation. [milkmix] + +* Merge pull request #239 from SteveClement/master. [Steve Clement] + + chg: [docs] Added some missing dependencies and instructions for virtualenv deployment + +* Merge pull request #237 from 0xmilkmix/export_osquery. [Alexandre Dulaunoy] + + Export osquery + +* Merge branch 'master' into export_osquery. [Julien Bachmann] + +* Merge pull request #232 from CodeLineFi/master. [Alexandre Dulaunoy] + + macaddres.io module - Date conversion bug fixed + +* Merge branch 'master' into master. [Alexandre Dulaunoy] + +* Merge pull request #233 from chrisr3d/documentation. [Christian Studer] + + Modules documentation + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Updated documentation result file. [chrisr3d] + +* Add: Added documentation for expansion modules. [chrisr3d] + +* Add: Started adding logos on documentation for each module. [chrisr3d] + +* Renamed directory to have consistency in names. [chrisr3d] + +* Removed documentation about a module deleted from the repository. [chrisr3d] + +* Merging readme. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into documentation. [chrisr3d] + +* First try of documentation for import & export modules. [chrisr3d] + + - Providing information about the general purpose of + the modules, their requirements, how to use them + (if there are special features), some references + about the format concerned or the vendors, and their + input and output. + - Documentation to be completed by additional fields + of documentation and / or more detailed descriptions + +* Added Documentation explanations on readme file. [chrisr3d] + +* CSV import documentation first try. [chrisr3d] + +* GoAML modules documentation first try. [chrisr3d] + +* Updated README. Added a link to the integration tutorial. [Codelinefi-admin] + +* Fixed a bug with wrong dates conversion. [Codelinefi-admin] + +* Merge branch 'vulnersCom-master' [Alexandre Dulaunoy] + +* Merge branch 'master' of https://github.com/vulnersCom/misp-modules into vulnersCom-master. [Alexandre Dulaunoy] + +* Fixed getting of the Vulners AI score. [isox] + +* Merge pull request #230 from lctrcl/master. [Alexandre Dulaunoy] + +* Merge branch 'master' into master. [lctrcl] + +* Merge pull request #229 from lctrcl/master. [Alexandre Dulaunoy] + + New vulners module added + +* HotFix: Vulners AI score. [Igor Ivanov] + +* Code cleanup and formatting. [Igor Ivanov] + +* Added exploit information. [Igor Ivanov] + +* Initial Vulners module PoC. [Igor Ivanov] + +* Merge pull request #226 from CodeLineFi/master. [Alexandre Dulaunoy] + + New macaddress.io hover module added + +* Macaddress.io hover module added. [Codelinefi-admin] + +* Merge pull request #223 from chrisr3d/master. [Christian Studer] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #222 from chrisr3d/master. [Christian Studer] + + Clean up + fix of some modules + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #221 from MISP/rommelfs-patch-2. [Alexandre Dulaunoy] + + fixed typo + +* Fixed typo. [Sascha Rommelfangen] + + via #220 + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #218 from surbo/patch-1. [Alexandre Dulaunoy] + + Update urlscan.py + +* Update urlscan.py. [SuRb0] + + Added hash to the search so you can take advantage of the new file down load function on urlscan.io. You can use this to pivot on file hashes and find out domains that hosting the same malicious file. + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #217 from threatsmyth/master. [Alexandre Dulaunoy] + + Add error handling for DNS failures, reduce imports, and simplify attribute comments + +* Merge branch 'master' into master. [David J] + +* Merge pull request #215 from threatsmyth/master. [Alexandre Dulaunoy] + + Create urlscan.py + +* Add error handling for DNS failures, reduce imports, and simplify misp_comments. [David J] + +* Create urlscan.py. [David J] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #214 from chrisr3d/chrisr3d_patch. [Alexandre Dulaunoy] + + New module to check DBL Spamhaus + +* Merge branch 'chrisr3d_patch' of github.com:chrisr3d/misp-modules. [chrisr3d] + +* Add: Added DBL spamhaus module documentation and in expansion init file. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Ta_import - bugfixes for TA 6.1. [Christophe Vandeplas] + +* Merge pull request #210 from chrisr3d/master. [Christian Studer] + + Put the report location parsing in a try/catch statement as it is an optional field + +* Merge pull request #209 from cvandeplas/master. [Christophe Vandeplas] + + ta_import - support for TheatAnalyzer 6.1 + +* Ta_import - support for TheatAnalyzer 6.1. [Christophe Vandeplas] + +* Securitytrails.com expansion module added. [Alexandre Dulaunoy] + +* Merge pull request #208 from sebdraven/dnstrails. [Alexandre Dulaunoy] + + module securitytrails + +* Merge branch 'master' into dnstrails. [sebdraven] + +* Merge pull request #206 from chrisr3d/master. [Alexandre Dulaunoy] + + Expansion module displaying SIEM signatures from a sigma rule + +* Merge branch 'master' into master. [Alexandre Dulaunoy] + +* Remove the never release Python code in Travis. [Alexandre Dulaunoy] + +* Remove Python 3.4 and Python 3.7 added. [Alexandre Dulaunoy] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #202 from SteveClement/master. [Alexandre Dulaunoy] + + Removed test modules from view + +* - Removed test modules from view - Moved skeleton expansion module to it's proper place. [Steve Clement] + +* Merge pull request #201 from chrisr3d/master. [Alexandre Dulaunoy] + + add: STIX2 pattern syntax validator + +* Add: Experimental expansion module to display the SIEM signatures from a sigma rule. [chrisr3d] + +* Add: stix2 pattern validator requirements. [chrisr3d] + +* Add: STIX2 pattern syntax validator. [chrisr3d] + +* Merge pull request #199 from SteveClement/master. [Alexandre Dulaunoy] + + Added (Multipage) PDF support to OCR Module, minor refactor + +* - Reverted to <3.6 compatibility. [Steve Clement] + +* - Fixed log output. [Steve Clement] + +* - Forgot to import sys. [Steve Clement] + +* - Added logger functionality for debug sessions. [Steve Clement] + +* - content was already a wand.obj. [Steve Clement] + +* Merge remote-tracking branch 'upstream/master' [Steve Clement] + +* Threatanalyzer_import - order of category tuned. [Christophe Vandeplas] + +* Merge branch 'master' of github.com:SteveClement/misp-modules. [Steve Clement] + +* Merge branch 'master' into master. [Alexandre Dulaunoy] + +* - Some more comments - Removed libmagic, wand can handle it better. [Steve Clement] + +* - Set tornado timeout to 300 seconds. [Steve Clement] + +* - Quick comment ToDo: Avoid using Magic in future releases. [Steve Clement] + +* - added wand requirement - fixed missing return png byte-stream - move module import to handler to catch and report errorz. [Steve Clement] + +* - fixed typo move image back in scope. [Steve Clement] + +* - Added initial PDF support, nothing is processed yet - Test to replace PIL with wand. [Steve Clement] + +* Change type of status. [Sebdraven] + +* Remove print. [Sebdraven] + +* Last commit for release. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add searching_stats. [Sebdraven] + +* Add searching_stats. [Sebdraven] + +* Correct key. [Sebdraven] + +* Correct key. [Sebdraven] + +* Correct param. [Sebdraven] + +* Add searching domains. [Sebdraven] + +* Add searching domains. [Sebdraven] + +* Add return. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add whois expand to test. [Sebdraven] + +* Add whois expand to test. [Sebdraven] + +* Correct index error. [Sebdraven] + +* Error call functions. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add status_ok to true. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Correct out of bound returns. [Sebdraven] + +* Correct key and return of functions. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Correct typo. [Sebdraven] + +* Test whois history. [Sebdraven] + +* History whois dns. [Sebdraven] + +* Correct typo. [Sebdraven] + +* Rename misp modules. [Sebdraven] + +* Add a test to check if the list is not empty. [Sebdraven] + +* Add a test to check if the list is not empty. [Sebdraven] + +* Add logs. [Sebdraven] + +* Debug whois. [Sebdraven] + +* Debug ipv4 or ipv6. [Sebdraven] + +* Add debug. [Sebdraven] + +* Debug. [Sebdraven] + +* Change status. [Sebdraven] + +* Change history dns. [Sebdraven] + +* Add logs to debug. [Sebdraven] + +* Correct call function. [Sebdraven] + +* Add history mx and soa. [Sebdraven] + +* Add history dns and handler exception. [Sebdraven] + +* Add history dns. [Sebdraven] + +* Switch type ip. [Sebdraven] + +* Refactoring expand_whois. [Sebdraven] + +* Correct typo. [Sebdraven] + +* Add ipv6 and ipv4. [Sebdraven] + +* Change type. [Sebdraven] + +* Change type. [Sebdraven] + +* Change loop. [Sebdraven] + +* Add time sleep in each request. [Sebdraven] + +* Control return of records. [Sebdraven] + +* Add history ipv4. [Sebdraven] + +* Add logs. [Sebdraven] + +* Change categories. [Sebdraven] + +* Concat results. [Sebdraven] + +* Change name keys. [Sebdraven] + +* Change return value. [Sebdraven] + +* Add logs. [Sebdraven] + +* Change errors. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add expand whois. [Sebdraven] + +* Typo. [Sebdraven] + +* Add categories and comments. [Sebdraven] + +* Add expand subdomains. [Sebdraven] + +* Add expand subdomains. [Sebdraven] + +* Change categories. [Sebdraven] + +* Changes keys. [Sebdraven] + +* Add status ! [Sebdraven] + +* Add methods. [Sebdraven] + +* Add expand domains. [Sebdraven] + +* Add link pydnstrain in requirements. [Sebdraven] + +* Add new module dnstrails. [Sebdraven] + +* Merge pull request #198 from chrisr3d/master. [Alexandre Dulaunoy] + + Sigma syntax validator expansion module + some updates + +* Updated README to add sigma & some other missing modules. [chrisr3d] + +* Updated the list of modules (removed stiximport) [chrisr3d] + +* Add: Sigma syntax validator expansion module. [chrisr3d] + + --> Checks sigma rules syntax + - Updated the expansion modules list as well + - Updated the requirements list + +* Updated the list of expansion modules. [chrisr3d] + +* Corrected typos and unused imports. [milkmix] + +* Added support for scheduledtasks. [milkmix] + +* Added support for service-displayname, regkey|value. [milkmix] + +* Initial implementation supporting regkey. mutexes support waiting osquery table. [milkmix] + +* Merge pull request #197 from sebdraven/onyphe_full_module. [Alexandre Dulaunoy] + + Onyphe full module + +* Add return handle domains. [Sebdraven] + +* Add search. [Sebdraven] + +* Add domain to expand. [Sebdraven] + +* Correct bugs. [Sebdraven] + +* Add domain expansion. [Sebdraven] + +* Add comment. [Sebdraven] + +* Correct bugs. [Sebdraven] + +* Correct comments. [Sebdraven] + +* Add threat list expansion. [Sebdraven] + +* Change method to concat methods. [Sebdraven] + +* Set status after requests. [Sebdraven] + +* Set status after requests. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Add logs. [Sebdraven] + +* Pep 8. [Sebdraven] + +* Correct bug. [Sebdraven] + +* Add datascan expansion. [Sebdraven] + +* Add reverse infos. [Sebdraven] + +* Add reverse infos. [Sebdraven] + +* Add reverse infos. [Sebdraven] + +* Add reverse infos. [Sebdraven] + +* Add forward infos. [Sebdraven] + +* Add comment of attributes. [Sebdraven] + +* Add comment of attributes. [Sebdraven] + +* Error loops. [Sebdraven] + +* Error method. [Sebdraven] + +* Error type. [Sebdraven] + +* Error keys. [Sebdraven] + +* Add expansion synscan. [Sebdraven] + +* Change key access domains. [Sebdraven] + +* Change add in results. [Sebdraven] + +* Add logs. [Sebdraven] + +* Correct error keys. [Sebdraven] + +* Test patries expansion. [Sebdraven] + +* Add onyphe full module. [Sebdraven] + +* Add onyphe full module and code the stub. [Sebdraven] + +* Merge pull request #194 from chrisr3d/master. [Alexandre Dulaunoy] + + Removed STIX1 related requirements to avoid version issues + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #193 from sebdraven/onyphe_module. [Alexandre Dulaunoy] + + Onyphe module + +* Delete vcs.xml. [sebdraven] + +* Correct codecov. [Sebdraven] + +* Pep 8 compliant. [Sebdraven] + +* Correct type of comments. [Sebdraven] + +* Correct typo. [Sebdraven] + +* Correct typo. [Sebdraven] + +* Add domains forward. [Sebdraven] + +* Add domains. [Sebdraven] + +* Add targeting os. [Sebdraven] + +* Add category for AS number. [Sebdraven] + +* Change keys. [Sebdraven] + +* Change type. [Sebdraven] + +* Add category. [Sebdraven] + +* Add as number with onyphe. [Sebdraven] + +* Add as number with onyphe. [Sebdraven] + +* Error indentation. [Sebdraven] + +* Correct key in map result. [Sebdraven] + +* Correct a bug. [Sebdraven] + +* Add pastebin url imports. [Sebdraven] + +* Add onyphe module. [Sebdraven] + +* Updated requirements to avoid version issues in the MISP packer installation script. [chrisr3d] + +* Update countrycode.py. [Andras Iklody] + +* Add: mixing modules. [Alexandre Dulaunoy] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #190 from chrisr3d/master. [Alexandre Dulaunoy] + + Updated csv import following our recent discussions + +* Updated delimiter finder function. [chrisr3d] + +* Add: Added user config to specify if there is a header in the csv to import. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #189 from chrisr3d/master. [Andras Iklody] + + Using userConfig to define the header instead of moduleconfig + +* Merge pull request #188 from cvandeplas/master. [Christophe Vandeplas] + + ta import - noise removal + +* Merge branch 'master' into master. [Christophe Vandeplas] + +* Merge pull request #187 from cvandeplas/master. [Christophe Vandeplas] + + threatanalyzer_import - minor generic noise removal + +* Threatanalyzer_import - minor generic noise removal. [Christophe Vandeplas] + +* Ta import - more filter for pollution. [Christophe Vandeplas] + +* Threatanalyzer_import - minor generic noise removal. [Christophe Vandeplas] + +* Merge pull request #185 from cvandeplas/master. [Christophe Vandeplas] + + threatanalyzer_import - loads sample info + pollution fix + +* Threatanalyzer_import - loads sample info + pollution fix. [Christophe Vandeplas] + +* Merge pull request #184 from cvandeplas/master. [Christophe Vandeplas] + + threatanalyzer_import - fix regkey issue + +* Threatanalyzer_import - fix regkey issue. [Christophe Vandeplas] + +* Merge pull request #177 from TheDr1ver/patch-1. [Alexandre Dulaunoy] + + fix missing comma + +* Fix missing comma. [Nick Driver] + + fix ip-dst and vulnerability input + +* Merge pull request #176 from cudeso/master. [Alexandre Dulaunoy] + + Fix VMRay API access error + +* Fix VMRay API access error. [Koen Van Impe] + + hotfix for the "Unable to access VMRay API" error + +* Merge remote-tracking branch 'MISP/master' [Koen Van Impe] + +* Merge pull request #173 from m3047/master. [Alexandre Dulaunoy] + + Add exception blocks for query errors. + +* Add exception blocks for query errors. [Fred Morris] + +* Merge pull request #170 from P4rs3R/patch-1. [Alexandre Dulaunoy] + + Improving regex (validating e-mail) + +* Improving regex (validating e-mail) [x41\x43] + + Line 48: + The previous regex ` ^[\w\.\+\-]+\@[\w]+\.[a-z]{2,3}$ ` matched only a small subset of valid e-mail address (e.g.: didn't match domain names longer than 3 chars or user@this-domain.de or user@multiple.level.dom) and needed to be with start (^) and end ($). + This ` [a-zA-Z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])? ` is not perfect (e.g: can't match oriental chars), but imho is much more complete. + + Regex tested with several e-mail addresses with Python 3.6.4 and Python 2.7.14 on Linux 4.14. + +* Merge pull request #169 from chrisr3d/master. [Alexandre Dulaunoy] + + Updated GoAML import including Object References + +* Clarified functions arguments using a class. [chrisr3d] + +* Add: Added Object References in the objects imported. [chrisr3d] + +* Merge pull request #168 from chrisr3d/goaml. [Alexandre Dulaunoy] + + GoAML import module & GoAML export updates + +* Merge branch 'master' of github.com:MISP/misp-modules into goaml. [chrisr3d] + +* Merge pull request #167 from chrisr3d/csvimport. [Alexandre Dulaunoy] + + Updated csvimport + +* Merge branch 'csvimport' of github.com:chrisr3d/misp-modules into goaml. [chrisr3d] + +* Removed print. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into csvimport. [chrisr3d] + +* Merge pull request #165 from chrisr3d/goaml. [Alexandre Dulaunoy] + + fix: Added an object checking + +* Add: added goamlimport. [chrisr3d] + +* Fixed some details about the module output. [chrisr3d] + +* Converting GoAML into MISPEvent. [chrisr3d] + +* Now parsing all the transaction attributes. [chrisr3d] + +* Add: Added dictionary to map aml types into MISP types. [chrisr3d] + +* Typo. [chrisr3d] + +* Merge branch 'master' of github.com:chrisr3d/misp-modules into aml_import. [chrisr3d] + +* Merge pull request #164 from chrisr3d/master. [Alexandre Dulaunoy] + + Latest fixes to make GoAML export module work + +* Add: Added an example file generated by GoAML export module. [chrisr3d] + +* Added GoAML export module in description. [chrisr3d] + +* Reading the entire document, to create a big dictionary containing the data, as a beginning. [chrisr3d] + +* Add: new expansion module to check hashes against hashdd.com including NSLR dataset. [Alexandre Dulaunoy] + +* Merge pull request #163 from chrisr3d/master. [Alexandre Dulaunoy] + + GoAML export + +* Typo. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Quick fix to the invalid hash types offered on all returned hashes, hopefully fixes #162. [Andras Iklody] + +* Explicit name. [chrisr3d] + + Avoiding confusion with the coming import module for goaml + +* Added "t_to" and "t_from" required fields: funds code & country. [chrisr3d] + +* Added a required field & the latest attributes in transaction. [chrisr3d] + +* Added report expected information fields. [chrisr3d] + +* Simplified ObjectReference dictionary reading. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* Add: YARA syntax validator. [Alexandre Dulaunoy] + +* Merge pull request #161 from eCrimeLabs/ecrimelabs_dev. [Alexandre Dulaunoy] + + Added Yara syntax validation expansion module + +* Added Yara syntax validation expansion module. [Dennis Rand] + +* Added some report information. [chrisr3d] + + Also changed the ObjectReference parser to replace + all the if conditions by a dictionary reading + +* Suporting the recent objects added to misp-objects. [chrisr3d] + + - Matching the aml documents structure + - Some parts of the document still need to be added + +* Wip: added location & signatory information. [chrisr3d] + +* Merge branch 'master' of github.com:MISP/misp-modules into test. [chrisr3d] + +* Merge pull request #157 from CenturyLinkCIRT/master. [Alexandre Dulaunoy] + + added csvimport to __init__.py + +* Added csvimport to __init__.py. [Thomas Gardner] + +* Add: CSV import module added. [Alexandre Dulaunoy] + +* Outputting xml format. [chrisr3d] + + Also mapping MISP and GoAML types + +* First tests for the GoAML export module. [chrisr3d] + +* Merge pull request #156 from chrisr3d/master. [Alexandre Dulaunoy] + + CSV import + +* Merge branch 'master' of github.com:MISP/misp-modules. [chrisr3d] + +* 3.7-alpha removed. [Alexandre Dulaunoy] + +* Updated delimiter finder method. [chrisr3d] + +* Fixed data treatment & other updates. [chrisr3d] + +* Updated delimiter parsing & data reading functions. [chrisr3d] + +* First version of csv import module. [chrisr3d] + + - If more than 1 misp type is recognized, for each one an + attribute is created + + - Needs to have header set by user as parameters of the module atm + + - Review needed to see the feasibility with fields that can create + confusion and be interpreted both as misp type or attribute field + (for instance comment is a misp type and an attribute field) + +* Merge pull request #154 from cvandeplas/master. [Raphaël Vinot] + + added CrowdStrike Falcon Intel Indicators expansion module + +* Added CrowdStrike Falcon Intel Indicators expansion module. [Christophe Vandeplas] + +* Add: RBL added. [Alexandre Dulaunoy] + +* Merge pull request #150 from chrisr3d/master. [Alexandre Dulaunoy] + + RBL check module + +* Merge github.com:MISP/misp-modules. [chrisr3d] + +* Merge pull request #149 from cvandeplas/master. [Alexandre Dulaunoy] + + Added ThreatAnalyzer sandbox import + +* Added ThreatAnalyzer sandbox import. [Christophe Vandeplas] + + Experimental module - some parts should be migrated to + +* Check an IPv4 address against known RBLs. [chrisr3d] + +* Fix farsight_passivedns - rdata 404 not found. [Christophe Vandeplas] + +* Added ThreatStream and PDF export. [Alexandre Dulaunoy] + +* Merge branch 'robertnixon2003-master' + a small fix. [Alexandre Dulaunoy] + +* Fix the __init__ import. [Alexandre Dulaunoy] + +* Update threatStream_misp_export.py. [Robert Nixon] + +* Updated __init__.py. [Robert Nixon] + + Added reference to new ThreatStream export module + +* Added threatStream_misp_export.py. [Robert Nixon] + +* Merge branch 'cvandeplas-master' [Alexandre Dulaunoy] + +* Fixes missing init file in dnsdb library folder. [Christophe Vandeplas] + +* New Farsight DNSDB Passive DNS expansion module. [Christophe Vandeplas] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* Merge pull request #144 from attritionorg/patch-1. [Andras Iklody] + + minor touch-ups on error messages for user friendliness + +* Minor touch-ups on error messages for user friendliness. [Jericho] + +* Merge pull request #140 from cudeso/master. [Alexandre Dulaunoy] + + VulnDB Queries + +* VulnDB Queries. [Koen Van Impe] + + Search on CVE at https://vulndb.cyberriskanalytics.com/ + https://www.riskbasedsecurity.com/ + Get extended CVE info, links + CPE + +* Merge remote-tracking branch 'MISP/master' [Koen Van Impe] + +* Add quick and dirty pdf export. [Raphaël Vinot] + +* Merge pull request #139 from Rafiot/master. [Raphaël Vinot] + + fix: OpenIOC importer + +* Merge pull request #135 from DomainTools/domaintools-patch-1. [Raphaël Vinot] + + Added code to allow 3rd party modules + +* Added default parameter for new -m flag. [Viktor von Drakk] + +* Added code to allow 3rd party modules. [Viktor von Drakk] + + The new '-m pip.module.name' feature allows a pip-installed module to be specified on the command line and then loaded into the available modules without having to copy-paste files into the appropriate directories of this package. + +* Broken links fixed. [Alexandre Dulaunoy] + +* ThreatConnect export module added. [Alexandre Dulaunoy] + +* Merge pull request #133 from CenturyLinkCIRT/master. [Alexandre Dulaunoy] + + ThreatConnect export module + +* Added threat_connect_export to export_mod.__init__ [Thomas Gardner] + +* Added test files for threat_connect_export. [Thomas Gardner] + +* Added threat_connect_export.py. [Thomas Gardner] + +* Merge pull request #129 from seamustuohy/utf_hate. [Raphaël Vinot] + + Added support for malformed internationalized email headers + +* Added support for malformed internationalized email headers. [seamus tuohy] + + When an emails contains headers that use Unicode without properly crafing + them to comform to RFC-6323 the email import module would crash. + (See issue #119 & issue #93) + + To address this I have added additional layers of encoding/decoding to + any possibly internationalized email headers. This decodes properly + formed and malformed UTF-8, UTF-16, and UTF-32 headers appropriately. + When an unknown encoding is encountered it is returned as an 'encoded-word' + per RFC2047. + + This commit also adds unit-tests that tests properly formed and malformed + UTF-8, UTF-16, UTF-32, and CJK encoded strings in all header fields; UTF-8, + UTF-16, and UTF-32 encoded message bodies; and emoji testing for headers + and attachment file names. + +* Merge branch 'master' into utf_hate. [seamus tuohy] + +* Added unit tests for UTF emails. [seamus tuohy] + +* OTX and ThreatCrowd added. [Alexandre Dulaunoy] + +* Merge pull request #130 from chrisdoman/master. [Alexandre Dulaunoy] + + Add AlienVault OTX and ThreatCrowd Expansions + +* Add AlienVault OTX and ThreatCrowd Expansions. [Chris Doman] + +* Use proper version of PyMISP. [Raphaël Vinot] + +* Update travis, fix open ioc import. [Raphaël Vinot] + +* Merge pull request #122 from truckydev/master. [Alexandre Dulaunoy] + + Add tags on import with ioc import module + +* Replace tab by space. [Tristan METAYER] + +* Add a field for user to add tag for this import. [Tristan METAYER] + +* Merge pull request #121 from truckydev/master. [Andras Iklody] + + If filename add iocfilename as attachment + +* Typo correction. [Tristan METAYER] + +* Add user config to not add file as attachement in a box. [Tristan METAYER] + +* If filename add iocfilename as attachment. [Tristan METAYER] + +* Merge pull request #118 from truckydev/master. [Alexandre Dulaunoy] + + Add indent field for export + +* Add indent field for export. [Tristan METAYER] + +* Merge pull request #115 from FloatingGhost/master. [Alexandre Dulaunoy] + + fix: Use the proper formatting method and not the horrible % one + +* Missing expansion modules added in README. [Alexandre Dulaunoy] + +* ThreatMiner added. [Alexandre Dulaunoy] + +* Merge pull request #114 from kx499/master. [Alexandre Dulaunoy] + + ThreatMiner Expansion module + +* Bug fixes. [kx499] + +* Threatminer initial commit. [kx499] + +* Cosmetic changes. [Raphaël Vinot] + +* Merge pull request #111 from kx499/master. [Raphaël Vinot] + + Handful of changes to VirusTotal module + +* Bug fixes, tweaks, and python3 learning curve :) [kx499] + +* Initial commit of IPRep module. [kx499] + +* Fixed spacing, addressed error handling for public api, added subdomains, and added context comment. [kx499] + +* OpenIOC import module added. [Alexandre Dulaunoy] + +* Add OpenIOC import module. [Raphaël Vinot] + +* Merge pull request #109 from truckydev/master. [Alexandre Dulaunoy] + + add information about offline installation + +* Add information about offline installation. [truckydev] + +* Merge pull request #106 from truckydev/master. [Alexandre Dulaunoy] + + Lite export of an event + +* Exclude internal reference. [Tristan METAYER] + +* Add lite Export module. [Tristan METAYER] + +* Merge pull request #100 from rmarsollier/master. [Alexandre Dulaunoy] + + Some improvements of virustotal plugin + +* Some improvements of virustotal plugin. [rmarsollier] + +* Merge pull request #96 from johestephan/master. [Raphaël Vinot] + + XForce Exchange v1 (alpha) + +* Passed local run check. [Joerg Stephan] + +* V1. [Joerg Stephan] + +* Removed urrlib2. [Joerg Stephan] + +* Python3 changes. [Joerg Stephan] + +* Merged xforce exchange. [Joerg Stephan] + +* XForce Exchange v1 (alpha) [Joerg Stephan] + +* Merge pull request #56 from RichieB2B/ncsc-nl/mispjson. [Alexandre Dulaunoy] + + Simple import module to import MISP JSON format + +* Updated description to reflect merging use case. [Richard van den Berg] + +* Simple import module to import MISP JSON format. [Richard van den Berg] + +* Merge pull request #92 from seamustuohy/duck_typing_failure. [Alexandre Dulaunoy] + + Email import no longer unzips major compressed text document formats. + +* Email import no longer unzips major compressed text document formats. [seamus tuohy] + + Let this commit serve as a warning about the perils of duck typing. + Word documents (docx,odt,etc) were being uncompressed when they were + attached to emails. The email importer now checks a list of well known + extensions and will not attempt to unzip them. + + It is stuck using a list of extensions instead of using file magic because + many of these formats produce an application/zip mimetype when scanned. + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* Merge pull request #91 from Rafiot/master. [Raphaël Vinot] + + Improve email import module + +* Keep zip content as binary. [Raphaël Vinot] + +* Fix tests, cleanup. [Raphaël Vinot] + +* Improve support of email attachments. [Raphaël Vinot] + + Related to #90 + +* Merge pull request #89 from Rafiot/fix_87. [Raphaël Vinot] + + Improve VT support. + +* Standardised key checking. [Hannah Ward] + +* Fixed checking for submission_names in VT JSON. [Hannah Ward] + +* Update virustotal.py. [CheYenBzh] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* Training materials updated + Cuckoo JSON import module was missing. [Alexandre Dulaunoy] + +* Improve support of email importer if headers are missing. [Raphaël Vinot] + + Fix #88 + +* Remove python 3.3 support. [Raphaël Vinot] + +* Fix python 3.6 support. [Raphaël Vinot] + +* Make PEP8 happy. [Raphaël Vinot] + +* Add email_import in the modules loaded by default. [Raphaël Vinot] + +* Make PEP8 happy. [Raphaël Vinot] + +* Fix failing test (bug in the mail parser?) [Raphaël Vinot] + +* Add additional email parsing and tests. [seamus tuohy] + + Added additional attribute parsing and corresponding unit-tests. + E-mail attachment and url extraction added in this commit. This includes + unpacking zipfiles and simple password cracking of encrypted zipfiles. + +* Fixed basic errors. [seamus tuohy] + +* Merged with current master. [seamus tuohy] + +* Merge pull request #85 from rmarsollier/master. [Raphaël Vinot] + + add libjpeg-dev as a dep to allow pillow to be installed succesfully + +* Add libjpeg-dev as a dep to allow pillow to be installed succesfully. [robin.marsollier@conix.fr] + +* GeoIP module added. [Alexandre Dulaunoy] + +* Merge pull request #84 from MISP/amuehlem-master. [Raphaël Vinot] + + Fix PR + +* Do not crash if the dat file is not available. [Raphaël Vinot] + +* Fix path to config file. [Raphaël Vinot] + +* Merge branch 'master' of https://github.com/amuehlem/misp-modules into amuehlem-master. [Raphaël Vinot] + +* Added empty line to end of config file. [Andreas Muehlemann] + +* Removed DEFAULT section from configfile. [Andreas Muehlemann] + +* Fixed more typos. [Andreas Muehlemann] + +* Fixed typo. [Andreas Muehlemann] + +* Changed configparser from python2 to python3. [Andreas Muehlemann] + +* Updated missing parenthesis. [Andreas Muehlemann] + +* Merge branch 'geoip_country' [Andreas Muehlemann] + +* Removed unneeded config option for misp. [Andreas Muehlemann] + +* Removed debug message. [Andreas Muehlemann] + +* Added config option to geoip_country.py. [Andreas Muehlemann] + +* Added pygeoip to the REQUIREMENTS list. [Andreas Muehlemann] + +* Updated geoip_country to __init__.py. [Andreas Muehlemann] + +* Added geoip_country.py. [Andreas Muehlemann] + +* Better error reporting. [Raphaël Vinot] + +* Catch exception. [Raphaël Vinot] + +* Add reverse lookup. [Raphaël Vinot] + +* Refactoring of domaintools expansion module. [Raphaël Vinot] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* Merge pull request #83 from stoep/master. [Alexandre Dulaunoy] + + Added cuckooimport.py + +* Added cuckooimport.py. [Ubuntu] + +* DomainTools module added. [Alexandre Dulaunoy] + +* Remove domaintools tests. [Raphaël Vinot] + +* Add test for domaintools. [Raphaël Vinot] + +* Merge pull request #78 from deralexxx/patch-2. [Alexandre Dulaunoy] + + Update README.md + +* Update README.md. [Alexander J] + + mentioning import / export modules + +* Merge pull request #76 from deralexxx/patch-1. [Alexandre Dulaunoy] + + Update README.md + +* Update README.md. [Alexander J] + +* Merge pull request #75 from Rafiot/domtools. [Raphaël Vinot] + + Add Domain Tools module + +* Update requirements list. [Raphaël Vinot] + +* Add domaintools to the import list. [Raphaël Vinot] + +* Fix Typo. [Raphaël Vinot] + +* Add domain profile and reputation. [Raphaël Vinot] + +* Add more comments. [Raphaël Vinot] + +* Fix typo. [Raphaël Vinot] + +* Remove json.dumps. [Raphaël Vinot] + +* Avoid passing None in comments. [Raphaël Vinot] + +* Add comments to fields when possible. [Raphaël Vinot] + +* Add initial Domain Tools module. [Raphaël Vinot] + +* Merge pull request #74 from cudeso/master. [Raphaël Vinot] + + Extra VTI detections + +* Merge remote-tracking branch 'MISP/master' [Koen Van Impe] + +* Update README.md. [Raphaël Vinot] + +* Merge pull request #73 from FloatingGhost/master. [Raphaël Vinot] + + Use SpooledTemp, not NamedTemp file + +* Use git for everything we can. [Hannah Ward] + +* Ok we'll use the dep from misp-stix-converter. Surely this'll work? [Hannah Ward] + +* Use the CIRCL pymisp. Silly @rafiot ;) [Hannah Ward] + +* Travis should now use the master branch. [Hannah Ward] + +* Maybe it'll take the git repo now? [Hannah Ward] + +* Added pymisp to reqs. [Hannah Ward] + +* Don't cache anything pls travis. [Hannah Ward] + +* Removed unneeded modules. [Hannah Ward] + +* Use SpooledTemp, not NamedTemp file. [Hannah Ward] + +* VMRay import module added. [Alexandre Dulaunoy] + +* Merge pull request #72 from FloatingGhost/master. [Raphaël Vinot] + + Migrated stiximport to use misp-stix-converter + +* Moved to misp_stix_converter. [Hannah Ward] + +* Merge pull request #70 from cudeso/master. [Raphaël Vinot] + + Submit malware samples + +* Extra VTI detections. [Koen Van Impe] + +* Submit malware samples. [Koen Van Impe] + + _submit now includes malware samples (zipped content from misp) + _import checks when no vti_results are returned + bugfix + +* Fix STIX import module. [Raphaël Vinot] + +* Multiple clanges in the vmray modules. [Raphaël Vinot] + + * Generic fix to load modules requiring a local library + * Fix python3 support + * PEP8 related cleanups + +* Merge pull request #68 from cudeso/master. [Andras Iklody] + + VMRay Import & Submit module + +* VMRay Import & Submit module. [Koen Van Impe] + + * First commit + * No support for archives (yet) submit + +* Merge pull request #59 from rgraf/master. [Alexandre Dulaunoy] + + label replaced by text, which is existing attribute + +* Label replaced by text, which is existing attribute. [Roman Graf] + +* Adding basic test mockup. [seamus tuohy] + +* Adding more steps to module testing. [seamus tuohy] + +* Added attachment and url support. [seamus tuohy] + +* Added email meta-data import module. [seamus tuohy] + + This email meta-data import module collects basic meta-data from an e-mail + and populates an event with it. It populates the email subject, source + addresses, destination addresses, subject, and any attachment file names. + This commit also contains unit-tests for this module as well as updates to + the readme. Readme updates are additions aimed to make it easier for + outsiders to build modules. + +* Merge pull request #58 from rgraf/master. [Alexandre Dulaunoy] + + Added expansion for Wikidata. + +* Added expansion for Wikidata. Analyst can query Wikidata by label to get additional information for particular term. [Roman Graf] + +* Merge pull request #55 from amuehlem/reversedns. [Raphaël Vinot] + + added new module reversedns.py, added reversedns to __init__.py + +* Added new module reversedns.py, added reversedns to __init__.py. [Andreas Muehlemann] + +* Merge pull request #53 from MISP/Rafiot-patch-1. [Alexandre Dulaunoy] + + Dump host info as text + +* Dump host info as text. [Raphaël Vinot] + +* Fix typo. [Raphaël Vinot] + +* Merge pull request #52 from Rafiot/master. [Alexandre Dulaunoy] + + Add simple Shodan module + +* Add simple Shodan module. [Raphaël Vinot] + +* Merge pull request #49 from FloatingGhost/master. [Alexandre Dulaunoy] + + Removed useless pickle storage of stiximport + +* Removed useless pickle storage of stiximport. [Hannah Ward] + +* Create LICENSE. [Alexandre Dulaunoy] + +* Update README.md. [Andras Iklody] + +* Typo fixed. [Alexandre Dulaunoy] + +* CEF export module added. [Alexandre Dulaunoy] + +* Cef_export module added. [Alexandre Dulaunoy] + +* Merge pull request #47 from FloatingGhost/CEF_Export. [Alexandre Dulaunoy] + + CEF export, fixes in CountryCode, virustotal + +* Removed silly subdomain module. [Hannah Ward] + +* Added CEF export module. [Hannah Ward] + +* Now searches within observable_compositions. [Hannah Ward] + +* Removed calls to print. [Hannah Ward] + +* Added body.json to gitignore. [Hannah Ward] + +* Added virustotal tests. [Hannah Ward] + +* CountryCode JSON now is only grabbed once per server run. [Hannah Ward] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Raphaël Vinot] + +* Merge pull request #46 from Rafiot/master. [Raphaël Vinot] + + Make misp-modules really asynchronous + +* Add timeout for the modules, cleanup. [Raphaël Vinot] + +* Fix python 3.3 and 3.4. [Raphaël Vinot] + +* Make misp-modules really asynchronous. [Raphaël Vinot] + +* Improve tornado parallel. [Raphaël Vinot] + +* Coroutine decorator added to post handler. [Alexandre Dulaunoy] + +* -d option added - enabling debug on queried modules. [Alexandre Dulaunoy] + +* New modules added to __init__ [Alexandre Dulaunoy] + +* README updated for the new modules. [Alexandre Dulaunoy] + +* Merge pull request #45 from FloatingGhost/master. [Alexandre Dulaunoy] + + 2 new modules -- VirusTotal and CountryCode + +* Modified readme with virustotal/countrycode. [Hannah Ward] + +* Added virustotal module. [Hannah Ward] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Hannah Ward] + +* Merge pull request #44 from Rafiot/travis. [Alexandre Dulaunoy] + + Add coverage, update logging + +* Add coverage, update logging. [Raphaël Vinot] + +* Merge pull request #43 from FloatingGhost/master. [Alexandre Dulaunoy] + + StixImport now uses TemporaryFile rather than a named file in /tmp + +* Improved virustotal module. [Hannah Ward] + +* Added countrycode, working on virustotal. [Hannah Ward] + +* Added lookup by country code. [Hannah Ward] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Hannah Ward] + +* Fix a link to the STIX import module reference. [Alexandre Dulaunoy] + +* Stiximport now uses temporary files to store stix data. [Hannah Ward] + + Set max size in config, in bytes + +* Merge pull request #42 from MISP/pr/41. [Alexandre Dulaunoy] + + Cleanup on the stix import module + +* Merge remote-tracking branch 'origin/master' into pr/41. [Raphaël Vinot] + +* Add info about the import modules. [Alexandre Dulaunoy] + +* Make PEP8 happy \o/ [Raphaël Vinot] + +* Move stiximport.py to misp_modules/modules/import_mod/ [Raphaël Vinot] + +* There was a missing comma. [Hannah Ward] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Hannah Ward] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #40 from Rafiot/master. [Alexandre Dulaunoy] + + Remove bin script, use cleaner way. Fix last commit. + +* Remove bin script, use cleaner way. Fix last commit. [Raphaël Vinot] + +* Merge pull request #39 from Rafiot/master. [Alexandre Dulaunoy] + + Use entry_points instead of scripts in the install. + +* Use entry_points instead of scripts. [Raphaël Vinot] + +* Pip --upgrade must be always called (to have modules updated) [Alexandre Dulaunoy] + +* Added STIX to setup.py. [Hannah Ward] + +* Added STIX to reqs. [Hannah Ward] + +* Merge branch 'stix_import' [Hannah Ward] + +* Added tests, also disregards related_observables. Because they're useless. [Hannah Ward] + +* Fixed observables within an indicator not being added. [Hannah Ward] + +* Stiximport will now consume campaigns. [Hannah Ward] + +* Stiximport will now identify file hashes. [Hannah Ward] + +* I can't spell. [Hannah Ward] + +* Added STIXImport to readme. [Hannah Ward] + +* Threat actors now get imported by stix. [Hannah Ward] + +* Added docs to stiximport. [Hannah Ward] + +* Added stix import -- works for IPs/Domains. [Hannah Ward] + +* Update to the DNS module to support domain|ip. [iglocska] + +* Small change to the skeleton export. [iglocska] + +* Merge remote-tracking branch 'origin/import-test' [iglocska] + +* Added test export module. [Iglocska] + +* Merge branch 'master' of github.com:MISP/misp-modules. [Alexandre Dulaunoy] + +* Merge pull request #37 from Rafiot/master. [Raphaël Vinot] + + Update documentation. + +* Update documentation. [Raphaël Vinot] + + Fix https://github.com/MISP/MISP/issues/1424 + +* Merge branch 'import-test' of github.com:MISP/misp-modules into import-test. [Alexandre Dulaunoy] + +* Merge pull request #36 from Rafiot/import-test. [Alexandre Dulaunoy] + + Pass the server port as integer to the uwhois client + +* Pass the server port as integer to the uwhois client. [Raphaël Vinot] + +* Merge pull request #35 from Rafiot/import-test. [Alexandre Dulaunoy] + + Add whois module + +* Add whois module. [Raphaël Vinot] + +* First version of an Optical Character Recognition (OCR) module for MISP. [Alexandre Dulaunoy] + +* First version of the import skeleton. [Iglocska] + +* Added simple import skeleton. [Iglocska] + +* Merge pull request #33 from Rafiot/master. [Raphaël Vinot] + + fix: run the server as "python3 misp-modules" + +* Added category to the return format description. [Iglocska] + +* Merge pull request #31 from treyka/patch-1. [Alexandre Dulaunoy] + + Refine the installation procedure + +* Refine the installation procedure. [Trey Darley] + + Tweak this to make it more inline with the MISP installation docs, start misp-modules at startup via /etc/rc.local + +* Install documentation updated. [Alexandre Dulaunoy] + +* Merge pull request #28 from Rafiot/pip. [Alexandre Dulaunoy] + + Make it a package + +* Also run travis tests on the system-wide instance. [Raphaël Vinot] + +* Fix typos in the readme. [Raphaël Vinot] + +* Fix travis. [Raphaël Vinot] + +* Make sure misp-modules can be launched from anywhere. [Raphaël Vinot] + +* Proper testcases. [Raphaël Vinot] + +* Make it a package. [Raphaël Vinot] + +* Merge pull request #29 from iglocska/master. [Alexandre Dulaunoy] + + Added skeleton structure for new modules + +* Added skeleton structure for new modules. [Iglocska] + +* Fixed a bug introduced by previous commit if started from the current directory. [Alexandre Dulaunoy] + +* Merge pull request #26 from Rafiot/master. [Alexandre Dulaunoy] + + Automatic chdir when the modules are started + +* Automatic chdir when the modules are started. [Raphaël Vinot] + +* Merge pull request #25 from eu-pi/eupi_expansion_fix. [Alexandre Dulaunoy] + + [EUPI] Fix expansion for empty EUPI response + +* [EUPI] Fix expansion for empty EUPI response. [Rogdham] + + Offer no enrichment instead of displaying an error message + +* Merge pull request #24 from eu-pi/eupi_hover. [Alexandre Dulaunoy] + + [EUPI] Change module for a simple hover status + +* [EUPI] Simplify hover. [Rogdham] + +* Merge pull request #23 from Rafiot/master. [Raphaël Vinot] + + [EUPI] Return error message if unknown + +* [EUPI] Return error message is unknown. [Raphaël Vinot] + +* Merge pull request #22 from Rafiot/master. [Raphaël Vinot] + + [EUPI] Do not return empty results + +* [EUPI] Do not return empty results. [Raphaël Vinot] + +* ASN History added. [Alexandre Dulaunoy] + +* Merge pull request #21 from Rafiot/master. [Raphaël Vinot] + + [ASN description] Fix input type + +* [ASN description] Fix input type. [Raphaël Vinot] + +* Merge pull request #20 from Rafiot/master. [Raphaël Vinot] + + Add ASN Description expansion module + +* Add ASN Description expansion module. [Raphaël Vinot] + +* Merge pull request #19 from Rafiot/master. [Raphaël Vinot] + + Fix last commit + +* Fix last commit. [Raphaël Vinot] + +* Merge pull request #18 from Rafiot/master. [Raphaël Vinot] + + Improve rendering of IP ASN + +* Improve rendering of IP ASN. [Raphaël Vinot] + +* Merge pull request #17 from Rafiot/master. [Raphaël Vinot] + + Fix again IPASN module + +* Fix again IPASN module. [Raphaël Vinot] + +* Merge pull request #16 from Rafiot/master. [Raphaël Vinot] + + Fix IPASN module + +* Fix IPASN module. [Raphaël Vinot] + +* Ipasn module added. [Alexandre Dulaunoy] + +* Merge pull request #15 from Rafiot/master. [Alexandre Dulaunoy] + + Add IPASN history module + +* Add IPASN history module. [Raphaël Vinot] + +* Merge pull request #14 from eu-pi/listen-addr. [Alexandre Dulaunoy] + + Add option to specify listen address + +* Add option to specify listen address. [Rogdham] + +* EUPI module added. [Alexandre Dulaunoy] + +* Merge pull request #13 from Rafiot/master. [Raphaël Vinot] + + Fix eupi module + +* Fix eupi module. [Raphaël Vinot] + +* Merge pull request #12 from Rafiot/master. [Raphaël Vinot] + + Add EUPI module + +* Add redis server. [Raphaël Vinot] + +* Add EUPI module. [Raphaël Vinot] + +* Skip modules that cannot import. [Alexandre Dulaunoy] + +* Skip dot files. [Alexandre Dulaunoy] + +* Value is not required. [Alexandre Dulaunoy] + +* Cache helper added. [Alexandre Dulaunoy] + + The cache helper is a simple helper to cache data + in Redis back-end. The format in the cache is the following: + m::sha1(key) -> value. Default expiration is 86400 seconds. + +* Skeleton for misp-modules helpers added. [Alexandre Dulaunoy] + + Helpers will support modules with basic functionalities + like caching or alike. + +* Option -p added to specify the TCP port of the misp-modules server. [Alexandre Dulaunoy] + +* Intelmq req. removed. [Alexandre Dulaunoy] + +* Argparse used for the test mode. [Alexandre Dulaunoy] + +* Deleted. [Alexandre Dulaunoy] + +* Intelmq is an experimental module (not production ready) [Alexandre Dulaunoy] + +* Merge pull request #11 from Rafiot/master. [Raphaël Vinot] + + Fix test mode + +* Fix test mode. [Raphaël Vinot] + +* Fix install commands. [Raphaël Vinot] + +* Add Travis logo. [Raphaël Vinot] + +* Merge pull request #10 from Rafiot/travis. [Raphaël Vinot] + + Add basic travis file + +* Add basic travis file. [Raphaël Vinot] + +* Merge pull request #9 from Rafiot/master. [Alexandre Dulaunoy] + + Please PEP8 on all expansions + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Raphaël Vinot] + +* Merge pull request #8 from aaronkaplan/master. [Alexandre Dulaunoy] + + initial example of intelmq connector/enrichtment. Need to change to u… + +* Initial example of intelmq connector/enrichtment. Need to change to use the eventDB RESTful API, not the postgresql DB. [aaronkaplan] + +* Update README.md. [Raphaël Vinot] + +* Dns module test with option added. [Alexandre Dulaunoy] + +* New modules added. [Alexandre Dulaunoy] + +* Dns MISP module - option to specify nameserver added. [Alexandre Dulaunoy] + +* Slides reference added. [Alexandre Dulaunoy] + +* Add missing requirements. [Alexandre Dulaunoy] + +* Merge pull request #7 from Rafiot/master. [Alexandre Dulaunoy] + + Make loader more flexible + +* Make PEP8 happy. [Raphaël Vinot] + +* Add CIRCL pssl module. [Raphaël Vinot] + +* Make loader more flexible. [Raphaël Vinot] + +* First module to test the freetext import functionality. [Alexandre Dulaunoy] + +* CIRCL Passive DNS output attributes updated. [Alexandre Dulaunoy] + +* PyPDNS requirement added. [Alexandre Dulaunoy] + +* CIRCL Passive DNS added. [Alexandre Dulaunoy] + +* Tests updated to include CIRCL passive dns. [Alexandre Dulaunoy] + +* Test file for passivetotal updated. [Alexandre Dulaunoy] + +* Merge pull request #5 from passivetotal/master. [Alexandre Dulaunoy] + + Rewrote the entire PassiveTotal extension + +* Rewrote the entire PassiveTotal extension. [Brandon Dixon] + +* Return a text attribute for an hover only module. [Alexandre Dulaunoy] + +* How to start MISP modules. [Alexandre Dulaunoy] + +* 2.4.28 includes misp modules by default. [Alexandre Dulaunoy] + +* Types are now described. [Alexandre Dulaunoy] + +* Debug removed. [Alexandre Dulaunoy] + +* Convert the base64 to ascii. [Iglocska] + +* Module-type added as default. [Alexandre Dulaunoy] + +* Return base64 value of the archived data. [Alexandre Dulaunoy] + +* Merge pull request #2 from iglocska/master. [Alexandre Dulaunoy] + + Some changes to the sourcecache expansion + +* Merge branch 'alternate_response' [Iglocska] + +* Some changes to the sourcecache expansion. [Iglocska] + + - return attachment or malware sample + +* Cve module tests added. [Alexandre Dulaunoy] + +* CVE hover expansion module. [Alexandre Dulaunoy] + + An hover module is a module returning a JSON that can be used + as hover element in the MISP UI. + +* Sourcecache module includes the metadata config. [Alexandre Dulaunoy] + +* README updated to reflect config parameters changes. [Alexandre Dulaunoy] + +* Removed unused attributes. [Alexandre Dulaunoy] + +* Sample JSON files reflecting config changes. [Alexandre Dulaunoy] + +* Config parameters are now exposed via the meta information. [Alexandre Dulaunoy] + + config uses a specific list of values exposed via the + introspection of the module. config is now passed as an additional + dictionary to the request. MISP attributes include only MISP attributes. + +* Sourcecache module added. [Alexandre Dulaunoy] + +* A minimal caching module added to cache link or url from MISP. [Alexandre Dulaunoy] + +* Typo fixed + meta output. [Alexandre Dulaunoy] + +* Minimal functions requirements updated + PR request. [Alexandre Dulaunoy] + +* Exclude dot files from modules list to be loaded. [Alexandre Dulaunoy] + +* Example of module introspection including meta information. [Alexandre Dulaunoy] + +* Module meta added to return version, description and author per module. [Alexandre Dulaunoy] + +* Authentication notes added. [Alexandre Dulaunoy] + +* Passivetotal module added. [Alexandre Dulaunoy] + +* First version of a passivetotal MISP expansion module. [Alexandre Dulaunoy] + +* Default DNS updated. [Alexandre Dulaunoy] + +* Add a note regarding error codes. [Alexandre Dulaunoy] + +* Handling of error added. [Alexandre Dulaunoy] + +* Merge pull request #1 from Rafiot/master. [Alexandre Dulaunoy] + + Make PEP8 happy. + +* Make PEP8 happy. [Raphaël Vinot] + +* Output updated (type of module added) [Alexandre Dulaunoy] + +* Add a version per default. [Alexandre Dulaunoy] + +* Add type per module. [Alexandre Dulaunoy] + +* Format updated following Andras updates. [Alexandre Dulaunoy] + +* Default var directory added. [Alexandre Dulaunoy] + +* Python pip REQUIREMENTS file added. [Alexandre Dulaunoy] + +* Merge branch 'master' of https://github.com/MISP/misp-modules. [Iglocska] + +* Minimal logging added to the server. [Alexandre Dulaunoy] + +* Debug messages removed. [Alexandre Dulaunoy] + +* Minimal documentation added. [Alexandre Dulaunoy] + +* Curl is now silent. [Alexandre Dulaunoy] + +* Changed the output format to include all matching attribute types. [Iglocska] + + - changed the output format to give us a bit more flexibility + - return an array of results + - return the valid misp attribute types for each result + +* Basic test cases added. [Alexandre Dulaunoy] + +* MISP dns expansion module. [Alexandre Dulaunoy] + +* First version of a web services to provide ReST API to MISP expansion services. [Alexandre Dulaunoy] + + diff --git a/DOC-REQUIREMENTS b/DOC-REQUIREMENTS new file mode 100644 index 0000000..8373cb7 --- /dev/null +++ b/DOC-REQUIREMENTS @@ -0,0 +1,3 @@ +mkdocs +pymdown-extensions +mkdocs-material diff --git a/Makefile b/Makefile index 1cff13f..b37670e 100644 --- a/Makefile +++ b/Makefile @@ -3,12 +3,15 @@ .PHONY: prepare_docs generate_docs ci_generate_docs test_docs prepare_docs: - cd doc; python generate_documentation.py + cd documentation; python3 generate_documentation.py mkdir -p docs/expansion/logos docs/export_mod/logos docs/import_mod/logos - cp -R doc/logos/* docs/expansion/logos - cp -R doc/logos/* docs/export_mod/logos - cp -R doc/logos/* docs/import_mod/logos - cp LICENSE docs/license.md + mkdir -p docs/logos + cd documentation; cp -R ./logos/* ../docs/logos + cd documentation; cp -R ./logos/* ../docs/expansion/logos + cd documentation; cp -R ./logos/* ../docs/export_mod/logos + cd documentation; cp -R ./logos/* ../docs/import_mod/logos + cp ./documentation/mkdocs/*.md ./docs + cp LICENSE ./docs/license.md install_requirements: pip install -r docs/REQUIREMENTS.txt diff --git a/Pipfile b/Pipfile index 1169368..ddc0201 100644 --- a/Pipfile +++ b/Pipfile @@ -11,56 +11,70 @@ flake8 = "*" [packages] dnspython = "*" -requests = {extras = ["security"],version = "*"} +requests = { extras = ["security"], version = "*" } urlarchiver = "*" passivetotal = "*" pypdns = "*" pypssl = "*" pyeupi = "*" -uwhois = {editable = true,git = "https://github.com/Rafiot/uwhoisd.git",ref = "testing",subdirectory = "client"} -pymisp = {editable = true,extras = ["fileobjects,openioc,pdfexport"],git = "https://github.com/MISP/PyMISP.git"} -pyonyphe = {editable = true,git = "https://github.com/sebdraven/pyonyphe"} -pydnstrails = {editable = true,git = "https://github.com/sebdraven/pydnstrails"} +pymisp = { extras = ["fileobjects,openioc,pdfexport,email,url"], version = "*" } +pyonyphe = { git = "https://github.com/sebdraven/pyonyphe" } +pydnstrails = { git = "https://github.com/sebdraven/pydnstrails" } pytesseract = "*" pygeoip = "*" beautifulsoup4 = "*" oauth2 = "*" yara-python = "==3.8.1" sigmatools = "*" +stix2 = "*" stix2-patterns = "*" +taxii2-client = "*" maclookup = "*" vulners = "*" blockchain = "*" reportlab = "*" -pyintel471 = {editable = true,git = "https://github.com/MISP/PyIntel471.git"} +pyintel471 = { git = "https://github.com/MISP/PyIntel471.git" } shodan = "*" -Pillow = "*" +Pillow = ">=8.2.0" Wand = "*" SPARQLWrapper = "*" domaintools_api = "*" -misp-modules = {editable = true,path = "."} -pybgpranking = {editable = true,git = "https://github.com/D4-project/BGP-Ranking.git/",subdirectory = "client"} -pyipasnhistory = {editable = true,git = "https://github.com/D4-project/IPASN-History.git/",subdirectory = "client"} +misp-modules = { path = "." } +pybgpranking = { git = "https://github.com/D4-project/BGP-Ranking.git/", subdirectory = "client", ref = "68de39f6c5196f796055c1ac34504054d688aa59" } +pyipasnhistory = { git = "https://github.com/D4-project/IPASN-History.git/", subdirectory = "client", ref = "a2853c39265cecdd0c0d16850bd34621c0551b87" } backscatter = "*" pyzbar = "*" opencv-python = "*" np = "*" -ODTReader = {editable = true,git = "https://github.com/cartertemm/ODTReader.git/"} +ODTReader = { git = "https://github.com/cartertemm/ODTReader.git/" } python-pptx = "*" python-docx = "*" ezodf = "*" -pandas = "*" -pandas_ods_reader = "*" +pandas = "==1.3.5" +pandas_ods_reader = "==0.1.2" pdftotext = "*" lxml = "*" xlrd = "*" -idna-ssl = {markers = "python_version < '3.7'"} jbxapi = "*" geoip2 = "*" apiosintDS = "*" assemblyline_client = "*" vt-graph-api = "*" -trustar = "*" +trustar = { git = "https://github.com/SteveClement/trustar-python.git" } +markdownify = "==0.5.3" +socialscan = "*" +dnsdb2 = "*" +clamd = "*" +aiohttp = ">=3.7.4" +tau-clients = "*" +vt-py = ">=0.7.1" +crowdstrike-falconpy = "0.9.0" +censys = "2.0.9" +mwdblib = "3.4.1" +ndjson = "0.3.1" +Jinja2 = "3.1.2" +mattermostdriver = "7.3.2" +openpyxl = "*" [requires] -python_version = "3" +python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock deleted file mode 100644 index 73aeaed..0000000 --- a/Pipfile.lock +++ /dev/null @@ -1,1363 +0,0 @@ -{ - "_meta": { - "hash": { - "sha256": "c2d937b384431e4b313b29bb02db0bd1d3a866ddcb7c6e91cbfa34f88d351b59" - }, - "pipfile-spec": 6, - "requires": { - "python_version": "3" - }, - "sources": [ - { - "name": "pypi", - "url": "https://pypi.org/simple", - "verify_ssl": true - } - ] - }, - "default": { - "aiohttp": { - "hashes": [ - "sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e", - "sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326", - "sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a", - "sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654", - "sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a", - "sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4", - "sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17", - "sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec", - "sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd", - "sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48", - "sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59", - "sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965" - ], - "markers": "python_full_version >= '3.5.3'", - "version": "==3.6.2" - }, - "antlr4-python3-runtime": { - "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" - ], - "markers": "python_version >= '3'", - "version": "==4.8" - }, - "apiosintds": { - "hashes": [ - "sha256:d8ab4dcf75a9989572cd6808773b56fdf535b6080d6041d98e911e6c5eb31f3c" - ], - "index": "pypi", - "version": "==1.8.3" - }, - "argparse": { - "hashes": [ - "sha256:62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4", - "sha256:c31647edb69fd3d465a847ea3157d37bed1f95f19760b11a47aa91c04b666314" - ], - "version": "==1.4.0" - }, - "assemblyline-client": { - "hashes": [ - "sha256:6f45cab3be3ec60984a5c2049d46dac80d4e3d4f3d9538220518a44c7a6ddb15", - "sha256:971371065f2b41027325bf9fa9c72960262a446c7e08bda57865d34dcc4108b0" - ], - "index": "pypi", - "version": "==3.7.3" - }, - "async-timeout": { - "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" - ], - "markers": "python_full_version >= '3.5.3'", - "version": "==3.0.1" - }, - "attrs": { - "hashes": [ - "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", - "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==19.3.0" - }, - "backscatter": { - "hashes": [ - "sha256:7a0d1aa3661635de81e2a09b15d53e35cbe399a111cc58a70925f80e6874abd3", - "sha256:afb0efcf5d2551dac953ec4c38fb710b274b8e811775650e02c1ef42cafb14c8" - ], - "index": "pypi", - "version": "==0.2.4" - }, - "beautifulsoup4": { - "hashes": [ - "sha256:73cc4d115b96f79c7d77c1c7f7a0a8d4c57860d1041df407dd1aae7f07a77fd7", - "sha256:a6237df3c32ccfaee4fd201c8f5f9d9df619b93121d01353a64a73ce8c6ef9a8", - "sha256:e718f2342e2e099b640a34ab782407b7b676f47ee272d6739e60b8ea23829f2c" - ], - "index": "pypi", - "version": "==4.9.1" - }, - "blockchain": { - "hashes": [ - "sha256:dbaa3eebb6f81b4245005739da802c571b09f98d97eb66520afd95d9ccafebe2" - ], - "index": "pypi", - "version": "==1.4.4" - }, - "certifi": { - "hashes": [ - "sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3", - "sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41" - ], - "version": "==2020.6.20" - }, - "cffi": { - "hashes": [ - "sha256:001bf3242a1bb04d985d63e138230802c6c8d4db3668fb545fb5005ddf5bb5ff", - "sha256:00789914be39dffba161cfc5be31b55775de5ba2235fe49aa28c148236c4e06b", - "sha256:028a579fc9aed3af38f4892bdcc7390508adabc30c6af4a6e4f611b0c680e6ac", - "sha256:14491a910663bf9f13ddf2bc8f60562d6bc5315c1f09c704937ef17293fb85b0", - "sha256:1cae98a7054b5c9391eb3249b86e0e99ab1e02bb0cc0575da191aedadbdf4384", - "sha256:2089ed025da3919d2e75a4d963d008330c96751127dd6f73c8dc0c65041b4c26", - "sha256:2d384f4a127a15ba701207f7639d94106693b6cd64173d6c8988e2c25f3ac2b6", - "sha256:337d448e5a725bba2d8293c48d9353fc68d0e9e4088d62a9571def317797522b", - "sha256:399aed636c7d3749bbed55bc907c3288cb43c65c4389964ad5ff849b6370603e", - "sha256:3b911c2dbd4f423b4c4fcca138cadde747abdb20d196c4a48708b8a2d32b16dd", - "sha256:3d311bcc4a41408cf5854f06ef2c5cab88f9fded37a3b95936c9879c1640d4c2", - "sha256:62ae9af2d069ea2698bf536dcfe1e4eed9090211dbaafeeedf5cb6c41b352f66", - "sha256:66e41db66b47d0d8672d8ed2708ba91b2f2524ece3dee48b5dfb36be8c2f21dc", - "sha256:675686925a9fb403edba0114db74e741d8181683dcf216be697d208857e04ca8", - "sha256:7e63cbcf2429a8dbfe48dcc2322d5f2220b77b2e17b7ba023d6166d84655da55", - "sha256:8a6c688fefb4e1cd56feb6c511984a6c4f7ec7d2a1ff31a10254f3c817054ae4", - "sha256:8c0ffc886aea5df6a1762d0019e9cb05f825d0eec1f520c51be9d198701daee5", - "sha256:95cd16d3dee553f882540c1ffe331d085c9e629499ceadfbda4d4fde635f4b7d", - "sha256:99f748a7e71ff382613b4e1acc0ac83bf7ad167fb3802e35e90d9763daba4d78", - "sha256:b8c78301cefcf5fd914aad35d3c04c2b21ce8629b5e4f4e45ae6812e461910fa", - "sha256:c420917b188a5582a56d8b93bdd8e0f6eca08c84ff623a4c16e809152cd35793", - "sha256:c43866529f2f06fe0edc6246eb4faa34f03fe88b64a0a9a942561c8e22f4b71f", - "sha256:cab50b8c2250b46fe738c77dbd25ce017d5e6fb35d3407606e7a4180656a5a6a", - "sha256:cef128cb4d5e0b3493f058f10ce32365972c554572ff821e175dbc6f8ff6924f", - "sha256:cf16e3cf6c0a5fdd9bc10c21687e19d29ad1fe863372b5543deaec1039581a30", - "sha256:e56c744aa6ff427a607763346e4170629caf7e48ead6921745986db3692f987f", - "sha256:e577934fc5f8779c554639376beeaa5657d54349096ef24abe8c74c5d9c117c3", - "sha256:f2b0fa0c01d8a0c7483afd9f31d7ecf2d71760ca24499c8697aeb5ca37dc090c" - ], - "version": "==1.14.0" - }, - "chardet": { - "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" - ], - "version": "==3.0.4" - }, - "click": { - "hashes": [ - "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a", - "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==7.1.2" - }, - "click-plugins": { - "hashes": [ - "sha256:46ab999744a9d831159c3411bb0c79346d94a444df9a3a3742e9ed63645f264b", - "sha256:5d262006d3222f5057fd81e1623d4443e41dcda5dc815c06b442aa3c02889fc8" - ], - "version": "==1.1.1" - }, - "colorama": { - "hashes": [ - "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", - "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==0.4.3" - }, - "configparser": { - "hashes": [ - "sha256:2ca44140ee259b5e3d8aaf47c79c36a7ab0d5e94d70bd4105c03ede7a20ea5a1", - "sha256:cffc044844040c7ce04e9acd1838b5f2e5fa3170182f6fda4d2ea8b0099dbadd" - ], - "markers": "python_version >= '3.6'", - "version": "==5.0.0" - }, - "cryptography": { - "hashes": [ - "sha256:091d31c42f444c6f519485ed528d8b451d1a0c7bf30e8ca583a0cac44b8a0df6", - "sha256:18452582a3c85b96014b45686af264563e3e5d99d226589f057ace56196ec78b", - "sha256:1dfa985f62b137909496e7fc182dac687206d8d089dd03eaeb28ae16eec8e7d5", - "sha256:1e4014639d3d73fbc5ceff206049c5a9a849cefd106a49fa7aaaa25cc0ce35cf", - "sha256:22e91636a51170df0ae4dcbd250d318fd28c9f491c4e50b625a49964b24fe46e", - "sha256:3b3eba865ea2754738616f87292b7f29448aec342a7c720956f8083d252bf28b", - "sha256:651448cd2e3a6bc2bb76c3663785133c40d5e1a8c1a9c5429e4354201c6024ae", - "sha256:726086c17f94747cedbee6efa77e99ae170caebeb1116353c6cf0ab67ea6829b", - "sha256:844a76bc04472e5135b909da6aed84360f522ff5dfa47f93e3dd2a0b84a89fa0", - "sha256:88c881dd5a147e08d1bdcf2315c04972381d026cdb803325c03fe2b4a8ed858b", - "sha256:96c080ae7118c10fcbe6229ab43eb8b090fccd31a09ef55f83f690d1ef619a1d", - "sha256:a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229", - "sha256:bb1f0281887d89617b4c68e8db9a2c42b9efebf2702a3c5bf70599421a8623e3", - "sha256:c447cf087cf2dbddc1add6987bbe2f767ed5317adb2d08af940db517dd704365", - "sha256:c4fd17d92e9d55b84707f4fd09992081ba872d1a0c610c109c18e062e06a2e55", - "sha256:d0d5aeaedd29be304848f1c5059074a740fa9f6f26b84c5b63e8b29e73dfc270", - "sha256:daf54a4b07d67ad437ff239c8a4080cfd1cc7213df57d33c97de7b4738048d5e", - "sha256:e993468c859d084d5579e2ebee101de8f5a27ce8e2159959b6673b418fd8c785", - "sha256:f118a95c7480f5be0df8afeb9a11bd199aa20afab7a96bcf20409b411a3a85f0" - ], - "version": "==2.9.2" - }, - "decorator": { - "hashes": [ - "sha256:41fa54c2a0cc4ba648be4fd43cff00aedf5b9465c9bf18d64325bc225f08f760", - "sha256:e3a62f0520172440ca0dcc823749319382e377f37f140a0b99ef45fecb84bfe7" - ], - "version": "==4.4.2" - }, - "deprecated": { - "hashes": [ - "sha256:525ba66fb5f90b07169fdd48b6373c18f1ee12728ca277ca44567a367d9d7f74", - "sha256:a766c1dccb30c5f6eb2b203f87edd1d8588847709c78589e1521d769addc8218" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.10" - }, - "dnspython": { - "hashes": [ - "sha256:36c5e8e38d4369a08b6780b7f27d790a292b2b08eea01607865bf0936c558e01", - "sha256:f69c21288a962f4da86e56c4905b49d11aba7938d3d740e80d9e366ee4f1632d" - ], - "index": "pypi", - "version": "==1.16.0" - }, - "domaintools-api": { - "hashes": [ - "sha256:62e2e688d14dbd7ca51a44bd0a8490aa69c712895475598afbdbb1e1e15bf2f2", - "sha256:fe75e3cc86e7e2904b06d8e94b1986e721fdce85d695c87d1140403957e4c989" - ], - "index": "pypi", - "version": "==0.5.2" - }, - "enum-compat": { - "hashes": [ - "sha256:3677daabed56a6f724451d585662253d8fb4e5569845aafa8bb0da36b1a8751e", - "sha256:88091b617c7fc3bbbceae50db5958023c48dc40b50520005aa3bf27f8f7ea157" - ], - "version": "==0.0.3" - }, - "ez-setup": { - "hashes": [ - "sha256:303c5b17d552d1e3fb0505d80549f8579f557e13d8dc90e5ecef3c07d7f58642" - ], - "version": "==0.9" - }, - "ezodf": { - "hashes": [ - "sha256:000da534f689c6d55297a08f9e2ed7eada9810d194d31d164388162fb391122d" - ], - "index": "pypi", - "version": "==0.3.2" - }, - "future": { - "hashes": [ - "sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==0.18.2" - }, - "futures": { - "hashes": [ - "sha256:3a44f286998ae64f0cc083682fcfec16c406134a81a589a5de445d7bb7c2751b", - "sha256:51ecb45f0add83c806c68e4b06106f90db260585b25ef2abfcda0bd95c0132fd", - "sha256:c4884a65654a7c45435063e14ae85280eb1f111d94e542396717ba9828c4337f" - ], - "version": "==3.1.1" - }, - "geoip2": { - "hashes": [ - "sha256:5869e987bc54c0d707264fec4710661332cc38d2dca5a7f9bb5362d0308e2ce0", - "sha256:99ec12d2f1271a73a0a4a2b663fe6ce25fd02289c0a6bef05c0a1c3b30ee95a4" - ], - "index": "pypi", - "version": "==3.0.0" - }, - "httplib2": { - "hashes": [ - "sha256:8af66c1c52c7ffe1aa5dc4bcd7c769885254b0756e6e69f953c7f0ab49a70ba3", - "sha256:ca2914b015b6247791c4866782fa6042f495b94401a0f0bd3e1d6e0ba2236782" - ], - "version": "==0.18.1" - }, - "idna": { - "hashes": [ - "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", - "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.10" - }, - "idna-ssl": { - "hashes": [ - "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c" - ], - "markers": "python_version < '3.7'", - "version": "==1.1.0" - }, - "isodate": { - "hashes": [ - "sha256:2e364a3d5759479cdb2d37cce6b9376ea504db2ff90252a2e5b7cc89cc9ff2d8", - "sha256:aa4d33c06640f5352aca96e4b81afd8ab3b47337cc12089822d6f322ac772c81" - ], - "version": "==0.6.0" - }, - "jbxapi": { - "hashes": [ - "sha256:58eb7d77a52169309e2322ce874c0f00a7900a515d1d0798ff85973cdb2766e3" - ], - "index": "pypi", - "version": "==3.8.0" - }, - "jsonschema": { - "hashes": [ - "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", - "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a" - ], - "version": "==3.2.0" - }, - "lief": { - "hashes": [ - "sha256:276cc63ec12a21bdf01b8d30962692c17499788234f0765247ca7a35872097ec", - "sha256:3e6baaeb52bdc339b5f19688b58fd8d5778b92e50221f920cedfa2bec1f4d5c2", - "sha256:45e5c592b57168c447698381d927eb2386ffdd52afe0c48245f848d4cc7ee05a", - "sha256:6547752b5db105cd41c9fa65d0d7452a4d7541b77ffee716b46246c6d81e172f", - "sha256:83b51e01627b5982662f9550ac1230758aa56945ed86829e4291932d98417da3", - "sha256:895599194ea7495bf304e39317b04df20cccf799fc2751867cc1aa4997cfcdae", - "sha256:8a91cee2568306fe1d2bf84341b459c85368317d01d7105fa49e4f4ede837076", - "sha256:913b36a67707dc2afa72f117bab9856ea3f434f332b04a002a0f9723c8779320", - "sha256:9f604a361a3b1b3ed5fdafed0321c5956cb3b265b5efe2250d1bf8911a80c65b", - "sha256:a487fe7234c04bccd58223dbb79214421176e2629814c7a4a887764cceb5be7c", - "sha256:bc8488fb0661cb436fe4bb4fe947d0f9aa020e9acaed233ccf01ab04d888c68a", - "sha256:bddbf333af62310a10cb738a1df1dc2b140dd9c663b55ba3500c10c249d416d2", - "sha256:cce48d7c97cef85e01e6cfeff55f2068956b5c0257eb9c2d2c6d15e33dd1e4fc", - "sha256:f8b3f66956c56b582b3adc573bf2a938c25fb21c8894b373a113e24c494fc982" - ], - "version": "==0.10.1" - }, - "lxml": { - "hashes": [ - "sha256:06748c7192eab0f48e3d35a7adae609a329c6257495d5e53878003660dc0fec6", - "sha256:0790ddca3f825dd914978c94c2545dbea5f56f008b050e835403714babe62a5f", - "sha256:1aa7a6197c1cdd65d974f3e4953764eee3d9c7b67e3966616b41fab7f8f516b7", - "sha256:22c6d34fdb0e65d5f782a4d1a1edb52e0a8365858dafb1c08cb1d16546cf0786", - "sha256:2754d4406438c83144f9ffd3628bbe2dcc6d62b20dbc5c1ec4bc4385e5d44b42", - "sha256:27ee0faf8077c7c1a589573b1450743011117f1aa1a91d5ae776bbc5ca6070f2", - "sha256:2b02c106709466a93ed424454ce4c970791c486d5fcdf52b0d822a7e29789626", - "sha256:2d1ddce96cf15f1254a68dba6935e6e0f1fe39247de631c115e84dd404a6f031", - "sha256:4f282737d187ae723b2633856085c31ae5d4d432968b7f3f478a48a54835f5c4", - "sha256:51bb4edeb36d24ec97eb3e6a6007be128b720114f9a875d6b370317d62ac80b9", - "sha256:7eee37c1b9815e6505847aa5e68f192e8a1b730c5c7ead39ff317fde9ce29448", - "sha256:7fd88cb91a470b383aafad554c3fe1ccf6dfb2456ff0e84b95335d582a799804", - "sha256:9144ce36ca0824b29ebc2e02ca186e54040ebb224292072250467190fb613b96", - "sha256:925baf6ff1ef2c45169f548cc85204433e061360bfa7d01e1be7ae38bef73194", - "sha256:a636346c6c0e1092ffc202d97ec1843a75937d8c98aaf6771348ad6422e44bb0", - "sha256:a87dbee7ad9dce3aaefada2081843caf08a44a8f52e03e0a4cc5819f8398f2f4", - "sha256:a9e3b8011388e7e373565daa5e92f6c9cb844790dc18e43073212bb3e76f7007", - "sha256:afb53edf1046599991fb4a7d03e601ab5f5422a5435c47ee6ba91ec3b61416a6", - "sha256:b26719890c79a1dae7d53acac5f089d66fd8cc68a81f4e4bd355e45470dc25e1", - "sha256:b7462cdab6fffcda853338e1741ce99706cdf880d921b5a769202ea7b94e8528", - "sha256:b77975465234ff49fdad871c08aa747aae06f5e5be62866595057c43f8d2f62c", - "sha256:c47a8a5d00060122ca5908909478abce7bbf62d812e3fc35c6c802df8fb01fe7", - "sha256:c79e5debbe092e3c93ca4aee44c9a7631bdd407b2871cb541b979fd350bbbc29", - "sha256:d8d40e0121ca1606aa9e78c28a3a7d88a05c06b3ca61630242cded87d8ce55fa", - "sha256:ee2be8b8f72a2772e72ab926a3bccebf47bb727bda41ae070dc91d1fb759b726", - "sha256:f95d28193c3863132b1f55c1056036bf580b5a488d908f7d22a04ace8935a3a9", - "sha256:fadd2a63a2bfd7fb604508e553d1cf68eca250b2fbdbd81213b5f6f2fbf23529" - ], - "index": "pypi", - "version": "==4.5.1" - }, - "maclookup": { - "hashes": [ - "sha256:33bf8eaebe3b1e4ab4ae9277dd93c78024e0ebf6b3c42f76c37695bc26ce287a", - "sha256:795e792cd3e03c9bdad77e52904d43ff71d3ac03b360443f99d4bae08a6bffef" - ], - "index": "pypi", - "version": "==1.0.3" - }, - "maxminddb": { - "hashes": [ - "sha256:f4d28823d9ca23323d113dc7af8db2087aa4f657fafc64ff8f7a8afda871425b" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==1.5.4" - }, - "misp-modules": { - "editable": true, - "path": "." - }, - "multidict": { - "hashes": [ - "sha256:1ece5a3369835c20ed57adadc663400b5525904e53bae59ec854a5d36b39b21a", - "sha256:275ca32383bc5d1894b6975bb4ca6a7ff16ab76fa622967625baeebcf8079000", - "sha256:3750f2205b800aac4bb03b5ae48025a64e474d2c6cc79547988ba1d4122a09e2", - "sha256:4538273208e7294b2659b1602490f4ed3ab1c8cf9dbdd817e0e9db8e64be2507", - "sha256:5141c13374e6b25fe6bf092052ab55c0c03d21bd66c94a0e3ae371d3e4d865a5", - "sha256:51a4d210404ac61d32dada00a50ea7ba412e6ea945bbe992e4d7a595276d2ec7", - "sha256:5cf311a0f5ef80fe73e4f4c0f0998ec08f954a6ec72b746f3c179e37de1d210d", - "sha256:6513728873f4326999429a8b00fc7ceddb2509b01d5fd3f3be7881a257b8d463", - "sha256:7388d2ef3c55a8ba80da62ecfafa06a1c097c18032a501ffd4cabbc52d7f2b19", - "sha256:9456e90649005ad40558f4cf51dbb842e32807df75146c6d940b6f5abb4a78f3", - "sha256:c026fe9a05130e44157b98fea3ab12969e5b60691a276150db9eda71710cd10b", - "sha256:d14842362ed4cf63751648e7672f7174c9818459d169231d03c56e84daf90b7c", - "sha256:e0d072ae0f2a179c375f67e3da300b47e1a83293c554450b29c900e50afaae87", - "sha256:f07acae137b71af3bb548bd8da720956a3bc9f9a0b87733e0899226a2317aeb7", - "sha256:fbb77a75e529021e7c4a8d4e823d88ef4d23674a202be4f5addffc72cbb91430", - "sha256:fcfbb44c59af3f8ea984de67ec7c306f618a3ec771c2843804069917a8f2e255", - "sha256:feed85993dbdb1dbc29102f50bca65bdc68f2c0c8d352468c25b54874f23c39d" - ], - "markers": "python_version >= '3.5'", - "version": "==4.7.6" - }, - "np": { - "hashes": [ - "sha256:781265283f3823663ad8fb48741aae62abcf4c78bc19f908f8aa7c1d3eb132f8" - ], - "index": "pypi", - "version": "==1.0.2" - }, - "numpy": { - "hashes": [ - "sha256:13af0184177469192d80db9bd02619f6fa8b922f9f327e077d6f2a6acb1ce1c0", - "sha256:26a45798ca2a4e168d00de75d4a524abf5907949231512f372b217ede3429e98", - "sha256:26f509450db547e4dfa3ec739419b31edad646d21fb8d0ed0734188b35ff6b27", - "sha256:30a59fb41bb6b8c465ab50d60a1b298d1cd7b85274e71f38af5a75d6c475d2d2", - "sha256:33c623ef9ca5e19e05991f127c1be5aeb1ab5cdf30cb1c5cf3960752e58b599b", - "sha256:356f96c9fbec59974a592452ab6a036cd6f180822a60b529a975c9467fcd5f23", - "sha256:3c40c827d36c6d1c3cf413694d7dc843d50997ebffbc7c87d888a203ed6403a7", - "sha256:4d054f013a1983551254e2379385e359884e5af105e3efe00418977d02f634a7", - "sha256:63d971bb211ad3ca37b2adecdd5365f40f3b741a455beecba70fd0dde8b2a4cb", - "sha256:658624a11f6e1c252b2cd170d94bf28c8f9410acab9f2fd4369e11e1cd4e1aaf", - "sha256:76766cc80d6128750075378d3bb7812cf146415bd29b588616f72c943c00d598", - "sha256:7b57f26e5e6ee2f14f960db46bd58ffdca25ca06dd997729b1b179fddd35f5a3", - "sha256:7b852817800eb02e109ae4a9cef2beda8dd50d98b76b6cfb7b5c0099d27b52d4", - "sha256:8cde829f14bd38f6da7b2954be0f2837043e8b8d7a9110ec5e318ae6bf706610", - "sha256:a2e3a39f43f0ce95204beb8fe0831199542ccab1e0c6e486a0b4947256215632", - "sha256:a86c962e211f37edd61d6e11bb4df7eddc4a519a38a856e20a6498c319efa6b0", - "sha256:a8705c5073fe3fcc297fb8e0b31aa794e05af6a329e81b7ca4ffecab7f2b95ef", - "sha256:b6aaeadf1e4866ca0fdf7bb4eed25e521ae21a7947c59f78154b24fc7abbe1dd", - "sha256:be62aeff8f2f054eff7725f502f6228298891fd648dc2630e03e44bf63e8cee0", - "sha256:c2edbb783c841e36ca0fa159f0ae97a88ce8137fb3a6cd82eae77349ba4b607b", - "sha256:cbe326f6d364375a8e5a8ccb7e9cd73f4b2f6dc3b2ed205633a0db8243e2a96a", - "sha256:d34fbb98ad0d6b563b95de852a284074514331e6b9da0a9fc894fb1cdae7a79e", - "sha256:d97a86937cf9970453c3b62abb55a6475f173347b4cde7f8dcdb48c8e1b9952d", - "sha256:dd53d7c4a69e766e4900f29db5872f5824a06827d594427cf1a4aa542818b796", - "sha256:df1889701e2dfd8ba4dc9b1a010f0a60950077fb5242bb92c8b5c7f1a6f2668a", - "sha256:fa1fe75b4a9e18b66ae7f0b122543c42debcf800aaafa0212aaff3ad273c2596" - ], - "markers": "python_version >= '3.6'", - "version": "==1.19.0" - }, - "oauth2": { - "hashes": [ - "sha256:15b5c42301f46dd63113f1214b0d81a8b16254f65a86d3c32a1b52297f3266e6", - "sha256:c006a85e7c60107c7cc6da1b184b5c719f6dd7202098196dfa6e55df669b59bf" - ], - "index": "pypi", - "version": "==1.9.0.post1" - }, - "odtreader": { - "editable": true, - "git": "https://github.com/cartertemm/ODTReader.git/", - "ref": "49d6938693f6faa3ff09998f86dba551ae3a996b" - }, - "opencv-python": { - "hashes": [ - "sha256:068928b9907b3d3acd53b129062557d6b0b8b324bfade77f028dbe4dfe482bf2", - "sha256:0e7c91718351449877c2d4141abd64eee1f9c8701bcfaf4e8627bd023e303368", - "sha256:1ab92d807427641ec45d28d5907426aa06b4ffd19c5b794729c74d91cd95090e", - "sha256:31d634dea1b47c231b88d384f90605c598214d0c596443c9bb808e11761829f5", - "sha256:5fdfc0bed37315f27d30ae5ae9bad47ec0a0a28c323739d39c8177b7e0929238", - "sha256:6fa8fac14dd5af4819d475f74af12d65fbbfa391d3110c3a972934a5e6507c24", - "sha256:78cc89ebc808886eb190626ee71ab65e47f374121975f86e4d5f7c0e3ce6bed9", - "sha256:7c7ba11720d01cb572b4b6945d115cb103462c0a28996b44d4e540d06e6a90fd", - "sha256:a37ee82f1b8ed4b4645619c504311e71ce845b78f40055e78d71add5fab7da82", - "sha256:aa3ca1f54054e1c6439fdf1edafa2a2b940a9eaac04a7b422a1cba9b2d7b9690", - "sha256:b9de3dd956574662712da8e285f0f54327959a4e95b96a2847d3c3f5ee7b96e2", - "sha256:c0087b428cef9a32d977390656d91b02245e0e91f909870492df7e39202645dd", - "sha256:d87e506ab205799727f0efa34b3888949bf029a3ada5eb000ff632606370ca6e", - "sha256:d8a55585631f9c9eca4b1a996e9732ae023169cf2f46f69e4518d67d96198226", - "sha256:dcb8da8c5ebaa6360c8555547a4c7beb6cd983dd95ba895bb78b86cc8cf3de2b", - "sha256:e2206bb8c17c0f212f1f356d82d72dd090ff4651994034416da9bf0c29732825", - "sha256:e3c57d6579e5bf85f564d6d48d8ee89868b92879a9232b9975d072c346625e92", - "sha256:ef89cbf332b9a735d8a82e9ff79cc743eeeb775ad1cd7100bc2aa2429b496f07", - "sha256:f45c1c3cdda1857bedd4dfe0bbd49c9419af0cc57f33490341edeae97d18f037", - "sha256:fb3c855347310788e4286b867997be354c55535597966ed5dac876d9166013a4" - ], - "index": "pypi", - "version": "==4.2.0.34" - }, - "pandas": { - "hashes": [ - "sha256:02f1e8f71cd994ed7fcb9a35b6ddddeb4314822a0e09a9c5b2d278f8cb5d4096", - "sha256:13f75fb18486759da3ff40f5345d9dd20e7d78f2a39c5884d013456cec9876f0", - "sha256:35b670b0abcfed7cad76f2834041dcf7ae47fd9b22b63622d67cdc933d79f453", - "sha256:4c73f373b0800eb3062ffd13d4a7a2a6d522792fa6eb204d67a4fad0a40f03dc", - "sha256:5759edf0b686b6f25a5d4a447ea588983a33afc8a0081a0954184a4a87fd0dd7", - "sha256:5a7cf6044467c1356b2b49ef69e50bf4d231e773c3ca0558807cdba56b76820b", - "sha256:69c5d920a0b2a9838e677f78f4dde506b95ea8e4d30da25859db6469ded84fa8", - "sha256:8778a5cc5a8437a561e3276b85367412e10ae9fff07db1eed986e427d9a674f8", - "sha256:9871ef5ee17f388f1cb35f76dc6106d40cb8165c562d573470672f4cdefa59ef", - "sha256:9c31d52f1a7dd2bb4681d9f62646c7aa554f19e8e9addc17e8b1b20011d7522d", - "sha256:ab8173a8efe5418bbe50e43f321994ac6673afc5c7c4839014cf6401bbdd0705", - "sha256:ae961f1f0e270f1e4e2273f6a539b2ea33248e0e3a11ffb479d757918a5e03a9", - "sha256:b3c4f93fcb6e97d993bf87cdd917883b7dab7d20c627699f360a8fb49e9e0b91", - "sha256:c9410ce8a3dee77653bc0684cfa1535a7f9c291663bd7ad79e39f5ab58f67ab3", - "sha256:f69e0f7b7c09f1f612b1f8f59e2df72faa8a6b41c5a436dde5b615aaf948f107", - "sha256:faa42a78d1350b02a7d2f0dbe3c80791cf785663d6997891549d0f86dc49125e" - ], - "index": "pypi", - "version": "==1.0.5" - }, - "pandas-ods-reader": { - "hashes": [ - "sha256:d2d6e4f9cd2850da32808bbc68d433a337911058387992026d3987ead1f4a7c8", - "sha256:d4d6781cc46e782e265b48681416f636e7659343dec948c6fccc4236af6fa1e6" - ], - "index": "pypi", - "version": "==0.0.7" - }, - "passivetotal": { - "hashes": [ - "sha256:2944974d380a41f19f8fbb3d7cbfc8285479eb81092940b57bf0346d66706a05", - "sha256:a0cbea84b0bd6e9f3694ddeb447472b3d6f09e28940a7a0388456b8cf6a8e478", - "sha256:e35bf2cbccb385795a67d66f180d14ce9136cf1611b1c3da8a1055a1aced6264" - ], - "index": "pypi", - "version": "==1.0.31" - }, - "pdftotext": { - "hashes": [ - "sha256:d37864049581fb13cdcf7b23d4ea23dac7ca2e9c646e8ecac1a39275ab1cae03" - ], - "index": "pypi", - "version": "==2.1.4" - }, - "pillow": { - "hashes": [ - "sha256:0295442429645fa16d05bd567ef5cff178482439c9aad0411d3f0ce9b88b3a6f", - "sha256:06aba4169e78c439d528fdeb34762c3b61a70813527a2c57f0540541e9f433a8", - "sha256:09d7f9e64289cb40c2c8d7ad674b2ed6105f55dc3b09aa8e4918e20a0311e7ad", - "sha256:0a80dd307a5d8440b0a08bd7b81617e04d870e40a3e46a32d9c246e54705e86f", - "sha256:1ca594126d3c4def54babee699c055a913efb01e106c309fa6b04405d474d5ae", - "sha256:25930fadde8019f374400f7986e8404c8b781ce519da27792cbe46eabec00c4d", - "sha256:431b15cffbf949e89df2f7b48528be18b78bfa5177cb3036284a5508159492b5", - "sha256:52125833b070791fcb5710fabc640fc1df07d087fc0c0f02d3661f76c23c5b8b", - "sha256:5e51ee2b8114def244384eda1c82b10e307ad9778dac5c83fb0943775a653cd8", - "sha256:612cfda94e9c8346f239bf1a4b082fdd5c8143cf82d685ba2dba76e7adeeb233", - "sha256:6d7741e65835716ceea0fd13a7d0192961212fd59e741a46bbed7a473c634ed6", - "sha256:6edb5446f44d901e8683ffb25ebdfc26988ee813da3bf91e12252b57ac163727", - "sha256:725aa6cfc66ce2857d585f06e9519a1cc0ef6d13f186ff3447ab6dff0a09bc7f", - "sha256:8dad18b69f710bf3a001d2bf3afab7c432785d94fcf819c16b5207b1cfd17d38", - "sha256:94cf49723928eb6070a892cb39d6c156f7b5a2db4e8971cb958f7b6b104fb4c4", - "sha256:97f9e7953a77d5a70f49b9a48da7776dc51e9b738151b22dacf101641594a626", - "sha256:9ad7f865eebde135d526bb3163d0b23ffff365cf87e767c649550964ad72785d", - "sha256:a060cf8aa332052df2158e5a119303965be92c3da6f2d93b6878f0ebca80b2f6", - "sha256:c79f9c5fb846285f943aafeafda3358992d64f0ef58566e23484132ecd8d7d63", - "sha256:c92302a33138409e8f1ad16731568c55c9053eee71bb05b6b744067e1b62380f", - "sha256:d08b23fdb388c0715990cbc06866db554e1822c4bdcf6d4166cf30ac82df8c41", - "sha256:d350f0f2c2421e65fbc62690f26b59b0bcda1b614beb318c81e38647e0f673a1", - "sha256:ec29604081f10f16a7aea809ad42e27764188fc258b02259a03a8ff7ded3808d", - "sha256:edf31f1150778abd4322444c393ab9c7bd2af271dd4dafb4208fb613b1f3cdc9", - "sha256:f7e30c27477dffc3e85c2463b3e649f751789e0f6c8456099eea7ddd53be4a8a", - "sha256:ffe538682dc19cc542ae7c3e504fdf54ca7f86fb8a135e59dd6bc8627eae6cce" - ], - "index": "pypi", - "version": "==7.2.0" - }, - "progressbar2": { - "hashes": [ - "sha256:13f228cf357f94cdef933c91c1e771e52e1b1931dbae48267be8fcdc2ae2ce36", - "sha256:27abf038efe5b1b5dd91ecc5f704bc88683c1e2a0b2c0fee04de80a648634a0c" - ], - "version": "==3.51.4" - }, - "psutil": { - "hashes": [ - "sha256:1413f4158eb50e110777c4f15d7c759521703bd6beb58926f1d562da40180058", - "sha256:298af2f14b635c3c7118fd9183843f4e73e681bb6f01e12284d4d70d48a60953", - "sha256:60b86f327c198561f101a92be1995f9ae0399736b6eced8f24af41ec64fb88d4", - "sha256:685ec16ca14d079455892f25bd124df26ff9137664af445563c1bd36629b5e0e", - "sha256:73f35ab66c6c7a9ce82ba44b1e9b1050be2a80cd4dcc3352cc108656b115c74f", - "sha256:75e22717d4dbc7ca529ec5063000b2b294fc9a367f9c9ede1f65846c7955fd38", - "sha256:a02f4ac50d4a23253b68233b07e7cdb567bd025b982d5cf0ee78296990c22d9e", - "sha256:d008ddc00c6906ec80040d26dc2d3e3962109e40ad07fd8a12d0284ce5e0e4f8", - "sha256:d84029b190c8a66a946e28b4d3934d2ca1528ec94764b180f7d6ea57b0e75e26", - "sha256:e2d0c5b07c6fe5a87fa27b7855017edb0d52ee73b71e6ee368fae268605cc3f5", - "sha256:f344ca230dd8e8d5eee16827596f1c22ec0876127c28e800d7ae20ed44c4b310" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==5.7.0" - }, - "pybgpranking": { - "editable": true, - "git": "https://github.com/D4-project/BGP-Ranking.git/", - "ref": "fd9c0e03af9b61d4bf0b67ac73c7208a55178a54", - "subdirectory": "client" - }, - "pycparser": { - "hashes": [ - "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", - "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.20" - }, - "pycryptodome": { - "hashes": [ - "sha256:02e51e1d5828d58f154896ddfd003e2e7584869c275e5acbe290443575370fba", - "sha256:03d5cca8618620f45fd40f827423f82b86b3a202c8d44108601b0f5f56b04299", - "sha256:0e24171cf01021bc5dc17d6a9d4f33a048f09d62cc3f62541e95ef104588bda4", - "sha256:132a56abba24e2e06a479d8e5db7a48271a73a215f605017bbd476d31f8e71c1", - "sha256:1e655746f539421d923fd48df8f6f40b3443d80b75532501c0085b64afed9df5", - "sha256:2b998dc45ef5f4e5cf5248a6edfcd8d8e9fb5e35df8e4259b13a1b10eda7b16b", - "sha256:360955eece2cd0fa694a708d10303c6abd7b39614fa2547b6bd245da76198beb", - "sha256:39ef9fb52d6ec7728fce1f1693cb99d60ce302aeebd59bcedea70ca3203fda60", - "sha256:4350a42028240c344ee855f032c7d4ad6ff4f813bfbe7121547b7dc579ecc876", - "sha256:50348edd283afdccddc0938cdc674484533912ba8a99a27c7bfebb75030aa856", - "sha256:54bdedd28476dea8a3cd86cb67c0df1f0e3d71cae8022354b0f879c41a3d27b2", - "sha256:55eb61aca2c883db770999f50d091ff7c14016f2769ad7bca3d9b75d1d7c1b68", - "sha256:6276478ada411aca97c0d5104916354b3d740d368407912722bd4d11aa9ee4c2", - "sha256:67dcad1b8b201308586a8ca2ffe89df1e4f731d5a4cdd0610cc4ea790351c739", - "sha256:709b9f144d23e290b9863121d1ace14a72e01f66ea9c903fbdc690520dfdfcf0", - "sha256:8063a712fba642f78d3c506b0896846601b6de7f5c3d534e388ad0cc07f5a149", - "sha256:80d57177a0b7c14d4594c62bbb47fe2f6309ad3b0a34348a291d570925c97a82", - "sha256:a207231a52426de3ff20f5608f0687261a3329d97a036c51f7d4c606a6f30c23", - "sha256:abc2e126c9490e58a36a0f83516479e781d83adfb134576a5cbe5c6af2a3e93c", - "sha256:b56638d58a3a4be13229c6a815cd448f9e3ce40c00880a5398471b42ee86f50e", - "sha256:bcd5b8416e73e4b0d48afba3704d8c826414764dafaed7a1a93c442188d90ccc", - "sha256:bec2bcdf7c9ce7f04d718e51887f3b05dc5c1cfaf5d2c2e9065ecddd1b2f6c9a", - "sha256:c8bf40cf6e281a4378e25846924327e728a887e8bf0ee83b2604a0f4b61692e8", - "sha256:d8074c8448cfd0705dfa71ca333277fce9786d0b9cac75d120545de6253f996a", - "sha256:dd302b6ae3965afeb5ef1b0d92486f986c0e65183cd7835973f0b593800590e6", - "sha256:de6e1cd75677423ff64712c337521e62e3a7a4fc84caabbd93207752e831a85a", - "sha256:ef39c98d9b8c0736d91937d193653e47c3b19ddf4fc3bccdc5e09aaa4b0c5d21", - "sha256:f521178e5a991ffd04182ed08f552daca1affcb826aeda0e1945cd989a9d4345", - "sha256:f78a68c2c820e4731e510a2df3eef0322f24fde1781ced970bf497b6c7d92982", - "sha256:fbe65d5cfe04ff2f7684160d50f5118bdefb01e3af4718eeb618bfed40f19d94" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.9.8" - }, - "pycryptodomex": { - "hashes": [ - "sha256:06f5a458624c9b0e04c0086c7f84bcc578567dab0ddc816e0476b3057b18339f", - "sha256:1714675fb4ac29a26ced38ca22eb8ffd923ac851b7a6140563863194d7158422", - "sha256:17272d06e4b2f6455ee2cbe93e8eb50d9450a5dc6223d06862ee1ea5d1235861", - "sha256:2199708ebeed4b82eb45b10e1754292677f5a0df7d627ee91ea01290b9bab7e6", - "sha256:2275a663c9e744ee4eace816ef2d446b3060554c5773a92fbc79b05bf47debda", - "sha256:2710fc8d83b3352b370db932b3710033b9d630b970ff5aaa3e7458b5336e3b32", - "sha256:35b9c9177a9fe7288b19dd41554c9c8ca1063deb426dd5a02e7e2a7416b6bd11", - "sha256:3caa32cf807422adf33c10c88c22e9e2e08b9d9d042f12e1e25fe23113dd618f", - "sha256:48cc2cfc251f04a6142badeb666d1ff49ca6fdfc303fd72579f62b768aaa52b9", - "sha256:4ae6379350a09339109e9b6f419bb2c3f03d3e441f4b0f5b8ca699d47cc9ff7e", - "sha256:4e0b27697fa1621c6d3d3b4edeec723c2e841285de6a8d378c1962da77b349be", - "sha256:58e19560814dabf5d788b95a13f6b98279cf41a49b1e49ee6cf6c79a57adb4c9", - "sha256:8044eae59301dd392fbb4a7c5d64e1aea8ef0be2540549807ecbe703d6233d68", - "sha256:89be1bf55e50116fe7e493a7c0c483099770dd7f81b87ac8d04a43b1a203e259", - "sha256:8fcdda24dddf47f716400d54fc7f75cadaaba1dd47cc127e59d752c9c0fc3c48", - "sha256:914fbb18e29c54585e6aa39d300385f90d0fa3b3cc02ed829b08f95c1acf60c2", - "sha256:93a75d1acd54efed314b82c952b39eac96ce98d241ad7431547442e5c56138aa", - "sha256:9fd758e5e2fe02d57860b85da34a1a1e7037155c4eadc2326fc7af02f9cae214", - "sha256:a2bc4e1a2e6ca3a18b2e0be6131a23af76fecb37990c159df6edc7da6df913e3", - "sha256:a2ee8ba99d33e1a434fcd27d7d0aa7964163efeee0730fe2efc9d60edae1fc71", - "sha256:b2d756620078570d3f940c84bc94dd30aa362b795cce8b2723300a8800b87f1c", - "sha256:c0d085c8187a1e4d3402f626c9e438b5861151ab132d8761d9c5ce6491a87761", - "sha256:c990f2c58f7c67688e9e86e6557ed05952669ff6f1343e77b459007d85f7df00", - "sha256:ccbbec59bf4b74226170c54476da5780c9176bae084878fc94d9a2c841218e34", - "sha256:dc2bed32c7b138f1331794e454a953360c8cedf3ee62ae31f063822da6007489", - "sha256:e070a1f91202ed34c396be5ea842b886f6fa2b90d2db437dc9fb35a26c80c060", - "sha256:e42860fbe1292668b682f6dabd225fbe2a7a4fa1632f0c39881c019e93dea594", - "sha256:e4e1c486bf226822c8dceac81d0ec59c0a2399dbd1b9e04f03c3efa3605db677", - "sha256:ea4d4b58f9bc34e224ef4b4604a6be03d72ef1f8c486391f970205f6733dbc46", - "sha256:f60b3484ce4be04f5da3777c51c5140d3fe21cdd6674f2b6568f41c8130bcdeb" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.9.8" - }, - "pydeep": { - "hashes": [ - "sha256:22866eb422d1d5907f8076ee792da65caecb172425d27576274e2a8eacf6afc1" - ], - "version": "==0.4" - }, - "pydnstrails": { - "editable": true, - "git": "https://github.com/sebdraven/pydnstrails", - "ref": "48c1f740025c51289f43a24863d1845ff12fd21a" - }, - "pyeupi": { - "hashes": [ - "sha256:2309c61ac2ef0eafabd6e9f32a0078069ffbba0e113ebc6b51cffc1869094472", - "sha256:a0798a4a52601b0840339449a1bbf2aa2bc180d8f82a979022954e05fcb5bfba" - ], - "index": "pypi", - "version": "==1.1" - }, - "pygeoip": { - "hashes": [ - "sha256:1938b9dac7b00d77f94d040b9465ea52c938f3fcdcd318b5537994f3c16aef96", - "sha256:f22c4e00ddf1213e0fae36dc60b46ee7c25a6339941ec1a975539014c1f9a96d" - ], - "index": "pypi", - "version": "==0.3.2" - }, - "pyintel471": { - "editable": true, - "git": "https://github.com/MISP/PyIntel471.git", - "ref": "0df8d51f1c1425de66714b3a5a45edb69b8cc2fc" - }, - "pyipasnhistory": { - "editable": true, - "git": "https://github.com/D4-project/IPASN-History.git/", - "ref": "fc5e48608afc113e101ca6421bf693b7b9753f9e", - "subdirectory": "client" - }, - "pymisp": { - "editable": true, - "extras": [ - "fileobjects", - "openioc", - "pdfexport" - ], - "git": "https://github.com/MISP/PyMISP.git", - "ref": "ec28820cf491ca7d385477996afa0547eb6b6830" - }, - "pyonyphe": { - "editable": true, - "git": "https://github.com/sebdraven/pyonyphe", - "ref": "1ce15581beebb13e841193a08a2eb6f967855fcb" - }, - "pyopenssl": { - "hashes": [ - "sha256:621880965a720b8ece2f1b2f54ea2071966ab00e2970ad2ce11d596102063504", - "sha256:9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507" - ], - "version": "==19.1.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" - }, - "pypdns": { - "hashes": [ - "sha256:640a7e08c3e1e6d6cf378bc7bf48225d847a9c86583c196994fb15acc20ec6f4", - "sha256:9cd2d42ed5e9e4ff7ea29b3947b133a74b0fe0f548ca4c9fac26c0b8f8b750d5" - ], - "index": "pypi", - "version": "==1.5.1" - }, - "pypssl": { - "hashes": [ - "sha256:4dbe772aefdf4ab18934d83cde79e2fc5d5ba9d2b4153dc419a63faab3432643" - ], - "index": "pypi", - "version": "==2.1" - }, - "pyrsistent": { - "hashes": [ - "sha256:28669905fe725965daa16184933676547c5bb40a5153055a8dee2a4bd7933ad3" - ], - "version": "==0.16.0" - }, - "pytesseract": { - "hashes": [ - "sha256:afd8a5cdf8ab5d35690efbe71cbf5f89419f668ea8dde7649149815d5c5a899a" - ], - "index": "pypi", - "version": "==0.3.4" - }, - "python-dateutil": { - "hashes": [ - "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", - "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.8.1" - }, - "python-docx": { - "hashes": [ - "sha256:bc76ecac6b2d00ce6442a69d03a6f35c71cd72293cd8405a7472dfe317920024" - ], - "index": "pypi", - "version": "==0.8.10" - }, - "python-magic": { - "hashes": [ - "sha256:356efa93c8899047d1eb7d3eb91e871ba2f5b1376edbaf4cc305e3c872207355", - "sha256:b757db2a5289ea3f1ced9e60f072965243ea43a2221430048fd8cacab17be0ce" - ], - "version": "==0.4.18" - }, - "python-pptx": { - "hashes": [ - "sha256:a857d69e52d7e8a8fb32fca8182fdd4a3c68c689de8d4e4460e9b4a95efa7bc4" - ], - "index": "pypi", - "version": "==0.6.18" - }, - "python-utils": { - "hashes": [ - "sha256:ebaadab29d0cb9dca0a82eab9c405f5be5125dbbff35b8f32cc433fa498dbaa7", - "sha256:f21fc09ff58ea5ebd1fd2e8ef7f63e39d456336900f26bdc9334a03a3f7d8089" - ], - "version": "==2.4.0" - }, - "pytz": { - "hashes": [ - "sha256:1c557d7d0e871de1f5ccd5833f60fb2550652da6be2693c1e02300743d21500d", - "sha256:b02c06db6cf09c12dd25137e563b31700d3b80fcc4ad23abb7a315f2789819be" - ], - "version": "==2019.3" - }, - "pyyaml": { - "hashes": [ - "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", - "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", - "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", - "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", - "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", - "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", - "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", - "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", - "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", - "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", - "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" - ], - "version": "==5.3.1" - }, - "pyzbar": { - "hashes": [ - "sha256:0e204b904e093e5e75aa85e0203bb0e02888105732a509b51f31cff400f34265", - "sha256:496249b546be70ec98c0ff0ad9151e73daaffff129266df86150a15dcd8dac4c", - "sha256:7d6c01d2c0a352fa994aa91b5540d1caeaeaac466656eb41468ca5df33be9f2e" - ], - "index": "pypi", - "version": "==0.1.8" - }, - "pyzipper": { - "hashes": [ - "sha256:49813f1d415bdd7c87064009b9270c6dd0a96da770cfe57df2c6d2d84a6c085a", - "sha256:bfdc65f616278b38ef03c6ea5a1aca7499caf98cbfcd47fc44f73e68f4307145" - ], - "markers": "python_version >= '3.5'", - "version": "==0.3.3" - }, - "rdflib": { - "hashes": [ - "sha256:78149dd49d385efec3b3adfbd61c87afaf1281c30d3fcaf1b323b34f603fb155", - "sha256:88208ea971a87886d60ae2b1a4b2cdc263527af0454c422118d43fe64b357877" - ], - "version": "==5.0.0" - }, - "redis": { - "hashes": [ - "sha256:0e7e0cfca8660dea8b7d5cd8c4f6c5e29e11f31158c0b0ae91a397f00e5a05a2", - "sha256:432b788c4530cfe16d8d943a09d40ca6c16149727e4afe8c2c9d5580c59d9f24" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==3.5.3" - }, - "reportlab": { - "hashes": [ - "sha256:0f0c2d98e213d51ae527c0301364d3376cb05f6c47251368a9abd4c3197fcefa", - "sha256:1425c7ea60b8691a881ae21ea0f6907a1dc480d84204ccbfea6da41fbee8f594", - "sha256:204f1d245875ab3d076b37c1a18ac8d2e3222842e13cfa282bcd95282be239e5", - "sha256:21627b57249303bf9b5a633099d058ae9f8625fd6f90cfe79348c48fd5a242cd", - "sha256:2e8e3242f80b79f2470f1b5979abbdb41f31b1333543b830749100342f837d40", - "sha256:2eced06dec3f36135c626b9823649ef9cac95c5634d1bc743a15ee470027483b", - "sha256:3472aa0b74a3b2f252dce823f3c3ba6af8a24de0c1729441deaaf50bed6de9f9", - "sha256:3f0353ffefd3afc0061f4794ef608d6c6f32e69816885f4d45c625c20d8eaf5b", - "sha256:4a9f4540a8eddf56d900ceeb8136bd0ca866c208ba3dcbcde73f07405dbadfba", - "sha256:4eea1afb4aa89780734f44175508edff82928fdf460c9bd60bc719dd99041dc3", - "sha256:5803ffebd36de1ada417f50ce65d379ea5a0bf1a2e8f5d5710a031b3b349b726", - "sha256:58f5f72fc8e5932dedcf24789908a81c6b1e13ea4d63bd9a9a39dc698d8c3321", - "sha256:5b588e5f251c76a8d3589023d1c369c7968e0efe2b38ad5948f665edbf6f9e8b", - "sha256:5d922768fe11a58d80694852aba7389d613c15eb1871c5581a2f075996873d57", - "sha256:5d98f297c5cdd5bc0ccf5697c20b03602ee3378c97938d20312662b27cd9a1d6", - "sha256:66d1d96e97a562614943ecb9daf438e392b3d0b033bd5f4a8098ab616dd877da", - "sha256:670650970c7ba7164cf6340bcd182e7e933eff5d65183af98ee77b40cc25a438", - "sha256:67bb95af7bc8ad7925d299f310d15d556d3e7026fe1b60d8e290454604ae0a85", - "sha256:9c999f5d1a600c4970ba293789b6da14e02e3763a8d3d9abe42dcafa8a5318e9", - "sha256:9d62bef5347063a984e63410fa5a69f1d2cc2fdf8d6ed3d0b9d4ea2ccb4b4154", - "sha256:a14a0d603727b6be2e549c52dd42678ab2d06d2721d4580199e3161843e59298", - "sha256:a3a17b46ff1a15eb29370e11796d8914ef4ea67471bdbc4aa9a9eb9284f4e44c", - "sha256:a6d3e20beeba3fd68cec73b8c0785bfa648c06ac76d1f142c60ccb1a8d2506b6", - "sha256:ad7d7003c732f2be42580e3906e92bd9d2aca5e098898c597554be9ca627fad5", - "sha256:af0ee7b50b85543b68b043e61271963ff5671e564e1d620a404c24a24d4f537c", - "sha256:b3eec55274f5ead7e3af2bf0c01b481ffe1b4c6a7dae42b63d85543e9f2f9a0f", - "sha256:b48c21d43a7ab956954591ce3f71db92ce542bb7428db09734425e2b77ac3142", - "sha256:b761905ab85beb79cf7929c9a019f30ad65664e5733d57a30a995e7b9bef06d1", - "sha256:bbae2f054d0f234c3382076efa337802997aca0f3f664e314f65eefb9d694fa9", - "sha256:bd4157d0bc40fb72bb676fc745fdd648022cccaf4ccfbb291af7f48831d0d5d9", - "sha256:bf74cfabf332034f42a54938eb335543cbf92790170300dbe236ba83b7601cd0", - "sha256:c253c8571db2df3886e390a2bfbe917222953054f4643437373b824f64b013cd", - "sha256:ce1277a6acbc62e9966f410f2596ac533ee0cd5df9b69d5fe4406338a169b7d8", - "sha256:ce8f56987e0e456063e311f066a81496b8b9626c846f2cb0ebb554d1a5f40839", - "sha256:d6264a0589ba8032d9c3bdca9a3e87a897ede09b7f6a8ad5e83b57573212e01e", - "sha256:e6fa0c97e3929d00db27e8cf3b2b5771e94f5f179086c4b0e3213dff53637372", - "sha256:f0930f2b6dddd477b3331ec670171a4662336aac1a778e1a30e980a5cbf40b17", - "sha256:f8cb2b4b925ca6b6e4fdefd288a707776ac686c45034f34d4c952f122d11c40b", - "sha256:f9b71539f518323d95850405c49c01fc3d2f0f0b9f3e157de6d2786804fb28a4", - "sha256:fc488e661f99c915362e0373218f8727cecf888eb1b0eb3a8fe1af624a1b9776" - ], - "index": "pypi", - "version": "==3.5.44" - }, - "requests": { - "extras": [ - "security" - ], - "hashes": [ - "sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b", - "sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898" - ], - "index": "pypi", - "version": "==2.24.0" - }, - "requests-cache": { - "hashes": [ - "sha256:813023269686045f8e01e2289cc1e7e9ae5ab22ddd1e2849a9093ab3ab7270eb", - "sha256:81e13559baee64677a7d73b85498a5a8f0639e204517b5d05ff378e44a57831a" - ], - "version": "==0.5.2" - }, - "shodan": { - "hashes": [ - "sha256:31b0740ffaf7c5196a26a0b1edf7d271dffe54ea52bb1b34ba87aa231b5c339b" - ], - "index": "pypi", - "version": "==1.23.0" - }, - "sigmatools": { - "hashes": [ - "sha256:5453717e452aa7860c5e6ac80bcee4f398d70956fc2ee9859bc7255067da8736", - "sha256:cdfeb8200c09c0a40ea1a015e57f3b8e2ba62a28352ca05fa015674f640871e3" - ], - "index": "pypi", - "version": "==0.17.0" - }, - "six": { - "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" - }, - "socketio-client": { - "hashes": [ - "sha256:540d8ab209154d1d9cdb97c170c589a14f7d7f17e19c14e2f59f0307e6175485" - ], - "version": "==0.5.6" - }, - "soupsieve": { - "hashes": [ - "sha256:1634eea42ab371d3d346309b93df7870a88610f0725d47528be902a0d95ecc55", - "sha256:a59dc181727e95d25f781f0eb4fd1825ff45590ec8ff49eadfd7f1a537cc0232" - ], - "markers": "python_version >= '3.5'", - "version": "==2.0.1" - }, - "sparqlwrapper": { - "hashes": [ - "sha256:17ec44b08b8ae2888c801066249f74fe328eec25d90203ce7eadaf82e64484c7", - "sha256:357ee8a27bc910ea13d77836dbddd0b914991495b8cc1bf70676578155e962a8", - "sha256:8cf6c21126ed76edc85c5c232fd6f77b9f61f8ad1db90a7147cdde2104aff145", - "sha256:c7f9c9d8ebb13428771bc3b6dee54197422507dcc3dea34e30d5dcfc53478dec", - "sha256:d6a66b5b8cda141660e07aeb00472db077a98d22cb588c973209c7336850fb3c" - ], - "index": "pypi", - "version": "==1.8.5" - }, - "stix2-patterns": { - "hashes": [ - "sha256:587a82545680311431e5610036dd6c8c247347a24243fafdafaae2df4d6d7799", - "sha256:7fcb2fa67efeac2a8c493d367c93d0ce6243a10e2eff715ae9f2983e6b32b95d" - ], - "index": "pypi", - "version": "==1.3.0" - }, - "tabulate": { - "hashes": [ - "sha256:ac64cb76d53b1231d364babcd72abbb16855adac7de6665122f97b593f1eb2ba", - "sha256:db2723a20d04bcda8522165c73eea7c300eda74e0ce852d9022e0159d7895007" - ], - "version": "==0.8.7" - }, - "tornado": { - "hashes": [ - "sha256:0fe2d45ba43b00a41cd73f8be321a44936dc1aba233dee979f17a042b83eb6dc", - "sha256:22aed82c2ea340c3771e3babc5ef220272f6fd06b5108a53b4976d0d722bcd52", - "sha256:2c027eb2a393d964b22b5c154d1a23a5f8727db6fda837118a776b29e2b8ebc6", - "sha256:5217e601700f24e966ddab689f90b7ea4bd91ff3357c3600fa1045e26d68e55d", - "sha256:5618f72e947533832cbc3dec54e1dffc1747a5cb17d1fd91577ed14fa0dc081b", - "sha256:5f6a07e62e799be5d2330e68d808c8ac41d4a259b9cea61da4101b83cb5dc673", - "sha256:c58d56003daf1b616336781b26d184023ea4af13ae143d9dda65e31e534940b9", - "sha256:c952975c8ba74f546ae6de2e226ab3cc3cc11ae47baf607459a6728585bb542a", - "sha256:c98232a3ac391f5faea6821b53db8db461157baa788f5d6222a193e9456e1740" - ], - "markers": "python_version >= '3.5'", - "version": "==6.0.4" - }, - "trustar": { - "hashes": [ - "sha256:73336b94012427b66ee61db65fc3c2cea2ed743beaa56cdd5a4c1674ef1a7660" - ], - "index": "pypi", - "version": "==0.3.29" - }, - "tzlocal": { - "hashes": [ - "sha256:643c97c5294aedc737780a49d9df30889321cbe1204eac2c2ec6134035a92e44", - "sha256:e2cb6c6b5b604af38597403e9852872d7f534962ae2954c7f35efcb1ccacf4a4" - ], - "version": "==2.1" - }, - "unicodecsv": { - "hashes": [ - "sha256:018c08037d48649a0412063ff4eda26eaa81eff1546dbffa51fa5293276ff7fc" - ], - "version": "==0.14.1" - }, - "url-normalize": { - "hashes": [ - "sha256:1709cb4739e496f9f807a894e361915792f273538e250b1ab7da790544a665c3", - "sha256:1bd7085349dcdf06e52194d0f75ff99fff2eeed0da85a50e4cc2346452c1b8bc" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", - "version": "==1.4.2" - }, - "urlarchiver": { - "hashes": [ - "sha256:652e0890dab58bf62a759656671dcfb9a40eb4a77aac8a8d93154f00360238b5" - ], - "index": "pypi", - "version": "==0.2" - }, - "urllib3": { - "hashes": [ - "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527", - "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.25.9" - }, - "uwhois": { - "editable": true, - "git": "https://github.com/Rafiot/uwhoisd.git", - "ref": "783bba09b5a6964f25566089826a1be4b13f2a22", - "subdirectory": "client" - }, - "validators": { - "hashes": [ - "sha256:f0ac832212e3ee2e9b10e156f19b106888cf1429c291fbc5297aae87685014ae" - ], - "version": "==0.14.0" - }, - "vt-graph-api": { - "hashes": [ - "sha256:200c4f5a7c0a518502e890c4f4508a5ea042af9407d2889ef16a17ef11b7d25c", - "sha256:223c1cf32d69e10b5d3e178ec315589c7dfa7d43ccff6630a11ed5c5f498715c" - ], - "index": "pypi", - "version": "==1.0.1" - }, - "vulners": { - "hashes": [ - "sha256:00ff8744d07f398880afc1efcab6dac4abb614c84553fa31b2d439f986b8e0db", - "sha256:90a855915b4fb4dbd0325643d9e643602975fcb931162e5dc2e7778d1daa2fd8", - "sha256:f230bfcd42663326b7c9b8fa117752e26cad4ccca528caaab531c5b592af8cb5" - ], - "index": "pypi", - "version": "==1.5.5" - }, - "wand": { - "hashes": [ - "sha256:d5b75ac13d7485032970926415648586eafeeb1eb62ed6ebd0778358cf9d70e0", - "sha256:df0780b1b54938a43d29279a6588fde11e349550c8958a673d57c26a3e6de7f1" - ], - "index": "pypi", - "version": "==0.6.1" - }, - "websocket-client": { - "hashes": [ - "sha256:0fc45c961324d79c781bab301359d5a1b00b13ad1b10415a4780229ef71a5549", - "sha256:d735b91d6d1692a6a181f2a8c9e0238e5f6373356f561bb9dc4c7af36f452010" - ], - "version": "==0.57.0" - }, - "wrapt": { - "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" - ], - "version": "==1.12.1" - }, - "xlrd": { - "hashes": [ - "sha256:546eb36cee8db40c3eaa46c351e67ffee6eeb5fa2650b71bc4c758a29a1b29b2", - "sha256:e551fb498759fa3a5384a94ccd4c3c02eb7c00ea424426e212ac0c57be9dfbde" - ], - "index": "pypi", - "version": "==1.2.0" - }, - "xlsxwriter": { - "hashes": [ - "sha256:828b3285fc95105f5b1946a6a015b31cf388bd5378fdc6604e4d1b7839df2e77", - "sha256:82a3b0e73e3913483da23791d1a25e4d2dbb3837d1be4129473526b9a270a5cc" - ], - "version": "==1.2.9" - }, - "yara-python": { - "hashes": [ - "sha256:03e5c5e333c8572e7994b0b11964d515d61a393f23c5e272f8d0e4229f368c58", - "sha256:0423e08bd618752a028ac0405ff8e0103f3a8fd607dde7618a64a4c010c3757b", - "sha256:0a0dd632dcdb347d1a9a8b1f6a83b3a77d5e63f691357ea4021fb1cf1d7ff0a4", - "sha256:728b99627a8072a877eaaa4dafb4eff39d1b14ff4fd70d39f18899ce81e29625", - "sha256:7cb0d5724eccfa52e1bcd352a56cb4dc422aa51f5f6d0945d4f830783927513b", - "sha256:8c76531e89806c0309586dd4863a972d12f1d5d63261c6d4b9331a99859fd1d8", - "sha256:9472676583e212bc4e17c2236634e02273d53c872b350f0571b48e06183de233", - "sha256:9735b680a7d95c1d3f255c351bb067edc62cdb3c0999f7064278cb2c85245405", - "sha256:997f104590167220a9af5564c042ec4d6534261e7b8a5b49655d8dffecc6b8a2", - "sha256:a48e071d02a3699363e628ac899b5b7237803bcb4b512c92ebcb4fb9b1488497", - "sha256:b67c0d75a6519ca357b4b85ede9768c96a81fff20fbc169bd805ff009ddee561" - ], - "index": "pypi", - "version": "==3.8.1" - }, - "yarl": { - "hashes": [ - "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce", - "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6", - "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce", - "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae", - "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d", - "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f", - "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b", - "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b", - "sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb", - "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462", - "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea", - "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70", - "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1", - "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a", - "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b", - "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080", - "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2" - ], - "markers": "python_version >= '3.5'", - "version": "==1.4.2" - } - }, - "develop": { - "attrs": { - "hashes": [ - "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", - "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==19.3.0" - }, - "certifi": { - "hashes": [ - "sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3", - "sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41" - ], - "version": "==2020.6.20" - }, - "chardet": { - "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" - ], - "version": "==3.0.4" - }, - "codecov": { - "hashes": [ - "sha256:491938ad774ea94a963d5d16354c7299e90422a33a353ba0d38d0943ed1d5091", - "sha256:b67bb8029e8340a7bf22c71cbece5bd18c96261fdebc2f105ee4d5a005bc8728", - "sha256:d8b8109f44edad03b24f5f189dac8de9b1e3dc3c791fa37eeaf8c7381503ec34" - ], - "index": "pypi", - "version": "==2.1.7" - }, - "coverage": { - "hashes": [ - "sha256:00f1d23f4336efc3b311ed0d807feb45098fc86dee1ca13b3d6768cdab187c8a", - "sha256:01333e1bd22c59713ba8a79f088b3955946e293114479bbfc2e37d522be03355", - "sha256:0cb4be7e784dcdc050fc58ef05b71aa8e89b7e6636b99967fadbdba694cf2b65", - "sha256:0e61d9803d5851849c24f78227939c701ced6704f337cad0a91e0972c51c1ee7", - "sha256:1601e480b9b99697a570cea7ef749e88123c04b92d84cedaa01e117436b4a0a9", - "sha256:2742c7515b9eb368718cd091bad1a1b44135cc72468c731302b3d641895b83d1", - "sha256:2d27a3f742c98e5c6b461ee6ef7287400a1956c11421eb574d843d9ec1f772f0", - "sha256:402e1744733df483b93abbf209283898e9f0d67470707e3c7516d84f48524f55", - "sha256:5c542d1e62eece33c306d66fe0a5c4f7f7b3c08fecc46ead86d7916684b36d6c", - "sha256:5f2294dbf7875b991c381e3d5af2bcc3494d836affa52b809c91697449d0eda6", - "sha256:6402bd2fdedabbdb63a316308142597534ea8e1895f4e7d8bf7476c5e8751fef", - "sha256:66460ab1599d3cf894bb6baee8c684788819b71a5dc1e8fa2ecc152e5d752019", - "sha256:782caea581a6e9ff75eccda79287daefd1d2631cc09d642b6ee2d6da21fc0a4e", - "sha256:79a3cfd6346ce6c13145731d39db47b7a7b859c0272f02cdb89a3bdcbae233a0", - "sha256:7a5bdad4edec57b5fb8dae7d3ee58622d626fd3a0be0dfceda162a7035885ecf", - "sha256:8fa0cbc7ecad630e5b0f4f35b0f6ad419246b02bc750de7ac66db92667996d24", - "sha256:a027ef0492ede1e03a8054e3c37b8def89a1e3c471482e9f046906ba4f2aafd2", - "sha256:a3f3654d5734a3ece152636aad89f58afc9213c6520062db3978239db122f03c", - "sha256:a82b92b04a23d3c8a581fc049228bafde988abacba397d57ce95fe95e0338ab4", - "sha256:acf3763ed01af8410fc36afea23707d4ea58ba7e86a8ee915dfb9ceff9ef69d0", - "sha256:adeb4c5b608574a3d647011af36f7586811a2c1197c861aedb548dd2453b41cd", - "sha256:b83835506dfc185a319031cf853fa4bb1b3974b1f913f5bb1a0f3d98bdcded04", - "sha256:bb28a7245de68bf29f6fb199545d072d1036a1917dca17a1e75bbb919e14ee8e", - "sha256:bf9cb9a9fd8891e7efd2d44deb24b86d647394b9705b744ff6f8261e6f29a730", - "sha256:c317eaf5ff46a34305b202e73404f55f7389ef834b8dbf4da09b9b9b37f76dd2", - "sha256:dbe8c6ae7534b5b024296464f387d57c13caa942f6d8e6e0346f27e509f0f768", - "sha256:de807ae933cfb7f0c7d9d981a053772452217df2bf38e7e6267c9cbf9545a796", - "sha256:dead2ddede4c7ba6cb3a721870f5141c97dc7d85a079edb4bd8d88c3ad5b20c7", - "sha256:dec5202bfe6f672d4511086e125db035a52b00f1648d6407cc8e526912c0353a", - "sha256:e1ea316102ea1e1770724db01998d1603ed921c54a86a2efcb03428d5417e489", - "sha256:f90bfc4ad18450c80b024036eaf91e4a246ae287701aaa88eaebebf150868052" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==5.1" - }, - "flake8": { - "hashes": [ - "sha256:15e351d19611c887e482fb960eae4d44845013cc142d42896e9862f775d8cf5c", - "sha256:f04b9fcbac03b0a3e58c0ab3a0ecc462e023a9faf046d57794184028123aa208" - ], - "index": "pypi", - "version": "==3.8.3" - }, - "idna": { - "hashes": [ - "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", - "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.10" - }, - "mccabe": { - "hashes": [ - "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42", - "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f" - ], - "version": "==0.6.1" - }, - "more-itertools": { - "hashes": [ - "sha256:68c70cc7167bdf5c7c9d8f6954a7837089c6a36bf565383919bb595efb8a17e5", - "sha256:b78134b2063dd214000685165d81c154522c3ee0a1c0d4d113c80361c234c5a2" - ], - "markers": "python_version >= '3.5'", - "version": "==8.4.0" - }, - "nose": { - "hashes": [ - "sha256:9ff7c6cc443f8c51994b34a667bbcf45afd6d945be7477b52e97516fd17c53ac", - "sha256:dadcddc0aefbf99eea214e0f1232b94f2fa9bd98fa8353711dacb112bfcbbb2a", - "sha256:f1bffef9cbc82628f6e7d7b40d7e255aefaa1adb6a1b1d26c69a8b79e6208a98" - ], - "index": "pypi", - "version": "==1.3.7" - }, - "packaging": { - "hashes": [ - "sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8", - "sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.4" - }, - "pluggy": { - "hashes": [ - "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", - "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==0.13.1" - }, - "py": { - "hashes": [ - "sha256:366389d1db726cd2fcfc79732e75410e5fe4d31db13692115529d34069a043c2", - "sha256:9ca6883ce56b4e8da7e79ac18787889fa5206c79dcc67fb065376cd2fe03f342" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.9.0" - }, - "pycodestyle": { - "hashes": [ - "sha256:2295e7b2f6b5bd100585ebcb1f616591b652db8a741695b3d8f5d28bdc934367", - "sha256:c58a7d2815e0e8d7972bf1803331fb0152f867bd89adf8a01dfd55085434192e" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.6.0" - }, - "pyflakes": { - "hashes": [ - "sha256:0d94e0e05a19e57a99444b6ddcf9a6eb2e5c68d3ca1e98e90707af8152c90a92", - "sha256:35b2d75ee967ea93b55750aa9edbbf72813e06a66ba54438df2cfac9e3c27fc8" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.2.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" - }, - "pytest": { - "hashes": [ - "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1", - "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8" - ], - "index": "pypi", - "version": "==5.4.3" - }, - "requests": { - "extras": [ - "security" - ], - "hashes": [ - "sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b", - "sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898" - ], - "index": "pypi", - "version": "==2.24.0" - }, - "six": { - "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.15.0" - }, - "urllib3": { - "hashes": [ - "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527", - "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.25.9" - }, - "wcwidth": { - "hashes": [ - "sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784", - "sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83" - ], - "version": "==0.2.5" - } - } -} diff --git a/README.md b/README.md index 77ece38..653695b 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,14 @@ # MISP modules -[![Build Status](https://travis-ci.org/MISP/misp-modules.svg?branch=master)](https://travis-ci.org/MISP/misp-modules) -[![Coverage Status](https://coveralls.io/repos/github/MISP/misp-modules/badge.svg?branch=master)](https://coveralls.io/github/MISP/misp-modules?branch=master) -[![codecov](https://codecov.io/gh/MISP/misp-modules/branch/master/graph/badge.svg)](https://codecov.io/gh/MISP/misp-modules) +[![Python package](https://github.com/MISP/misp-modules/actions/workflows/python-package.yml/badge.svg)](https://github.com/MISP/misp-modules/actions/workflows/python-package.yml)[![Coverage Status](https://coveralls.io/repos/github/MISP/misp-modules/badge.svg?branch=main)](https://coveralls.io/github/MISP/misp-modules?branch=main) +[![codecov](https://codecov.io/gh/MISP/misp-modules/branch/main/graph/badge.svg)](https://codecov.io/gh/MISP/misp-modules) -MISP modules are autonomous modules that can be used for expansion and other services in [MISP](https://github.com/MISP/MISP). +MISP modules are autonomous modules that can be used to extend [MISP](https://github.com/MISP/MISP) for new services such as expansion, import and export. The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration. -MISP modules support is included in MISP starting from version 2.4.28. - -For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from MISP training. +For more information: [Extending MISP with Python modules](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) slides from [MISP training](https://github.com/MISP/misp-training). ## Existing MISP modules @@ -22,7 +19,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [AssemblyLine submit](misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine. * [AssemblyLine query](misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report. * [Backscatter.io](misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations. -* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking. +* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description and its ranking and position in BGP Ranking. * [RansomcoinDB check](misp_modules/modules/expansion/ransomcoindb.py) - An expansion hover module to query the [ransomcoinDB](https://ransomcoindb.concinnity-risks.com): it contains mapping between BTC addresses and malware hashes. Enrich MISP by querying for BTC -> hash or hash -> BTC addresses. * [BTC scam check](misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused. * [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP. @@ -31,6 +28,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate(s) seen. * [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to. * [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API. +* [CPE](misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities. * [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE). * [CVE advanced](misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE). * [Cuckoo submit](misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox. @@ -48,6 +46,8 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [Greynoise](misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. * [hashdd](misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset. * [hibp](misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned? +* [html_to_markdown](misp_modules/modules/expansion/html_to_markdown.py) - Simple HTML to markdown converter +* [HYAS Insight](misp_modules/modules/expansion/hyasinsight.py) - a hover and expansion module to get information from [HYAS Insight](https://www.hyas.com/hyas-insight). * [intel471](misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com). * [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address. * [iprep](misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net. @@ -58,6 +58,8 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module). * [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information. * [MALWAREbazaar](misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload. +* [McAfee MVISION Insights](misp_modules/modules/expansion/mcafee_insights_enrich.py) - an expansion module enrich IOCs with McAfee MVISION Insights. +* [Mmdb server lookup](misp_modules/modules/expansion/mmdb_lookup.py) - an expansion module to enrich an ip with geolocation information from an mmdb server such as ip.circl.lu. * [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP. * [ods-enrich](misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser). * [odt-enrich](misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser). @@ -75,16 +77,20 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [shodan](misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module. * [Sigma queries](misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures. * [Sigma syntax validator](misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator. -* [SophosLabs Intelix](misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier availible). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS) +* [Socialscan](misp_modules/modules/expansion/socialscan.py) - a hover module to check if an email address or a username is used on different online platforms, using the [socialscan](https://github.com/iojw/socialscan) python library +* [SophosLabs Intelix](misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier available). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS) * [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance. * [STIX2 pattern syntax validator](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax. * [ThreatCrowd](misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/). * [threatminer](misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/). +* [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/). * [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url. * [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io). +* [variotdbs](misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference)) * [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference)) * [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray. +* [VMware NSX](misp_modules/modules/expansion/vmware_nsx.py) - a module to enrich a file or URL with VMware NSX Defender. * [VulnDB](misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/). * [Vulners](misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API. * [whois](misp_modules/modules/expansion/whois.py) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd). @@ -123,12 +129,14 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj ## How to install and start MISP modules in a Python virtualenv? (recommended) +***Be sure to run the latest version of `pip`***. To install the latest version of pip, `pip install --upgrade pip` will do the job. + ~~~~bash sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr libpoppler-cpp-dev imagemagick virtualenv libopencv-dev zbar-tools libzbar0 libzbar-dev libfuzzy-dev build-essential -y sudo -u www-data virtualenv -p python3 /var/www/MISP/venv cd /usr/local/src/ -chown -R www-data . -sudo git clone https://github.com/MISP/misp-modules.git +sudo chown -R www-data: . +sudo -u www-data git clone https://github.com/MISP/misp-modules.git cd misp-modules sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS sudo -u www-data /var/www/MISP/venv/bin/pip install . @@ -136,14 +144,15 @@ sudo -u www-data /var/www/MISP/venv/bin/pip install . sudo cp etc/systemd/system/misp-modules.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now misp-modules -/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules +sudo service misp-modules start #or +/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 & #to start the modules ~~~~ ## How to install and start MISP modules on RHEL-based distributions ? As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository. ~~~~bash -sudo yum install rh-ruby22 +sudo yum install rh-python36 rh-ruby22 sudo yum install openjpeg-devel sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel gcc-c++ pkgconfig poppler-cpp-devel python-devel redhat-rpm-config cd /var/www/MISP @@ -164,7 +173,7 @@ After=misp-workers.service Type=simple User=apache Group=apache -ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/var/www/MISP/venv/bin/misp-modules –l 127.0.0.1 –s' +ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1' Restart=always RestartSec=10 diff --git a/doc/expansion/bgpranking.json b/doc/expansion/bgpranking.json deleted file mode 100644 index a98b780..0000000 --- a/doc/expansion/bgpranking.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).", - "requirements": ["pybgpranking python library"], - "features": "The module takes an AS number attribute as input and displays its description and history, and position in BGP Ranking.\n\n", - "references": ["https://github.com/D4-project/BGP-Ranking/"], - "input": "Autonomous system number.", - "output": "Text containing a description of the ASN, its history, and the position in BGP Ranking." -} diff --git a/doc/expansion/farsight_passivedns.json b/doc/expansion/farsight_passivedns.json deleted file mode 100644 index 2c1bf05..0000000 --- a/doc/expansion/farsight_passivedns.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to access Farsight DNSDB Passive DNS.", - "logo": "logos/farsight.png", - "requirements": ["An access to the Farsight Passive DNS API (apikey)"], - "input": "A domain, hostname or IP address MISP attribute.", - "output": "Text containing information about the input, resulting from the query on the Farsight Passive DNS API.", - "references": ["https://www.farsightsecurity.com/"], - "features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. The API returns then the result of the query with some information about the value queried." -} diff --git a/doc/expansion/greynoise.json b/doc/expansion/greynoise.json deleted file mode 100644 index f1f1003..0000000 --- a/doc/expansion/greynoise.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to access GreyNoise.io API", - "logo": "logos/greynoise.png", - "requirements": [], - "input": "An IP address.", - "output": "Additional information about the IP fetched from Greynoise API.", - "references": ["https://greynoise.io/", "https://github.com/GreyNoise-Intelligence/api.greynoise.io"], - "features": "The module takes an IP address as input and queries Greynoise for some additional information about it. The result is returned as text." -} diff --git a/doc/expansion/lastline_query.json b/doc/expansion/lastline_query.json deleted file mode 100644 index 6165890..0000000 --- a/doc/expansion/lastline_query.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Query Lastline with an analysis link and parse the report into MISP attributes and objects.\nThe analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module.", - "logo": "logos/lastline.png", - "requirements": [], - "input": "Link to a Lastline analysis.", - "output": "MISP attributes and objects parsed from the analysis report.", - "references": ["https://www.lastline.com"], - "features": "The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) import module." -} diff --git a/doc/export_mod/cef_export.json b/doc/export_mod/cef_export.json deleted file mode 100644 index 84bba8e..0000000 --- a/doc/export_mod/cef_export.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to export a MISP event in CEF format.", - "requirements": [], - "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.", - "references": ["https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537"], - "input": "MISP Event attributes", - "output": "Common Event Format file" -} diff --git a/doc/export_mod/goamlexport.json b/doc/export_mod/goamlexport.json deleted file mode 100644 index 57a1587..0000000 --- a/doc/export_mod/goamlexport.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "This module is used to export MISP events containing transaction objects into GoAML format.", - "logo": "logos/goAML.jpg", - "requirements": ["PyMISP","MISP objects"], - "features": "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.", - "references": ["http://goaml.unodc.org/"], - "input": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.", - "output": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities)." -} diff --git a/doc/export_mod/liteexport.json b/doc/export_mod/liteexport.json deleted file mode 100644 index 110577c..0000000 --- a/doc/export_mod/liteexport.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Lite export of a MISP event.", - "requirements": [], - "features": "This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.", - "references": [], - "input": "MISP Event attributes", - "output": "Lite MISP Event" -} diff --git a/doc/export_mod/nexthinkexport.json b/doc/export_mod/nexthinkexport.json deleted file mode 100644 index 182448c..0000000 --- a/doc/export_mod/nexthinkexport.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Nexthink NXQL query export module", - "requirements": [], - "features": "This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell", - "references": ["https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2"], - "input": "MISP Event attributes", - "output": "Nexthink NXQL queries", - "logo": "logos/nexthink.svg" -} diff --git a/doc/export_mod/osqueryexport.json b/doc/export_mod/osqueryexport.json deleted file mode 100644 index 6543cb1..0000000 --- a/doc/export_mod/osqueryexport.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "OSQuery export of a MISP event.", - "requirements": [], - "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.", - "references": [], - "input": "MISP Event attributes", - "output": "osquery SQL queries", - "logo": "logos/osquery.png" -} diff --git a/doc/export_mod/pdfexport.json b/doc/export_mod/pdfexport.json deleted file mode 100644 index f1654dc..0000000 --- a/doc/export_mod/pdfexport.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Simple export of a MISP event to PDF.", - "requirements": ["PyMISP", "reportlab"], - "features": "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ", - "references": ["https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html"], - "input": "MISP Event", - "output": "MISP Event in a PDF file." -} diff --git a/doc/export_mod/threatStream_misp_export.json b/doc/export_mod/threatStream_misp_export.json deleted file mode 100644 index 3fdc50a..0000000 --- a/doc/export_mod/threatStream_misp_export.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to export a structured CSV file for uploading to threatStream.", - "logo": "logos/threatstream.png", - "requirements": ["csv"], - "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.", - "references": ["https://www.anomali.com/platform/threatstream", "https://github.com/threatstream"], - "input": "MISP Event attributes", - "output": "ThreatStream CSV format file" -} diff --git a/doc/export_mod/threat_connect_export.json b/doc/export_mod/threat_connect_export.json deleted file mode 100644 index 8d19572..0000000 --- a/doc/export_mod/threat_connect_export.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to export a structured CSV file for uploading to ThreatConnect.", - "logo": "logos/threatconnect.png", - "requirements": ["csv"], - "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.", - "references": ["https://www.threatconnect.com"], - "input": "MISP Event attributes", - "output": "ThreatConnect CSV format file" -} diff --git a/doc/generate_documentation.py b/doc/generate_documentation.py deleted file mode 100644 index f86b5a7..0000000 --- a/doc/generate_documentation.py +++ /dev/null @@ -1,65 +0,0 @@ -# -*- coding: utf-8 -*- -import os -import json - -module_types = ['expansion', 'export_mod', 'import_mod'] -titles = ['Expansion Modules', 'Export Modules', 'Import Modules'] -markdown = ["# MISP modules documentation\n"] -githublink = 'https://github.com/MISP/misp-modules/tree/master/misp_modules/modules' - - -def generate_doc(root_path): - for _path, title in zip(module_types, titles): - markdown.append('\n## {}\n'.format(title)) - current_path = os.path.join(root_path, _path) - files = sorted(os.listdir(current_path)) - githubpath = '{}/{}'.format(githublink, _path) - for _file in files: - modulename = _file.split('.json')[0] - githubref = '{}/{}.py'.format(githubpath, modulename) - markdown.append('\n#### [{}]({})\n'.format(modulename, githubref)) - filename = os.path.join(current_path, _file) - with open(filename, 'rt') as f: - definition = json.loads(f.read()) - if 'logo' in definition: - markdown.append('\n\n'.format(definition.pop('logo'))) - if 'description' in definition: - markdown.append('\n{}\n'.format(definition.pop('description'))) - for field, value in sorted(definition.items()): - if value: - value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>')) - markdown.append('- **{}**:\n>{}\n'.format(field, value)) - markdown.append('\n-----\n') - with open('README.md', 'w') as w: - w.write(''.join(markdown)) - -def generate_docs_for_mkdocs(root_path): - for _path, title in zip(module_types, titles): - markdown = [] - #markdown.append('## {}\n'.format(title)) - current_path = os.path.join(root_path, _path) - files = sorted(os.listdir(current_path)) - githubpath = '{}/{}'.format(githublink, _path) - for _file in files: - modulename = _file.split('.json')[0] - githubref = '{}/{}.py'.format(githubpath, modulename) - markdown.append('\n#### [{}]({})\n'.format(modulename, githubref)) - filename = os.path.join(current_path, _file) - with open(filename, 'rt') as f: - definition = json.loads(f.read()) - if 'logo' in definition: - markdown.append('\n\n'.format(definition.pop('logo'))) - if 'description' in definition: - markdown.append('\n{}\n'.format(definition.pop('description'))) - for field, value in sorted(definition.items()): - if value: - value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>')) - markdown.append('- **{}**:\n>{}\n'.format(field, value)) - markdown.append('\n-----\n') - with open(root_path+"/../"+"/docs/"+_path+".md", 'w') as w: - w.write(''.join(markdown)) - -if __name__ == '__main__': - root_path = os.path.dirname(os.path.realpath(__file__)) - generate_doc(root_path) - generate_docs_for_mkdocs(root_path) diff --git a/doc/import_mod/csvimport.json b/doc/import_mod/csvimport.json deleted file mode 100644 index 66a10fd..0000000 --- a/doc/import_mod/csvimport.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to import MISP attributes from a csv file.", - "requirements": ["PyMISP"], - "features": "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.", - "references": ["https://tools.ietf.org/html/rfc4180", "https://tools.ietf.org/html/rfc7111"], - "input": "CSV format file.", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/cuckooimport.json b/doc/import_mod/cuckooimport.json deleted file mode 100644 index 8091d07..0000000 --- a/doc/import_mod/cuckooimport.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to import Cuckoo JSON.", - "logo": "logos/cuckoo.png", - "requirements": [], - "features": "The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.", - "references": ["https://cuckoosandbox.org/", "https://github.com/cuckoosandbox/cuckoo"], - "input": "Cuckoo JSON file", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/email_import.json b/doc/import_mod/email_import.json deleted file mode 100644 index 1f53852..0000000 --- a/doc/import_mod/email_import.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to import emails in MISP.", - "requirements": [], - "features": "This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.", - "references": [], - "input": "E-mail file", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/goamlimport.json b/doc/import_mod/goamlimport.json deleted file mode 100644 index f2a1ec2..0000000 --- a/doc/import_mod/goamlimport.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to import MISP objects about financial transactions from GoAML files.", - "logo": "logos/goAML.jpg", - "requirements": ["PyMISP"], - "features": "Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.", - "references": "http://goaml.unodc.org/", - "input": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).", - "output": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target." -} diff --git a/doc/import_mod/mispjson.json b/doc/import_mod/mispjson.json deleted file mode 100644 index dd11405..0000000 --- a/doc/import_mod/mispjson.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to import MISP JSON format for merging MISP events.", - "requirements": [], - "features": "The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.", - "references": [], - "input": "MISP Event", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/ocr.json b/doc/import_mod/ocr.json deleted file mode 100644 index 14bbf0b..0000000 --- a/doc/import_mod/ocr.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Optical Character Recognition (OCR) module for MISP.", - "requirements": [], - "features": "The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.", - "references": [], - "input": "Image", - "output": "freetext MISP attribute" -} diff --git a/doc/import_mod/openiocimport.json b/doc/import_mod/openiocimport.json deleted file mode 100644 index e173392..0000000 --- a/doc/import_mod/openiocimport.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to import OpenIOC packages.", - "requirements": ["PyMISP"], - "features": "The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.", - "references": ["https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html"], - "input": "OpenIOC packages", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/threatanalyzer_import.json b/doc/import_mod/threatanalyzer_import.json deleted file mode 100644 index 40e4436..0000000 --- a/doc/import_mod/threatanalyzer_import.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "description": "Module to import ThreatAnalyzer archive.zip / analysis.json files.", - "requirements": [], - "features": "The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.", - "references": ["https://www.threattrack.com/malware-analysis.aspx"], - "input": "ThreatAnalyzer format file", - "output": "MISP Event attributes" -} diff --git a/doc/import_mod/vmray_import.json b/doc/import_mod/vmray_import.json deleted file mode 100644 index b7c0dad..0000000 --- a/doc/import_mod/vmray_import.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Module to import VMRay (VTI) results.", - "logo": "logos/vmray.png", - "requirements": ["vmray_rest_api"], - "features": "The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.", - "references": ["https://www.vmray.com/"], - "input": "VMRay format", - "output": "MISP Event attributes" -} diff --git a/doc/logos/greynoise.png b/doc/logos/greynoise.png deleted file mode 100644 index b4d4f91..0000000 Binary files a/doc/logos/greynoise.png and /dev/null differ diff --git a/docs/install.md b/docs/install.md index 662e675..3eed0f4 100644 --- a/docs/install.md +++ b/docs/install.md @@ -14,7 +14,8 @@ sudo apt-get install -y \ zbar-tools \ libzbar0 \ libzbar-dev \ - libfuzzy-dev + libfuzzy-dev \ + libcaca-dev # BEGIN with virtualenv: $SUDO_WWW virtualenv -p python3 /var/www/MISP/venv diff --git a/doc/logos/apivoid.png b/docs/logos/apivoid.png similarity index 100% rename from doc/logos/apivoid.png rename to docs/logos/apivoid.png diff --git a/doc/logos/assemblyline.png b/docs/logos/assemblyline.png similarity index 100% rename from doc/logos/assemblyline.png rename to docs/logos/assemblyline.png diff --git a/doc/logos/backscatter_io.png b/docs/logos/backscatter_io.png similarity index 100% rename from doc/logos/backscatter_io.png rename to docs/logos/backscatter_io.png diff --git a/doc/logos/bitcoin.png b/docs/logos/bitcoin.png similarity index 100% rename from doc/logos/bitcoin.png rename to docs/logos/bitcoin.png diff --git a/docs/logos/circl.png b/docs/logos/circl.png new file mode 100644 index 0000000..516678d Binary files /dev/null and b/docs/logos/circl.png differ diff --git a/doc/logos/cisco.png b/docs/logos/cisco.png similarity index 100% rename from doc/logos/cisco.png rename to docs/logos/cisco.png diff --git a/doc/logos/crowdstrike.png b/docs/logos/crowdstrike.png similarity index 100% rename from doc/logos/crowdstrike.png rename to docs/logos/crowdstrike.png diff --git a/doc/logos/cuckoo.png b/docs/logos/cuckoo.png similarity index 100% rename from doc/logos/cuckoo.png rename to docs/logos/cuckoo.png diff --git a/doc/logos/cve.png b/docs/logos/cve.png similarity index 100% rename from doc/logos/cve.png rename to docs/logos/cve.png diff --git a/doc/logos/cytomic_orion.png b/docs/logos/cytomic_orion.png similarity index 100% rename from doc/logos/cytomic_orion.png rename to docs/logos/cytomic_orion.png diff --git a/docs/logos/defender_endpoing.png b/docs/logos/defender_endpoing.png new file mode 100644 index 0000000..efc7ace Binary files /dev/null and b/docs/logos/defender_endpoing.png differ diff --git a/doc/logos/docx.png b/docs/logos/docx.png similarity index 100% rename from doc/logos/docx.png rename to docs/logos/docx.png diff --git a/doc/logos/domaintools.png b/docs/logos/domaintools.png similarity index 100% rename from doc/logos/domaintools.png rename to docs/logos/domaintools.png diff --git a/doc/logos/eql.png b/docs/logos/eql.png similarity index 100% rename from doc/logos/eql.png rename to docs/logos/eql.png diff --git a/doc/logos/eupi.png b/docs/logos/eupi.png similarity index 100% rename from doc/logos/eupi.png rename to docs/logos/eupi.png diff --git a/doc/logos/farsight.png b/docs/logos/farsight.png similarity index 100% rename from doc/logos/farsight.png rename to docs/logos/farsight.png diff --git a/doc/logos/goAML.jpg b/docs/logos/goAML.jpg similarity index 100% rename from doc/logos/goAML.jpg rename to docs/logos/goAML.jpg diff --git a/docs/logos/google.png b/docs/logos/google.png new file mode 100644 index 0000000..492f44c Binary files /dev/null and b/docs/logos/google.png differ diff --git a/docs/logos/greynoise.png b/docs/logos/greynoise.png new file mode 100644 index 0000000..0c57e64 Binary files /dev/null and b/docs/logos/greynoise.png differ diff --git a/doc/logos/hibp.png b/docs/logos/hibp.png similarity index 100% rename from doc/logos/hibp.png rename to docs/logos/hibp.png diff --git a/docs/logos/hyas.png b/docs/logos/hyas.png new file mode 100644 index 0000000..42acf22 Binary files /dev/null and b/docs/logos/hyas.png differ diff --git a/docs/logos/intel471.png b/docs/logos/intel471.png new file mode 100644 index 0000000..08264e9 Binary files /dev/null and b/docs/logos/intel471.png differ diff --git a/doc/logos/intelmq.png b/docs/logos/intelmq.png similarity index 100% rename from doc/logos/intelmq.png rename to docs/logos/intelmq.png diff --git a/docs/logos/ipqualityscore.png b/docs/logos/ipqualityscore.png new file mode 100644 index 0000000..da52d96 Binary files /dev/null and b/docs/logos/ipqualityscore.png differ diff --git a/doc/logos/joesandbox.png b/docs/logos/joesandbox.png similarity index 100% rename from doc/logos/joesandbox.png rename to docs/logos/joesandbox.png diff --git a/doc/logos/lastline.png b/docs/logos/lastline.png similarity index 100% rename from doc/logos/lastline.png rename to docs/logos/lastline.png diff --git a/doc/logos/macaddress_io.png b/docs/logos/macaddress_io.png similarity index 100% rename from doc/logos/macaddress_io.png rename to docs/logos/macaddress_io.png diff --git a/doc/logos/macvendors.png b/docs/logos/macvendors.png similarity index 100% rename from doc/logos/macvendors.png rename to docs/logos/macvendors.png diff --git a/doc/logos/maxmind.png b/docs/logos/maxmind.png similarity index 100% rename from doc/logos/maxmind.png rename to docs/logos/maxmind.png diff --git a/docs/logos/misp-modules-full-small.png b/docs/logos/misp-modules-full-small.png new file mode 100644 index 0000000..dbbc084 Binary files /dev/null and b/docs/logos/misp-modules-full-small.png differ diff --git a/docs/logos/misp-modules-full.png b/docs/logos/misp-modules-full.png new file mode 100644 index 0000000..2b432e3 Binary files /dev/null and b/docs/logos/misp-modules-full.png differ diff --git a/docs/logos/misp-modules-full.svg b/docs/logos/misp-modules-full.svg new file mode 100644 index 0000000..eba9571 --- /dev/null +++ b/docs/logos/misp-modules-full.svg @@ -0,0 +1,125 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + misp-modules + + diff --git a/docs/logos/misp-modules-small.png b/docs/logos/misp-modules-small.png new file mode 100644 index 0000000..dbe9d19 Binary files /dev/null and b/docs/logos/misp-modules-small.png differ diff --git a/docs/logos/misp-modules.svg b/docs/logos/misp-modules.svg new file mode 100644 index 0000000..023daf4 --- /dev/null +++ b/docs/logos/misp-modules.svg @@ -0,0 +1,114 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + diff --git a/doc/logos/nexthink.svg b/docs/logos/nexthink.svg similarity index 100% rename from doc/logos/nexthink.svg rename to docs/logos/nexthink.svg diff --git a/doc/logos/ods.png b/docs/logos/ods.png similarity index 100% rename from doc/logos/ods.png rename to docs/logos/ods.png diff --git a/doc/logos/odt.png b/docs/logos/odt.png similarity index 100% rename from doc/logos/odt.png rename to docs/logos/odt.png diff --git a/doc/logos/onyphe.jpg b/docs/logos/onyphe.jpg similarity index 100% rename from doc/logos/onyphe.jpg rename to docs/logos/onyphe.jpg diff --git a/doc/logos/osquery.png b/docs/logos/osquery.png similarity index 100% rename from doc/logos/osquery.png rename to docs/logos/osquery.png diff --git a/doc/logos/otx.png b/docs/logos/otx.png similarity index 100% rename from doc/logos/otx.png rename to docs/logos/otx.png diff --git a/doc/logos/passivedns.png b/docs/logos/passivedns.png similarity index 100% rename from doc/logos/passivedns.png rename to docs/logos/passivedns.png diff --git a/docs/logos/passivessh.png b/docs/logos/passivessh.png new file mode 100644 index 0000000..42c8190 Binary files /dev/null and b/docs/logos/passivessh.png differ diff --git a/doc/logos/passivessl.png b/docs/logos/passivessl.png similarity index 100% rename from doc/logos/passivessl.png rename to docs/logos/passivessl.png diff --git a/doc/logos/passivetotal.png b/docs/logos/passivetotal.png similarity index 100% rename from doc/logos/passivetotal.png rename to docs/logos/passivetotal.png diff --git a/doc/logos/pdf.jpg b/docs/logos/pdf.jpg similarity index 100% rename from doc/logos/pdf.jpg rename to docs/logos/pdf.jpg diff --git a/doc/logos/pptx.png b/docs/logos/pptx.png similarity index 100% rename from doc/logos/pptx.png rename to docs/logos/pptx.png diff --git a/docs/logos/qintel.png b/docs/logos/qintel.png new file mode 100644 index 0000000..fa3af76 Binary files /dev/null and b/docs/logos/qintel.png differ diff --git a/docs/logos/recordedfuture.png b/docs/logos/recordedfuture.png new file mode 100644 index 0000000..a208c04 Binary files /dev/null and b/docs/logos/recordedfuture.png differ diff --git a/doc/logos/securitytrails.png b/docs/logos/securitytrails.png similarity index 100% rename from doc/logos/securitytrails.png rename to docs/logos/securitytrails.png diff --git a/doc/logos/shodan.png b/docs/logos/shodan.png similarity index 100% rename from doc/logos/shodan.png rename to docs/logos/shodan.png diff --git a/doc/logos/sigma.png b/docs/logos/sigma.png similarity index 100% rename from doc/logos/sigma.png rename to docs/logos/sigma.png diff --git a/docs/logos/sophoslabs_intelix.svg b/docs/logos/sophoslabs_intelix.svg new file mode 100644 index 0000000..9fe952f --- /dev/null +++ b/docs/logos/sophoslabs_intelix.svg @@ -0,0 +1,32 @@ + + + + CC812F0D-F9F0-4D68-9347-3579CDA181A3 + Created with sketchtool. + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/doc/logos/spamhaus.jpg b/docs/logos/spamhaus.jpg similarity index 100% rename from doc/logos/spamhaus.jpg rename to docs/logos/spamhaus.jpg diff --git a/doc/logos/stix.png b/docs/logos/stix.png similarity index 100% rename from doc/logos/stix.png rename to docs/logos/stix.png diff --git a/doc/logos/threatconnect.png b/docs/logos/threatconnect.png similarity index 100% rename from doc/logos/threatconnect.png rename to docs/logos/threatconnect.png diff --git a/doc/logos/threatcrowd.png b/docs/logos/threatcrowd.png similarity index 100% rename from doc/logos/threatcrowd.png rename to docs/logos/threatcrowd.png diff --git a/doc/logos/threatminer.png b/docs/logos/threatminer.png similarity index 100% rename from doc/logos/threatminer.png rename to docs/logos/threatminer.png diff --git a/doc/logos/threatstream.png b/docs/logos/threatstream.png similarity index 100% rename from doc/logos/threatstream.png rename to docs/logos/threatstream.png diff --git a/doc/logos/trustar.png b/docs/logos/trustar.png similarity index 100% rename from doc/logos/trustar.png rename to docs/logos/trustar.png diff --git a/doc/logos/urlhaus.png b/docs/logos/urlhaus.png similarity index 100% rename from doc/logos/urlhaus.png rename to docs/logos/urlhaus.png diff --git a/doc/logos/urlscan.jpg b/docs/logos/urlscan.jpg similarity index 100% rename from doc/logos/urlscan.jpg rename to docs/logos/urlscan.jpg diff --git a/docs/logos/variot.png b/docs/logos/variot.png new file mode 100644 index 0000000..717b7e7 Binary files /dev/null and b/docs/logos/variot.png differ diff --git a/doc/logos/virustotal.png b/docs/logos/virustotal.png similarity index 100% rename from doc/logos/virustotal.png rename to docs/logos/virustotal.png diff --git a/doc/logos/vmray.png b/docs/logos/vmray.png similarity index 100% rename from doc/logos/vmray.png rename to docs/logos/vmray.png diff --git a/docs/logos/vmware_nsx.png b/docs/logos/vmware_nsx.png new file mode 100644 index 0000000..4d4ba96 Binary files /dev/null and b/docs/logos/vmware_nsx.png differ diff --git a/doc/logos/vulndb.png b/docs/logos/vulndb.png similarity index 100% rename from doc/logos/vulndb.png rename to docs/logos/vulndb.png diff --git a/doc/logos/vulners.png b/docs/logos/vulners.png similarity index 100% rename from doc/logos/vulners.png rename to docs/logos/vulners.png diff --git a/doc/logos/wikidata.png b/docs/logos/wikidata.png similarity index 100% rename from doc/logos/wikidata.png rename to docs/logos/wikidata.png diff --git a/doc/logos/xforce.png b/docs/logos/xforce.png similarity index 100% rename from doc/logos/xforce.png rename to docs/logos/xforce.png diff --git a/doc/logos/xlsx.png b/docs/logos/xlsx.png similarity index 100% rename from doc/logos/xlsx.png rename to docs/logos/xlsx.png diff --git a/doc/logos/yara.png b/docs/logos/yara.png similarity index 100% rename from doc/logos/yara.png rename to docs/logos/yara.png diff --git a/docs/logos/yeti.png b/docs/logos/yeti.png new file mode 100644 index 0000000..46b77da Binary files /dev/null and b/docs/logos/yeti.png differ diff --git a/doc/README.md b/documentation/README.md similarity index 64% rename from doc/README.md rename to documentation/README.md index e173ad4..524e1a2 100644 --- a/doc/README.md +++ b/documentation/README.md @@ -2,7 +2,7 @@ ## Expansion Modules -#### [apiosintds](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/apiosintds.py) +#### [apiosintds](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) On demand query API for OSINT.digitalside.it project. - **features**: @@ -22,7 +22,7 @@ On demand query API for OSINT.digitalside.it project. ----- -#### [apivoid](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/apivoid.py) +#### [apivoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) @@ -42,7 +42,7 @@ Module to query APIVoid with some domain attributes. ----- -#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/assemblyline_query.py) +#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) @@ -64,7 +64,7 @@ A module tu query the AssemblyLine API with a submission ID to get the submissio ----- -#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/assemblyline_submit.py) +#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) @@ -84,15 +84,13 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r ----- -#### [backscatter_io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/backscatter_io.py) +#### [backscatter_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) Query backscatter.io (https://backscatter.io/). - **features**: >The module takes a source or destination IP address as input and displays the information known by backscatter.io. -> -> - **input**: >IP addresses. - **output**: @@ -104,17 +102,15 @@ Query backscatter.io (https://backscatter.io/). ----- -#### [bgpranking](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/bgpranking.py) +#### [bgpranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) Query BGP Ranking (https://bgpranking-ng.circl.lu/). - **features**: ->The module takes an AS number attribute as input and displays its description and history, and position in BGP Ranking. -> -> +>The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day. - **input**: >Autonomous system number. - **output**: ->Text containing a description of the ASN, its history, and the position in BGP Ranking. +>An asn object with its related bgp-ranking object. - **references**: >https://github.com/D4-project/BGP-Ranking/ - **requirements**: @@ -122,7 +118,7 @@ Query BGP Ranking (https://bgpranking-ng.circl.lu/). ----- -#### [btc_scam_check](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_scam_check.py) +#### [btc_scam_check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) @@ -140,7 +136,7 @@ An expansion hover module to query a special dns blacklist to check if a bitcoin ----- -#### [btc_steroids](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_steroids.py) +#### [btc_steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) @@ -152,7 +148,7 @@ An expansion hover module to get a blockchain balance from a BTC address in MISP ----- -#### [censys_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/censys_enrich.py) +#### [censys_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) An expansion module to enrich attributes in MISP by quering the censys.io API - **features**: @@ -168,7 +164,7 @@ An expansion module to enrich attributes in MISP by quering the censys.io API ----- -#### [circl_passivedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivedns.py) +#### [circl_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) @@ -182,13 +178,15 @@ Module to access CIRCL Passive DNS. - **ouput**: >Passive DNS objects related to the input attribute. - **references**: ->https://www.circl.lu/services/passive-dns/, https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/ +> - https://www.circl.lu/services/passive-dns/ +> - https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/ - **requirements**: ->pypdns: Passive DNS python library, A CIRCL passive DNS account with username & password +> - pypdns: Passive DNS python library +> - A CIRCL passive DNS account with username & password ----- -#### [circl_passivessl](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivessl.py) +#### [circl_passivessl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) @@ -204,11 +202,12 @@ Modules to access CIRCL Passive SSL. - **references**: >https://www.circl.lu/services/passive-ssl/ - **requirements**: ->pypssl: Passive SSL python library, A CIRCL passive SSL account with username & password +> - pypssl: Passive SSL python library +> - A CIRCL passive SSL account with username & password ----- -#### [countrycode](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/countrycode.py) +#### [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) Module to expand country codes. - **features**: @@ -222,7 +221,28 @@ Module to expand country codes. ----- -#### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/crowdstrike_falcon.py) +#### [cpe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) + + + +An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities. +- **features**: +>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. +>The list of vulnerabilities is then parsed and returned as vulnerability objects. +> +>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used. +> +>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one. +- **input**: +>CPE attribute. +- **output**: +>The vulnerabilities related to the CPE. +- **references**: +>https://cve.circl.lu/api/ + +----- + +#### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) @@ -276,7 +296,7 @@ Module to query Crowdstrike Falcon. ----- -#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cuckoo_submit.py) +#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) @@ -289,13 +309,14 @@ An expansion module to submit files and URLs to Cuckoo Sandbox. - **output**: >A text field containing 'Cuckoo task id: ' - **references**: ->https://cuckoosandbox.org/, https://cuckoo.sh/docs/ +> - https://cuckoosandbox.org/ +> - https://cuckoo.sh/docs/ - **requirements**: >Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key) ----- -#### [cve](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve.py) +#### [cve](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) @@ -307,11 +328,33 @@ An expansion hover module to expand information about CVE id. - **output**: >Text giving information about the CVE related to the Vulnerability. - **references**: ->https://cve.circl.lu/, https://cve.mitre.org/ +> - https://cve.circl.lu/ +> - https://cve.mitre.org/ ----- -#### [cytomic_orion](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cytomic_orion.py) +#### [cve_advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) + + + +An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE). +- **features**: +>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information. +> +>The result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns. +> +>The vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects. +- **input**: +>Vulnerability attribute. +- **output**: +>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns. +- **references**: +> - https://cve.circl.lu +> - https://cve/mitre.org/ + +----- + +#### [cytomic_orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) @@ -323,13 +366,14 @@ An expansion module to enrich attributes in MISP by quering the Cytomic Orion AP - **output**: >MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines. - **references**: ->https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/, https://www.cytomicmodel.com/solutions/ +> - https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/ +> - https://www.cytomicmodel.com/solutions/ - **requirements**: >Access (license) to Cytomic Orion ----- -#### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dbl_spamhaus.py) +#### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) @@ -351,7 +395,7 @@ Module to check Spamhaus DBL for a domain name. ----- -#### [dns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dns.py) +#### [dns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) A simple DNS expansion service to resolve IP address from domain MISP attributes. - **features**: @@ -369,7 +413,7 @@ A simple DNS expansion service to resolve IP address from domain MISP attributes ----- -#### [docx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py) +#### [docx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) @@ -385,7 +429,7 @@ Module to extract freetext from a .docx document. ----- -#### [domaintools](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py) +#### [domaintools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) @@ -418,11 +462,12 @@ DomainTools MISP expansion module. - **references**: >https://www.domaintools.com/ - **requirements**: ->Domaintools python library, A Domaintools API access (username & apikey) +> - Domaintools python library +> - A Domaintools API access (username & apikey) ----- -#### [eql](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eql.py) +#### [eql](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) @@ -438,7 +483,7 @@ EQL query generation for a MISP attribute. ----- -#### [eupi](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py) +#### [eupi](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) @@ -454,29 +499,72 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l - **references**: >https://phishing-initiative.eu/?lang=en - **requirements**: ->pyeupi: eupi python library, An access to the Phishing Initiative API (apikey & url) +> - pyeupi: eupi python library +> - An access to the Phishing Initiative API (apikey & url) ----- -#### [farsight_passivedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py) +#### [farsight_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) Module to access Farsight DNSDB Passive DNS. - **features**: ->This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. The API returns then the result of the query with some information about the value queried. +>This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. +> The results of rdata and rrset lookups are then returned and parsed into passive-dns objects. +> +>An API key is required to submit queries to the API. +> It is also possible to define a custom server URL, and to set a limit of results to get. +> This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit). - **input**: >A domain, hostname or IP address MISP attribute. - **output**: ->Text containing information about the input, resulting from the query on the Farsight Passive DNS API. +>Passive-dns objects, resulting from the query on the Farsight Passive DNS API. - **references**: ->https://www.farsightsecurity.com/ +> - https://www.farsightsecurity.com/ +> - https://docs.dnsdb.info/dnsdb-api/ - **requirements**: >An access to the Farsight Passive DNS API (apikey) ----- -#### [geoip_country](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py) +#### [geoip_asn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) + + +- **descrption**: +>An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the AS number of the IP address. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [geoip_city](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) + + + +An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the city where the IP address is located. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [geoip_country](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) @@ -496,23 +584,45 @@ Module to query a local copy of Maxmind's Geolite database. ----- -#### [greynoise](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py) +#### [google_search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) - - -Module to access GreyNoise.io API + +- **descrption**: +>A hover module to get information about an url using a Google search. - **features**: ->The module takes an IP address as input and queries Greynoise for some additional information about it. The result is returned as text. +>The module takes an url as input to query the Google search API. The result of the query is then return as raw text. - **input**: ->An IP address. +>An url attribute. - **output**: ->Additional information about the IP fetched from Greynoise API. +>Text containing the result of a Google search on the input url. - **references**: ->https://greynoise.io/, https://github.com/GreyNoise-Intelligence/api.greynoise.io +>https://github.com/abenassi/Google-Search-API +- **requirements**: +>The python Google Search API library ----- -#### [hashdd](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hashdd.py) +#### [greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) + + + +Module to query IP and CVE information from GreyNoise +- **features**: +>This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days. +- **input**: +>An IP address or CVE ID +- **output**: +>IP Lookup information or CVE scanning profile for past 7 days +- **references**: +> - https://greynoise.io/ +> - https://docs.greyniose.io/ +> - https://www.greynoise.io/viz/account/ +- **requirements**: +>A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups. + +----- + +#### [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) A hover module to check hashes against hashdd.com including NSLR dataset. - **features**: @@ -526,7 +636,26 @@ A hover module to check hashes against hashdd.com including NSLR dataset. ----- -#### [hibp](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hibp.py) +#### [hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) + + + +An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL. +- **features**: +>The module takes file hashes as input such as a MD5 or SHA1. +> It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required. +> The module can be used an hover module but also an expansion model to add related MISP objects. +> +- **input**: +>File hashes (MD5, SHA1) +- **output**: +>Object with the filename associated hashes if the hash is part of a known set. +- **references**: +>https://www.circl.lu/services/hashlookup/ + +----- + +#### [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) @@ -542,7 +671,74 @@ Module to access haveibeenpwned.com API. ----- -#### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intelmq_eventdb.py) +#### [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) + +Expansion module to fetch the html content from an url and convert it into markdown. +- **features**: +>The module take an URL as input and the HTML content is fetched from it. This content is then converted into markdown that is returned as text. +- **input**: +>URL attribute. +- **output**: +>Markdown content converted from the HTML fetched from the url. +- **requirements**: +>The markdownify python library + +----- + +#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) + + + +HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure. +- **features**: +>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API. +> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. +> +>An API key is required to submit queries to the HYAS Insight API. +> +- **input**: +>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512) +- **output**: +>Hyas Insight objects, resulting from the query on the HYAS Insight API. +- **references**: +>https://www.hyas.com/hyas-insight/ +- **requirements**: +>A HYAS Insight API Key. + +----- + +#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) + + +- **descrption**: +>An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash. +- **features**: +>The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it. +- **input**: +>A MISP attribute whose type is included in the following list: +>- hostname +>- domain +>- url +>- ip-src +>- ip-dst +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-name +>- md5 +>- sha1 +>- sha256 +- **output**: +>Freetext +- **references**: +>https://public.intel471.com/ +- **requirements**: +>The intel471 python library + +----- + +#### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intelmq_eventdb.py) @@ -556,13 +752,15 @@ Module to access intelmqs eventdb. - **output**: >Text giving information about the input using IntelMQ database. - **references**: ->https://github.com/certtools/intelmq, https://intelmq.readthedocs.io/en/latest/Developers-Guide/ +> - https://github.com/certtools/intelmq +> - https://intelmq.readthedocs.io/en/latest/Developers-Guide/ - **requirements**: ->psycopg2: Python library to support PostgreSQL, An access to the IntelMQ database (username, password, hostname and database reference) +> - psycopg2: Python library to support PostgreSQL +> - An access to the IntelMQ database (username, password, hostname and database reference) ----- -#### [ipasn](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ipasn.py) +#### [ipasn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History). - **features**: @@ -578,7 +776,27 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H ----- -#### [iprep](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/iprep.py) +#### [ipqs_fraud_and_risk_scoring](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py) + + + +IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner. +- **features**: +>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API. +> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. +> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore. +- **input**: +>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone). +- **output**: +>IPQualityScore object, resulting from the query on the IPQualityScore API. +- **references**: +>https://www.ipqualityscore.com/ +- **requirements**: +>A IPQualityScore API Key. + +----- + +#### [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) Module to query IPRep data for IP addresses. - **features**: @@ -594,7 +812,7 @@ Module to query IPRep data for IP addresses. ----- -#### [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) +#### [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) @@ -614,13 +832,14 @@ This url can by the way come from the result of the [joesandbox_submit expansion - **output**: >MISP attributes & objects parsed from the analysis report. - **references**: ->https://www.joesecurity.org, https://www.joesandbox.com/ +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ - **requirements**: >jbxapi: Joe Sandbox API python3 library ----- -#### [joesandbox_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py) +#### [joesandbox_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) @@ -634,16 +853,19 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re - **output**: >Link of the report generated in Joe Sandbox. - **references**: ->https://www.joesecurity.org, https://www.joesandbox.com/ +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ - **requirements**: >jbxapi: Joe Sandbox API python3 library ----- -#### [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) +#### [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Query Lastline with an analysis link and parse the report into MISP attributes and objects. The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module. - **features**: @@ -659,10 +881,12 @@ The analysis link can also be retrieved from the output of the [lastline_submit] ----- -#### [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) +#### [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Module to submit a file or URL to Lastline. - **features**: >The module requires a Lastline Analysis `api_token` and `key`. @@ -676,7 +900,7 @@ Module to submit a file or URL to Lastline. ----- -#### [macaddress_io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py) +#### [macaddress_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) @@ -693,13 +917,15 @@ MISP hover module for macaddress.io - **output**: >Text containing information on the MAC address fetched from a query on macaddress.io. - **references**: ->https://macaddress.io/, https://github.com/CodeLineFi/maclookup-python +> - https://macaddress.io/ +> - https://github.com/CodeLineFi/maclookup-python - **requirements**: ->maclookup: macaddress.io python library, An access to the macaddress.io API (apikey) +> - maclookup: macaddress.io python library +> - An access to the macaddress.io API (apikey) ----- -#### [macvendors](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macvendors.py) +#### [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) @@ -711,11 +937,12 @@ Module to access Macvendors API. - **output**: >Additional information about the MAC address. - **references**: ->https://macvendors.com/, https://macvendors.com/api +> - https://macvendors.com/ +> - https://macvendors.com/api ----- -#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/malwarebazaar.py) +#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) Query the MALWAREbazaar API to get additional information about the input hash attribute. - **features**: @@ -731,7 +958,40 @@ Query the MALWAREbazaar API to get additional information about the input hash a ----- -#### [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py) +#### [mmdb_lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) + + + +A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu. +- **features**: +>The module takes an IP address related attribute as input. +> It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required. +> It is also possible to filter results on 1 db_source by configuring db_source_filter. +- **input**: +>An IP address attribute (for example ip-src or ip-src|port). +- **output**: +>Geolocation and asn objects. +- **references**: +> - https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/ +> - https://github.com/adulau/mmdb-server + +----- + +#### [mwdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py) + +Module to push malware samples to a MWDB instance +- **features**: +>An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event. +- **input**: +>Attachment or malware sample +- **output**: +>Link attribute that points to the sample at the MWDB instane +- **requirements**: +>* mwdblib installed (pip install mwdblib) ; * (optional) keys.py file to add tags of events/attributes to MWDB * (optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute) + +----- + +#### [ocr_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) Module to process some optical character recognition on pictures. - **features**: @@ -745,7 +1005,7 @@ Module to process some optical character recognition on pictures. ----- -#### [ods-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods-enrich.py) +#### [ods_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) @@ -757,11 +1017,12 @@ Module to extract freetext from a .ods document. - **output**: >Text and freetext parsed from the document. - **requirements**: ->ezodf: Python package to create/manipulate OpenDocumentFormat files., pandas_ods_reader: Python library to read in ODS files. +> - ezodf: Python package to create/manipulate OpenDocumentFormat files. +> - pandas_ods_reader: Python library to read in ODS files. ----- -#### [odt-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt-enrich.py) +#### [odt_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) @@ -777,7 +1038,7 @@ Module to extract freetext from a .odt document. ----- -#### [onyphe](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe.py) +#### [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) @@ -789,13 +1050,15 @@ Module to process a query on Onyphe. - **output**: >MISP attributes fetched from the Onyphe query. - **references**: ->https://www.onyphe.io/, https://github.com/sebdraven/pyonyphe +> - https://www.onyphe.io/ +> - https://github.com/sebdraven/pyonyphe - **requirements**: ->onyphe python library, An access to the Onyphe API (apikey) +> - onyphe python library +> - An access to the Onyphe API (apikey) ----- -#### [onyphe_full](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe_full.py) +#### [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) @@ -809,13 +1072,15 @@ Module to process a full query on Onyphe. - **output**: >MISP attributes fetched from the Onyphe query. - **references**: ->https://www.onyphe.io/, https://github.com/sebdraven/pyonyphe +> - https://www.onyphe.io/ +> - https://github.com/sebdraven/pyonyphe - **requirements**: ->onyphe python library, An access to the Onyphe API (apikey) +> - onyphe python library +> - An access to the Onyphe API (apikey) ----- -#### [otx](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/otx.py) +#### [otx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) @@ -850,7 +1115,26 @@ Module to get information from AlienVault OTX. ----- -#### [passivetotal](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/passivetotal.py) +#### [passivessh](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivessh.py) + + + +An expansion module to query the CIRCL Passive SSH. +- **features**: +>The module queries the Passive SSH service from CIRCL. +> +> The module can be used an hover module but also an expansion model to add related MISP objects. +> +- **input**: +>IP addresses or SSH fingerprints +- **output**: +>SSH key materials, complementary IP addresses with similar SSH key materials +- **references**: +>https://github.com/D4-project/passive-ssh + +----- + +#### [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) @@ -896,11 +1180,12 @@ Module to get information from AlienVault OTX. - **references**: >https://www.passivetotal.org/register - **requirements**: ->Passivetotal python library, An access to the PassiveTotal API (apikey) +> - Passivetotal python library +> - An access to the PassiveTotal API (apikey) ----- -#### [pdf-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf-enrich.py) +#### [pdf_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) @@ -916,7 +1201,7 @@ Module to extract freetext from a PDF document. ----- -#### [pptx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx-enrich.py) +#### [pptx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) @@ -932,7 +1217,25 @@ Module to extract freetext from a .pptx document. ----- -#### [qrcode](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/qrcode.py) +#### [qintel_qsentry](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py) + + + +A hover and expansion module which queries Qintel QSentry for ip reputation data +- **features**: +>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data +- **input**: +>ip address attribute +- **ouput**: +>Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information +- **references**: +>https://www.qintel.com/products/qsentry/ +- **requirements**: +>A Qintel API token + +----- + +#### [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) Module to decode QR codes. - **features**: @@ -942,11 +1245,30 @@ Module to decode QR codes. - **output**: >The URL or bitcoin address the QR code is pointing to. - **requirements**: ->cv2: The OpenCV python library., pyzbar: Python library to read QR codes. +> - cv2: The OpenCV python library. +> - pyzbar: Python library to read QR codes. ----- -#### [rbl](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/rbl.py) +#### [ransomcoindb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) +- **descrption**: +>Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes. +- **features**: +>The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data. +> +>If the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes. +- **input**: +>A hash (md5, sha1 or sha256) or btc attribute. +- **output**: +>Hashes associated to a btc address or btc addresses associated to a hash. +- **references**: +>https://ransomcoindb.concinnity-risks.com +- **requirements**: +>A ransomcoinDB API key. + +----- + +#### [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) Module to check an IPv4 address against known RBLs. - **features**: @@ -964,7 +1286,25 @@ Module to check an IPv4 address against known RBLs. ----- -#### [reversedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/reversedns.py) +#### [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) + + + +Module to enrich attributes with threat intelligence from Recorded Future. +- **features**: +>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes. +- **input**: +>A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness. +- **output**: +>A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute. +- **references**: +>https://www.recordedfuture.com/ +- **requirements**: +>A Recorded Future API token. + +----- + +#### [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes. - **features**: @@ -982,7 +1322,7 @@ Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes ----- -#### [securitytrails](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/securitytrails.py) +#### [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) @@ -1011,11 +1351,12 @@ An expansion modules for SecurityTrails. - **references**: >https://securitytrails.com/ - **requirements**: ->dnstrails python library, An access to the SecurityTrails API (apikey) +> - dnstrails python library +> - An access to the SecurityTrails API (apikey) ----- -#### [shodan](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/shodan.py) +#### [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) @@ -1029,11 +1370,12 @@ Module to query on Shodan. - **references**: >https://www.shodan.io/ - **requirements**: ->shodan python library, An access to the Shodan API (apikey) +> - shodan python library +> - An access to the Shodan API (apikey) ----- -#### [sigma_queries](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_queries.py) +#### [sigma_queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) @@ -1051,7 +1393,7 @@ An expansion hover module to display the result of sigma queries. ----- -#### [sigma_syntax_validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_syntax_validator.py) +#### [sigma_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) @@ -1067,11 +1409,46 @@ An expansion hover module to perform a syntax check on sigma rules. - **references**: >https://github.com/Neo23x0/sigma/wiki - **requirements**: ->Sigma python library, Yaml python library +> - Sigma python library +> - Yaml python library ----- -#### [sourcecache](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sourcecache.py) +#### [socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) + +A hover module to get information on the availability of an email address or username on some online platforms. +- **features**: +>The module takes an email address or username as input and check its availability on some online platforms. The results for each platform are then returned to see if the email address or the username is used, available or if there is an issue with it. +- **input**: +>An email address or usename attribute. +- **output**: +>Text containing information about the availability of an email address or a username in some online platforms. +- **references**: +>https://github.com/iojw/socialscan +- **requirements**: +>The socialscan python library + +----- + +#### [sophoslabs_intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) + + + +An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute. +- **features**: +>The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object. +- **input**: +>An ip address, url, domain or sha256 attribute. +- **output**: +>SophosLabs Intelix report and lookup objects +- **references**: +>https://aws.amazon.com/marketplace/pp/B07SLZPMCS +- **requirements**: +>A client_id and client_secret pair to authenticate to the SophosLabs Intelix API + +----- + +#### [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page. - **features**: @@ -1087,7 +1464,7 @@ Module to cache web pages of analysis reports, OSINT sources. The module returns ----- -#### [stix2_pattern_syntax_validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) +#### [stix2_pattern_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) @@ -1107,7 +1484,7 @@ An expansion hover module to perform a syntax check on stix2 patterns. ----- -#### [threatcrowd](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatcrowd.py) +#### [threatcrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) @@ -1144,7 +1521,7 @@ Module to get information from ThreatCrowd. ----- -#### [threatminer](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatminer.py) +#### [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) @@ -1184,7 +1561,7 @@ Module to get information from ThreatMiner. ----- -#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/trustar_enrich.py) +#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) @@ -1213,7 +1590,7 @@ Module to get enrich indicators with TruSTAR. ----- -#### [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py) +#### [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) @@ -1231,7 +1608,7 @@ Query of the URLhaus API to get additional information about the input attribute ----- -#### [urlscan](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlscan.py) +#### [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) @@ -1251,7 +1628,29 @@ An expansion module to query urlscan.io. ----- -#### [virustotal](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal.py) +#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) + + + +An expansion module to query the VARIoT db API for more information about a vulnerability. +- **features**: +>The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information. +> +>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself. +> +>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template. +- **input**: +>Vulnerability attribute. +- **output**: +>Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits. +- **references**: +>https://www.variotdbs.pl/ +- **requirements**: +>A VARIoT db API key (if you do not want to be limited to 100 queries / day) + +----- + +#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) @@ -1269,13 +1668,14 @@ Module to get advanced information from virustotal. - **output**: >MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute. - **references**: ->https://www.virustotal.com/, https://developers.virustotal.com/reference +> - https://www.virustotal.com/ +> - https://developers.virustotal.com/reference - **requirements**: >An access to the VirusTotal API (apikey), with a high request rate limit. ----- -#### [virustotal_public](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal_public.py) +#### [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) @@ -1293,13 +1693,14 @@ Module to get information from VirusTotal. - **output**: >MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute. - **references**: ->https://www.virustotal.com, https://developers.virustotal.com/reference +> - https://www.virustotal.com +> - https://developers.virustotal.com/reference - **requirements**: >An access to the VirusTotal API (apikey) ----- -#### [vmray_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vmray_submit.py) +#### [vmray_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) @@ -1324,7 +1725,27 @@ Module to submit a sample to VMRay. ----- -#### [vulndb](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulndb.py) +#### [vmware_nsx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) + + + +Module to enrich a file or URL with VMware NSX Defender. +- **features**: +>This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender. +> +>The IoC is then enriched with data from VMware NSX Defender. +- **input**: +>File hash, attachment or URL to be enriched with VMware NSX Defender. +- **output**: +>Objects and tags generated by VMware NSX Defender. +- **references**: +>https://www.vmware.com +- **requirements**: +>The module requires a VMware NSX Defender Analysis `api_token` and `key`. + +----- + +#### [vulndb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) @@ -1344,7 +1765,7 @@ Module to query VulnDB (RiskBasedSecurity.com). ----- -#### [vulners](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulners.py) +#### [vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) @@ -1360,11 +1781,12 @@ An expansion hover module to expand information about CVE id using Vulners API. - **references**: >https://vulners.com/ - **requirements**: ->Vulners python library, An access to the Vulners API +> - Vulners python library +> - An access to the Vulners API ----- -#### [whois](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/whois.py) +#### [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd). - **features**: @@ -1380,7 +1802,7 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd). ----- -#### [wiki](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/wiki.py) +#### [wiki](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) @@ -1398,7 +1820,7 @@ An expansion hover module to extract information from Wikidata to have additiona ----- -#### [xforceexchange](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xforceexchange.py) +#### [xforceexchange](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) @@ -1422,7 +1844,7 @@ An expansion module for IBM X-Force Exchange. ----- -#### [xlsx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx-enrich.py) +#### [xlsx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) @@ -1438,7 +1860,7 @@ Module to extract freetext from a .xlsx document. ----- -#### [yara_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_query.py) +#### [yara_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) @@ -1451,13 +1873,14 @@ An expansion & hover module to translate any hash attribute into a yara rule. - **output**: >YARA rule. - **references**: ->https://virustotal.github.io/yara/, https://github.com/virustotal/yara-python +> - https://virustotal.github.io/yara/ +> - https://github.com/virustotal/yara-python - **requirements**: >yara-python python library ----- -#### [yara_syntax_validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_syntax_validator.py) +#### [yara_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) @@ -1475,9 +1898,29 @@ An expansion hover module to perform a syntax check on if yara rules are valid o ----- +#### [yeti](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py) + + + +Module to process a query on Yeti. +- **features**: +>This module add context and links between observables using yeti +- **input**: +>A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute. +- **output**: +>MISP attributes and objects fetched from the Yeti instances. +- **references**: +> - https://github.com/yeti-platform/yeti +> - https://github.com/sebdraven/pyeti +- **requirements**: +> - pyeti +> - API key + +----- + ## Export Modules -#### [cef_export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cef_export.py) +#### [cef_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) Module to export a MISP event in CEF format. - **features**: @@ -1492,7 +1935,7 @@ Module to export a MISP event in CEF format. ----- -#### [cisco_firesight_manager_ACL_rule_export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) +#### [cisco_firesight_manager_ACL_rule_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) @@ -1508,7 +1951,23 @@ Module to export malicious network activity attributes to Cisco fireSIGHT manage ----- -#### [goamlexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py) +#### [defender_endpoint_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py) + + + +Defender for Endpoint KQL hunting query export module +- **features**: +>This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC. +- **input**: +>MISP Event attributes +- **output**: +>Defender for Endpoint KQL queries +- **references**: +>https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference + +----- + +#### [goamlexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) @@ -1539,11 +1998,12 @@ This module is used to export MISP events containing transaction objects into Go - **references**: >http://goaml.unodc.org/ - **requirements**: ->PyMISP, MISP objects +> - PyMISP +> - MISP objects ----- -#### [liteexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py) +#### [liteexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) Lite export of a MISP event. - **features**: @@ -1555,7 +2015,7 @@ Lite export of a MISP event. ----- -#### [mass_eql_export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/mass_eql_export.py) +#### [mass_eql_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) @@ -1571,7 +2031,7 @@ Mass EQL query export for a MISP event. ----- -#### [nexthinkexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py) +#### [nexthinkexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) @@ -1587,7 +2047,7 @@ Nexthink NXQL query export module ----- -#### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) +#### [osqueryexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) @@ -1601,7 +2061,7 @@ OSQuery export of a MISP event. ----- -#### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py) +#### [pdfexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) Simple export of a MISP event to PDF. - **features**: @@ -1619,17 +2079,18 @@ Simple export of a MISP event to PDF. - **references**: >https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html - **requirements**: ->PyMISP, reportlab +> - PyMISP +> - reportlab ----- -#### [testexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/testexport.py) +#### [testexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/testexport.py) Skeleton export module. ----- -#### [threatStream_misp_export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threatStream_misp_export.py) +#### [threatStream_misp_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) @@ -1641,13 +2102,14 @@ Module to export a structured CSV file for uploading to threatStream. - **output**: >ThreatStream CSV format file - **references**: ->https://www.anomali.com/platform/threatstream, https://github.com/threatstream +> - https://www.anomali.com/platform/threatstream +> - https://github.com/threatstream - **requirements**: >csv ----- -#### [threat_connect_export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threat_connect_export.py) +#### [threat_connect_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) @@ -1666,7 +2128,26 @@ Module to export a structured CSV file for uploading to ThreatConnect. ----- -#### [vt_graph](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/vt_graph.py) +#### [virustotal_collections](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py) + + + +Creates a VT Collection from an event iocs. +- **features**: +>This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button. +- **input**: +>A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute. +- **output**: +>A VirusTotal collection in VT. +- **references**: +> - https://www.virustotal.com/ +> - https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html +- **requirements**: +>An access to the VirusTotal API (apikey). + +----- + +#### [vt_graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) @@ -1688,7 +2169,23 @@ This module is used to create a VirusTotal Graph from a MISP event. ## Import Modules -#### [csvimport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/csvimport.py) +#### [cof2misp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py) + +Passive DNS Common Output Format (COF) MISP importer +- **features**: +>Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input. +- **input**: +>Passive DNS output in Common Output Format (COF) +- **output**: +>MISP objects +- **references**: +>https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html +- **requirements**: +>PyMISP + +----- + +#### [csvimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) Module to import MISP attributes from a csv file. - **features**: @@ -1702,13 +2199,14 @@ Module to import MISP attributes from a csv file. - **output**: >MISP Event attributes - **references**: ->https://tools.ietf.org/html/rfc4180, https://tools.ietf.org/html/rfc7111 +> - https://tools.ietf.org/html/rfc4180 +> - https://tools.ietf.org/html/rfc7111 - **requirements**: >PyMISP ----- -#### [cuckooimport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/cuckooimport.py) +#### [cuckooimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) @@ -1720,11 +2218,12 @@ Module to import Cuckoo JSON. - **output**: >MISP Event attributes - **references**: ->https://cuckoosandbox.org/, https://github.com/cuckoosandbox/cuckoo +> - https://cuckoosandbox.org/ +> - https://github.com/cuckoosandbox/cuckoo ----- -#### [email_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/email_import.py) +#### [email_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) Module to import emails in MISP. - **features**: @@ -1737,7 +2236,7 @@ Module to import emails in MISP. ----- -#### [goamlimport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/goamlimport.py) +#### [goamlimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) @@ -1755,7 +2254,7 @@ Module to import MISP objects about financial transactions from GoAML files. ----- -#### [joe_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py) +#### [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) @@ -1764,21 +2263,22 @@ A module to import data from a Joe Sandbox analysis json report. >Module using the new format of modules able to return attributes and objects. > >The module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report. -> -> - **input**: >Json report of a Joe Sandbox analysis. - **output**: >MISP attributes & objects parsed from the analysis report. - **references**: ->https://www.joesecurity.org, https://www.joesandbox.com/ +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ ----- -#### [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) +#### [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Module to import and parse reports from Lastline analysis links. - **features**: >The module requires a Lastline Portal `username` and `password`. @@ -1793,7 +2293,7 @@ Module to import and parse reports from Lastline analysis links. ----- -#### [mispjson](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/mispjson.py) +#### [mispjson](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py) Module to import MISP JSON format for merging MISP events. - **features**: @@ -1805,7 +2305,7 @@ Module to import MISP JSON format for merging MISP events. ----- -#### [ocr](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/ocr.py) +#### [ocr](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP. - **features**: @@ -1817,7 +2317,7 @@ Optical Character Recognition (OCR) module for MISP. ----- -#### [openiocimport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/openiocimport.py) +#### [openiocimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) Module to import OpenIOC packages. - **features**: @@ -1833,7 +2333,7 @@ Module to import OpenIOC packages. ----- -#### [threatanalyzer_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/threatanalyzer_import.py) +#### [threatanalyzer_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) Module to import ThreatAnalyzer archive.zip / analysis.json files. - **features**: @@ -1848,7 +2348,7 @@ Module to import ThreatAnalyzer archive.zip / analysis.json files. ----- -#### [vmray_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/vmray_import.py) +#### [vmray_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) diff --git a/documentation/generate_documentation.py b/documentation/generate_documentation.py new file mode 100644 index 0000000..8d9116e --- /dev/null +++ b/documentation/generate_documentation.py @@ -0,0 +1,70 @@ +# -*- coding: utf-8 -*- +import os +import json +import sys + +module_types = ['expansion', 'export_mod', 'import_mod'] +titles = ['Expansion Modules', 'Export Modules', 'Import Modules'] +githublink = 'https://github.com/MISP/misp-modules/tree/main/misp_modules/modules' + + +def generate_doc(module_type, root_path, logo_path='logos'): + markdown = [] + current_path = os.path.join(root_path, 'website', module_type) + files = sorted(os.listdir(current_path)) + githubpath = f'{githublink}/{module_type}' + for filename in files: + modulename = filename.split('.json')[0] + githubref = f'{githubpath}/{modulename}.py' + markdown.append(f'\n#### [{modulename}]({githubref})\n') + filename = os.path.join(current_path, filename) + print(f'Processing {filename}') + with open(filename, 'rt') as f: + definition = json.loads(f.read()) + if 'logo' in definition: + logo = os.path.join(logo_path, definition.pop('logo')) + markdown.append(f"\n\n") + if 'description' in definition: + markdown.append(f"\n{definition.pop('description')}\n") + for field, value in sorted(definition.items()): + if not value: + continue + if isinstance(value, list): + markdown.append(handle_list(field, value)) + continue + markdown.append(get_single_value(field, value.replace('\n', '\n>'))) + markdown.append('\n-----\n') + return markdown + + +def get_single_value(field, value): + return f"- **{field}**:\n>{value}\n" + + +def handle_list(field, values): + if len(values) == 1: + return get_single_value(field, values[0]) + values = '\n> - '.join(values) + return f"- **{field}**:\n> - {values}\n" + + +def write_doc(root_path): + markdown = ["# MISP modules documentation\n"] + for _path, title in zip(module_types, titles): + markdown.append(f'\n## {title}\n') + markdown.extend(generate_doc(_path, root_path)) + with open('README.md', 'w') as w: + w.write(''.join(markdown)) + + +def write_docs_for_mkdocs(root_path): + for _path, title in zip(module_types, titles): + markdown = generate_doc(_path, root_path, logo_path='../logos') + with open(os.path.join(root_path, 'mkdocs', f'{_path}.md'), 'w') as w: + w.write(''.join(markdown)) + + +if __name__ == '__main__': + root_path = os.path.dirname(os.path.realpath(__file__)) + write_doc(root_path) + write_docs_for_mkdocs(root_path) diff --git a/documentation/logos/apivoid.png b/documentation/logos/apivoid.png new file mode 100644 index 0000000..e4f84a7 Binary files /dev/null and b/documentation/logos/apivoid.png differ diff --git a/documentation/logos/assemblyline.png b/documentation/logos/assemblyline.png new file mode 100644 index 0000000..bda4518 Binary files /dev/null and b/documentation/logos/assemblyline.png differ diff --git a/documentation/logos/backscatter_io.png b/documentation/logos/backscatter_io.png new file mode 100644 index 0000000..0973112 Binary files /dev/null and b/documentation/logos/backscatter_io.png differ diff --git a/documentation/logos/bitcoin.png b/documentation/logos/bitcoin.png new file mode 100644 index 0000000..e80ad6d Binary files /dev/null and b/documentation/logos/bitcoin.png differ diff --git a/documentation/logos/circl.png b/documentation/logos/circl.png new file mode 100644 index 0000000..516678d Binary files /dev/null and b/documentation/logos/circl.png differ diff --git a/documentation/logos/cisco.png b/documentation/logos/cisco.png new file mode 100644 index 0000000..87b863b Binary files /dev/null and b/documentation/logos/cisco.png differ diff --git a/documentation/logos/crowdstrike.png b/documentation/logos/crowdstrike.png new file mode 100644 index 0000000..359cb01 Binary files /dev/null and b/documentation/logos/crowdstrike.png differ diff --git a/documentation/logos/cuckoo.png b/documentation/logos/cuckoo.png new file mode 100644 index 0000000..57cf35a Binary files /dev/null and b/documentation/logos/cuckoo.png differ diff --git a/documentation/logos/cve.png b/documentation/logos/cve.png new file mode 100644 index 0000000..315ccd8 Binary files /dev/null and b/documentation/logos/cve.png differ diff --git a/documentation/logos/cytomic_orion.png b/documentation/logos/cytomic_orion.png new file mode 100644 index 0000000..45704e9 Binary files /dev/null and b/documentation/logos/cytomic_orion.png differ diff --git a/documentation/logos/defender_endpoing.png b/documentation/logos/defender_endpoing.png new file mode 100644 index 0000000..efc7ace Binary files /dev/null and b/documentation/logos/defender_endpoing.png differ diff --git a/documentation/logos/docx.png b/documentation/logos/docx.png new file mode 100644 index 0000000..018d2c1 Binary files /dev/null and b/documentation/logos/docx.png differ diff --git a/documentation/logos/domaintools.png b/documentation/logos/domaintools.png new file mode 100644 index 0000000..69965e1 Binary files /dev/null and b/documentation/logos/domaintools.png differ diff --git a/documentation/logos/eql.png b/documentation/logos/eql.png new file mode 100644 index 0000000..4cddb91 Binary files /dev/null and b/documentation/logos/eql.png differ diff --git a/documentation/logos/eupi.png b/documentation/logos/eupi.png new file mode 100644 index 0000000..1800657 Binary files /dev/null and b/documentation/logos/eupi.png differ diff --git a/documentation/logos/farsight.png b/documentation/logos/farsight.png new file mode 100644 index 0000000..31a73c1 Binary files /dev/null and b/documentation/logos/farsight.png differ diff --git a/documentation/logos/goAML.jpg b/documentation/logos/goAML.jpg new file mode 100644 index 0000000..4e938ee Binary files /dev/null and b/documentation/logos/goAML.jpg differ diff --git a/documentation/logos/google.png b/documentation/logos/google.png new file mode 100644 index 0000000..492f44c Binary files /dev/null and b/documentation/logos/google.png differ diff --git a/documentation/logos/greynoise.png b/documentation/logos/greynoise.png new file mode 100644 index 0000000..0c57e64 Binary files /dev/null and b/documentation/logos/greynoise.png differ diff --git a/documentation/logos/hibp.png b/documentation/logos/hibp.png new file mode 100644 index 0000000..849ccf2 Binary files /dev/null and b/documentation/logos/hibp.png differ diff --git a/documentation/logos/hyas.png b/documentation/logos/hyas.png new file mode 100644 index 0000000..42acf22 Binary files /dev/null and b/documentation/logos/hyas.png differ diff --git a/documentation/logos/intel471.png b/documentation/logos/intel471.png new file mode 100644 index 0000000..08264e9 Binary files /dev/null and b/documentation/logos/intel471.png differ diff --git a/documentation/logos/intelmq.png b/documentation/logos/intelmq.png new file mode 100644 index 0000000..fad627c Binary files /dev/null and b/documentation/logos/intelmq.png differ diff --git a/documentation/logos/ipqualityscore.png b/documentation/logos/ipqualityscore.png new file mode 100644 index 0000000..da52d96 Binary files /dev/null and b/documentation/logos/ipqualityscore.png differ diff --git a/documentation/logos/joesandbox.png b/documentation/logos/joesandbox.png new file mode 100644 index 0000000..8072f6e Binary files /dev/null and b/documentation/logos/joesandbox.png differ diff --git a/documentation/logos/lastline.png b/documentation/logos/lastline.png new file mode 100644 index 0000000..6bffe77 Binary files /dev/null and b/documentation/logos/lastline.png differ diff --git a/documentation/logos/macaddress_io.png b/documentation/logos/macaddress_io.png new file mode 100644 index 0000000..e77f455 Binary files /dev/null and b/documentation/logos/macaddress_io.png differ diff --git a/documentation/logos/macvendors.png b/documentation/logos/macvendors.png new file mode 100644 index 0000000..3316ea3 Binary files /dev/null and b/documentation/logos/macvendors.png differ diff --git a/documentation/logos/maxmind.png b/documentation/logos/maxmind.png new file mode 100644 index 0000000..8f8a6c6 Binary files /dev/null and b/documentation/logos/maxmind.png differ diff --git a/documentation/logos/nexthink.svg b/documentation/logos/nexthink.svg new file mode 100644 index 0000000..f18ba8f --- /dev/null +++ b/documentation/logos/nexthink.svg @@ -0,0 +1,22 @@ + + + + nexthink + Created with Sketch. + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/documentation/logos/ods.png b/documentation/logos/ods.png new file mode 100644 index 0000000..19b42f1 Binary files /dev/null and b/documentation/logos/ods.png differ diff --git a/documentation/logos/odt.png b/documentation/logos/odt.png new file mode 100644 index 0000000..d177a21 Binary files /dev/null and b/documentation/logos/odt.png differ diff --git a/documentation/logos/onyphe.jpg b/documentation/logos/onyphe.jpg new file mode 100644 index 0000000..cd16f76 Binary files /dev/null and b/documentation/logos/onyphe.jpg differ diff --git a/documentation/logos/osquery.png b/documentation/logos/osquery.png new file mode 100644 index 0000000..2e4320e Binary files /dev/null and b/documentation/logos/osquery.png differ diff --git a/documentation/logos/otx.png b/documentation/logos/otx.png new file mode 100644 index 0000000..eae32c1 Binary files /dev/null and b/documentation/logos/otx.png differ diff --git a/documentation/logos/passivedns.png b/documentation/logos/passivedns.png new file mode 100644 index 0000000..4959a84 Binary files /dev/null and b/documentation/logos/passivedns.png differ diff --git a/documentation/logos/passivessh.png b/documentation/logos/passivessh.png new file mode 100644 index 0000000..42c8190 Binary files /dev/null and b/documentation/logos/passivessh.png differ diff --git a/documentation/logos/passivessl.png b/documentation/logos/passivessl.png new file mode 100644 index 0000000..e92c87d Binary files /dev/null and b/documentation/logos/passivessl.png differ diff --git a/documentation/logos/passivetotal.png b/documentation/logos/passivetotal.png new file mode 100644 index 0000000..87cef69 Binary files /dev/null and b/documentation/logos/passivetotal.png differ diff --git a/documentation/logos/pdf.jpg b/documentation/logos/pdf.jpg new file mode 100644 index 0000000..74f4297 Binary files /dev/null and b/documentation/logos/pdf.jpg differ diff --git a/documentation/logos/pptx.png b/documentation/logos/pptx.png new file mode 100644 index 0000000..11b2133 Binary files /dev/null and b/documentation/logos/pptx.png differ diff --git a/documentation/logos/qintel.png b/documentation/logos/qintel.png new file mode 100644 index 0000000..fa3af76 Binary files /dev/null and b/documentation/logos/qintel.png differ diff --git a/documentation/logos/recordedfuture.png b/documentation/logos/recordedfuture.png new file mode 100644 index 0000000..a208c04 Binary files /dev/null and b/documentation/logos/recordedfuture.png differ diff --git a/documentation/logos/securitytrails.png b/documentation/logos/securitytrails.png new file mode 100644 index 0000000..072dac5 Binary files /dev/null and b/documentation/logos/securitytrails.png differ diff --git a/documentation/logos/shodan.png b/documentation/logos/shodan.png new file mode 100644 index 0000000..7de068e Binary files /dev/null and b/documentation/logos/shodan.png differ diff --git a/documentation/logos/sigma.png b/documentation/logos/sigma.png new file mode 100644 index 0000000..0bd0db1 Binary files /dev/null and b/documentation/logos/sigma.png differ diff --git a/documentation/logos/sophoslabs_intelix.svg b/documentation/logos/sophoslabs_intelix.svg new file mode 100644 index 0000000..9fe952f --- /dev/null +++ b/documentation/logos/sophoslabs_intelix.svg @@ -0,0 +1,32 @@ + + + + CC812F0D-F9F0-4D68-9347-3579CDA181A3 + Created with sketchtool. + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/documentation/logos/spamhaus.jpg b/documentation/logos/spamhaus.jpg new file mode 100644 index 0000000..4c868e4 Binary files /dev/null and b/documentation/logos/spamhaus.jpg differ diff --git a/documentation/logos/stix.png b/documentation/logos/stix.png new file mode 100644 index 0000000..e8b8241 Binary files /dev/null and b/documentation/logos/stix.png differ diff --git a/documentation/logos/threatconnect.png b/documentation/logos/threatconnect.png new file mode 100644 index 0000000..4c8a5b1 Binary files /dev/null and b/documentation/logos/threatconnect.png differ diff --git a/documentation/logos/threatcrowd.png b/documentation/logos/threatcrowd.png new file mode 100644 index 0000000..94eacfc Binary files /dev/null and b/documentation/logos/threatcrowd.png differ diff --git a/documentation/logos/threatminer.png b/documentation/logos/threatminer.png new file mode 100644 index 0000000..d7ac96e Binary files /dev/null and b/documentation/logos/threatminer.png differ diff --git a/documentation/logos/threatstream.png b/documentation/logos/threatstream.png new file mode 100644 index 0000000..eb3837e Binary files /dev/null and b/documentation/logos/threatstream.png differ diff --git a/documentation/logos/trustar.png b/documentation/logos/trustar.png new file mode 100644 index 0000000..d4ac521 Binary files /dev/null and b/documentation/logos/trustar.png differ diff --git a/documentation/logos/urlhaus.png b/documentation/logos/urlhaus.png new file mode 100644 index 0000000..3460d81 Binary files /dev/null and b/documentation/logos/urlhaus.png differ diff --git a/documentation/logos/urlscan.jpg b/documentation/logos/urlscan.jpg new file mode 100644 index 0000000..52e24e2 Binary files /dev/null and b/documentation/logos/urlscan.jpg differ diff --git a/documentation/logos/variot.png b/documentation/logos/variot.png new file mode 100644 index 0000000..717b7e7 Binary files /dev/null and b/documentation/logos/variot.png differ diff --git a/documentation/logos/virustotal.png b/documentation/logos/virustotal.png new file mode 100644 index 0000000..935c5cc Binary files /dev/null and b/documentation/logos/virustotal.png differ diff --git a/documentation/logos/vmray.png b/documentation/logos/vmray.png new file mode 100644 index 0000000..e2e9fa1 Binary files /dev/null and b/documentation/logos/vmray.png differ diff --git a/documentation/logos/vmware_nsx.png b/documentation/logos/vmware_nsx.png new file mode 100644 index 0000000..4d4ba96 Binary files /dev/null and b/documentation/logos/vmware_nsx.png differ diff --git a/documentation/logos/vulndb.png b/documentation/logos/vulndb.png new file mode 100644 index 0000000..bfaf40f Binary files /dev/null and b/documentation/logos/vulndb.png differ diff --git a/documentation/logos/vulners.png b/documentation/logos/vulners.png new file mode 100644 index 0000000..ef9bab4 Binary files /dev/null and b/documentation/logos/vulners.png differ diff --git a/documentation/logos/wikidata.png b/documentation/logos/wikidata.png new file mode 100644 index 0000000..0ffb4b1 Binary files /dev/null and b/documentation/logos/wikidata.png differ diff --git a/documentation/logos/xforce.png b/documentation/logos/xforce.png new file mode 100644 index 0000000..96db659 Binary files /dev/null and b/documentation/logos/xforce.png differ diff --git a/documentation/logos/xlsx.png b/documentation/logos/xlsx.png new file mode 100644 index 0000000..fbe6e13 Binary files /dev/null and b/documentation/logos/xlsx.png differ diff --git a/documentation/logos/yara.png b/documentation/logos/yara.png new file mode 100644 index 0000000..c74c314 Binary files /dev/null and b/documentation/logos/yara.png differ diff --git a/documentation/logos/yeti.png b/documentation/logos/yeti.png new file mode 100644 index 0000000..46b77da Binary files /dev/null and b/documentation/logos/yeti.png differ diff --git a/docs/REQUIREMENTS.txt b/documentation/mkdocs/REQUIREMENTS.txt similarity index 100% rename from docs/REQUIREMENTS.txt rename to documentation/mkdocs/REQUIREMENTS.txt diff --git a/documentation/mkdocs/contribute.md b/documentation/mkdocs/contribute.md new file mode 100644 index 0000000..ef312f6 --- /dev/null +++ b/documentation/mkdocs/contribute.md @@ -0,0 +1,374 @@ +## How to add your own MISP modules? + +Create your module in [misp_modules/modules/expansion/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/), [misp_modules/modules/export_mod/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/), or [misp_modules/modules/import_mod/](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/). The module should have at minimum three functions: + +* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module. +* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values. +* **version** function that returns a dict with the version and the associated meta-data including potential configurations required of the module. + +Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface. + +Your module's script name should also be added in the `__all__` list of `/__init__.py` in order for it to be loaded. + +~~~python +... + # Checking for required value + if not request.get('ip-src'): + # Return an error message + return {'error': "A source IP is required"} +... +~~~ + + +### introspection + +The function that returns a dict of the supported attributes (input and output) by your expansion module. + +~~~python +mispattributes = {'input': ['link', 'url'], + 'output': ['attachment', 'malware-sample']} + +def introspection(): + return mispattributes +~~~ + +### version + +The function that returns a dict with the version and the associated meta-data including potential configurations required of the module. + + +### Additional Configuration Values + +If your module requires additional configuration (to be exposed via the MISP user-interface), you can define those in the moduleconfig value returned by the version function. + +~~~python +# config fields that your code expects from the site admin +moduleconfig = ["apikey", "event_limit"] + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo +~~~ + + +When you do this a config array is added to the meta-data output containing all the potential configuration values: + +~~~ +"meta": { + "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources", + "config": [ + "username", + "password" + ], + "module-type": [ + "expansion", + "hover" + ], + +... +~~~ + + +If you want to use the configuration values set in the web interface they are stored in the key `config` in the JSON object passed to the handler. + +~~~ +def handler(q=False): + + # Check if we were given a configuration + config = q.get("config", {}) + + # Find out if there is a username field + username = config.get("username", None) +~~~ + + +### handler + +The function which accepts a JSON document to expand the values and return a dictionary of the expanded values. + +~~~python +def handler(q=False): + "Fully functional rot-13 encoder" + if q is False: + return False + request = json.loads(q) + src = request.get('ip-src') + if src is None: + # Return an error message + return {'error': "A source IP is required"} + else: + return {'results': + codecs.encode(src, "rot-13")} +~~~ + +#### export module + +For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle. + +Iterating over events attributes is performed using their `Attribute` key. + +~~~python +... +for event in request["data"]: + for attribute in event["Attribute"]: + # do stuff w/ attribute['type'], attribute['value'], ... +... + +### Returning Binary Data + +If you want to return a file or other data you need to add a data attribute. + +~~~python +{"results": {"values": "filename.txt", + "types": "attachment", + "data" : base64.b64encode() # base64 encode your data first + "comment": "This is an attachment"}} +~~~ + +If the binary file is malware you can use 'malware-sample' as the type. If you do this the malware sample will be automatically zipped and password protected ('infected') after being uploaded. + + +~~~python +{"results": {"values": "filename.txt", + "types": "malware-sample", + "data" : base64.b64encode() # base64 encode your data first + "comment": "This is an attachment"}} +~~~ + +[To learn more about how data attributes are processed you can read the processing code here.](https://github.com/MISP/PyMISP/blob/4f230c9299ad9d2d1c851148c629b61a94f3f117/pymisp/mispevent.py#L185-L200) + + +### Module type + +A MISP module can be of four types: + +- **expansion** - service related to an attribute that can be used to extend and update an existing event. +- **hover** - service related to an attribute to provide additional information to the users without updating the event. +- **import** - service related to importing and parsing an external object that can be used to extend an existing event. +- **export** - service related to exporting an object, event, or data. + +module-type is an array where the list of supported types can be added. + +## Testing your modules? + +MISP uses the **modules** function to discover the available MISP modules and their supported MISP attributes: + +~~~ +% curl -s http://127.0.0.1:6666/modules | jq . +[ + { + "name": "passivetotal", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain", + "ip-src", + "ip-dst" + ], + "output": [ + "ip-src", + "ip-dst", + "hostname", + "domain" + ] + }, + "meta": { + "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources", + "config": [ + "username", + "password" + ], + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "sourcecache", + "type": "expansion", + "mispattributes": { + "input": [ + "link" + ], + "output": [ + "link" + ] + }, + "meta": { + "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "dns", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain" + ], + "output": [ + "ip-src", + "ip-dst" + ] + }, + "meta": { + "description": "Simple DNS expansion service to resolve IP address from MISP attributes", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + } +] + +~~~ + +The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes. + +Based on this information, a query can be built in a JSON format and saved as body.json: + +~~~json +{ + "hostname": "www.foo.be", + "module": "dns" +} +~~~ + +Then you can POST this JSON format query towards the MISP object server: + +~~~bash +curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST +~~~ + +The module should output the following JSON: + +~~~json +{ + "results": [ + { + "types": [ + "ip-src", + "ip-dst" + ], + "values": [ + "188.65.217.78" + ] + } + ] +} +~~~ + +It is also possible to restrict the category options of the resolved attributes by passing a list of categories along (optional): + +~~~json +{ + "results": [ + { + "types": [ + "ip-src", + "ip-dst" + ], + "values": [ + "188.65.217.78" + ], + "categories": [ + "Network activity", + "Payload delivery" + ] + } + ] +} +~~~ + +For both the type and the category lists, the first item in the list will be the default setting on the interface. + +### Enable your module in the web interface + +For a module to be activated in the MISP web interface it must be enabled in the "Plugin Settings. + +Go to "Administration > Server Settings" in the top menu +- Go to "Plugin Settings" in the top "tab menu bar" +- Click on the name of the type of module you have created to expand the list of plugins to show your module. +- Find the name of your plugin's "enabled" value in the Setting Column. +"Plugin.[MODULE NAME]_enabled" +- Double click on its "Value" column + +~~~ +Priority Setting Value Description Error Message +Recommended Plugin.Import_ocr_enabled false Enable or disable the ocr module. Value not set. +~~~ + +- Use the drop-down to set the enabled value to 'true' + +~~~ +Priority Setting Value Description Error Message +Recommended Plugin.Import_ocr_enabled true Enable or disable the ocr module. Value not set. +~~~ + +### Set any other required settings for your module + +In this same menu set any other plugin settings that are required for testing. + + + +## Documentation + +In order to provide documentation about some modules that require specific input / output / configuration, the [doc](https://github.com/MISP/misp-modules/tree/master/doc) directory contains detailed information about the general purpose, requirements, features, input and output of each of these modules: + +- ***description** - quick description of the general purpose of the module, as the one given by the moduleinfo +- **requirements** - special libraries needed to make the module work +- **features** - description of the way to use the module, with the required MISP features to make the module give the intended result +- **references** - link(s) giving additional information about the format concerned in the module +- **input** - description of the format of data used in input +- **output** - description of the format given as the result of the module execution + +In addition to the module documentation please add your module to [docs/index.md](https://github.com/MISP/misp-modules/tree/master/docs/index.md). + +There are also [complementary slides](https://www.misp-project.org/misp-training/3.1-misp-modules.pdf) for the creation of MISP modules. + + +## Tips for developers creating modules + +Download a pre-built virtual image from the [MISP training materials](https://www.circl.lu/services/misp-training-materials/). + +- Create a Host-Only adapter in VirtualBox +- Set your Misp OVA to that Host-Only adapter +- Start the virtual machine +- Get the IP address of the virutal machine +- SSH into the machine (Login info on training page) +- Go into the misp-modules directory + +~~~bash +cd /usr/local/src/misp-modules +~~~ + +Set the git repo to your fork and checkout your development branch. If you SSH'ed in as the misp user you will have to use sudo. + +~~~bash +sudo git remote set-url origin https://github.com/YourRepo/misp-modules.git +sudo git pull +sudo git checkout MyModBranch +~~~ + +Remove the contents of the build directory and re-install misp-modules. + +~~~python +sudo rm -fr build/* +sudo pip3 install --upgrade . +~~~ + +SSH in with a different terminal and run `misp-modules` with debugging enabled. + +~~~python +sudo killall misp-modules +misp-modules -d +~~~ + + +In your original terminal you can now run your tests manually and see any errors that arrive + +~~~bash +cd tests/ +curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @MY_TEST_FILE.json -X POST +cd ../ +~~~ diff --git a/documentation/mkdocs/expansion.md b/documentation/mkdocs/expansion.md new file mode 100644 index 0000000..c85cb12 --- /dev/null +++ b/documentation/mkdocs/expansion.md @@ -0,0 +1,1916 @@ + +#### [apiosintds](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apiosintds.py) + +On demand query API for OSINT.digitalside.it project. +- **features**: +>The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute. +> +>The result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls. +> +>Furthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it +- **input**: +>A domain, ip, url or hash attribute. +- **output**: +>Hashes and urls resulting from the query to OSINT.digitalside.it +- **references**: +>https://osint.digitalside.it/#About +- **requirements**: +>The apiosintDS python library to query the OSINT.digitalside.it API. + +----- + +#### [apivoid](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/apivoid.py) + + + +Module to query APIVoid with some domain attributes. +- **features**: +>This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event. +> +>To make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required. +- **input**: +>A domain attribute. +- **output**: +>DNS records and SSL certificates related to the domain. +- **references**: +>https://www.apivoid.com/ +- **requirements**: +>A valid APIVoid API key with enough credits to proceed 2 queries + +----- + +#### [assemblyline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_query.py) + + + +A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it. +- **features**: +>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID. +> +>The submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to. +> +>Some more data may be parsed in the future. +- **input**: +>Link of an AssemblyLine submission report. +- **output**: +>MISP attributes & objects parsed from the AssemblyLine submission. +- **references**: +>https://www.cyber.cg.ca/en/assemblyline +- **requirements**: +>assemblyline_client: Python library to query the AssemblyLine rest API. + +----- + +#### [assemblyline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/assemblyline_submit.py) + + + +A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission. +- **features**: +>The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID. +> +>If the sample or url is correctly submitted, you get then the link of the submission. +- **input**: +>Sample, or url to submit to AssemblyLine. +- **output**: +>Link of the report generated in AssemblyLine. +- **references**: +>https://www.cyber.gc.ca/en/assemblyline +- **requirements**: +>assemblyline_client: Python library to query the AssemblyLine rest API. + +----- + +#### [backscatter_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/backscatter_io.py) + + + +Query backscatter.io (https://backscatter.io/). +- **features**: +>The module takes a source or destination IP address as input and displays the information known by backscatter.io. +- **input**: +>IP addresses. +- **output**: +>Text containing a history of the IP addresses especially on scanning based on backscatter.io information . +- **references**: +>https://pypi.org/project/backscatter/ +- **requirements**: +>backscatter python library + +----- + +#### [bgpranking](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/bgpranking.py) + +Query BGP Ranking (https://bgpranking-ng.circl.lu/). +- **features**: +>The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day. +- **input**: +>Autonomous system number. +- **output**: +>An asn object with its related bgp-ranking object. +- **references**: +>https://github.com/D4-project/BGP-Ranking/ +- **requirements**: +>pybgpranking python library + +----- + +#### [btc_scam_check](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_scam_check.py) + + + +An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused. +- **features**: +>The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused. +- **input**: +>btc address attribute. +- **output**: +>Text to indicate if the BTC address has been abused. +- **references**: +>https://btcblack.it/ +- **requirements**: +>dnspython3: dns python library + +----- + +#### [btc_steroids](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/btc_steroids.py) + + + +An expansion hover module to get a blockchain balance from a BTC address in MISP. +- **input**: +>btc address attribute. +- **output**: +>Text to describe the blockchain balance and the transactions related to the btc address in input. + +----- + +#### [censys_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/censys_enrich.py) + +An expansion module to enrich attributes in MISP by quering the censys.io API +- **features**: +>This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API. +- **input**: +>IP, domain or certificate fingerprint (md5, sha1 or sha256) +- **output**: +>MISP objects retrieved from censys, including open ports, ASN, Location of the IP, x509 details +- **references**: +>https://www.censys.io +- **requirements**: +>API credentials to censys.io + +----- + +#### [circl_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivedns.py) + + + +Module to access CIRCL Passive DNS. +- **features**: +>This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects. +> +>To make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API. +- **input**: +>Hostname, domain, or ip-address attribute. +- **ouput**: +>Passive DNS objects related to the input attribute. +- **references**: +> - https://www.circl.lu/services/passive-dns/ +> - https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/ +- **requirements**: +> - pypdns: Passive DNS python library +> - A CIRCL passive DNS account with username & password + +----- + +#### [circl_passivessl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/circl_passivessl.py) + + + +Modules to access CIRCL Passive SSL. +- **features**: +>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects. +> +>To make it work a username and a password are required to authenticate to the CIRCL Passive SSL API. +- **input**: +>IP address attribute. +- **output**: +>x509 certificate objects seen by the IP address(es). +- **references**: +>https://www.circl.lu/services/passive-ssl/ +- **requirements**: +> - pypssl: Passive SSL python library +> - A CIRCL passive SSL account with username & password + +----- + +#### [countrycode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py) + +Module to expand country codes. +- **features**: +>The module takes a domain or a hostname as input, and returns the country it belongs to. +> +>For non country domains, a list of the most common possible extensions is used. +- **input**: +>Hostname or domain attribute. +- **output**: +>Text with the country code the input belongs to. + +----- + +#### [cpe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py) + + + +An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities. +- **features**: +>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. +>The list of vulnerabilities is then parsed and returned as vulnerability objects. +> +>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used. +> +>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one. +- **input**: +>CPE attribute. +- **output**: +>The vulnerabilities related to the CPE. +- **references**: +>https://cve.circl.lu/api/ + +----- + +#### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py) + + + +Module to query Crowdstrike Falcon. +- **features**: +>This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes. +> +>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported. +- **input**: +>A MISP attribute included in the following list: +>- domain +>- email-attachment +>- email-dst +>- email-reply-to +>- email-src +>- email-subject +>- filename +>- hostname +>- ip-src +>- ip-dst +>- md5 +>- mutex +>- regkey +>- sha1 +>- sha256 +>- uri +>- url +>- user-agent +>- whois-registrant-email +>- x509-fingerprint-md5 +- **output**: +>MISP attributes mapped after the CrowdStrike API has been queried, included in the following list: +>- hostname +>- email-src +>- email-subject +>- filename +>- md5 +>- sha1 +>- sha256 +>- ip-dst +>- ip-dst +>- mutex +>- regkey +>- url +>- user-agent +>- x509-fingerprint-md5 +- **references**: +>https://www.crowdstrike.com/products/crowdstrike-falcon-faq/ +- **requirements**: +>A CrowdStrike API access (API id & key) + +----- + +#### [cuckoo_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cuckoo_submit.py) + + + +An expansion module to submit files and URLs to Cuckoo Sandbox. +- **features**: +>The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox. +> The returned task id can be used to retrieve results when the analysis completed. +- **input**: +>A malware-sample or attachment for files. A url or domain for URLs. +- **output**: +>A text field containing 'Cuckoo task id: ' +- **references**: +> - https://cuckoosandbox.org/ +> - https://cuckoo.sh/docs/ +- **requirements**: +>Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key) + +----- + +#### [cve](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py) + + + +An expansion hover module to expand information about CVE id. +- **features**: +>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs. +- **input**: +>Vulnerability attribute. +- **output**: +>Text giving information about the CVE related to the Vulnerability. +- **references**: +> - https://cve.circl.lu/ +> - https://cve.mitre.org/ + +----- + +#### [cve_advanced](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve_advanced.py) + + + +An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE). +- **features**: +>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information. +> +>The result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns. +> +>The vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects. +- **input**: +>Vulnerability attribute. +- **output**: +>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns. +- **references**: +> - https://cve.circl.lu +> - https://cve/mitre.org/ + +----- + +#### [cytomic_orion](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cytomic_orion.py) + + + +An expansion module to enrich attributes in MISP by quering the Cytomic Orion API +- **features**: +>This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines. +- **input**: +>MD5, hash of the sample / malware to search for. +- **output**: +>MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines. +- **references**: +> - https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/ +> - https://www.cytomicmodel.com/solutions/ +- **requirements**: +>Access (license) to Cytomic Orion + +----- + +#### [dbl_spamhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dbl_spamhaus.py) + + + +Module to check Spamhaus DBL for a domain name. +- **features**: +>This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is. +> +>DBL then returns a response code corresponding to a certain classification of the domain we display. If the queried domain is not in the list, it is also mentionned. +> +>Please note that composite MISP attributes containing domain or hostname are supported as well. +- **input**: +>Domain or hostname attribute. +- **output**: +>Information about the nature of the input. +- **references**: +>https://www.spamhaus.org/faq/section/Spamhaus%20DBL +- **requirements**: +>dnspython3: DNS python3 library + +----- + +#### [dns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py) + +A simple DNS expansion service to resolve IP address from domain MISP attributes. +- **features**: +>The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed. +> +>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8). +> +>Please note that composite MISP attributes containing domain or hostname are supported as well. +- **input**: +>Domain or hostname attribute. +- **output**: +>IP address resolving the input. +- **requirements**: +>dnspython3: DNS python3 library + +----- + +#### [docx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/docx_enrich.py) + + + +Module to extract freetext from a .docx document. +- **features**: +>The module reads the text contained in a .docx document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a .docx document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +>docx python library + +----- + +#### [domaintools](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/domaintools.py) + + + +DomainTools MISP expansion module. +- **features**: +>This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes. +> +>Please note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported. +- **input**: +>A MISP attribute included in the following list: +>- domain +>- hostname +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-name +>- whois-registrant-phone +>- ip-src +>- ip-dst +- **output**: +>MISP attributes mapped after the Domaintools API has been queried, included in the following list: +>- whois-registrant-email +>- whois-registrant-phone +>- whois-registrant-name +>- whois-registrar +>- whois-creation-date +>- text +>- domain +- **references**: +>https://www.domaintools.com/ +- **requirements**: +> - Domaintools python library +> - A Domaintools API access (username & apikey) + +----- + +#### [eql](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eql.py) + + + +EQL query generation for a MISP attribute. +- **features**: +>This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute. +- **input**: +>A filename or ip attribute. +- **output**: +>Attribute containing EQL for a network or file attribute. +- **references**: +>https://eql.readthedocs.io/en/latest/ + +----- + +#### [eupi](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/eupi.py) + + + +A module to query the Phishing Initiative service (https://phishing-initiative.lu). +- **features**: +>This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried. +> +>Please note that composite attributes containing domain or hostname are also supported. +- **input**: +>A domain, hostname or url MISP attribute. +- **output**: +>Text containing information about the input, resulting from the query on Phishing Initiative. +- **references**: +>https://phishing-initiative.eu/?lang=en +- **requirements**: +> - pyeupi: eupi python library +> - An access to the Phishing Initiative API (apikey & url) + +----- + +#### [farsight_passivedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/farsight_passivedns.py) + + + +Module to access Farsight DNSDB Passive DNS. +- **features**: +>This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. +> The results of rdata and rrset lookups are then returned and parsed into passive-dns objects. +> +>An API key is required to submit queries to the API. +> It is also possible to define a custom server URL, and to set a limit of results to get. +> This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit). +- **input**: +>A domain, hostname or IP address MISP attribute. +- **output**: +>Passive-dns objects, resulting from the query on the Farsight Passive DNS API. +- **references**: +> - https://www.farsightsecurity.com/ +> - https://docs.dnsdb.info/dnsdb-api/ +- **requirements**: +>An access to the Farsight Passive DNS API (apikey) + +----- + +#### [geoip_asn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_asn.py) + + +- **descrption**: +>An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the AS number of the IP address. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [geoip_city](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_city.py) + + + +An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the city where the IP address is located. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [geoip_country](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/geoip_country.py) + + + +Module to query a local copy of Maxmind's Geolite database. +- **features**: +>This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address. +> +>Please note that composite attributes domain|ip are also supported. +- **input**: +>An IP address MISP Attribute. +- **output**: +>Text containing information about the location of the IP address. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [google_search](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/google_search.py) + + +- **descrption**: +>A hover module to get information about an url using a Google search. +- **features**: +>The module takes an url as input to query the Google search API. The result of the query is then return as raw text. +- **input**: +>An url attribute. +- **output**: +>Text containing the result of a Google search on the input url. +- **references**: +>https://github.com/abenassi/Google-Search-API +- **requirements**: +>The python Google Search API library + +----- + +#### [greynoise](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/greynoise.py) + + + +Module to query IP and CVE information from GreyNoise +- **features**: +>This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days. +- **input**: +>An IP address or CVE ID +- **output**: +>IP Lookup information or CVE scanning profile for past 7 days +- **references**: +> - https://greynoise.io/ +> - https://docs.greyniose.io/ +> - https://www.greynoise.io/viz/account/ +- **requirements**: +>A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups. + +----- + +#### [hashdd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashdd.py) + +A hover module to check hashes against hashdd.com including NSLR dataset. +- **features**: +>This module takes a hash attribute as input to check its known level, using the hashdd API. This information is then displayed. +- **input**: +>A hash MISP attribute (md5). +- **output**: +>Text describing the known level of the hash in the hashdd databases. +- **references**: +>https://hashdd.com/ + +----- + +#### [hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py) + + + +An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL. +- **features**: +>The module takes file hashes as input such as a MD5 or SHA1. +> It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required. +> The module can be used an hover module but also an expansion model to add related MISP objects. +> +- **input**: +>File hashes (MD5, SHA1) +- **output**: +>Object with the filename associated hashes if the hash is part of a known set. +- **references**: +>https://www.circl.lu/services/hashlookup/ + +----- + +#### [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py) + + + +Module to access haveibeenpwned.com API. +- **features**: +>The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach. +- **input**: +>An email address +- **output**: +>Additional information about the email address. +- **references**: +>https://haveibeenpwned.com/ + +----- + +#### [html_to_markdown](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/html_to_markdown.py) + +Expansion module to fetch the html content from an url and convert it into markdown. +- **features**: +>The module take an URL as input and the HTML content is fetched from it. This content is then converted into markdown that is returned as text. +- **input**: +>URL attribute. +- **output**: +>Markdown content converted from the HTML fetched from the url. +- **requirements**: +>The markdownify python library + +----- + +#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py) + + + +HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure. +- **features**: +>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API. +> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. +> +>An API key is required to submit queries to the HYAS Insight API. +> +- **input**: +>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512) +- **output**: +>Hyas Insight objects, resulting from the query on the HYAS Insight API. +- **references**: +>https://www.hyas.com/hyas-insight/ +- **requirements**: +>A HYAS Insight API Key. + +----- + +#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) + + +- **descrption**: +>An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash. +- **features**: +>The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it. +- **input**: +>A MISP attribute whose type is included in the following list: +>- hostname +>- domain +>- url +>- ip-src +>- ip-dst +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-name +>- md5 +>- sha1 +>- sha256 +- **output**: +>Freetext +- **references**: +>https://public.intel471.com/ +- **requirements**: +>The intel471 python library + +----- + +#### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intelmq_eventdb.py) + + + +Module to access intelmqs eventdb. +- **features**: +>/!\ EXPERIMENTAL MODULE, some features may not work /!\ +> +>This module takes a domain, hostname, IP address or Autonomous system MISP attribute as input to query the IntelMQ database. The result of the query gives then additional information about the input. +- **input**: +>A hostname, domain, IP address or AS attribute. +- **output**: +>Text giving information about the input using IntelMQ database. +- **references**: +> - https://github.com/certtools/intelmq +> - https://intelmq.readthedocs.io/en/latest/Developers-Guide/ +- **requirements**: +> - psycopg2: Python library to support PostgreSQL +> - An access to the IntelMQ database (username, password, hostname and database reference) + +----- + +#### [ipasn](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipasn.py) + +Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History). +- **features**: +>This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object. +- **input**: +>An IP address MISP attribute. +- **output**: +>Asn object(s) objects related to the IP address used as input. +- **references**: +>https://github.com/D4-project/IPASN-History +- **requirements**: +>pyipasnhistory: Python library to access IPASN-history instance + +----- + +#### [ipqs_fraud_and_risk_scoring](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py) + + + +IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner. +- **features**: +>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API. +> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. +> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore. +- **input**: +>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone). +- **output**: +>IPQualityScore object, resulting from the query on the IPQualityScore API. +- **references**: +>https://www.ipqualityscore.com/ +- **requirements**: +>A IPQualityScore API Key. + +----- + +#### [iprep](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/iprep.py) + +Module to query IPRep data for IP addresses. +- **features**: +>This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text describing additional information about the input after a query on the IPRep API. +- **references**: +>https://github.com/mahesh557/packetmail +- **requirements**: +>An access to the packetmail API (apikey) + +----- + +#### [joesandbox_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_query.py) + + + +Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects. + +This url can by the way come from the result of the [joesandbox_submit expansion module](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py). +- **features**: +>Module using the new format of modules able to return attributes and objects. +> +>The module returns the same results as the import module [joe_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py) taking directly the json report as input. +> +>Even if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results. +> +>To make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input. +- **input**: +>Link of a Joe Sandbox sample or url submission. +- **output**: +>MISP attributes & objects parsed from the analysis report. +- **references**: +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ +- **requirements**: +>jbxapi: Joe Sandbox API python3 library + +----- + +#### [joesandbox_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/joesandbox_submit.py) + + + +A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission. +- **features**: +>The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis. +> +>It is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link. +- **input**: +>Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis. +- **output**: +>Link of the report generated in Joe Sandbox. +- **references**: +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ +- **requirements**: +>jbxapi: Joe Sandbox API python3 library + +----- + +#### [lastline_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_query.py) + + + +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + +Query Lastline with an analysis link and parse the report into MISP attributes and objects. +The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module. +- **features**: +>The module requires a Lastline Portal `username` and `password`. +>The module uses the new format and it is able to return MISP attributes and objects. +>The module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) import module. +- **input**: +>Link to a Lastline analysis. +- **output**: +>MISP attributes and objects parsed from the analysis report. +- **references**: +>https://www.lastline.com + +----- + +#### [lastline_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/lastline_submit.py) + + + +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + +Module to submit a file or URL to Lastline. +- **features**: +>The module requires a Lastline Analysis `api_token` and `key`. +>When the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) module. +- **input**: +>File or URL to submit to Lastline. +- **output**: +>Link to the report generated by Lastline. +- **references**: +>https://www.lastline.com + +----- + +#### [macaddress_io](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macaddress_io.py) + + + +MISP hover module for macaddress.io +- **features**: +>This module takes a MAC address attribute as input and queries macaddress.io for additional information. +> +>This information contains data about: +>- MAC address details +>- Vendor details +>- Block details +- **input**: +>MAC address MISP attribute. +- **output**: +>Text containing information on the MAC address fetched from a query on macaddress.io. +- **references**: +> - https://macaddress.io/ +> - https://github.com/CodeLineFi/maclookup-python +- **requirements**: +> - maclookup: macaddress.io python library +> - An access to the macaddress.io API (apikey) + +----- + +#### [macvendors](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/macvendors.py) + + + +Module to access Macvendors API. +- **features**: +>The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address. +- **input**: +>A MAC address. +- **output**: +>Additional information about the MAC address. +- **references**: +> - https://macvendors.com/ +> - https://macvendors.com/api + +----- + +#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/malwarebazaar.py) + +Query the MALWAREbazaar API to get additional information about the input hash attribute. +- **features**: +>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to. +> +>The module is using the new format of modules able to return object since the result is one or multiple MISP object(s). +- **input**: +>A hash attribute (md5, sha1 or sha256). +- **output**: +>File object(s) related to the input attribute found on MALWAREbazaar databases. +- **references**: +>https://bazaar.abuse.ch/ + +----- + +#### [mmdb_lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mmdb_lookup.py) + + + +A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu. +- **features**: +>The module takes an IP address related attribute as input. +> It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required. +> It is also possible to filter results on 1 db_source by configuring db_source_filter. +- **input**: +>An IP address attribute (for example ip-src or ip-src|port). +- **output**: +>Geolocation and asn objects. +- **references**: +> - https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/ +> - https://github.com/adulau/mmdb-server + +----- + +#### [mwdb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/mwdb.py) + +Module to push malware samples to a MWDB instance +- **features**: +>An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event. +- **input**: +>Attachment or malware sample +- **output**: +>Link attribute that points to the sample at the MWDB instane +- **requirements**: +>* mwdblib installed (pip install mwdblib) ; * (optional) keys.py file to add tags of events/attributes to MWDB * (optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute) + +----- + +#### [ocr_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ocr_enrich.py) + +Module to process some optical character recognition on pictures. +- **features**: +>The module takes an attachment attributes as input and process some optical character recognition on it. The text found is then passed to the Freetext importer to extract potential IoCs. +- **input**: +>A picture attachment. +- **output**: +>Text and freetext fetched from the input picture. +- **requirements**: +>cv2: The OpenCV python library. + +----- + +#### [ods_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ods_enrich.py) + + + +Module to extract freetext from a .ods document. +- **features**: +>The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a .ods document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +> - ezodf: Python package to create/manipulate OpenDocumentFormat files. +> - pandas_ods_reader: Python library to read in ODS files. + +----- + +#### [odt_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/odt_enrich.py) + + + +Module to extract freetext from a .odt document. +- **features**: +>The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a .odt document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +>ODT reader python library. + +----- + +#### [onyphe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py) + + + +Module to process a query on Onyphe. +- **features**: +>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted. +- **input**: +>A domain, hostname or IP address MISP attribute. +- **output**: +>MISP attributes fetched from the Onyphe query. +- **references**: +> - https://www.onyphe.io/ +> - https://github.com/sebdraven/pyonyphe +- **requirements**: +> - onyphe python library +> - An access to the Onyphe API (apikey) + +----- + +#### [onyphe_full](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe_full.py) + + + +Module to process a full query on Onyphe. +- **features**: +>This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted. +> +>The parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed. +- **input**: +>A domain, hostname or IP address MISP attribute. +- **output**: +>MISP attributes fetched from the Onyphe query. +- **references**: +> - https://www.onyphe.io/ +> - https://github.com/sebdraven/pyonyphe +- **requirements**: +> - onyphe python library +> - An access to the Onyphe API (apikey) + +----- + +#### [otx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/otx.py) + + + +Module to get information from AlienVault OTX. +- **features**: +>This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes. +- **input**: +>A MISP attribute included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- md5 +>- sha1 +>- sha256 +>- sha512 +- **output**: +>MISP attributes mapped from the result of the query on OTX, included in the following list: +>- domain +>- ip-src +>- ip-dst +>- text +>- md5 +>- sha1 +>- sha256 +>- sha512 +>- email +- **references**: +>https://www.alienvault.com/open-threat-exchange +- **requirements**: +>An access to the OTX API (apikey) + +----- + +#### [passivessh](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivessh.py) + + + +An expansion module to query the CIRCL Passive SSH. +- **features**: +>The module queries the Passive SSH service from CIRCL. +> +> The module can be used an hover module but also an expansion model to add related MISP objects. +> +- **input**: +>IP addresses or SSH fingerprints +- **output**: +>SSH key materials, complementary IP addresses with similar SSH key materials +- **references**: +>https://github.com/D4-project/passive-ssh + +----- + +#### [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py) + + + + +- **features**: +>The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register +- **input**: +>A MISP attribute included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- x509-fingerprint-sha1 +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-phone +>- text +>- whois-registrant-name +>- whois-registrar +>- whois-creation-date +- **output**: +>MISP attributes mapped from the result of the query on PassiveTotal, included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- x509-fingerprint-sha1 +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-phone +>- text +>- whois-registrant-name +>- whois-registrar +>- whois-creation-date +>- md5 +>- sha1 +>- sha256 +>- link +- **references**: +>https://www.passivetotal.org/register +- **requirements**: +> - Passivetotal python library +> - An access to the PassiveTotal API (apikey) + +----- + +#### [pdf_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pdf_enrich.py) + + + +Module to extract freetext from a PDF document. +- **features**: +>The module reads the text contained in a PDF document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a PDF document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +>pdftotext: Python library to extract text from PDF. + +----- + +#### [pptx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/pptx_enrich.py) + + + +Module to extract freetext from a .pptx document. +- **features**: +>The module reads the text contained in a .pptx document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a .pptx document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +>pptx: Python library to read PowerPoint files. + +----- + +#### [qintel_qsentry](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qintel_qsentry.py) + + + +A hover and expansion module which queries Qintel QSentry for ip reputation data +- **features**: +>This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data +- **input**: +>ip address attribute +- **ouput**: +>Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information +- **references**: +>https://www.qintel.com/products/qsentry/ +- **requirements**: +>A Qintel API token + +----- + +#### [qrcode](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/qrcode.py) + +Module to decode QR codes. +- **features**: +>The module reads the QR code and returns the related address, which can be an URL or a bitcoin address. +- **input**: +>A QR code stored as attachment attribute. +- **output**: +>The URL or bitcoin address the QR code is pointing to. +- **requirements**: +> - cv2: The OpenCV python library. +> - pyzbar: Python library to read QR codes. + +----- + +#### [ransomcoindb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/ransomcoindb.py) +- **descrption**: +>Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes. +- **features**: +>The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data. +> +>If the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes. +- **input**: +>A hash (md5, sha1 or sha256) or btc attribute. +- **output**: +>Hashes associated to a btc address or btc addresses associated to a hash. +- **references**: +>https://ransomcoindb.concinnity-risks.com +- **requirements**: +>A ransomcoinDB API key. + +----- + +#### [rbl](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/rbl.py) + +Module to check an IPv4 address against known RBLs. +- **features**: +>This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address. +> +>We display then all the information we get from those different sources. +- **input**: +>IP address attribute. +- **output**: +>Text with additional data from Real-time Blackhost Lists about the IP address. +- **references**: +>[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20) +- **requirements**: +>dnspython3: DNS python3 library + +----- + +#### [recordedfuture](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/recordedfuture.py) + + + +Module to enrich attributes with threat intelligence from Recorded Future. +- **features**: +>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes. +- **input**: +>A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness. +- **output**: +>A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute. +- **references**: +>https://www.recordedfuture.com/ +- **requirements**: +>A Recorded Future API token. + +----- + +#### [reversedns](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/reversedns.py) + +Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes. +- **features**: +>The module takes an IP address as input and tries to find the hostname this IP address is resolved into. +> +>The address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8). +> +>Please note that composite MISP attributes containing IP addresses are supported as well. +- **input**: +>An IP address attribute. +- **output**: +>Hostname attribute the input is resolved into. +- **requirements**: +>DNS python library + +----- + +#### [securitytrails](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/securitytrails.py) + + + +An expansion modules for SecurityTrails. +- **features**: +>The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it. +> +>Multiple parsing operations are then processed on the result of the query to extract a much information as possible. +> +>From this data extracted are then mapped MISP attributes. +- **input**: +>A domain, hostname or IP address attribute. +- **output**: +>MISP attributes resulting from the query on SecurityTrails API, included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- dns-soa-email +>- whois-registrant-email +>- whois-registrant-phone +>- whois-registrant-name +>- whois-registrar +>- whois-creation-date +>- domain +- **references**: +>https://securitytrails.com/ +- **requirements**: +> - dnstrails python library +> - An access to the SecurityTrails API (apikey) + +----- + +#### [shodan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/shodan.py) + + + +Module to query on Shodan. +- **features**: +>The module takes an IP address as input and queries the Shodan API to get some additional data about it. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text with additional data about the input, resulting from the query on Shodan. +- **references**: +>https://www.shodan.io/ +- **requirements**: +> - shodan python library +> - An access to the Shodan API (apikey) + +----- + +#### [sigma_queries](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_queries.py) + + + +An expansion hover module to display the result of sigma queries. +- **features**: +>This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs. +- **input**: +>A Sigma attribute. +- **output**: +>Text displaying results of queries on the Sigma attribute. +- **references**: +>https://github.com/Neo23x0/sigma/wiki +- **requirements**: +>Sigma python library + +----- + +#### [sigma_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sigma_syntax_validator.py) + + + +An expansion hover module to perform a syntax check on sigma rules. +- **features**: +>This module takes a Sigma rule attribute as input and performs a syntax check on it. +> +>It displays then that the rule is valid if it is the case, and the error related to the rule otherwise. +- **input**: +>A Sigma attribute. +- **output**: +>Text describing the validity of the Sigma rule. +- **references**: +>https://github.com/Neo23x0/sigma/wiki +- **requirements**: +> - Sigma python library +> - Yaml python library + +----- + +#### [socialscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/socialscan.py) + +A hover module to get information on the availability of an email address or username on some online platforms. +- **features**: +>The module takes an email address or username as input and check its availability on some online platforms. The results for each platform are then returned to see if the email address or the username is used, available or if there is an issue with it. +- **input**: +>An email address or usename attribute. +- **output**: +>Text containing information about the availability of an email address or a username in some online platforms. +- **references**: +>https://github.com/iojw/socialscan +- **requirements**: +>The socialscan python library + +----- + +#### [sophoslabs_intelix](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sophoslabs_intelix.py) + + + +An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute. +- **features**: +>The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object. +- **input**: +>An ip address, url, domain or sha256 attribute. +- **output**: +>SophosLabs Intelix report and lookup objects +- **references**: +>https://aws.amazon.com/marketplace/pp/B07SLZPMCS +- **requirements**: +>A client_id and client_secret pair to authenticate to the SophosLabs Intelix API + +----- + +#### [sourcecache](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/sourcecache.py) + +Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page. +- **features**: +>This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page. +- **input**: +>A link or url attribute. +- **output**: +>A malware-sample attribute describing the cached page. +- **references**: +>https://github.com/adulau/url_archiver +- **requirements**: +>urlarchiver: python library to fetch and archive URL on the file-system + +----- + +#### [stix2_pattern_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) + + + +An expansion hover module to perform a syntax check on stix2 patterns. +- **features**: +>This module takes a STIX2 pattern attribute as input and performs a syntax check on it. +> +>It displays then that the rule is valid if it is the case, and the error related to the rule otherwise. +- **input**: +>A STIX2 pattern attribute. +- **output**: +>Text describing the validity of the STIX2 pattern. +- **references**: +>[STIX2.0 patterning specifications](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html) +- **requirements**: +>stix2patterns python library + +----- + +#### [threatcrowd](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatcrowd.py) + + + +Module to get information from ThreatCrowd. +- **features**: +>This module takes a MISP attribute as input and queries ThreatCrowd with it. +> +>The result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute. +- **input**: +>A MISP attribute included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- md5 +>- sha1 +>- sha256 +>- sha512 +>- whois-registrant-email +- **output**: +>MISP attributes mapped from the result of the query on ThreatCrowd, included in the following list: +>- domain +>- ip-src +>- ip-dst +>- text +>- md5 +>- sha1 +>- sha256 +>- sha512 +>- hostname +>- whois-registrant-email +- **references**: +>https://www.threatcrowd.org/ + +----- + +#### [threatminer](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/threatminer.py) + + + +Module to get information from ThreatMiner. +- **features**: +>This module takes a MISP attribute as input and queries ThreatMiner with it. +> +>The result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute. +- **input**: +>A MISP attribute included in the following list: +>- hostname +>- domain +>- ip-src +>- ip-dst +>- md5 +>- sha1 +>- sha256 +>- sha512 +- **output**: +>MISP attributes mapped from the result of the query on ThreatMiner, included in the following list: +>- domain +>- ip-src +>- ip-dst +>- text +>- md5 +>- sha1 +>- sha256 +>- sha512 +>- ssdeep +>- authentihash +>- filename +>- whois-registrant-email +>- url +>- link +- **references**: +>https://www.threatminer.org/ + +----- + +#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/trustar_enrich.py) + + + +Module to get enrich indicators with TruSTAR. +- **features**: +>This module enriches MISP attributes with scoring and metadata from TruSTAR. +> +>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports. +- **input**: +>Any of the following MISP attributes: +>- btc +>- domain +>- email-src +>- filename +>- hostname +>- ip-src +>- ip-dst +>- md5 +>- sha1 +>- sha256 +>- url +- **output**: +>MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info. +- **references**: +>https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html + +----- + +#### [urlhaus](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlhaus.py) + + + +Query of the URLhaus API to get additional information about the input attribute. +- **features**: +>Module using the new format of modules able to return attributes and objects. +> +>The module takes one of the attribute type specified as input, and query the URLhaus API with it. If any result is returned by the API, attributes and objects are created accordingly. +- **input**: +>A domain, hostname, url, ip, md5 or sha256 attribute. +- **output**: +>MISP attributes & objects fetched from the result of the URLhaus API query. +- **references**: +>https://urlhaus.abuse.ch/ + +----- + +#### [urlscan](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/urlscan.py) + + + +An expansion module to query urlscan.io. +- **features**: +>This module takes a MISP attribute as input and queries urlscan.io with it. +> +>The result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute. +- **input**: +>A domain, hostname or url attribute. +- **output**: +>MISP attributes mapped from the result of the query on urlscan.io. +- **references**: +>https://urlscan.io/ +- **requirements**: +>An access to the urlscan.io API + +----- + +#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py) + + + +An expansion module to query the VARIoT db API for more information about a vulnerability. +- **features**: +>The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information. +> +>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself. +> +>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template. +- **input**: +>Vulnerability attribute. +- **output**: +>Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits. +- **references**: +>https://www.variotdbs.pl/ +- **requirements**: +>A VARIoT db API key (if you do not want to be limited to 100 queries / day) + +----- + +#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) + + + +Module to get advanced information from virustotal. +- **features**: +>New format of modules able to return attributes and objects. +> +>A module to take a MISP attribute as input and query the VirusTotal API to get additional data about it. +> +>Compared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request. +> +>Thus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them. +- **input**: +>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute. +- **output**: +>MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute. +- **references**: +> - https://www.virustotal.com/ +> - https://developers.virustotal.com/reference +- **requirements**: +>An access to the VirusTotal API (apikey), with a high request rate limit. + +----- + +#### [virustotal_public](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal_public.py) + + + +Module to get information from VirusTotal. +- **features**: +>New format of modules able to return attributes and objects. +> +>A module to take a MISP attribute as input and query the VirusTotal API to get additional data about it. +> +>Compared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit. +> +>Thus, it only queries the API once and returns the results that is parsed into MISP attributes and objects. +- **input**: +>A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute. +- **output**: +>MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute. +- **references**: +> - https://www.virustotal.com +> - https://developers.virustotal.com/reference +- **requirements**: +>An access to the VirusTotal API (apikey) + +----- + +#### [vmray_submit](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmray_submit.py) + + + +Module to submit a sample to VMRay. +- **features**: +>This module takes an attachment or malware-sample attribute as input to query the VMRay API. +> +>The sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes. +- **input**: +>An attachment or malware-sample attribute. +- **output**: +>MISP attributes mapped from the result of the query on VMRay API, included in the following list: +>- text +>- sha1 +>- sha256 +>- md5 +>- link +- **references**: +>https://www.vmray.com/ +- **requirements**: +>An access to the VMRay API (apikey & url) + +----- + +#### [vmware_nsx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py) + + + +Module to enrich a file or URL with VMware NSX Defender. +- **features**: +>This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender. +> +>The IoC is then enriched with data from VMware NSX Defender. +- **input**: +>File hash, attachment or URL to be enriched with VMware NSX Defender. +- **output**: +>Objects and tags generated by VMware NSX Defender. +- **references**: +>https://www.vmware.com +- **requirements**: +>The module requires a VMware NSX Defender Analysis `api_token` and `key`. + +----- + +#### [vulndb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py) + + + +Module to query VulnDB (RiskBasedSecurity.com). +- **features**: +>This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it. +> +>The API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event. +- **input**: +>A vulnerability attribute. +- **output**: +>Additional data enriching the CVE input, fetched from VulnDB. +- **references**: +>https://vulndb.cyberriskanalytics.com/ +- **requirements**: +>An access to the VulnDB API (apikey, apisecret) + +----- + +#### [vulners](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulners.py) + + + +An expansion hover module to expand information about CVE id using Vulners API. +- **features**: +>This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it. +> +>The API then returns details about the vulnerability. +- **input**: +>A vulnerability attribute. +- **output**: +>Text giving additional information about the CVE in input. +- **references**: +>https://vulners.com/ +- **requirements**: +> - Vulners python library +> - An access to the Vulners API + +----- + +#### [whois](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/whois.py) + +Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd). +- **features**: +>This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server). +- **input**: +>A domain or IP address attribute. +- **output**: +>Text describing the result of a whois request for the input value. +- **references**: +>https://github.com/rafiot/uwhoisd +- **requirements**: +>uwhois: A whois python library + +----- + +#### [wiki](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/wiki.py) + + + +An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis. +- **features**: +>This module takes a text attribute as input and queries the Wikidata API. If the text attribute is clear enough to define a specific term, the API returns a wikidata link in response. +- **input**: +>Text attribute. +- **output**: +>Text attribute. +- **references**: +>https://www.wikidata.org +- **requirements**: +>SPARQLWrapper python library + +----- + +#### [xforceexchange](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xforceexchange.py) + + + +An expansion module for IBM X-Force Exchange. +- **features**: +>This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes. +- **input**: +>A MISP attribute included in the following list: +>- ip-src +>- ip-dst +>- vulnerability +>- md5 +>- sha1 +>- sha256 +- **output**: +>MISP attributes mapped from the result of the query on X-Force Exchange. +- **references**: +>https://exchange.xforce.ibmcloud.com/ +- **requirements**: +>An access to the X-Force API (apikey) + +----- + +#### [xlsx_enrich](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/xlsx_enrich.py) + + + +Module to extract freetext from a .xlsx document. +- **features**: +>The module reads the text contained in a .xlsx document. The result is passed to the freetext import parser so IoCs can be extracted out of it. +- **input**: +>Attachment attribute containing a .xlsx document. +- **output**: +>Text and freetext parsed from the document. +- **requirements**: +>pandas: Python library to perform data analysis, time series and statistics. + +----- + +#### [yara_query](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py) + + + +An expansion & hover module to translate any hash attribute into a yara rule. +- **features**: +>The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module. +>Both hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules. +- **input**: +>MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type). +- **output**: +>YARA rule. +- **references**: +> - https://virustotal.github.io/yara/ +> - https://github.com/virustotal/yara-python +- **requirements**: +>yara-python python library + +----- + +#### [yara_syntax_validator](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_syntax_validator.py) + + + +An expansion hover module to perform a syntax check on if yara rules are valid or not. +- **features**: +>This modules simply takes a YARA rule as input, and checks its syntax. It returns then a confirmation if the syntax is valid, otherwise the syntax error is displayed. +- **input**: +>YARA rule attribute. +- **output**: +>Text to inform users if their rule is valid. +- **references**: +>http://virustotal.github.io/yara/ +- **requirements**: +>yara_python python library + +----- + +#### [yeti](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py) + + + +Module to process a query on Yeti. +- **features**: +>This module add context and links between observables using yeti +- **input**: +>A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute. +- **output**: +>MISP attributes and objects fetched from the Yeti instances. +- **references**: +> - https://github.com/yeti-platform/yeti +> - https://github.com/sebdraven/pyeti +- **requirements**: +> - pyeti +> - API key + +----- diff --git a/documentation/mkdocs/export_mod.md b/documentation/mkdocs/export_mod.md new file mode 100644 index 0000000..c0848f5 --- /dev/null +++ b/documentation/mkdocs/export_mod.md @@ -0,0 +1,247 @@ + +#### [cef_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py) + +Module to export a MISP event in CEF format. +- **features**: +>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format. +>Thus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data. +- **input**: +>MISP Event attributes +- **output**: +>Common Event Format file +- **references**: +>https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537 + +----- + +#### [cisco_firesight_manager_ACL_rule_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) + + + +Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules. +- **features**: +>The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager. +- **input**: +>Network activity attributes (IPs, URLs). +- **output**: +>Cisco fireSIGHT manager block rules. +- **requirements**: +>Firesight manager console credentials + +----- + +#### [defender_endpoint_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/defender_endpoint_export.py) + + + +Defender for Endpoint KQL hunting query export module +- **features**: +>This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC. +- **input**: +>MISP Event attributes +- **output**: +>Defender for Endpoint KQL queries +- **references**: +>https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference + +----- + +#### [goamlexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/goamlexport.py) + + + +This module is used to export MISP events containing transaction objects into GoAML format. +- **features**: +>The module works as long as there is at least one transaction object in the Event. +> +>Then in order to have a valid GoAML document, please follow these guidelines: +>- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction. +>- Create an object reference for both origin and target objects of the transaction. +>- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account. +>- A person can have an address, which is a geolocation object, put as object reference of the person. +> +>Supported relation types for object references that are recommended for each object are the folowing: +>- transaction: +> - 'from', 'from_my_client': Origin of the transaction - at least one of them is required. +> - 'to', 'to_my_client': Target of the transaction - at least one of them is required. +> - 'address': Location of the transaction - optional. +>- bank-account: +> - 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory. +> - 'entity': Entity owning the bank account - optional. +>- person: +> - 'address': Address of a person - optional. +- **input**: +>MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target. +- **output**: +>GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities). +- **references**: +>http://goaml.unodc.org/ +- **requirements**: +> - PyMISP +> - MISP objects + +----- + +#### [liteexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/liteexport.py) + +Lite export of a MISP event. +- **features**: +>This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty. +- **input**: +>MISP Event attributes +- **output**: +>Lite MISP Event + +----- + +#### [mass_eql_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/mass_eql_export.py) + + + +Mass EQL query export for a MISP event. +- **features**: +>This module produces EQL queries for all relevant attributes in a MISP event. +- **input**: +>MISP Event attributes +- **output**: +>Text file containing one or more EQL queries +- **references**: +>https://eql.readthedocs.io/en/latest/ + +----- + +#### [nexthinkexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/nexthinkexport.py) + + + +Nexthink NXQL query export module +- **features**: +>This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell +- **input**: +>MISP Event attributes +- **output**: +>Nexthink NXQL queries +- **references**: +>https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2 + +----- + +#### [osqueryexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/osqueryexport.py) + + + +OSQuery export of a MISP event. +- **features**: +>This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide. +- **input**: +>MISP Event attributes +- **output**: +>osquery SQL queries + +----- + +#### [pdfexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/pdfexport.py) + +Simple export of a MISP event to PDF. +- **features**: +>The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf. +> 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata +> 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event +> 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies. +> 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event ! +> 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation. +> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option +- **input**: +>MISP Event +- **output**: +>MISP Event in a PDF file. +- **references**: +>https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html +- **requirements**: +> - PyMISP +> - reportlab + +----- + +#### [testexport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/testexport.py) + +Skeleton export module. + +----- + +#### [threatStream_misp_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threatStream_misp_export.py) + + + +Module to export a structured CSV file for uploading to threatStream. +- **features**: +>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream. +- **input**: +>MISP Event attributes +- **output**: +>ThreatStream CSV format file +- **references**: +> - https://www.anomali.com/platform/threatstream +> - https://github.com/threatstream +- **requirements**: +>csv + +----- + +#### [threat_connect_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/threat_connect_export.py) + + + +Module to export a structured CSV file for uploading to ThreatConnect. +- **features**: +>The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect. +>Users should then provide, as module configuration, the source of data they export, because it is required by the output format. +- **input**: +>MISP Event attributes +- **output**: +>ThreatConnect CSV format file +- **references**: +>https://www.threatconnect.com +- **requirements**: +>csv + +----- + +#### [virustotal_collections](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/virustotal_collections.py) + + + +Creates a VT Collection from an event iocs. +- **features**: +>This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button. +- **input**: +>A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute. +- **output**: +>A VirusTotal collection in VT. +- **references**: +> - https://www.virustotal.com/ +> - https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html +- **requirements**: +>An access to the VirusTotal API (apikey). + +----- + +#### [vt_graph](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/vt_graph.py) + + + +This module is used to create a VirusTotal Graph from a MISP event. +- **features**: +>The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event. +> +>Once the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal. +- **input**: +>A MISP event. +- **output**: +>Link of the VirusTotal Graph created for the event. +- **references**: +>https://www.virustotal.com/gui/graph-overview +- **requirements**: +>vt_graph_api, the python library to query the VirusTotal graph API + +----- diff --git a/documentation/mkdocs/img/favicon.ico b/documentation/mkdocs/img/favicon.ico new file mode 100644 index 0000000..dca12d1 Binary files /dev/null and b/documentation/mkdocs/img/favicon.ico differ diff --git a/documentation/mkdocs/img/misp.png b/documentation/mkdocs/img/misp.png new file mode 100644 index 0000000..5f2d4dd Binary files /dev/null and b/documentation/mkdocs/img/misp.png differ diff --git a/documentation/mkdocs/import_mod.md b/documentation/mkdocs/import_mod.md new file mode 100644 index 0000000..5fe6ccf --- /dev/null +++ b/documentation/mkdocs/import_mod.md @@ -0,0 +1,198 @@ + +#### [cof2misp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py) + +Passive DNS Common Output Format (COF) MISP importer +- **features**: +>Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input. +- **input**: +>Passive DNS output in Common Output Format (COF) +- **output**: +>MISP objects +- **references**: +>https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html +- **requirements**: +>PyMISP + +----- + +#### [csvimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py) + +Module to import MISP attributes from a csv file. +- **features**: +>In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types. +> +>This header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, '). +> +>If the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types. +- **input**: +>CSV format file. +- **output**: +>MISP Event attributes +- **references**: +> - https://tools.ietf.org/html/rfc4180 +> - https://tools.ietf.org/html/rfc7111 +- **requirements**: +>PyMISP + +----- + +#### [cuckooimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cuckooimport.py) + + + +Module to import Cuckoo JSON. +- **features**: +>The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work. +- **input**: +>Cuckoo JSON file +- **output**: +>MISP Event attributes +- **references**: +> - https://cuckoosandbox.org/ +> - https://github.com/cuckoosandbox/cuckoo + +----- + +#### [email_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/email_import.py) + +Module to import emails in MISP. +- **features**: +>This module can be used to import e-mail text as well as attachments and urls. +>3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions. +- **input**: +>E-mail file +- **output**: +>MISP Event attributes + +----- + +#### [goamlimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/goamlimport.py) + + + +Module to import MISP objects about financial transactions from GoAML files. +- **features**: +>Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document. +- **input**: +>GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities). +- **output**: +>MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target. +- **references**: +>http://goaml.unodc.org/ +- **requirements**: +>PyMISP + +----- + +#### [joe_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/joe_import.py) + + + +A module to import data from a Joe Sandbox analysis json report. +- **features**: +>Module using the new format of modules able to return attributes and objects. +> +>The module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report. +- **input**: +>Json report of a Joe Sandbox analysis. +- **output**: +>MISP attributes & objects parsed from the analysis report. +- **references**: +> - https://www.joesecurity.org +> - https://www.joesandbox.com/ + +----- + +#### [lastline_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/lastline_import.py) + + + +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + +Module to import and parse reports from Lastline analysis links. +- **features**: +>The module requires a Lastline Portal `username` and `password`. +>The module uses the new format and it is able to return MISP attributes and objects. +>The module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) expansion module. +- **input**: +>Link to a Lastline analysis. +- **output**: +>MISP attributes and objects parsed from the analysis report. +- **references**: +>https://www.lastline.com + +----- + +#### [mispjson](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/mispjson.py) + +Module to import MISP JSON format for merging MISP events. +- **features**: +>The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work. +- **input**: +>MISP Event +- **output**: +>MISP Event attributes + +----- + +#### [ocr](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/ocr.py) + +Optical Character Recognition (OCR) module for MISP. +- **features**: +>The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work. +- **input**: +>Image +- **output**: +>freetext MISP attribute + +----- + +#### [openiocimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/openiocimport.py) + +Module to import OpenIOC packages. +- **features**: +>The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work. +- **input**: +>OpenIOC packages +- **output**: +>MISP Event attributes +- **references**: +>https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html +- **requirements**: +>PyMISP + +----- + +#### [threatanalyzer_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/threatanalyzer_import.py) + +Module to import ThreatAnalyzer archive.zip / analysis.json files. +- **features**: +>The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format. +>There is by the way no special feature for users to make the module work. +- **input**: +>ThreatAnalyzer format file +- **output**: +>MISP Event attributes +- **references**: +>https://www.threattrack.com/malware-analysis.aspx + +----- + +#### [vmray_import](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/vmray_import.py) + + + +Module to import VMRay (VTI) results. +- **features**: +>The module imports MISP Attributes from VMRay format, using the VMRay api. +>Users should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import. +- **input**: +>VMRay format +- **output**: +>MISP Event attributes +- **references**: +>https://www.vmray.com/ +- **requirements**: +>vmray_rest_api + +----- diff --git a/documentation/mkdocs/index.md b/documentation/mkdocs/index.md new file mode 100644 index 0000000..1297a3b --- /dev/null +++ b/documentation/mkdocs/index.md @@ -0,0 +1,120 @@ +# Home + +[![Build Status](https://travis-ci.org/MISP/misp-modules.svg?branch=master)](https://travis-ci.org/MISP/misp-modules) +[![Coverage Status](https://coveralls.io/repos/github/MISP/misp-modules/badge.svg?branch=master)](https://coveralls.io/github/MISP/misp-modules?branch=master) +[![codecov](https://codecov.io/gh/MISP/misp-modules/branch/master/graph/badge.svg)](https://codecov.io/gh/MISP/misp-modules) +[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%MISP%2Fmisp-modules.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_shield) + +MISP modules are autonomous modules that can be used for expansion and other services in [MISP](https://github.com/MISP/MISP). + +The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities +without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration. + +MISP modules support is included in MISP starting from version `2.4.28`. + +For more information: [Extending MISP with Python modules](https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf) slides from MISP training. + + +## Existing MISP modules + +### Expansion modules + +* [Backscatter.io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations. +* [BGP Ranking](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking. +* [BTC scam check](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused. +* [BTC transactions](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP. +* [CIRCL Passive DNS](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. +* [CIRCL Passive SSL](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen. +* [countrycode](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to. +* [CrowdStrike Falcon](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API. +* [CVE](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE). +* [CVE advanced](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE). +* [Cuckoo submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox. +* [DBL Spamhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dbl_spamhaus.py) - a hover module to check Spamhaus DBL for a domain name. +* [DNS](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes. +* [docx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py) - an enrichment module to get text out of Word document into MISP (using free-text parser). +* [DomainTools](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois. +* [EUPI](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en). +* [EQL](misp_modules/modules/expansion/eql.py) - an expansion module to generate event query language (EQL) from an attribute. [Event Query Language](https://eql.readthedocs.io/en/latest/) +* [Farsight DNSDB Passive DNS](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. +* [GeoIP](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py) - a hover and expansion module to get GeoIP information from geolite/maxmind. +* [Greynoise](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise. +* [hashdd](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset. +* [hibp](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned? +* [intel471](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com). +* [IPASN](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address. +* [iprep](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net. +* [Joe Sandbox submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox. +* [Joe Sandbox query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data. +* [macaddress.io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module). +* [macvendors](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information. +* [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py) - an enrichment module to get OCRized data from images into MISP. +* [ods-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods-enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser). +* [odt-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt-enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser). +* [onyphe](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe.py) - a modules to process queries on Onyphe. +* [onyphe_full](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe_full.py) - a modules to process full queries on Onyphe. +* [OTX](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/otx.py) - an expansion module for [OTX](https://otx.alienvault.com/). +* [passivetotal](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets. +* [pdf-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf-enrich.py) - an enrichment module to extract text from PDF into MISP (using free-text parser). +* [pptx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx-enrich.py) - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser). +* [qrcode](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/qrcode.py) - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values. +* [rbl](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/rbl.py) - a module to get RBL (Real-Time Blackhost List) values from an attribute. +* [reversedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes. +* [securitytrails](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/securitytrails.py) - an expansion module for [securitytrails](https://securitytrails.com/). +* [shodan](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module. +* [Sigma queries](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures. +* [Sigma syntax validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator. +* [sourcecache](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance. +* [STIX2 pattern syntax validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax. +* [ThreatCrowd](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/). +* [threatminer](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/). +* [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url. +* [urlscan](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io). +* [virustotal](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference)) +* [virustotal_public](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference)) +* [VMray](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray. +* [VulnDB](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/). +* [Vulners](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API. +* [whois](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/whois.py) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd). +* [wikidata](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module. +* [xforce](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module. +* [xlsx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx-enrich.py) - an enrichment module to get text out of an Excel document into MISP (using free-text parser). +* [YARA query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes. +* [YARA syntax validator](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator. + +### Export modules + +* [CEF](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cef_export.py) module to export Common Event Format (CEF). +* [Cisco FireSight Manager ACL rule](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py) module to export as rule for the Cisco FireSight manager ACL. +* [GoAML export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py) module to export in [GoAML format](http://goaml.unodc.org/goaml/en/index.html). +* [Lite Export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py) module to export a lite event. +* [Mass EQL Export](misp_modules/modules/export_mod/mass_eql_export.py) module to export applicable attributes from an event to a mass EQL query. +* [PDF export](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py) module to export an event in PDF. +* [Nexthink query format](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py) module to export in Nexthink query format. +* [osquery](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) module to export in [osquery](https://osquery.io/) query format. +* [ThreatConnect](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threat_connect_export.py) module to export in ThreatConnect CSV format. +* [ThreatStream](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threatStream_misp_export.py) module to export in ThreatStream format. + +### Import modules + +* [CSV import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/csvimport.py) Customizable CSV import module. +* [Cuckoo JSON](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/cuckooimport.py) Cuckoo JSON import. +* [Email Import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/email_import.py) Email import module for MISP to import basic metadata. +* [GoAML import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/goamlimport.py) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format. +* [Joe Sandbox import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py) Parse data from a Joe Sandbox json report. +* [OCR](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes. +* [OpenIOC](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library. +* [ThreatAnalyzer](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports. +* [VMRay](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export. + + +## How to contribute your own module? + +Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation. +For further information please see [Contribute](contribute/). + + +## Licenses +[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%MISP%2Fmisp-modules.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_large) + +For further Information see also the [license file](license/). \ No newline at end of file diff --git a/documentation/mkdocs/install.md b/documentation/mkdocs/install.md new file mode 100644 index 0000000..3eed0f4 --- /dev/null +++ b/documentation/mkdocs/install.md @@ -0,0 +1,192 @@ +## How to install and start MISP modules (in a Python virtualenv)? + +~~~~bash +SUDO_WWW="sudo -u www-data" + +sudo apt-get install -y \ + git \ + libpq5 \ + libjpeg-dev \ + tesseract-ocr \ + libpoppler-cpp-dev \ + imagemagick virtualenv \ + libopencv-dev \ + zbar-tools \ + libzbar0 \ + libzbar-dev \ + libfuzzy-dev \ + libcaca-dev + +# BEGIN with virtualenv: +$SUDO_WWW virtualenv -p python3 /var/www/MISP/venv +# END with virtualenv + +cd /usr/local/src/ +# Ideally you add your user to the staff group and make /usr/local/src group writeable, below follows an example with user misp +sudo adduser misp staff +sudo chmod 2775 /usr/local/src +sudo chown root:staff /usr/local/src +git clone https://github.com/MISP/misp-modules.git +git clone git://github.com/stricaud/faup.git faup +git clone git://github.com/stricaud/gtcaca.git gtcaca + +# Install gtcaca/faup +cd gtcaca +mkdir -p build +cd build +cmake .. && make +sudo make install +cd ../../faup +mkdir -p build +cd build +cmake .. && make +sudo make install +sudo ldconfig + +cd ../../misp-modules + +# BEGIN with virtualenv: +$SUDO_WWW /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS +$SUDO_WWW /var/www/MISP/venv/bin/pip install . +# END with virtualenv + +# BEGIN without virtualenv: +sudo pip install -I -r REQUIREMENTS +sudo pip install . +# END without virtualenv + +# Start misp-modules as a service +sudo cp etc/systemd/system/misp-modules.service /etc/systemd/system/ +sudo systemctl daemon-reload +sudo systemctl enable --now misp-modules +/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules +~~~~ + +## How to install and start MISP modules on RHEL-based distributions ? + +As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the SCL repository. + +~~~~bash +SUDO_WWW="sudo -u apache" +sudo yum install \ + rh-ruby22 \ + openjpeg-devel \ + rubygem-rouge \ + rubygem-asciidoctor \ + zbar-devel \ + opencv-devel \ + gcc-c++ \ + pkgconfig \ + poppler-cpp-devel \ + python-devel \ + redhat-rpm-config +cd /usr/local/src/ +sudo git clone https://github.com/MISP/misp-modules.git +cd misp-modules +$SUDO_WWW /usr/bin/scl enable rh-python36 "virtualenv -p python3 /var/www/MISP/venv" +$SUDO_WWW /var/www/MISP/venv/bin/pip install -U -I -r REQUIREMENTS +$SUDO_WWW /var/www/MISP/venv/bin/pip install -U . +~~~~ + +Create the service file /etc/systemd/system/misp-modules.service : + +~~~~bash +echo "[Unit] +Description=MISP's modules +After=misp-workers.service + +[Service] +Type=simple +User=apache +Group=apache +ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/var/www/MISP/venv/bin/misp-modules –l 127.0.0.1 –s' +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target" | sudo tee /etc/systemd/system/misp-modules.service +~~~~ + +The After=misp-workers.service must be changed or removed if you have not created a misp-workers service. Then, enable the misp-modules service and start it: + +~~~~bash +systemctl daemon-reload +systemctl enable --now misp-modules +~~~~ + +## How to use an MISP modules Docker container + +### Docker build + +~~~~bash +docker build -t misp-modules \ + --build-arg BUILD_DATE=$(date -u +"%Y-%m-%d") \ + docker/ +~~~~ + +### Docker run + +~~~~bash +# Start Redis +docker run --rm -d --name=misp-redis redis:alpine +# Start MISP-modules +docker run \ + --rm -d --name=misp-modules \ + -e REDIS_BACKEND=misp-redis \ + -e REDIS_PORT="6379" \ + -e REDIS_PW="" \ + -e REDIS_DATABASE="245" \ + -e MISP_MODULES_DEBUG="false" \ + dcso/misp-dockerized-misp-modules +~~~~ + +### Docker-compose + +~~~~yml +services: + misp-modules: + # https://hub.docker.com/r/dcso/misp-dockerized-misp-modules + image: dcso/misp-dockerized-misp-modules:3 + + # Local image: + #image: misp-modules + #build: + # context: docker/ + + environment: + # Redis + REDIS_BACKEND: misp-redis + REDIS_PORT: "6379" + REDIS_DATABASE: "245" + # System PROXY (OPTIONAL) + http_proxy: + https_proxy: + no_proxy: 0.0.0.0 + # Timezone (OPTIONAL) + TZ: Europe/Berlin + # MISP-Modules (OPTIONAL) + MISP_MODULES_DEBUG: "false" + # Logging options (OPTIONAL) + LOG_SYSLOG_ENABLED: "no" + misp-redis: + # https://hub.docker.com/_/redis or alternative https://hub.docker.com/r/dcso/misp-dockerized-redis/ + image: redis:alpine +~~~~ + +## Install misp-module on an offline instance. +First, you need to grab all necessary packages for example like this : + +Use pip wheel to create an archive +~~~ +mkdir misp-modules-offline +pip3 wheel -r REQUIREMENTS shodan --wheel-dir=./misp-modules-offline +tar -cjvf misp-module-bundeled.tar.bz2 ./misp-modules-offline/* +~~~ +On offline machine : +~~~ +mkdir misp-modules-bundle +tar xvf misp-module-bundeled.tar.bz2 -C misp-modules-bundle +cd misp-modules-bundle +ls -1|while read line; do sudo pip3 install --force-reinstall --ignore-installed --upgrade --no-index --no-deps ${line};done +~~~ +Next you can follow standard install procedure. diff --git a/documentation/mkdocs/license.md b/documentation/mkdocs/license.md new file mode 100644 index 0000000..dbbe355 --- /dev/null +++ b/documentation/mkdocs/license.md @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/doc/expansion/apiosintds.json b/documentation/website/expansion/apiosintds.json similarity index 76% rename from doc/expansion/apiosintds.json rename to documentation/website/expansion/apiosintds.json index 81a1eec..8bdaf39 100644 --- a/doc/expansion/apiosintds.json +++ b/documentation/website/expansion/apiosintds.json @@ -1,8 +1,12 @@ { "description": "On demand query API for OSINT.digitalside.it project.", - "requirements": ["The apiosintDS python library to query the OSINT.digitalside.it API."], + "requirements": [ + "The apiosintDS python library to query the OSINT.digitalside.it API." + ], "input": "A domain, ip, url or hash attribute.", "output": "Hashes and urls resulting from the query to OSINT.digitalside.it", - "references": ["https://osint.digitalside.it/#About"], + "references": [ + "https://osint.digitalside.it/#About" + ], "features": "The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute.\n\nThe result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.\n\nFurthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it" -} +} \ No newline at end of file diff --git a/doc/expansion/apivoid.json b/documentation/website/expansion/apivoid.json similarity index 72% rename from doc/expansion/apivoid.json rename to documentation/website/expansion/apivoid.json index 2173d5b..5962f57 100644 --- a/doc/expansion/apivoid.json +++ b/documentation/website/expansion/apivoid.json @@ -1,9 +1,13 @@ { "description": "Module to query APIVoid with some domain attributes.", - "logo": "logos/apivoid.png", - "requirements": ["A valid APIVoid API key with enough credits to proceed 2 queries"], + "logo": "apivoid.png", + "requirements": [ + "A valid APIVoid API key with enough credits to proceed 2 queries" + ], "input": "A domain attribute.", "output": "DNS records and SSL certificates related to the domain.", "features": "This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.\n\nTo make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.", - "references": ["https://www.apivoid.com/"] -} + "references": [ + "https://www.apivoid.com/" + ] +} \ No newline at end of file diff --git a/doc/expansion/assemblyline_query.json b/documentation/website/expansion/assemblyline_query.json similarity index 78% rename from doc/expansion/assemblyline_query.json rename to documentation/website/expansion/assemblyline_query.json index 700bde0..4d54176 100644 --- a/doc/expansion/assemblyline_query.json +++ b/documentation/website/expansion/assemblyline_query.json @@ -1,9 +1,13 @@ { "description": "A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.", - "logo": "logos/assemblyline.png", - "requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."], + "logo": "assemblyline.png", + "requirements": [ + "assemblyline_client: Python library to query the AssemblyLine rest API." + ], "input": "Link of an AssemblyLine submission report.", "output": "MISP attributes & objects parsed from the AssemblyLine submission.", - "references": ["https://www.cyber.cg.ca/en/assemblyline"], + "references": [ + "https://www.cyber.cg.ca/en/assemblyline" + ], "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future." -} +} \ No newline at end of file diff --git a/doc/expansion/assemblyline_submit.json b/documentation/website/expansion/assemblyline_submit.json similarity index 72% rename from doc/expansion/assemblyline_submit.json rename to documentation/website/expansion/assemblyline_submit.json index 9fe9af6..8f147ca 100644 --- a/doc/expansion/assemblyline_submit.json +++ b/documentation/website/expansion/assemblyline_submit.json @@ -1,9 +1,13 @@ { "description": "A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.", - "logo": "logos/assemblyline.png", - "requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."], + "logo": "assemblyline.png", + "requirements": [ + "assemblyline_client: Python library to query the AssemblyLine rest API." + ], "input": "Sample, or url to submit to AssemblyLine.", "output": "Link of the report generated in AssemblyLine.", - "references": ["https://www.cyber.gc.ca/en/assemblyline"], + "references": [ + "https://www.cyber.gc.ca/en/assemblyline" + ], "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission." -} +} \ No newline at end of file diff --git a/doc/expansion/backscatter_io.json b/documentation/website/expansion/backscatter_io.json similarity index 66% rename from doc/expansion/backscatter_io.json rename to documentation/website/expansion/backscatter_io.json index a8475c5..146e41c 100644 --- a/doc/expansion/backscatter_io.json +++ b/documentation/website/expansion/backscatter_io.json @@ -1,9 +1,13 @@ { "description": "Query backscatter.io (https://backscatter.io/).", - "requirements": ["backscatter python library"], - "features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.\n\n", - "logo": "logos/backscatter_io.png", - "references": ["https://pypi.org/project/backscatter/"], + "requirements": [ + "backscatter python library" + ], + "features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.", + "logo": "backscatter_io.png", + "references": [ + "https://pypi.org/project/backscatter/" + ], "input": "IP addresses.", "output": "Text containing a history of the IP addresses especially on scanning based on backscatter.io information ." } diff --git a/documentation/website/expansion/bgpranking.json b/documentation/website/expansion/bgpranking.json new file mode 100644 index 0000000..5b0383e --- /dev/null +++ b/documentation/website/expansion/bgpranking.json @@ -0,0 +1,12 @@ +{ + "description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).", + "requirements": [ + "pybgpranking python library" + ], + "features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.", + "references": [ + "https://github.com/D4-project/BGP-Ranking/" + ], + "input": "Autonomous system number.", + "output": "An asn object with its related bgp-ranking object." +} diff --git a/doc/expansion/btc_scam_check.json b/documentation/website/expansion/btc_scam_check.json similarity index 57% rename from doc/expansion/btc_scam_check.json rename to documentation/website/expansion/btc_scam_check.json index 44fce03..01fe8ff 100644 --- a/doc/expansion/btc_scam_check.json +++ b/documentation/website/expansion/btc_scam_check.json @@ -1,9 +1,13 @@ { "description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.", - "requirements": ["dnspython3: dns python library"], + "requirements": [ + "dnspython3: dns python library" + ], "features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.", - "logo": "logos/bitcoin.png", + "logo": "bitcoin.png", "input": "btc address attribute.", - "output" : "Text to indicate if the BTC address has been abused.", - "references": ["https://btcblack.it/"] -} + "output": "Text to indicate if the BTC address has been abused.", + "references": [ + "https://btcblack.it/" + ] +} \ No newline at end of file diff --git a/doc/expansion/btc_steroids.json b/documentation/website/expansion/btc_steroids.json similarity index 88% rename from doc/expansion/btc_steroids.json rename to documentation/website/expansion/btc_steroids.json index fd264d8..b365d44 100644 --- a/doc/expansion/btc_steroids.json +++ b/documentation/website/expansion/btc_steroids.json @@ -1,6 +1,6 @@ { "description": "An expansion hover module to get a blockchain balance from a BTC address in MISP.", - "logo": "logos/bitcoin.png", + "logo": "bitcoin.png", "input": "btc address attribute.", "output": "Text to describe the blockchain balance and the transactions related to the btc address in input." -} +} \ No newline at end of file diff --git a/doc/expansion/censys_enrich.json b/documentation/website/expansion/censys_enrich.json similarity index 76% rename from doc/expansion/censys_enrich.json rename to documentation/website/expansion/censys_enrich.json index 83e6d5f..9f3a6f0 100644 --- a/doc/expansion/censys_enrich.json +++ b/documentation/website/expansion/censys_enrich.json @@ -1,8 +1,12 @@ { "description": "An expansion module to enrich attributes in MISP by quering the censys.io API", - "requirements": ["API credentials to censys.io"], + "requirements": [ + "API credentials to censys.io" + ], "input": "IP, domain or certificate fingerprint (md5, sha1 or sha256)", "output": "MISP objects retrieved from censys, including open ports, ASN, Location of the IP, x509 details", - "references": ["https://www.censys.io"], + "references": [ + "https://www.censys.io" + ], "features": "This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API." -} +} \ No newline at end of file diff --git a/doc/expansion/circl_passivedns.json b/documentation/website/expansion/circl_passivedns.json similarity index 61% rename from doc/expansion/circl_passivedns.json rename to documentation/website/expansion/circl_passivedns.json index 024437c..b50136b 100644 --- a/doc/expansion/circl_passivedns.json +++ b/documentation/website/expansion/circl_passivedns.json @@ -1,9 +1,15 @@ { "description": "Module to access CIRCL Passive DNS.", - "logo": "logos/passivedns.png", - "requirements": ["pypdns: Passive DNS python library", "A CIRCL passive DNS account with username & password"], + "logo": "passivedns.png", + "requirements": [ + "pypdns: Passive DNS python library", + "A CIRCL passive DNS account with username & password" + ], "input": "Hostname, domain, or ip-address attribute.", "ouput": "Passive DNS objects related to the input attribute.", "features": "This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.\n\nTo make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.", - "references": ["https://www.circl.lu/services/passive-dns/", "https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/"] -} + "references": [ + "https://www.circl.lu/services/passive-dns/", + "https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/" + ] +} \ No newline at end of file diff --git a/doc/expansion/circl_passivessl.json b/documentation/website/expansion/circl_passivessl.json similarity index 66% rename from doc/expansion/circl_passivessl.json rename to documentation/website/expansion/circl_passivessl.json index f9792e1..4010297 100644 --- a/doc/expansion/circl_passivessl.json +++ b/documentation/website/expansion/circl_passivessl.json @@ -1,9 +1,14 @@ { "description": "Modules to access CIRCL Passive SSL.", - "logo": "logos/passivessl.png", - "requirements": ["pypssl: Passive SSL python library", "A CIRCL passive SSL account with username & password"], + "logo": "passivessl.png", + "requirements": [ + "pypssl: Passive SSL python library", + "A CIRCL passive SSL account with username & password" + ], "input": "IP address attribute.", "output": "x509 certificate objects seen by the IP address(es).", "features": "This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.\n\nTo make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.", - "references": ["https://www.circl.lu/services/passive-ssl/"] -} + "references": [ + "https://www.circl.lu/services/passive-ssl/" + ] +} \ No newline at end of file diff --git a/doc/expansion/countrycode.json b/documentation/website/expansion/countrycode.json similarity index 99% rename from doc/expansion/countrycode.json rename to documentation/website/expansion/countrycode.json index c6214e5..110bdf7 100644 --- a/doc/expansion/countrycode.json +++ b/documentation/website/expansion/countrycode.json @@ -3,4 +3,4 @@ "input": "Hostname or domain attribute.", "output": "Text with the country code the input belongs to.", "features": "The module takes a domain or a hostname as input, and returns the country it belongs to.\n\nFor non country domains, a list of the most common possible extensions is used." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/cpe.json b/documentation/website/expansion/cpe.json new file mode 100644 index 0000000..0160d1c --- /dev/null +++ b/documentation/website/expansion/cpe.json @@ -0,0 +1,10 @@ +{ + "description": "An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.", + "logo": "cve.png", + "input": "CPE attribute.", + "output": "The vulnerabilities related to the CPE.", + "references": [ + "https://cve.circl.lu/api/" + ], + "features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one." +} \ No newline at end of file diff --git a/doc/expansion/crowdstrike_falcon.json b/documentation/website/expansion/crowdstrike_falcon.json similarity index 83% rename from doc/expansion/crowdstrike_falcon.json rename to documentation/website/expansion/crowdstrike_falcon.json index 07e9dbd..a2408b9 100644 --- a/doc/expansion/crowdstrike_falcon.json +++ b/documentation/website/expansion/crowdstrike_falcon.json @@ -1,9 +1,13 @@ { "description": "Module to query Crowdstrike Falcon.", - "logo": "logos/crowdstrike.png", - "requirements": ["A CrowdStrike API access (API id & key)"], + "logo": "crowdstrike.png", + "requirements": [ + "A CrowdStrike API access (API id & key)" + ], "input": "A MISP attribute included in the following list:\n- domain\n- email-attachment\n- email-dst\n- email-reply-to\n- email-src\n- email-subject\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- mutex\n- regkey\n- sha1\n- sha256\n- uri\n- url\n- user-agent\n- whois-registrant-email\n- x509-fingerprint-md5", "output": "MISP attributes mapped after the CrowdStrike API has been queried, included in the following list:\n- hostname\n- email-src\n- email-subject\n- filename\n- md5\n- sha1\n- sha256\n- ip-dst\n- ip-dst\n- mutex\n- regkey\n- url\n- user-agent\n- x509-fingerprint-md5", - "references": ["https://www.crowdstrike.com/products/crowdstrike-falcon-faq/"], + "references": [ + "https://www.crowdstrike.com/products/crowdstrike-falcon-faq/" + ], "features": "This module takes a MISP attribute as input to query a CrowdStrike Falcon API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported." -} +} \ No newline at end of file diff --git a/doc/expansion/cuckoo_submit.json b/documentation/website/expansion/cuckoo_submit.json similarity index 62% rename from doc/expansion/cuckoo_submit.json rename to documentation/website/expansion/cuckoo_submit.json index 7fe8067..5c23218 100644 --- a/doc/expansion/cuckoo_submit.json +++ b/documentation/website/expansion/cuckoo_submit.json @@ -1,9 +1,14 @@ { "description": "An expansion module to submit files and URLs to Cuckoo Sandbox.", - "logo": "logos/cuckoo.png", - "requirements": ["Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)"], + "logo": "cuckoo.png", + "requirements": [ + "Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)" + ], "input": "A malware-sample or attachment for files. A url or domain for URLs.", "output": "A text field containing 'Cuckoo task id: '", - "references": ["https://cuckoosandbox.org/", "https://cuckoo.sh/docs/"], + "references": [ + "https://cuckoosandbox.org/", + "https://cuckoo.sh/docs/" + ], "features": "The module takes a malware-sample, attachment, url or domain and submits it to Cuckoo Sandbox.\n The returned task id can be used to retrieve results when the analysis completed." -} +} \ No newline at end of file diff --git a/doc/expansion/cve.json b/documentation/website/expansion/cve.json similarity index 77% rename from doc/expansion/cve.json rename to documentation/website/expansion/cve.json index 04f131f..04f5733 100644 --- a/doc/expansion/cve.json +++ b/documentation/website/expansion/cve.json @@ -1,8 +1,11 @@ { "description": "An expansion hover module to expand information about CVE id.", - "logo": "logos/cve.png", + "logo": "cve.png", "input": "Vulnerability attribute.", "output": "Text giving information about the CVE related to the Vulnerability.", - "references": ["https://cve.circl.lu/", "https://cve.mitre.org/"], + "references": [ + "https://cve.circl.lu/", + "https://cve.mitre.org/" + ], "features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/cve_advanced.json b/documentation/website/expansion/cve_advanced.json new file mode 100644 index 0000000..364fb32 --- /dev/null +++ b/documentation/website/expansion/cve_advanced.json @@ -0,0 +1,11 @@ +{ + "description": "An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).", + "logo": "cve.png", + "input": "Vulnerability attribute.", + "output": "Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.", + "references": [ + "https://cve.circl.lu", + "https://cve/mitre.org/" + ], + "features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects." +} \ No newline at end of file diff --git a/doc/expansion/cytomic_orion.json b/documentation/website/expansion/cytomic_orion.json similarity index 62% rename from doc/expansion/cytomic_orion.json rename to documentation/website/expansion/cytomic_orion.json index 6f87657..8623670 100644 --- a/doc/expansion/cytomic_orion.json +++ b/documentation/website/expansion/cytomic_orion.json @@ -1,9 +1,14 @@ { "description": "An expansion module to enrich attributes in MISP by quering the Cytomic Orion API", - "logo": "logos/cytomic_orion.png", - "requirements": ["Access (license) to Cytomic Orion"], + "logo": "cytomic_orion.png", + "requirements": [ + "Access (license) to Cytomic Orion" + ], "input": "MD5, hash of the sample / malware to search for.", "output": "MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines.", - "references": ["https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/", "https://www.cytomicmodel.com/solutions/"], + "references": [ + "https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/", + "https://www.cytomicmodel.com/solutions/" + ], "features": "This module takes an MD5 hash and searches for occurrences of this hash in the Cytomic Orion database. Returns observed files and machines." -} +} \ No newline at end of file diff --git a/doc/expansion/dbl_spamhaus.json b/documentation/website/expansion/dbl_spamhaus.json similarity index 76% rename from doc/expansion/dbl_spamhaus.json rename to documentation/website/expansion/dbl_spamhaus.json index ea73dcb..6a33c8e 100644 --- a/doc/expansion/dbl_spamhaus.json +++ b/documentation/website/expansion/dbl_spamhaus.json @@ -1,9 +1,13 @@ { "description": "Module to check Spamhaus DBL for a domain name.", - "logo": "logos/spamhaus.jpg", - "requirements": ["dnspython3: DNS python3 library"], + "logo": "spamhaus.jpg", + "requirements": [ + "dnspython3: DNS python3 library" + ], "input": "Domain or hostname attribute.", "output": "Information about the nature of the input.", - "references": ["https://www.spamhaus.org/faq/section/Spamhaus%20DBL"], + "references": [ + "https://www.spamhaus.org/faq/section/Spamhaus%20DBL" + ], "features": "This modules takes a domain or a hostname in input and queries the Domain Block List provided by Spamhaus to determine what kind of domain it is.\n\nDBL then returns a response code corresponding to a certain classification of the domain we display. If the queried domain is not in the list, it is also mentionned.\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well." -} +} \ No newline at end of file diff --git a/doc/expansion/dns.json b/documentation/website/expansion/dns.json similarity index 90% rename from doc/expansion/dns.json rename to documentation/website/expansion/dns.json index dc43b64..a0fb4dd 100644 --- a/doc/expansion/dns.json +++ b/documentation/website/expansion/dns.json @@ -1,7 +1,9 @@ { "description": "A simple DNS expansion service to resolve IP address from domain MISP attributes.", - "requirements": ["dnspython3: DNS python3 library"], + "requirements": [ + "dnspython3: DNS python3 library" + ], "input": "Domain or hostname attribute.", "output": "IP address resolving the input.", "features": "The module takes a domain of hostname attribute as input, and tries to resolve it. If no error is encountered, the IP address that resolves the domain is returned, otherwise the origin of the error is displayed.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing domain or hostname are supported as well." -} +} \ No newline at end of file diff --git a/doc/expansion/docx-enrich.json b/documentation/website/expansion/docx_enrich.json similarity index 82% rename from doc/expansion/docx-enrich.json rename to documentation/website/expansion/docx_enrich.json index fccba57..55bd955 100644 --- a/doc/expansion/docx-enrich.json +++ b/documentation/website/expansion/docx_enrich.json @@ -1,9 +1,11 @@ { "description": "Module to extract freetext from a .docx document.", - "logo": "logos/docx.png", - "requirements": ["docx python library"], + "logo": "docx.png", + "requirements": [ + "docx python library" + ], "input": "Attachment attribute containing a .docx document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a .docx document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/doc/expansion/domaintools.json b/documentation/website/expansion/domaintools.json similarity index 80% rename from doc/expansion/domaintools.json rename to documentation/website/expansion/domaintools.json index 849028c..99c916b 100644 --- a/doc/expansion/domaintools.json +++ b/documentation/website/expansion/domaintools.json @@ -1,9 +1,14 @@ { "description": "DomainTools MISP expansion module.", - "logo": "logos/domaintools.png", - "requirements": ["Domaintools python library", "A Domaintools API access (username & apikey)"], + "logo": "domaintools.png", + "requirements": [ + "Domaintools python library", + "A Domaintools API access (username & apikey)" + ], "input": "A MISP attribute included in the following list:\n- domain\n- hostname\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- whois-registrant-phone\n- ip-src\n- ip-dst", "output": "MISP attributes mapped after the Domaintools API has been queried, included in the following list:\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- text\n- domain", - "references": ["https://www.domaintools.com/"], + "references": [ + "https://www.domaintools.com/" + ], "features": "This module takes a MISP attribute as input to query the Domaintools API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes.\n\nPlease note that composite attributes composed by at least one of the input types mentionned below (domains, IPs, hostnames) are also supported." -} +} \ No newline at end of file diff --git a/doc/expansion/eql.json b/documentation/website/expansion/eql.json similarity index 77% rename from doc/expansion/eql.json rename to documentation/website/expansion/eql.json index 1a32adf..4af9df4 100644 --- a/doc/expansion/eql.json +++ b/documentation/website/expansion/eql.json @@ -1,9 +1,11 @@ { "description": "EQL query generation for a MISP attribute.", - "logo": "logos/eql.png", + "logo": "eql.png", "requirements": [], "input": "A filename or ip attribute.", "output": "Attribute containing EQL for a network or file attribute.", - "references": ["https://eql.readthedocs.io/en/latest/"], + "references": [ + "https://eql.readthedocs.io/en/latest/" + ], "features": "This module adds a new attribute to a MISP event containing an EQL query for a network or file attribute." -} +} \ No newline at end of file diff --git a/doc/expansion/eupi.json b/documentation/website/expansion/eupi.json similarity index 71% rename from doc/expansion/eupi.json rename to documentation/website/expansion/eupi.json index 02a16fb..07eb59e 100644 --- a/doc/expansion/eupi.json +++ b/documentation/website/expansion/eupi.json @@ -1,9 +1,14 @@ { "description": "A module to query the Phishing Initiative service (https://phishing-initiative.lu).", - "logo": "logos/eupi.png", - "requirements": ["pyeupi: eupi python library", "An access to the Phishing Initiative API (apikey & url)"], + "logo": "eupi.png", + "requirements": [ + "pyeupi: eupi python library", + "An access to the Phishing Initiative API (apikey & url)" + ], "input": "A domain, hostname or url MISP attribute.", "output": "Text containing information about the input, resulting from the query on Phishing Initiative.", - "references": ["https://phishing-initiative.eu/?lang=en"], + "references": [ + "https://phishing-initiative.eu/?lang=en" + ], "features": "This module takes a domain, hostname or url MISP attribute as input to query the Phishing Initiative API. The API returns then the result of the query with some information about the value queried.\n\nPlease note that composite attributes containing domain or hostname are also supported." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/farsight_passivedns.json b/documentation/website/expansion/farsight_passivedns.json new file mode 100644 index 0000000..93183ce --- /dev/null +++ b/documentation/website/expansion/farsight_passivedns.json @@ -0,0 +1,14 @@ +{ + "description": "Module to access Farsight DNSDB Passive DNS.", + "logo": "farsight.png", + "requirements": [ + "An access to the Farsight Passive DNS API (apikey)" + ], + "input": "A domain, hostname or IP address MISP attribute.", + "output": "Passive-dns objects, resulting from the query on the Farsight Passive DNS API.", + "references": [ + "https://www.farsightsecurity.com/", + "https://docs.dnsdb.info/dnsdb-api/" + ], + "features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API.\n The results of rdata and rrset lookups are then returned and parsed into passive-dns objects.\n\nAn API key is required to submit queries to the API.\n It is also possible to define a custom server URL, and to set a limit of results to get.\n This limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit)." +} diff --git a/documentation/website/expansion/geoip_asn.json b/documentation/website/expansion/geoip_asn.json new file mode 100644 index 0000000..9a7b1dd --- /dev/null +++ b/documentation/website/expansion/geoip_asn.json @@ -0,0 +1,13 @@ +{ + "descrption": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.", + "logo": "maxmind.png", + "requirements": [ + "A local copy of Maxmind's Geolite database" + ], + "input": "An IP address MISP attribute.", + "output": "Text containing information about the AS number of the IP address.", + "references": [ + "https://www.maxmind.com/en/home" + ], + "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number." +} \ No newline at end of file diff --git a/documentation/website/expansion/geoip_city.json b/documentation/website/expansion/geoip_city.json new file mode 100644 index 0000000..24d286b --- /dev/null +++ b/documentation/website/expansion/geoip_city.json @@ -0,0 +1,13 @@ +{ + "description": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.", + "logo": "maxmind.png", + "requirements": [ + "A local copy of Maxmind's Geolite database" + ], + "input": "An IP address MISP attribute.", + "output": "Text containing information about the city where the IP address is located.", + "references": [ + "https://www.maxmind.com/en/home" + ], + "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located." +} \ No newline at end of file diff --git a/doc/expansion/geoip_country.json b/documentation/website/expansion/geoip_country.json similarity index 72% rename from doc/expansion/geoip_country.json rename to documentation/website/expansion/geoip_country.json index 9db49a2..ec84282 100644 --- a/doc/expansion/geoip_country.json +++ b/documentation/website/expansion/geoip_country.json @@ -1,9 +1,13 @@ { "description": "Module to query a local copy of Maxmind's Geolite database.", - "logo": "logos/maxmind.png", - "requirements": ["A local copy of Maxmind's Geolite database"], + "logo": "maxmind.png", + "requirements": [ + "A local copy of Maxmind's Geolite database" + ], "input": "An IP address MISP Attribute.", "output": "Text containing information about the location of the IP address.", - "references": ["https://www.maxmind.com/en/home"], + "references": [ + "https://www.maxmind.com/en/home" + ], "features": "This module takes an IP address MISP attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the location of this IP address.\n\nPlease note that composite attributes domain|ip are also supported." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/google_search.json b/documentation/website/expansion/google_search.json new file mode 100644 index 0000000..8772d21 --- /dev/null +++ b/documentation/website/expansion/google_search.json @@ -0,0 +1,13 @@ +{ + "descrption": "A hover module to get information about an url using a Google search.", + "logo": "google.png", + "requirements": [ + "The python Google Search API library" + ], + "input": "An url attribute.", + "output": "Text containing the result of a Google search on the input url.", + "references": [ + "https://github.com/abenassi/Google-Search-API" + ], + "features": "The module takes an url as input to query the Google search API. The result of the query is then return as raw text." +} \ No newline at end of file diff --git a/documentation/website/expansion/greynoise.json b/documentation/website/expansion/greynoise.json new file mode 100644 index 0000000..4988537 --- /dev/null +++ b/documentation/website/expansion/greynoise.json @@ -0,0 +1,15 @@ +{ + "description": "Module to query IP and CVE information from GreyNoise", + "logo": "greynoise.png", + "requirements": [ + "A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups." + ], + "input": "An IP address or CVE ID", + "output": "IP Lookup information or CVE scanning profile for past 7 days", + "references": [ + "https://greynoise.io/", + "https://docs.greyniose.io/", + "https://www.greynoise.io/viz/account/" + ], + "features": "This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days." +} \ No newline at end of file diff --git a/doc/expansion/hashdd.json b/documentation/website/expansion/hashdd.json similarity index 86% rename from doc/expansion/hashdd.json rename to documentation/website/expansion/hashdd.json index d963820..2edc1d1 100644 --- a/doc/expansion/hashdd.json +++ b/documentation/website/expansion/hashdd.json @@ -2,6 +2,8 @@ "description": "A hover module to check hashes against hashdd.com including NSLR dataset.", "input": "A hash MISP attribute (md5).", "output": "Text describing the known level of the hash in the hashdd databases.", - "references": ["https://hashdd.com/"], + "references": [ + "https://hashdd.com/" + ], "features": "This module takes a hash attribute as input to check its known level, using the hashdd API. This information is then displayed." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/hashlookup.json b/documentation/website/expansion/hashlookup.json new file mode 100644 index 0000000..713be83 --- /dev/null +++ b/documentation/website/expansion/hashlookup.json @@ -0,0 +1,10 @@ +{ + "description": "An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.", + "logo": "circl.png", + "input": "File hashes (MD5, SHA1)", + "output": "Object with the filename associated hashes if the hash is part of a known set.", + "references": [ + "https://www.circl.lu/services/hashlookup/" + ], + "features": "The module takes file hashes as input such as a MD5 or SHA1.\n It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.\n The module can be used an hover module but also an expansion model to add related MISP objects.\n" +} diff --git a/doc/expansion/hibp.json b/documentation/website/expansion/hibp.json similarity index 83% rename from doc/expansion/hibp.json rename to documentation/website/expansion/hibp.json index 3c3ee54..a2b7b09 100644 --- a/doc/expansion/hibp.json +++ b/documentation/website/expansion/hibp.json @@ -1,9 +1,11 @@ { "description": "Module to access haveibeenpwned.com API.", - "logo": "logos/hibp.png", + "logo": "hibp.png", "requirements": [], "input": "An email address", "output": "Additional information about the email address.", - "references": ["https://haveibeenpwned.com/"], + "references": [ + "https://haveibeenpwned.com/" + ], "features": "The module takes an email address as input and queries haveibeenpwned.com API to find additional information about it. This additional information actually tells if any account using the email address has already been compromised in a data breach." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/html_to_markdown.json b/documentation/website/expansion/html_to_markdown.json new file mode 100644 index 0000000..0864431 --- /dev/null +++ b/documentation/website/expansion/html_to_markdown.json @@ -0,0 +1,9 @@ +{ + "description": "Expansion module to fetch the html content from an url and convert it into markdown.", + "input": "URL attribute.", + "output": "Markdown content converted from the HTML fetched from the url.", + "requirements": [ + "The markdownify python library" + ], + "features": "The module take an URL as input and the HTML content is fetched from it. This content is then converted into markdown that is returned as text." +} \ No newline at end of file diff --git a/documentation/website/expansion/hyasinsight.json b/documentation/website/expansion/hyasinsight.json new file mode 100644 index 0000000..2762a08 --- /dev/null +++ b/documentation/website/expansion/hyasinsight.json @@ -0,0 +1,13 @@ +{ + "description": "HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.", + "logo": "hyas.png", + "requirements": [ + "A HYAS Insight API Key." + ], + "input": "A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)", + "output": "Hyas Insight objects, resulting from the query on the HYAS Insight API.", + "references": [ + "https://www.hyas.com/hyas-insight/" + ], + "features": "This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.\n The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. \n\nAn API key is required to submit queries to the HYAS Insight API.\n" +} diff --git a/documentation/website/expansion/intel471.json b/documentation/website/expansion/intel471.json new file mode 100644 index 0000000..8935276 --- /dev/null +++ b/documentation/website/expansion/intel471.json @@ -0,0 +1,13 @@ +{ + "descrption": "An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.", + "logo": "intel471.png", + "requirements": [ + "The intel471 python library" + ], + "input": "A MISP attribute whose type is included in the following list:\n- hostname\n- domain\n- url\n- ip-src\n- ip-dst\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- md5\n- sha1\n- sha256", + "output": "Freetext", + "references": [ + "https://public.intel471.com/" + ], + "features": "The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it." +} \ No newline at end of file diff --git a/doc/expansion/intelmq_eventdb.json b/documentation/website/expansion/intelmq_eventdb.json similarity index 57% rename from doc/expansion/intelmq_eventdb.json rename to documentation/website/expansion/intelmq_eventdb.json index bc48414..ce2b12a 100644 --- a/doc/expansion/intelmq_eventdb.json +++ b/documentation/website/expansion/intelmq_eventdb.json @@ -1,9 +1,15 @@ { "description": "Module to access intelmqs eventdb.", - "logo": "logos/intelmq.png", - "requirements": ["psycopg2: Python library to support PostgreSQL", "An access to the IntelMQ database (username, password, hostname and database reference)"], + "logo": "intelmq.png", + "requirements": [ + "psycopg2: Python library to support PostgreSQL", + "An access to the IntelMQ database (username, password, hostname and database reference)" + ], "input": "A hostname, domain, IP address or AS attribute.", "output": "Text giving information about the input using IntelMQ database.", - "references": ["https://github.com/certtools/intelmq", "https://intelmq.readthedocs.io/en/latest/Developers-Guide/"], + "references": [ + "https://github.com/certtools/intelmq", + "https://intelmq.readthedocs.io/en/latest/Developers-Guide/" + ], "features": "/!\\ EXPERIMENTAL MODULE, some features may not work /!\\\n\nThis module takes a domain, hostname, IP address or Autonomous system MISP attribute as input to query the IntelMQ database. The result of the query gives then additional information about the input." -} +} \ No newline at end of file diff --git a/doc/expansion/ipasn.json b/documentation/website/expansion/ipasn.json similarity index 70% rename from doc/expansion/ipasn.json rename to documentation/website/expansion/ipasn.json index 8caed92..5f30608 100644 --- a/doc/expansion/ipasn.json +++ b/documentation/website/expansion/ipasn.json @@ -1,8 +1,12 @@ { "description": "Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).", - "requirements": ["pyipasnhistory: Python library to access IPASN-history instance"], + "requirements": [ + "pyipasnhistory: Python library to access IPASN-history instance" + ], "input": "An IP address MISP attribute.", "output": "Asn object(s) objects related to the IP address used as input.", - "references": ["https://github.com/D4-project/IPASN-History"], + "references": [ + "https://github.com/D4-project/IPASN-History" + ], "features": "This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json b/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json new file mode 100644 index 0000000..d0d4665 --- /dev/null +++ b/documentation/website/expansion/ipqs_fraud_and_risk_scoring.json @@ -0,0 +1,13 @@ +{ + "description": "IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.", + "logo": "ipqualityscore.png", + "requirements": [ + "A IPQualityScore API Key." + ], + "input": "A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).", + "output": "IPQualityScore object, resulting from the query on the IPQualityScore API.", + "references": [ + "https://www.ipqualityscore.com/" + ], + "features": "This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.\n The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object. \n The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore." +} diff --git a/doc/expansion/iprep.json b/documentation/website/expansion/iprep.json similarity index 71% rename from doc/expansion/iprep.json rename to documentation/website/expansion/iprep.json index 95250e0..2e27304 100644 --- a/doc/expansion/iprep.json +++ b/documentation/website/expansion/iprep.json @@ -1,8 +1,12 @@ { "description": "Module to query IPRep data for IP addresses.", - "requirements": ["An access to the packetmail API (apikey)"], + "requirements": [ + "An access to the packetmail API (apikey)" + ], "input": "An IP address MISP attribute.", "output": "Text describing additional information about the input after a query on the IPRep API.", - "references": ["https://github.com/mahesh557/packetmail"], + "references": [ + "https://github.com/mahesh557/packetmail" + ], "features": "This module takes an IP address attribute as input and queries the database from packetmail.net to get some information about the reputation of the IP." -} +} \ No newline at end of file diff --git a/doc/expansion/joesandbox_query.json b/documentation/website/expansion/joesandbox_query.json similarity index 84% rename from doc/expansion/joesandbox_query.json rename to documentation/website/expansion/joesandbox_query.json index 1a94edb..12f2853 100644 --- a/doc/expansion/joesandbox_query.json +++ b/documentation/website/expansion/joesandbox_query.json @@ -1,9 +1,14 @@ { "description": "Query Joe Sandbox API with a submission url to get the json report and extract its data that is parsed and converted into MISP attributes and objects.\n\nThis url can by the way come from the result of the [joesandbox_submit expansion module](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py).", - "logo": "logos/joesandbox.png", - "requirements": ["jbxapi: Joe Sandbox API python3 library"], + "logo": "joesandbox.png", + "requirements": [ + "jbxapi: Joe Sandbox API python3 library" + ], "input": "Link of a Joe Sandbox sample or url submission.", "output": "MISP attributes & objects parsed from the analysis report.", - "references": ["https://www.joesecurity.org", "https://www.joesandbox.com/"], + "references": [ + "https://www.joesecurity.org", + "https://www.joesandbox.com/" + ], "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the import module [joe_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py) taking directly the json report as input.\n\nEven if the introspection will allow all kinds of links to call this module, obviously only the ones presenting a sample or url submission in the Joe Sandbox API will return results.\n\nTo make it work you will need to fill the 'apikey' configuration with your Joe Sandbox API key and provide a valid link as input." -} +} \ No newline at end of file diff --git a/doc/expansion/joesandbox_submit.json b/documentation/website/expansion/joesandbox_submit.json similarity index 77% rename from doc/expansion/joesandbox_submit.json rename to documentation/website/expansion/joesandbox_submit.json index ad59239..0ac454f 100644 --- a/doc/expansion/joesandbox_submit.json +++ b/documentation/website/expansion/joesandbox_submit.json @@ -1,9 +1,14 @@ { "description": "A module to submit files or URLs to Joe Sandbox for an advanced analysis, and return the link of the submission.", - "logo": "logos/joesandbox.png", - "requirements": ["jbxapi: Joe Sandbox API python3 library"], + "logo": "joesandbox.png", + "requirements": [ + "jbxapi: Joe Sandbox API python3 library" + ], "input": "Sample, url (or domain) to submit to Joe Sandbox for an advanced analysis.", "output": "Link of the report generated in Joe Sandbox.", - "references": ["https://www.joesecurity.org", "https://www.joesandbox.com/"], + "references": [ + "https://www.joesecurity.org", + "https://www.joesandbox.com/" + ], "features": "The module requires a Joe Sandbox API key to submit files or URL, and returns the link of the submitted analysis.\n\nIt is then possible, when the analysis is completed, to query the Joe Sandbox API to get the data related to the analysis, using the [joesandbox_query module](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) directly on this submission link." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/lastline_query.json b/documentation/website/expansion/lastline_query.json new file mode 100644 index 0000000..4b925b5 --- /dev/null +++ b/documentation/website/expansion/lastline_query.json @@ -0,0 +1,11 @@ +{ + "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nQuery Lastline with an analysis link and parse the report into MISP attributes and objects.\nThe analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module.", + "logo": "lastline.png", + "requirements": [], + "input": "Link to a Lastline analysis.", + "output": "MISP attributes and objects parsed from the analysis report.", + "references": [ + "https://www.lastline.com" + ], + "features": "The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) import module." +} \ No newline at end of file diff --git a/doc/expansion/lastline_submit.json b/documentation/website/expansion/lastline_submit.json similarity index 63% rename from doc/expansion/lastline_submit.json rename to documentation/website/expansion/lastline_submit.json index d053f55..3050481 100644 --- a/doc/expansion/lastline_submit.json +++ b/documentation/website/expansion/lastline_submit.json @@ -1,9 +1,11 @@ { - "description": "Module to submit a file or URL to Lastline.", - "logo": "logos/lastline.png", + "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to submit a file or URL to Lastline.", + "logo": "lastline.png", "requirements": [], "input": "File or URL to submit to Lastline.", "output": "Link to the report generated by Lastline.", - "references": ["https://www.lastline.com"], + "references": [ + "https://www.lastline.com" + ], "features": "The module requires a Lastline Analysis `api_token` and `key`.\nWhen the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) module." -} +} \ No newline at end of file diff --git a/doc/expansion/macaddress_io.json b/documentation/website/expansion/macaddress_io.json similarity index 60% rename from doc/expansion/macaddress_io.json rename to documentation/website/expansion/macaddress_io.json index 6bd2658..013564a 100644 --- a/doc/expansion/macaddress_io.json +++ b/documentation/website/expansion/macaddress_io.json @@ -1,9 +1,15 @@ { "description": "MISP hover module for macaddress.io", - "logo": "logos/macaddress_io.png", - "requirements": ["maclookup: macaddress.io python library", "An access to the macaddress.io API (apikey)"], + "logo": "macaddress_io.png", + "requirements": [ + "maclookup: macaddress.io python library", + "An access to the macaddress.io API (apikey)" + ], "input": "MAC address MISP attribute.", "output": "Text containing information on the MAC address fetched from a query on macaddress.io.", - "references": ["https://macaddress.io/", "https://github.com/CodeLineFi/maclookup-python"], + "references": [ + "https://macaddress.io/", + "https://github.com/CodeLineFi/maclookup-python" + ], "features": "This module takes a MAC address attribute as input and queries macaddress.io for additional information.\n\nThis information contains data about:\n- MAC address details\n- Vendor details\n- Block details" -} +} \ No newline at end of file diff --git a/doc/expansion/macvendors.json b/documentation/website/expansion/macvendors.json similarity index 73% rename from doc/expansion/macvendors.json rename to documentation/website/expansion/macvendors.json index cc10475..38c3588 100644 --- a/doc/expansion/macvendors.json +++ b/documentation/website/expansion/macvendors.json @@ -1,9 +1,12 @@ { "description": "Module to access Macvendors API.", - "logo": "logos/macvendors.png", + "logo": "macvendors.png", "requirements": [], "input": "A MAC address.", "output": "Additional information about the MAC address.", - "references": ["https://macvendors.com/", "https://macvendors.com/api"], + "references": [ + "https://macvendors.com/", + "https://macvendors.com/api" + ], "features": "The module takes a MAC address as input and queries macvendors.com for some information about it. The API returns the name of the vendor related to the address." -} +} \ No newline at end of file diff --git a/doc/expansion/malwarebazaar.json b/documentation/website/expansion/malwarebazaar.json similarity index 91% rename from doc/expansion/malwarebazaar.json rename to documentation/website/expansion/malwarebazaar.json index 2db6ad5..8c8228c 100644 --- a/doc/expansion/malwarebazaar.json +++ b/documentation/website/expansion/malwarebazaar.json @@ -3,6 +3,8 @@ "requirements": [], "input": "A hash attribute (md5, sha1 or sha256).", "output": "File object(s) related to the input attribute found on MALWAREbazaar databases.", - "references": ["https://bazaar.abuse.ch/"], + "references": [ + "https://bazaar.abuse.ch/" + ], "features": "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s)." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/mmdb_lookup.json b/documentation/website/expansion/mmdb_lookup.json new file mode 100644 index 0000000..ebfbf49 --- /dev/null +++ b/documentation/website/expansion/mmdb_lookup.json @@ -0,0 +1,11 @@ +{ + "description": "A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.", + "logo": "circl.png", + "input": "An IP address attribute (for example ip-src or ip-src|port).", + "output": "Geolocation and asn objects.", + "references": [ + "https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/", + "https://github.com/adulau/mmdb-server" + ], + "features": "The module takes an IP address related attribute as input.\n It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.\n It is also possible to filter results on 1 db_source by configuring db_source_filter." +} \ No newline at end of file diff --git a/documentation/website/expansion/mwdb.json b/documentation/website/expansion/mwdb.json new file mode 100644 index 0000000..456a160 --- /dev/null +++ b/documentation/website/expansion/mwdb.json @@ -0,0 +1,11 @@ +{ + "description": "Module to push malware samples to a MWDB instance", + "requirements": [ + "* mwdblib installed (pip install mwdblib) ; * (optional) keys.py file to add tags of events/attributes to MWDB * (optional) MWDB attribute created for the link back to MISP (defined in mwdb_misp_attribute)" + ], + "input": "Attachment or malware sample", + "output": "Link attribute that points to the sample at the MWDB instane", + "references": [ + ], + "features": "An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB). Does: * Upload of attachment or malware sample to MWDB * Tags of events and/or attributes are added to MWDB. * Comment of the MISP attribute is added to MWDB. * A link back to the MISP event is added to MWDB via the MWDB attribute. * A link to the MWDB attribute is added as an enrichted attribute to the MISP event." +} \ No newline at end of file diff --git a/doc/expansion/ocr-enrich.json b/documentation/website/expansion/ocr_enrich.json similarity index 85% rename from doc/expansion/ocr-enrich.json rename to documentation/website/expansion/ocr_enrich.json index 8765b22..0e8f627 100644 --- a/doc/expansion/ocr-enrich.json +++ b/documentation/website/expansion/ocr_enrich.json @@ -1,8 +1,10 @@ { "description": "Module to process some optical character recognition on pictures.", - "requirements": ["cv2: The OpenCV python library."], + "requirements": [ + "cv2: The OpenCV python library." + ], "input": "A picture attachment.", "output": "Text and freetext fetched from the input picture.", "references": [], "features": "The module takes an attachment attributes as input and process some optical character recognition on it. The text found is then passed to the Freetext importer to extract potential IoCs." -} +} \ No newline at end of file diff --git a/doc/expansion/ods-enrich.json b/documentation/website/expansion/ods_enrich.json similarity index 65% rename from doc/expansion/ods-enrich.json rename to documentation/website/expansion/ods_enrich.json index dda4281..ade4105 100644 --- a/doc/expansion/ods-enrich.json +++ b/documentation/website/expansion/ods_enrich.json @@ -1,10 +1,12 @@ { "description": "Module to extract freetext from a .ods document.", - "logo": "logos/ods.png", - "requirements": ["ezodf: Python package to create/manipulate OpenDocumentFormat files.", - "pandas_ods_reader: Python library to read in ODS files."], + "logo": "ods.png", + "requirements": [ + "ezodf: Python package to create/manipulate OpenDocumentFormat files.", + "pandas_ods_reader: Python library to read in ODS files." + ], "input": "Attachment attribute containing a .ods document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/doc/expansion/odt-enrich.json b/documentation/website/expansion/odt_enrich.json similarity index 80% rename from doc/expansion/odt-enrich.json rename to documentation/website/expansion/odt_enrich.json index e201c77..8922a9b 100644 --- a/doc/expansion/odt-enrich.json +++ b/documentation/website/expansion/odt_enrich.json @@ -1,9 +1,11 @@ { "description": "Module to extract freetext from a .odt document.", - "logo": "logos/odt.png", - "requirements": ["ODT reader python library."], + "logo": "odt.png", + "requirements": [ + "ODT reader python library." + ], "input": "Attachment attribute containing a .odt document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/doc/expansion/onyphe.json b/documentation/website/expansion/onyphe.json similarity index 61% rename from doc/expansion/onyphe.json rename to documentation/website/expansion/onyphe.json index 04ebdd3..f38ea25 100644 --- a/doc/expansion/onyphe.json +++ b/documentation/website/expansion/onyphe.json @@ -1,9 +1,15 @@ { "description": "Module to process a query on Onyphe.", - "logo": "logos/onyphe.jpg", - "requirements": ["onyphe python library", "An access to the Onyphe API (apikey)"], + "logo": "onyphe.jpg", + "requirements": [ + "onyphe python library", + "An access to the Onyphe API (apikey)" + ], "input": "A domain, hostname or IP address MISP attribute.", "output": "MISP attributes fetched from the Onyphe query.", - "references": ["https://www.onyphe.io/", "https://github.com/sebdraven/pyonyphe"], + "references": [ + "https://www.onyphe.io/", + "https://github.com/sebdraven/pyonyphe" + ], "features": "This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted." -} +} \ No newline at end of file diff --git a/doc/expansion/onyphe_full.json b/documentation/website/expansion/onyphe_full.json similarity index 69% rename from doc/expansion/onyphe_full.json rename to documentation/website/expansion/onyphe_full.json index 4b722fa..e1a040a 100644 --- a/doc/expansion/onyphe_full.json +++ b/documentation/website/expansion/onyphe_full.json @@ -1,9 +1,15 @@ { "description": "Module to process a full query on Onyphe.", - "logo": "logos/onyphe.jpg", - "requirements": ["onyphe python library", "An access to the Onyphe API (apikey)"], + "logo": "onyphe.jpg", + "requirements": [ + "onyphe python library", + "An access to the Onyphe API (apikey)" + ], "input": "A domain, hostname or IP address MISP attribute.", "output": "MISP attributes fetched from the Onyphe query.", - "references": ["https://www.onyphe.io/", "https://github.com/sebdraven/pyonyphe"], + "references": [ + "https://www.onyphe.io/", + "https://github.com/sebdraven/pyonyphe" + ], "features": "This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.\n\nThe parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed." -} +} \ No newline at end of file diff --git a/doc/expansion/otx.json b/documentation/website/expansion/otx.json similarity index 77% rename from doc/expansion/otx.json rename to documentation/website/expansion/otx.json index c6032cc..a17e2ff 100644 --- a/doc/expansion/otx.json +++ b/documentation/website/expansion/otx.json @@ -1,9 +1,13 @@ { "description": "Module to get information from AlienVault OTX.", - "logo": "logos/otx.png", - "requirements": ["An access to the OTX API (apikey)"], + "logo": "otx.png", + "requirements": [ + "An access to the OTX API (apikey)" + ], "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512", "output": "MISP attributes mapped from the result of the query on OTX, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- email", - "references": ["https://www.alienvault.com/open-threat-exchange"], + "references": [ + "https://www.alienvault.com/open-threat-exchange" + ], "features": "This module takes a MISP attribute as input to query the OTX Alienvault API. The API returns then the result of the query with some types we map into compatible types we add as MISP attributes." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/passivessh.json b/documentation/website/expansion/passivessh.json new file mode 100644 index 0000000..68f7eb7 --- /dev/null +++ b/documentation/website/expansion/passivessh.json @@ -0,0 +1,10 @@ +{ + "description": "An expansion module to query the CIRCL Passive SSH.", + "logo": "passivessh.png", + "input": "IP addresses or SSH fingerprints", + "output": "SSH key materials, complementary IP addresses with similar SSH key materials", + "references": [ + "https://github.com/D4-project/passive-ssh" + ], + "features": "The module queries the Passive SSH service from CIRCL.\n \n The module can be used an hover module but also an expansion model to add related MISP objects.\n" +} diff --git a/doc/expansion/passivetotal.json b/documentation/website/expansion/passivetotal.json similarity index 82% rename from doc/expansion/passivetotal.json rename to documentation/website/expansion/passivetotal.json index ef8b044..26835d5 100644 --- a/doc/expansion/passivetotal.json +++ b/documentation/website/expansion/passivetotal.json @@ -1,9 +1,14 @@ { "description": "", - "logo": "logos/passivetotal.png", - "requirements": ["Passivetotal python library", "An access to the PassiveTotal API (apikey)"], + "logo": "passivetotal.png", + "requirements": [ + "Passivetotal python library", + "An access to the PassiveTotal API (apikey)" + ], "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date", "output": "MISP attributes mapped from the result of the query on PassiveTotal, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- x509-fingerprint-sha1\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-phone\n- text\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- md5\n- sha1\n- sha256\n- link", - "references": ["https://www.passivetotal.org/register"], + "references": [ + "https://www.passivetotal.org/register" + ], "features": "The PassiveTotal MISP expansion module brings the datasets derived from Internet scanning directly into your MISP instance. This module supports passive DNS, historic SSL, WHOIS, and host attributes. In order to use the module, you must have a valid PassiveTotal account username and API key. Registration is free and can be done by visiting https://www.passivetotal.org/register" -} +} \ No newline at end of file diff --git a/doc/expansion/pdf-enrich.json b/documentation/website/expansion/pdf_enrich.json similarity index 76% rename from doc/expansion/pdf-enrich.json rename to documentation/website/expansion/pdf_enrich.json index 5b3f0a8..a17ef51 100644 --- a/doc/expansion/pdf-enrich.json +++ b/documentation/website/expansion/pdf_enrich.json @@ -1,9 +1,11 @@ { "description": "Module to extract freetext from a PDF document.", - "logo": "logos/pdf.jpg", - "requirements": ["pdftotext: Python library to extract text from PDF."], + "logo": "pdf.jpg", + "requirements": [ + "pdftotext: Python library to extract text from PDF." + ], "input": "Attachment attribute containing a PDF document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a PDF document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/doc/expansion/pptx-enrich.json b/documentation/website/expansion/pptx_enrich.json similarity index 77% rename from doc/expansion/pptx-enrich.json rename to documentation/website/expansion/pptx_enrich.json index aff0d8d..664c70a 100644 --- a/doc/expansion/pptx-enrich.json +++ b/documentation/website/expansion/pptx_enrich.json @@ -1,9 +1,11 @@ { "description": "Module to extract freetext from a .pptx document.", - "logo": "logos/pptx.png", - "requirements": ["pptx: Python library to read PowerPoint files."], + "logo": "pptx.png", + "requirements": [ + "pptx: Python library to read PowerPoint files." + ], "input": "Attachment attribute containing a .pptx document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a .pptx document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/qintel_qsentry.json b/documentation/website/expansion/qintel_qsentry.json new file mode 100644 index 0000000..4994a62 --- /dev/null +++ b/documentation/website/expansion/qintel_qsentry.json @@ -0,0 +1,13 @@ +{ + "description": "A hover and expansion module which queries Qintel QSentry for ip reputation data", + "logo": "qintel.png", + "requirements": [ + "A Qintel API token" + ], + "input": "ip address attribute", + "ouput": "Objects containing the enriched IP, threat tags, last seen attributes and associated Autonomous System information", + "features": "This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the Qintel QSentry API to retrieve ip reputation data", + "references": [ + "https://www.qintel.com/products/qsentry/" + ] +} \ No newline at end of file diff --git a/doc/expansion/qrcode.json b/documentation/website/expansion/qrcode.json similarity index 72% rename from doc/expansion/qrcode.json rename to documentation/website/expansion/qrcode.json index 38ed77c..f585511 100644 --- a/doc/expansion/qrcode.json +++ b/documentation/website/expansion/qrcode.json @@ -1,9 +1,11 @@ { "description": "Module to decode QR codes.", - "requirements": ["cv2: The OpenCV python library.", - "pyzbar: Python library to read QR codes."], + "requirements": [ + "cv2: The OpenCV python library.", + "pyzbar: Python library to read QR codes." + ], "input": "A QR code stored as attachment attribute.", "output": "The URL or bitcoin address the QR code is pointing to.", "references": [], "features": "The module reads the QR code and returns the related address, which can be an URL or a bitcoin address." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/ransomcoindb.json b/documentation/website/expansion/ransomcoindb.json new file mode 100644 index 0000000..26c3c55 --- /dev/null +++ b/documentation/website/expansion/ransomcoindb.json @@ -0,0 +1,12 @@ +{ + "descrption": "Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.", + "requirements": [ + "A ransomcoinDB API key." + ], + "input": "A hash (md5, sha1 or sha256) or btc attribute.", + "output": "Hashes associated to a btc address or btc addresses associated to a hash.", + "references": [ + "https://ransomcoindb.concinnity-risks.com" + ], + "features": "The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.\n\nIf the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes." +} \ No newline at end of file diff --git a/doc/expansion/rbl.json b/documentation/website/expansion/rbl.json similarity index 65% rename from doc/expansion/rbl.json rename to documentation/website/expansion/rbl.json index 9700eca..942daa7 100644 --- a/doc/expansion/rbl.json +++ b/documentation/website/expansion/rbl.json @@ -1,8 +1,12 @@ { "description": "Module to check an IPv4 address against known RBLs.", - "requirements": ["dnspython3: DNS python3 library"], + "requirements": [ + "dnspython3: DNS python3 library" + ], "input": "IP address attribute.", "output": "Text with additional data from Real-time Blackhost Lists about the IP address.", - "references": ["[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)"], + "references": [ + "[RBLs list](https://github.com/MISP/misp-modules/blob/8817de476572a10a9c9d03258ec81ca70f3d926d/misp_modules/modules/expansion/rbl.py#L20)" + ], "features": "This module takes an IP address attribute as input and queries multiple know Real-time Blackhost Lists to check if they have already seen this IP address.\n\nWe display then all the information we get from those different sources." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/recordedfuture.json b/documentation/website/expansion/recordedfuture.json new file mode 100644 index 0000000..91cf23e --- /dev/null +++ b/documentation/website/expansion/recordedfuture.json @@ -0,0 +1,13 @@ +{ + "description": "Module to enrich attributes with threat intelligence from Recorded Future.", + "logo": "recordedfuture.png", + "requirements": [ + "A Recorded Future API token." + ], + "input": "A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.", + "output": "A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute.", + "references": [ + "https://www.recordedfuture.com/" + ], + "features": "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes." +} \ No newline at end of file diff --git a/doc/expansion/reversedns.json b/documentation/website/expansion/reversedns.json similarity index 90% rename from doc/expansion/reversedns.json rename to documentation/website/expansion/reversedns.json index 6934462..cdd3419 100644 --- a/doc/expansion/reversedns.json +++ b/documentation/website/expansion/reversedns.json @@ -1,7 +1,9 @@ { "description": "Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.", - "requirements": ["DNS python library"], + "requirements": [ + "DNS python library" + ], "input": "An IP address attribute.", "output": "Hostname attribute the input is resolved into.", "features": "The module takes an IP address as input and tries to find the hostname this IP address is resolved into.\n\nThe address of the DNS resolver to use is also configurable, but if no configuration is set, we use the Google public DNS address (8.8.8.8).\n\nPlease note that composite MISP attributes containing IP addresses are supported as well." -} +} \ No newline at end of file diff --git a/doc/expansion/securitytrails.json b/documentation/website/expansion/securitytrails.json similarity index 77% rename from doc/expansion/securitytrails.json rename to documentation/website/expansion/securitytrails.json index 8541e4e..97f81b4 100644 --- a/doc/expansion/securitytrails.json +++ b/documentation/website/expansion/securitytrails.json @@ -1,9 +1,14 @@ { "description": "An expansion modules for SecurityTrails.", - "logo": "logos/securitytrails.png", - "requirements": ["dnstrails python library", "An access to the SecurityTrails API (apikey)"], + "logo": "securitytrails.png", + "requirements": [ + "dnstrails python library", + "An access to the SecurityTrails API (apikey)" + ], "input": "A domain, hostname or IP address attribute.", "output": "MISP attributes resulting from the query on SecurityTrails API, included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- dns-soa-email\n- whois-registrant-email\n- whois-registrant-phone\n- whois-registrant-name\n- whois-registrar\n- whois-creation-date\n- domain", - "references": ["https://securitytrails.com/"], + "references": [ + "https://securitytrails.com/" + ], "features": "The module takes a domain, hostname or IP address attribute as input and queries the SecurityTrails API with it.\n\nMultiple parsing operations are then processed on the result of the query to extract a much information as possible.\n\nFrom this data extracted are then mapped MISP attributes." -} +} \ No newline at end of file diff --git a/doc/expansion/shodan.json b/documentation/website/expansion/shodan.json similarity index 61% rename from doc/expansion/shodan.json rename to documentation/website/expansion/shodan.json index 57241f0..703a084 100644 --- a/doc/expansion/shodan.json +++ b/documentation/website/expansion/shodan.json @@ -1,9 +1,14 @@ { "description": "Module to query on Shodan.", - "logo": "logos/shodan.png", - "requirements": ["shodan python library", "An access to the Shodan API (apikey)"], + "logo": "shodan.png", + "requirements": [ + "shodan python library", + "An access to the Shodan API (apikey)" + ], "input": "An IP address MISP attribute.", "output": "Text with additional data about the input, resulting from the query on Shodan.", - "references": ["https://www.shodan.io/"], + "references": [ + "https://www.shodan.io/" + ], "features": "The module takes an IP address as input and queries the Shodan API to get some additional data about it." -} +} \ No newline at end of file diff --git a/doc/expansion/sigma_queries.json b/documentation/website/expansion/sigma_queries.json similarity index 69% rename from doc/expansion/sigma_queries.json rename to documentation/website/expansion/sigma_queries.json index f127ba4..c967112 100644 --- a/doc/expansion/sigma_queries.json +++ b/documentation/website/expansion/sigma_queries.json @@ -1,9 +1,13 @@ { "description": "An expansion hover module to display the result of sigma queries.", - "logo": "logos/sigma.png", - "requirements": ["Sigma python library"], + "logo": "sigma.png", + "requirements": [ + "Sigma python library" + ], "input": "A Sigma attribute.", "output": "Text displaying results of queries on the Sigma attribute.", - "references": ["https://github.com/Neo23x0/sigma/wiki"], + "references": [ + "https://github.com/Neo23x0/sigma/wiki" + ], "features": "This module takes a Sigma rule attribute as input and tries all the different queries available to convert it into different formats recognized by SIEMs." -} +} \ No newline at end of file diff --git a/doc/expansion/sigma_syntax_validator.json b/documentation/website/expansion/sigma_syntax_validator.json similarity index 67% rename from doc/expansion/sigma_syntax_validator.json rename to documentation/website/expansion/sigma_syntax_validator.json index 8e17ae0..b90c931 100644 --- a/doc/expansion/sigma_syntax_validator.json +++ b/documentation/website/expansion/sigma_syntax_validator.json @@ -1,9 +1,14 @@ { "description": "An expansion hover module to perform a syntax check on sigma rules.", - "logo": "logos/sigma.png", - "requirements": ["Sigma python library", "Yaml python library"], + "logo": "sigma.png", + "requirements": [ + "Sigma python library", + "Yaml python library" + ], "input": "A Sigma attribute.", "output": "Text describing the validity of the Sigma rule.", - "references": ["https://github.com/Neo23x0/sigma/wiki"], + "references": [ + "https://github.com/Neo23x0/sigma/wiki" + ], "features": "This module takes a Sigma rule attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/socialscan.json b/documentation/website/expansion/socialscan.json new file mode 100644 index 0000000..a1cf359 --- /dev/null +++ b/documentation/website/expansion/socialscan.json @@ -0,0 +1,8 @@ +{ + "description": "A hover module to get information on the availability of an email address or username on some online platforms.", + "requirements": ["The socialscan python library"], + "input": "An email address or usename attribute.", + "output": "Text containing information about the availability of an email address or a username in some online platforms.", + "references": ["https://github.com/iojw/socialscan"], + "features": "The module takes an email address or username as input and check its availability on some online platforms. The results for each platform are then returned to see if the email address or the username is used, available or if there is an issue with it." +} diff --git a/documentation/website/expansion/sophoslabs_intelix.json b/documentation/website/expansion/sophoslabs_intelix.json new file mode 100644 index 0000000..8871192 --- /dev/null +++ b/documentation/website/expansion/sophoslabs_intelix.json @@ -0,0 +1,13 @@ +{ + "description": "An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.", + "logo": "sophoslabs_intelix.svg", + "requirements": [ + "A client_id and client_secret pair to authenticate to the SophosLabs Intelix API" + ], + "input": "An ip address, url, domain or sha256 attribute.", + "output": "SophosLabs Intelix report and lookup objects", + "references": [ + "https://aws.amazon.com/marketplace/pp/B07SLZPMCS" + ], + "features": "The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object." +} \ No newline at end of file diff --git a/doc/expansion/sourcecache.json b/documentation/website/expansion/sourcecache.json similarity index 67% rename from doc/expansion/sourcecache.json rename to documentation/website/expansion/sourcecache.json index ab4669c..4340f2c 100644 --- a/doc/expansion/sourcecache.json +++ b/documentation/website/expansion/sourcecache.json @@ -1,8 +1,12 @@ { "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.", - "requirements": ["urlarchiver: python library to fetch and archive URL on the file-system"], + "requirements": [ + "urlarchiver: python library to fetch and archive URL on the file-system" + ], "input": "A link or url attribute.", "output": "A malware-sample attribute describing the cached page.", - "references": ["https://github.com/adulau/url_archiver"], + "references": [ + "https://github.com/adulau/url_archiver" + ], "features": "This module takes a link or url attribute as input and caches the related web page. It returns then a link of the cached page." -} +} \ No newline at end of file diff --git a/doc/expansion/stix2_pattern_syntax_validator.json b/documentation/website/expansion/stix2_pattern_syntax_validator.json similarity index 60% rename from doc/expansion/stix2_pattern_syntax_validator.json rename to documentation/website/expansion/stix2_pattern_syntax_validator.json index 2ea43b5..0ac079d 100644 --- a/doc/expansion/stix2_pattern_syntax_validator.json +++ b/documentation/website/expansion/stix2_pattern_syntax_validator.json @@ -1,9 +1,13 @@ { "description": "An expansion hover module to perform a syntax check on stix2 patterns.", - "logo": "logos/stix.png", - "requirements": ["stix2patterns python library"], + "logo": "stix.png", + "requirements": [ + "stix2patterns python library" + ], "input": "A STIX2 pattern attribute.", "output": "Text describing the validity of the STIX2 pattern.", - "references": ["[STIX2.0 patterning specifications](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html)"], + "references": [ + "[STIX2.0 patterning specifications](http://docs.oasis-open.org/cti/stix/v2.0/cs01/part5-stix-patterning/stix-v2.0-cs01-part5-stix-patterning.html)" + ], "features": "This module takes a STIX2 pattern attribute as input and performs a syntax check on it.\n\nIt displays then that the rule is valid if it is the case, and the error related to the rule otherwise." -} +} \ No newline at end of file diff --git a/doc/expansion/threatcrowd.json b/documentation/website/expansion/threatcrowd.json similarity index 87% rename from doc/expansion/threatcrowd.json rename to documentation/website/expansion/threatcrowd.json index 99725b8..e279ece 100644 --- a/doc/expansion/threatcrowd.json +++ b/documentation/website/expansion/threatcrowd.json @@ -1,8 +1,10 @@ { "description": "Module to get information from ThreatCrowd.", - "logo": "logos/threatcrowd.png", + "logo": "threatcrowd.png", "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512\n- whois-registrant-email", "output": "MISP attributes mapped from the result of the query on ThreatCrowd, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- hostname\n- whois-registrant-email", - "references": ["https://www.threatcrowd.org/"], + "references": [ + "https://www.threatcrowd.org/" + ], "features": "This module takes a MISP attribute as input and queries ThreatCrowd with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute." -} +} \ No newline at end of file diff --git a/doc/expansion/threatminer.json b/documentation/website/expansion/threatminer.json similarity index 87% rename from doc/expansion/threatminer.json rename to documentation/website/expansion/threatminer.json index d2f26bd..0b0d641 100644 --- a/doc/expansion/threatminer.json +++ b/documentation/website/expansion/threatminer.json @@ -1,8 +1,10 @@ { "description": "Module to get information from ThreatMiner.", - "logo": "logos/threatminer.png", + "logo": "threatminer.png", "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512", "output": "MISP attributes mapped from the result of the query on ThreatMiner, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- ssdeep\n- authentihash\n- filename\n- whois-registrant-email\n- url\n- link", - "references": ["https://www.threatminer.org/"], + "references": [ + "https://www.threatminer.org/" + ], "features": "This module takes a MISP attribute as input and queries ThreatMiner with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute." -} +} \ No newline at end of file diff --git a/doc/expansion/trustar_enrich.json b/documentation/website/expansion/trustar_enrich.json similarity index 81% rename from doc/expansion/trustar_enrich.json rename to documentation/website/expansion/trustar_enrich.json index 294419d..415f52d 100644 --- a/doc/expansion/trustar_enrich.json +++ b/documentation/website/expansion/trustar_enrich.json @@ -1,8 +1,10 @@ { "description": "Module to get enrich indicators with TruSTAR.", - "logo": "logos/trustar.png", + "logo": "trustar.png", "input": "Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url", "output": "MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.", - "references": ["https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html"], + "references": [ + "https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html" + ], "features": "This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports." -} +} \ No newline at end of file diff --git a/doc/expansion/urlhaus.json b/documentation/website/expansion/urlhaus.json similarity index 86% rename from doc/expansion/urlhaus.json rename to documentation/website/expansion/urlhaus.json index 8e5cef3..cd59661 100644 --- a/doc/expansion/urlhaus.json +++ b/documentation/website/expansion/urlhaus.json @@ -1,9 +1,11 @@ { "description": "Query of the URLhaus API to get additional information about the input attribute.", - "logo": "logos/urlhaus.png", + "logo": "urlhaus.png", "requirements": [], "input": "A domain, hostname, url, ip, md5 or sha256 attribute.", "output": "MISP attributes & objects fetched from the result of the URLhaus API query.", - "references": ["https://urlhaus.abuse.ch/"], + "references": [ + "https://urlhaus.abuse.ch/" + ], "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module takes one of the attribute type specified as input, and query the URLhaus API with it. If any result is returned by the API, attributes and objects are created accordingly." -} +} \ No newline at end of file diff --git a/doc/expansion/urlscan.json b/documentation/website/expansion/urlscan.json similarity index 73% rename from doc/expansion/urlscan.json rename to documentation/website/expansion/urlscan.json index d847761..3aab2ab 100644 --- a/doc/expansion/urlscan.json +++ b/documentation/website/expansion/urlscan.json @@ -1,9 +1,13 @@ { "description": "An expansion module to query urlscan.io.", - "logo": "logos/urlscan.jpg", - "requirements": ["An access to the urlscan.io API"], + "logo": "urlscan.jpg", + "requirements": [ + "An access to the urlscan.io API" + ], "input": "A domain, hostname or url attribute.", "output": "MISP attributes mapped from the result of the query on urlscan.io.", - "references": ["https://urlscan.io/"], + "references": [ + "https://urlscan.io/" + ], "features": "This module takes a MISP attribute as input and queries urlscan.io with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/variotdbs.json b/documentation/website/expansion/variotdbs.json new file mode 100644 index 0000000..f561866 --- /dev/null +++ b/documentation/website/expansion/variotdbs.json @@ -0,0 +1,13 @@ +{ + "description": "An expansion module to query the VARIoT db API for more information about a vulnerability.", + "logo": "variot.png", + "requirements": [ + "A VARIoT db API key (if you do not want to be limited to 100 queries / day)" + ], + "input": "Vulnerability attribute.", + "output": "Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.", + "references": [ + "https://www.variotdbs.pl/" + ], + "features": "The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template." +} diff --git a/doc/expansion/virustotal.json b/documentation/website/expansion/virustotal.json similarity index 80% rename from doc/expansion/virustotal.json rename to documentation/website/expansion/virustotal.json index 31fd6ac..85c036f 100644 --- a/doc/expansion/virustotal.json +++ b/documentation/website/expansion/virustotal.json @@ -1,9 +1,14 @@ { "description": "Module to get advanced information from virustotal.", - "logo": "logos/virustotal.png", - "requirements": ["An access to the VirusTotal API (apikey), with a high request rate limit."], + "logo": "virustotal.png", + "requirements": [ + "An access to the VirusTotal API (apikey), with a high request rate limit." + ], "input": "A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.", "output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.", - "references": ["https://www.virustotal.com/", "https://developers.virustotal.com/reference"], + "references": [ + "https://www.virustotal.com/", + "https://developers.virustotal.com/reference" + ], "features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal_public.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.\n\nThus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them." -} +} \ No newline at end of file diff --git a/doc/expansion/virustotal_public.json b/documentation/website/expansion/virustotal_public.json similarity index 78% rename from doc/expansion/virustotal_public.json rename to documentation/website/expansion/virustotal_public.json index 242c734..2b9df12 100644 --- a/doc/expansion/virustotal_public.json +++ b/documentation/website/expansion/virustotal_public.json @@ -1,9 +1,14 @@ { "description": "Module to get information from VirusTotal.", - "logo": "logos/virustotal.png", - "requirements": ["An access to the VirusTotal API (apikey)"], + "logo": "virustotal.png", + "requirements": [ + "An access to the VirusTotal API (apikey)" + ], "input": "A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.", "output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.", - "references": ["https://www.virustotal.com", "https://developers.virustotal.com/reference"], + "references": [ + "https://www.virustotal.com", + "https://developers.virustotal.com/reference" + ], "features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.\n\nThus, it only queries the API once and returns the results that is parsed into MISP attributes and objects." -} +} \ No newline at end of file diff --git a/doc/expansion/vmray_submit.json b/documentation/website/expansion/vmray_submit.json similarity index 74% rename from doc/expansion/vmray_submit.json rename to documentation/website/expansion/vmray_submit.json index ea6cf3f..2b38792 100644 --- a/doc/expansion/vmray_submit.json +++ b/documentation/website/expansion/vmray_submit.json @@ -1,9 +1,13 @@ { "description": "Module to submit a sample to VMRay.", - "logo": "logos/vmray.png", - "requirements": ["An access to the VMRay API (apikey & url)"], + "logo": "vmray.png", + "requirements": [ + "An access to the VMRay API (apikey & url)" + ], "input": "An attachment or malware-sample attribute.", "output": "MISP attributes mapped from the result of the query on VMRay API, included in the following list:\n- text\n- sha1\n- sha256\n- md5\n- link", - "references": ["https://www.vmray.com/"], + "references": [ + "https://www.vmray.com/" + ], "features": "This module takes an attachment or malware-sample attribute as input to query the VMRay API.\n\nThe sample contained within the attribute in then enriched with data from VMRay mapped into MISP attributes." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/vmware_nsx.json b/documentation/website/expansion/vmware_nsx.json new file mode 100644 index 0000000..c7e5b02 --- /dev/null +++ b/documentation/website/expansion/vmware_nsx.json @@ -0,0 +1,14 @@ +{ + "description": "Module to enrich a file or URL with VMware NSX Defender.", + "logo": "vmware_nsx.png", + "requirements": [ + "The module requires a VMware NSX Defender Analysis `api_token` and `key`." + ], + "input": "File hash, attachment or URL to be enriched with VMware NSX Defender.", + "output": "Objects and tags generated by VMware NSX Defender.", + "references": [ + "https://www.vmware.com" + ], + "features": "This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.\n\nThe IoC is then enriched with data from VMware NSX Defender." +} + diff --git a/doc/expansion/vulndb.json b/documentation/website/expansion/vulndb.json similarity index 71% rename from doc/expansion/vulndb.json rename to documentation/website/expansion/vulndb.json index 330a3eb..e1dd869 100644 --- a/doc/expansion/vulndb.json +++ b/documentation/website/expansion/vulndb.json @@ -1,9 +1,13 @@ { "description": "Module to query VulnDB (RiskBasedSecurity.com).", - "logo": "logos/vulndb.png", - "requirements": ["An access to the VulnDB API (apikey, apisecret)"], + "logo": "vulndb.png", + "requirements": [ + "An access to the VulnDB API (apikey, apisecret)" + ], "input": "A vulnerability attribute.", "output": "Additional data enriching the CVE input, fetched from VulnDB.", - "references": ["https://vulndb.cyberriskanalytics.com/"], + "references": [ + "https://vulndb.cyberriskanalytics.com/" + ], "features": "This module takes a vulnerability attribute as input and queries VulnDB in order to get some additional data about it.\n\nThe API gives the result of the query which can be displayed in the screen, and/or mapped into MISP attributes to add in the event." -} +} \ No newline at end of file diff --git a/doc/expansion/vulners.json b/documentation/website/expansion/vulners.json similarity index 69% rename from doc/expansion/vulners.json rename to documentation/website/expansion/vulners.json index f3f3026..ab5a778 100644 --- a/doc/expansion/vulners.json +++ b/documentation/website/expansion/vulners.json @@ -1,9 +1,14 @@ { "description": "An expansion hover module to expand information about CVE id using Vulners API.", - "logo": "logos/vulners.png", - "requirements": ["Vulners python library", "An access to the Vulners API"], + "logo": "vulners.png", + "requirements": [ + "Vulners python library", + "An access to the Vulners API" + ], "input": "A vulnerability attribute.", "output": "Text giving additional information about the CVE in input.", - "references": ["https://vulners.com/"], + "references": [ + "https://vulners.com/" + ], "features": "This module takes a vulnerability attribute as input and queries the Vulners API in order to get some additional data about it.\n\nThe API then returns details about the vulnerability." -} +} \ No newline at end of file diff --git a/doc/expansion/whois.json b/documentation/website/expansion/whois.json similarity index 77% rename from doc/expansion/whois.json rename to documentation/website/expansion/whois.json index 938bad5..bba0828 100644 --- a/doc/expansion/whois.json +++ b/documentation/website/expansion/whois.json @@ -1,8 +1,12 @@ { "description": "Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).", - "requirements": ["uwhois: A whois python library"], + "requirements": [ + "uwhois: A whois python library" + ], "input": "A domain or IP address attribute.", "output": "Text describing the result of a whois request for the input value.", - "references": ["https://github.com/rafiot/uwhoisd"], + "references": [ + "https://github.com/rafiot/uwhoisd" + ], "features": "This module takes a domain or IP address attribute as input and queries a 'Univseral Whois proxy server' to get the correct details of the Whois query on the input value (check the references for more details about this whois server)." -} +} \ No newline at end of file diff --git a/doc/expansion/wiki.json b/documentation/website/expansion/wiki.json similarity index 72% rename from doc/expansion/wiki.json rename to documentation/website/expansion/wiki.json index d6de62b..36bb009 100644 --- a/doc/expansion/wiki.json +++ b/documentation/website/expansion/wiki.json @@ -1,9 +1,13 @@ { "description": "An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.", - "logo": "logos/wikidata.png", - "requirements": ["SPARQLWrapper python library"], + "logo": "wikidata.png", + "requirements": [ + "SPARQLWrapper python library" + ], "input": "Text attribute.", "output": "Text attribute.", - "references": ["https://www.wikidata.org"], + "references": [ + "https://www.wikidata.org" + ], "features": "This module takes a text attribute as input and queries the Wikidata API. If the text attribute is clear enough to define a specific term, the API returns a wikidata link in response." -} +} \ No newline at end of file diff --git a/doc/expansion/xforceexchange.json b/documentation/website/expansion/xforceexchange.json similarity index 73% rename from doc/expansion/xforceexchange.json rename to documentation/website/expansion/xforceexchange.json index bbe3c86..fe6fcbb 100644 --- a/doc/expansion/xforceexchange.json +++ b/documentation/website/expansion/xforceexchange.json @@ -1,9 +1,13 @@ { "description": "An expansion module for IBM X-Force Exchange.", - "logo": "logos/xforce.png", - "requirements": ["An access to the X-Force API (apikey)"], + "logo": "xforce.png", + "requirements": [ + "An access to the X-Force API (apikey)" + ], "input": "A MISP attribute included in the following list:\n- ip-src\n- ip-dst\n- vulnerability\n- md5\n- sha1\n- sha256", "output": "MISP attributes mapped from the result of the query on X-Force Exchange.", - "references": ["https://exchange.xforce.ibmcloud.com/"], + "references": [ + "https://exchange.xforce.ibmcloud.com/" + ], "features": "This module takes a MISP attribute as input to query the X-Force API. The API returns then additional information known in their threats data, that is mapped into MISP attributes." -} +} \ No newline at end of file diff --git a/doc/expansion/xlsx-enrich.json b/documentation/website/expansion/xlsx_enrich.json similarity index 73% rename from doc/expansion/xlsx-enrich.json rename to documentation/website/expansion/xlsx_enrich.json index c41f17c..dff623d 100644 --- a/doc/expansion/xlsx-enrich.json +++ b/documentation/website/expansion/xlsx_enrich.json @@ -1,9 +1,11 @@ { "description": "Module to extract freetext from a .xlsx document.", - "logo": "logos/xlsx.png", - "requirements": ["pandas: Python library to perform data analysis, time series and statistics."], + "logo": "xlsx.png", + "requirements": [ + "pandas: Python library to perform data analysis, time series and statistics." + ], "input": "Attachment attribute containing a .xlsx document.", "output": "Text and freetext parsed from the document.", "references": [], "features": "The module reads the text contained in a .xlsx document. The result is passed to the freetext import parser so IoCs can be extracted out of it." -} +} \ No newline at end of file diff --git a/doc/expansion/yara_query.json b/documentation/website/expansion/yara_query.json similarity index 77% rename from doc/expansion/yara_query.json rename to documentation/website/expansion/yara_query.json index 408353d..453e599 100644 --- a/doc/expansion/yara_query.json +++ b/documentation/website/expansion/yara_query.json @@ -1,9 +1,14 @@ { "description": "An expansion & hover module to translate any hash attribute into a yara rule.", - "logo": "logos/yara.png", - "requirements": ["yara-python python library"], + "logo": "yara.png", + "requirements": [ + "yara-python python library" + ], "features": "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.", "input": "MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).", "output": "YARA rule.", - "references": ["https://virustotal.github.io/yara/", "https://github.com/virustotal/yara-python"] -} + "references": [ + "https://virustotal.github.io/yara/", + "https://github.com/virustotal/yara-python" + ] +} \ No newline at end of file diff --git a/doc/expansion/yara_syntax_validator.json b/documentation/website/expansion/yara_syntax_validator.json similarity index 70% rename from doc/expansion/yara_syntax_validator.json rename to documentation/website/expansion/yara_syntax_validator.json index 93a96ee..72550b2 100644 --- a/doc/expansion/yara_syntax_validator.json +++ b/documentation/website/expansion/yara_syntax_validator.json @@ -1,9 +1,13 @@ { "description": "An expansion hover module to perform a syntax check on if yara rules are valid or not.", - "logo": "logos/yara.png", - "requirements": ["yara_python python library"], + "logo": "yara.png", + "requirements": [ + "yara_python python library" + ], "input": "YARA rule attribute.", "output": "Text to inform users if their rule is valid.", - "references": ["http://virustotal.github.io/yara/"], + "references": [ + "http://virustotal.github.io/yara/" + ], "features": "This modules simply takes a YARA rule as input, and checks its syntax. It returns then a confirmation if the syntax is valid, otherwise the syntax error is displayed." -} +} \ No newline at end of file diff --git a/documentation/website/expansion/yeti.json b/documentation/website/expansion/yeti.json new file mode 100644 index 0000000..93341dc --- /dev/null +++ b/documentation/website/expansion/yeti.json @@ -0,0 +1,9 @@ +{ + "description": "Module to process a query on Yeti.", + "logo": "yeti.png", + "requirements": ["pyeti", "API key "], + "input": "A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.", + "output": "MISP attributes and objects fetched from the Yeti instances.", + "references": ["https://github.com/yeti-platform/yeti", "https://github.com/sebdraven/pyeti"], + "features": "This module add context and links between observables using yeti" +} diff --git a/documentation/website/export_mod/cef_export.json b/documentation/website/export_mod/cef_export.json new file mode 100644 index 0000000..cd247a7 --- /dev/null +++ b/documentation/website/export_mod/cef_export.json @@ -0,0 +1,10 @@ +{ + "description": "Module to export a MISP event in CEF format.", + "requirements": [], + "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.", + "references": [ + "https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537" + ], + "input": "MISP Event attributes", + "output": "Common Event Format file" +} \ No newline at end of file diff --git a/doc/export_mod/cisco_firesight_manager_ACL_rule_export.json b/documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json similarity index 79% rename from doc/export_mod/cisco_firesight_manager_ACL_rule_export.json rename to documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json index 6d1d0dd..b9c72f9 100644 --- a/doc/export_mod/cisco_firesight_manager_ACL_rule_export.json +++ b/documentation/website/export_mod/cisco_firesight_manager_ACL_rule_export.json @@ -1,9 +1,11 @@ { "description": "Module to export malicious network activity attributes to Cisco fireSIGHT manager block rules.", - "logo": "logos/cisco.png", - "requirements": ["Firesight manager console credentials"], + "logo": "cisco.png", + "requirements": [ + "Firesight manager console credentials" + ], "input": "Network activity attributes (IPs, URLs).", "output": "Cisco fireSIGHT manager block rules.", "references": [], "features": "The module goes through the attributes to find all the network activity ones in order to create block rules for the Cisco fireSIGHT manager." -} +} \ No newline at end of file diff --git a/documentation/website/export_mod/defender_endpoint_export.json b/documentation/website/export_mod/defender_endpoint_export.json new file mode 100644 index 0000000..ee45766 --- /dev/null +++ b/documentation/website/export_mod/defender_endpoint_export.json @@ -0,0 +1,11 @@ +{ + "description": "Defender for Endpoint KQL hunting query export module", + "requirements": [], + "features": "This module export an event as Defender for Endpoint KQL queries that can then be used in your own python3 or Powershell tool. If you are using Microsoft Sentinel, you can directly connect your MISP instance to Sentinel and then create queries using the `ThreatIntelligenceIndicator` table to match events against imported IOC.", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference" + ], + "input": "MISP Event attributes", + "output": "Defender for Endpoint KQL queries", + "logo": "defender_endpoint.png" +} \ No newline at end of file diff --git a/documentation/website/export_mod/goamlexport.json b/documentation/website/export_mod/goamlexport.json new file mode 100644 index 0000000..aaab295 --- /dev/null +++ b/documentation/website/export_mod/goamlexport.json @@ -0,0 +1,14 @@ +{ + "description": "This module is used to export MISP events containing transaction objects into GoAML format.", + "logo": "goAML.jpg", + "requirements": [ + "PyMISP", + "MISP objects" + ], + "features": "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.", + "references": [ + "http://goaml.unodc.org/" + ], + "input": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.", + "output": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities)." +} \ No newline at end of file diff --git a/documentation/website/export_mod/liteexport.json b/documentation/website/export_mod/liteexport.json new file mode 100644 index 0000000..1f91039 --- /dev/null +++ b/documentation/website/export_mod/liteexport.json @@ -0,0 +1,8 @@ +{ + "description": "Lite export of a MISP event.", + "requirements": [], + "features": "This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.", + "references": [], + "input": "MISP Event attributes", + "output": "Lite MISP Event" +} \ No newline at end of file diff --git a/doc/export_mod/mass_eql_export.json b/documentation/website/export_mod/mass_eql_export.json similarity index 74% rename from doc/export_mod/mass_eql_export.json rename to documentation/website/export_mod/mass_eql_export.json index 5eadd23..30b12a9 100644 --- a/doc/export_mod/mass_eql_export.json +++ b/documentation/website/export_mod/mass_eql_export.json @@ -1,9 +1,11 @@ { "description": "Mass EQL query export for a MISP event.", - "logo": "logos/eql.png", + "logo": "eql.png", "requirements": [], "features": "This module produces EQL queries for all relevant attributes in a MISP event.", - "references": ["https://eql.readthedocs.io/en/latest/"], + "references": [ + "https://eql.readthedocs.io/en/latest/" + ], "input": "MISP Event attributes", "output": "Text file containing one or more EQL queries" - } +} \ No newline at end of file diff --git a/documentation/website/export_mod/nexthinkexport.json b/documentation/website/export_mod/nexthinkexport.json new file mode 100644 index 0000000..0c06f9e --- /dev/null +++ b/documentation/website/export_mod/nexthinkexport.json @@ -0,0 +1,11 @@ +{ + "description": "Nexthink NXQL query export module", + "requirements": [], + "features": "This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell", + "references": [ + "https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2" + ], + "input": "MISP Event attributes", + "output": "Nexthink NXQL queries", + "logo": "nexthink.svg" +} \ No newline at end of file diff --git a/documentation/website/export_mod/osqueryexport.json b/documentation/website/export_mod/osqueryexport.json new file mode 100644 index 0000000..5b563c0 --- /dev/null +++ b/documentation/website/export_mod/osqueryexport.json @@ -0,0 +1,9 @@ +{ + "description": "OSQuery export of a MISP event.", + "requirements": [], + "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.", + "references": [], + "input": "MISP Event attributes", + "output": "osquery SQL queries", + "logo": "osquery.png" +} \ No newline at end of file diff --git a/documentation/website/export_mod/pdfexport.json b/documentation/website/export_mod/pdfexport.json new file mode 100644 index 0000000..b23c681 --- /dev/null +++ b/documentation/website/export_mod/pdfexport.json @@ -0,0 +1,13 @@ +{ + "description": "Simple export of a MISP event to PDF.", + "requirements": [ + "PyMISP", + "reportlab" + ], + "features": "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ", + "references": [ + "https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html" + ], + "input": "MISP Event", + "output": "MISP Event in a PDF file." +} \ No newline at end of file diff --git a/doc/export_mod/testexport.json b/documentation/website/export_mod/testexport.json similarity index 95% rename from doc/export_mod/testexport.json rename to documentation/website/export_mod/testexport.json index 213ea92..884ccbe 100644 --- a/doc/export_mod/testexport.json +++ b/documentation/website/export_mod/testexport.json @@ -1,3 +1,3 @@ { "description": "Skeleton export module." -} +} \ No newline at end of file diff --git a/documentation/website/export_mod/threatStream_misp_export.json b/documentation/website/export_mod/threatStream_misp_export.json new file mode 100644 index 0000000..b096f41 --- /dev/null +++ b/documentation/website/export_mod/threatStream_misp_export.json @@ -0,0 +1,14 @@ +{ + "description": "Module to export a structured CSV file for uploading to threatStream.", + "logo": "threatstream.png", + "requirements": [ + "csv" + ], + "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.", + "references": [ + "https://www.anomali.com/platform/threatstream", + "https://github.com/threatstream" + ], + "input": "MISP Event attributes", + "output": "ThreatStream CSV format file" +} \ No newline at end of file diff --git a/documentation/website/export_mod/threat_connect_export.json b/documentation/website/export_mod/threat_connect_export.json new file mode 100644 index 0000000..23708dd --- /dev/null +++ b/documentation/website/export_mod/threat_connect_export.json @@ -0,0 +1,13 @@ +{ + "description": "Module to export a structured CSV file for uploading to ThreatConnect.", + "logo": "threatconnect.png", + "requirements": [ + "csv" + ], + "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.", + "references": [ + "https://www.threatconnect.com" + ], + "input": "MISP Event attributes", + "output": "ThreatConnect CSV format file" +} \ No newline at end of file diff --git a/documentation/website/export_mod/virustotal_collections.json b/documentation/website/export_mod/virustotal_collections.json new file mode 100644 index 0000000..1ecdbe9 --- /dev/null +++ b/documentation/website/export_mod/virustotal_collections.json @@ -0,0 +1,14 @@ +{ + "description": "Creates a VT Collection from an event iocs.", + "logo": "virustotal.png", + "requirements": [ + "An access to the VirusTotal API (apikey)." + ], + "input": "A domain, hash (md5, sha1, sha256 or sha512), hostname, url or IP address attribute.", + "output": "A VirusTotal collection in VT.", + "references": [ + "https://www.virustotal.com/", + "https://blog.virustotal.com/2021/11/introducing-virustotal-collections.html" + ], + "features": "This export module which takes advantage of a new endpoint in VT APIv3 to create VT Collections from IOCs contained in a MISP event. With this module users will be able to create a collection just using the Download as... button." +} diff --git a/doc/export_mod/vt_graph.json b/documentation/website/export_mod/vt_graph.json similarity index 66% rename from doc/export_mod/vt_graph.json rename to documentation/website/export_mod/vt_graph.json index e317730..993c791 100644 --- a/doc/export_mod/vt_graph.json +++ b/documentation/website/export_mod/vt_graph.json @@ -1,9 +1,13 @@ { "description": "This module is used to create a VirusTotal Graph from a MISP event.", - "logo": "logos/virustotal.png", - "requirements": ["vt_graph_api, the python library to query the VirusTotal graph API"], + "logo": "virustotal.png", + "requirements": [ + "vt_graph_api, the python library to query the VirusTotal graph API" + ], "features": "The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.", - "references": ["https://www.virustotal.com/gui/graph-overview"], + "references": [ + "https://www.virustotal.com/gui/graph-overview" + ], "input": "A MISP event.", "output": "Link of the VirusTotal Graph created for the event." -} +} \ No newline at end of file diff --git a/documentation/website/import_mod/cof2misp.json b/documentation/website/import_mod/cof2misp.json new file mode 100644 index 0000000..cbbb0cc --- /dev/null +++ b/documentation/website/import_mod/cof2misp.json @@ -0,0 +1,12 @@ +{ + "description": "Passive DNS Common Output Format (COF) MISP importer", + "requirements": [ + "PyMISP" + ], + "features": "Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.", + "references": [ + "https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html" + ], + "input": "Passive DNS output in Common Output Format (COF)", + "output": "MISP objects" +} diff --git a/documentation/website/import_mod/csvimport.json b/documentation/website/import_mod/csvimport.json new file mode 100644 index 0000000..61bc6cc --- /dev/null +++ b/documentation/website/import_mod/csvimport.json @@ -0,0 +1,13 @@ +{ + "description": "Module to import MISP attributes from a csv file.", + "requirements": [ + "PyMISP" + ], + "features": "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.", + "references": [ + "https://tools.ietf.org/html/rfc4180", + "https://tools.ietf.org/html/rfc7111" + ], + "input": "CSV format file.", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/cuckooimport.json b/documentation/website/import_mod/cuckooimport.json new file mode 100644 index 0000000..2e51ea8 --- /dev/null +++ b/documentation/website/import_mod/cuckooimport.json @@ -0,0 +1,12 @@ +{ + "description": "Module to import Cuckoo JSON.", + "logo": "cuckoo.png", + "requirements": [], + "features": "The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.", + "references": [ + "https://cuckoosandbox.org/", + "https://github.com/cuckoosandbox/cuckoo" + ], + "input": "Cuckoo JSON file", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/email_import.json b/documentation/website/import_mod/email_import.json new file mode 100644 index 0000000..95ec3c7 --- /dev/null +++ b/documentation/website/import_mod/email_import.json @@ -0,0 +1,8 @@ +{ + "description": "Module to import emails in MISP.", + "requirements": [], + "features": "This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.", + "references": [], + "input": "E-mail file", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/goamlimport.json b/documentation/website/import_mod/goamlimport.json new file mode 100644 index 0000000..e8f12cf --- /dev/null +++ b/documentation/website/import_mod/goamlimport.json @@ -0,0 +1,11 @@ +{ + "description": "Module to import MISP objects about financial transactions from GoAML files.", + "logo": "goAML.jpg", + "requirements": [ + "PyMISP" + ], + "features": "Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.", + "references": "http://goaml.unodc.org/", + "input": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).", + "output": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target." +} \ No newline at end of file diff --git a/doc/import_mod/joe_import.json b/documentation/website/import_mod/joe_import.json similarity index 78% rename from doc/import_mod/joe_import.json rename to documentation/website/import_mod/joe_import.json index ceba4ab..f60d1dd 100644 --- a/doc/import_mod/joe_import.json +++ b/documentation/website/import_mod/joe_import.json @@ -1,9 +1,12 @@ { "description": "A module to import data from a Joe Sandbox analysis json report.", - "logo": "logos/joesandbox.png", + "logo": "joesandbox.png", "requirements": [], "input": "Json report of a Joe Sandbox analysis.", "output": "MISP attributes & objects parsed from the analysis report.", - "references": ["https://www.joesecurity.org", "https://www.joesandbox.com/"], - "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report.\n\n" + "references": [ + "https://www.joesecurity.org", + "https://www.joesandbox.com/" + ], + "features": "Module using the new format of modules able to return attributes and objects.\n\nThe module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report." } diff --git a/doc/import_mod/lastline_import.json b/documentation/website/import_mod/lastline_import.json similarity index 63% rename from doc/import_mod/lastline_import.json rename to documentation/website/import_mod/lastline_import.json index 99414e0..775b9ce 100644 --- a/doc/import_mod/lastline_import.json +++ b/documentation/website/import_mod/lastline_import.json @@ -1,9 +1,11 @@ { - "description": "Module to import and parse reports from Lastline analysis links.", - "logo": "logos/lastline.png", + "description": "Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.\n\nModule to import and parse reports from Lastline analysis links.", + "logo": "lastline.png", "requirements": [], "input": "Link to a Lastline analysis.", "output": "MISP attributes and objects parsed from the analysis report.", - "references": ["https://www.lastline.com"], + "references": [ + "https://www.lastline.com" + ], "features": "The module requires a Lastline Portal `username` and `password`.\nThe module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) expansion module." -} +} \ No newline at end of file diff --git a/documentation/website/import_mod/mispjson.json b/documentation/website/import_mod/mispjson.json new file mode 100644 index 0000000..7ba47bd --- /dev/null +++ b/documentation/website/import_mod/mispjson.json @@ -0,0 +1,8 @@ +{ + "description": "Module to import MISP JSON format for merging MISP events.", + "requirements": [], + "features": "The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.", + "references": [], + "input": "MISP Event", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/ocr.json b/documentation/website/import_mod/ocr.json new file mode 100644 index 0000000..a33c7e2 --- /dev/null +++ b/documentation/website/import_mod/ocr.json @@ -0,0 +1,8 @@ +{ + "description": "Optical Character Recognition (OCR) module for MISP.", + "requirements": [], + "features": "The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.", + "references": [], + "input": "Image", + "output": "freetext MISP attribute" +} \ No newline at end of file diff --git a/documentation/website/import_mod/openiocimport.json b/documentation/website/import_mod/openiocimport.json new file mode 100644 index 0000000..3e00baf --- /dev/null +++ b/documentation/website/import_mod/openiocimport.json @@ -0,0 +1,12 @@ +{ + "description": "Module to import OpenIOC packages.", + "requirements": [ + "PyMISP" + ], + "features": "The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.", + "references": [ + "https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html" + ], + "input": "OpenIOC packages", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/threatanalyzer_import.json b/documentation/website/import_mod/threatanalyzer_import.json new file mode 100644 index 0000000..5866e09 --- /dev/null +++ b/documentation/website/import_mod/threatanalyzer_import.json @@ -0,0 +1,10 @@ +{ + "description": "Module to import ThreatAnalyzer archive.zip / analysis.json files.", + "requirements": [], + "features": "The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.", + "references": [ + "https://www.threattrack.com/malware-analysis.aspx" + ], + "input": "ThreatAnalyzer format file", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/documentation/website/import_mod/vmray_import.json b/documentation/website/import_mod/vmray_import.json new file mode 100644 index 0000000..c80b237 --- /dev/null +++ b/documentation/website/import_mod/vmray_import.json @@ -0,0 +1,13 @@ +{ + "description": "Module to import VMRay (VTI) results.", + "logo": "vmray.png", + "requirements": [ + "vmray_rest_api" + ], + "features": "The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.", + "references": [ + "https://www.vmray.com/" + ], + "input": "VMRay format", + "output": "MISP Event attributes" +} \ No newline at end of file diff --git a/etc/systemd/system/misp-modules.service b/etc/systemd/system/misp-modules.service index 99cd102..078ebec 100644 --- a/etc/systemd/system/misp-modules.service +++ b/etc/systemd/system/misp-modules.service @@ -7,7 +7,7 @@ User=www-data Group=www-data WorkingDirectory=/usr/local/src/misp-modules Environment="PATH=/var/www/MISP/venv/bin" -ExecStart=/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s +ExecStart=/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 [Install] WantedBy=multi-user.target diff --git a/misp_modules/__init__.py b/misp_modules/__init__.py index 440ad3f..b068d8a 100644 --- a/misp_modules/__init__.py +++ b/misp_modules/__init__.py @@ -41,14 +41,14 @@ try: from .modules import * # noqa HAS_PACKAGE_MODULES = True except Exception as e: - print(e) + logging.exception(e) HAS_PACKAGE_MODULES = False try: from .helpers import * # noqa HAS_PACKAGE_HELPERS = True except Exception as e: - print(e) + logging.exception(e) HAS_PACKAGE_HELPERS = False log = logging.getLogger('misp-modules') @@ -183,10 +183,9 @@ class QueryModule(tornado.web.RequestHandler): executor = ThreadPoolExecutor(nb_threads) @run_on_executor - def run_request(self, jsonpayload): - x = json.loads(jsonpayload) + def run_request(self, module, jsonpayload): log.debug('MISP QueryModule request {0}'.format(jsonpayload)) - response = mhandlers[x['module']].handler(q=jsonpayload) + response = mhandlers[module].handler(q=jsonpayload) return json.dumps(response) @tornado.gen.coroutine @@ -198,7 +197,7 @@ class QueryModule(tornado.web.RequestHandler): timeout = datetime.timedelta(seconds=int(dict_payload.get('timeout'))) else: timeout = datetime.timedelta(seconds=300) - response = yield tornado.gen.with_timeout(timeout, self.run_request(jsonpayload)) + response = yield tornado.gen.with_timeout(timeout, self.run_request(dict_payload['module'], jsonpayload)) self.write(response) except tornado.gen.TimeoutError: log.warning('Timeout on {} '.format(dict_payload['module'])) diff --git a/misp_modules/lib/__init__.py b/misp_modules/lib/__init__.py index c078cf7..dffa255 100644 --- a/misp_modules/lib/__init__.py +++ b/misp_modules/lib/__init__.py @@ -1,3 +1,4 @@ +import joe_mapping from .vt_graph_parser import * # noqa -all = ['joe_parser', 'lastline_api'] +all = ['joe_parser', 'lastline_api', 'cof2misp', 'qintel_helper'] diff --git a/misp_modules/modules/expansion/_vmray/__init__.py b/misp_modules/lib/_vmray/__init__.py similarity index 100% rename from misp_modules/modules/expansion/_vmray/__init__.py rename to misp_modules/lib/_vmray/__init__.py diff --git a/misp_modules/lib/_vmray/parser.py b/misp_modules/lib/_vmray/parser.py new file mode 100644 index 0000000..6e8d375 --- /dev/null +++ b/misp_modules/lib/_vmray/parser.py @@ -0,0 +1,1411 @@ +import base64 +import json +import re + +from abc import ABC, abstractmethod +from dataclasses import asdict, dataclass, field +from enum import Enum +from pathlib import PureWindowsPath +from typing import Any, Dict, Iterator, List, Optional, Tuple, Union + +from pymisp import MISPAttribute, MISPEvent, MISPObject + +from .rest_api import VMRayRESTAPI, VMRayRESTAPIError + + +USER_RE = re.compile(r".:.Users\\(.*?)\\", re.IGNORECASE) +DOC_RE = re.compile(r".:.DOCUME~1.\\(.*?)\\", re.IGNORECASE) +DOC_AND_SETTINGS_RE = re.compile(r".:.Documents and Settings\\(.*?)\\", re.IGNORECASE) +USERPROFILES = [USER_RE, DOC_RE, DOC_AND_SETTINGS_RE] + + +def classifications_to_str(classifications: List[str]) -> Optional[str]: + if classifications: + return "Classifications: " + ", ".join(classifications) + return None + + +def merge_lists(target: List[Any], source: List[Any]): + return list({*target, *source}) + + +@dataclass +class Attribute: + type: str + value: str + category: Optional[str] = None + comment: Optional[str] = None + to_ids: bool = False + + def __eq__(self, other: Dict[str, Any]) -> bool: + return asdict(self) == other + + +@dataclass +class Artifact: + is_ioc: bool + verdict: Optional[str] + + @abstractmethod + def to_attributes(self) -> Iterator[Attribute]: + raise NotImplementedError() + + @abstractmethod + def to_misp_object(self, tag: bool) -> MISPObject: + raise NotImplementedError() + + @abstractmethod + def merge(self, other: "Artifact") -> None: + raise NotImplementedError() + + @abstractmethod + def __eq__(self, other: "Artifact") -> bool: + raise NotImplementedError() + + def tag_artifact_attribute(self, attribute: MISPAttribute) -> None: + if self.is_ioc: + attribute.add_tag('vmray:artifact="IOC"') + + if self.verdict: + attribute.add_tag(f'vmray:verdict="{self.verdict}"') + + +@dataclass +class DomainArtifact(Artifact): + domain: str + sources: List[str] + ips: List[str] = field(default_factory=list) + classifications: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + value = self.domain + comment = ", ".join(self.sources) if self.sources else None + + attr = Attribute(type="domain", value=value, comment=comment) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="domain-ip") + + classifications = classifications_to_str(self.classifications) + attr = obj.add_attribute( + "domain", value=self.domain, to_ids=self.is_ioc, comment=classifications + ) + if tag: + self.tag_artifact_attribute(attr) + + for ip in self.ips: + obj.add_attribute("ip", value=ip, to_ids=self.is_ioc) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, DomainArtifact): + return + + self.ips = merge_lists(self.ips, other.ips) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, DomainArtifact): + return NotImplemented + + return self.domain == other.domain + + +@dataclass +class EmailArtifact(Artifact): + sender: Optional[str] + subject: Optional[str] + recipients: List[str] = field(default_factory=list) + classifications: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + if self.sender: + classifications = classifications_to_str(self.classifications) + yield Attribute( + type="email-src", value=self.sender, comment=classifications + ) + + if self.subject: + yield Attribute(type="email-subject", value=self.subject, to_ids=False) + + for recipient in self.recipients: + yield Attribute(type="email-dst", value=recipient, to_ids=False) + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="email") + + if self.sender: + classifications = classifications_to_str(self.classifications) + attr = obj.add_attribute( + "from", value=self.sender, to_ids=self.is_ioc, comment=classifications + ) + if tag: + self.tag_artifact_attribute(attr) + + if self.subject: + obj.add_attribute("subject", value=self.subject, to_ids=False) + + for recipient in self.recipients: + obj.add_attribute("to", value=recipient, to_ids=False) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, EmailArtifact): + return + + self.recipients = merge_lists(self.recipients, other.recipients) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, EmailArtifact): + return NotImplemented + + return self.sender == other.sender and self.subject == other.subject + + +@dataclass +class FileArtifact(Artifact): + filenames: List[str] + operations: List[str] + md5: str + sha1: str + sha256: str + ssdeep: str + imphash: Optional[str] + classifications: List[str] + size: Optional[int] + mimetype: Optional[str] = None + + def to_attributes(self) -> Iterator[Attribute]: + operations = ", ".join(self.operations) + comment = f"File operations: {operations}" + + for filename in self.filenames: + attr = Attribute(type="filename", value=filename, comment=comment) + yield attr + + for hash_type in ("md5", "sha1", "sha256", "ssdeep", "imphash"): + for filename in self.filenames: + value = getattr(self, hash_type) + if value is not None: + attr = Attribute( + type=f"filename|{hash_type}", + value=f"{filename}|{value}", + category="Payload delivery", + to_ids=True, + ) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="file") + + if self.size: + obj.add_attribute("size-in-bytes", value=self.size) + + classifications = classifications_to_str(self.classifications) + hashes = [ + ("md5", self.md5), + ("sha1", self.sha1), + ("sha256", self.sha256), + ("ssdeep", self.ssdeep), + ] + for (key, value) in hashes: + if not value: + continue + + attr = obj.add_attribute( + key, value=value, to_ids=self.is_ioc, comment=classifications + ) + + if tag: + self.tag_artifact_attribute(attr) + + if self.mimetype: + obj.add_attribute("mimetype", value=self.mimetype, to_ids=False) + + operations = None + if self.operations: + operations = "Operations: " + ", ".join(self.operations) + + for filename in self.filenames: + filename = PureWindowsPath(filename) + obj.add_attribute("filename", value=filename.name, comment=operations) + + fullpath = str(filename) + for regex in USERPROFILES: + fullpath = regex.sub(r"%USERPROFILE%\\", fullpath) + + obj.add_attribute("fullpath", fullpath) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, FileArtifact): + return + + self.filenames = merge_lists(self.filenames, other.filenames) + self.operations = merge_lists(self.operations, other.operations) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, FileArtifact): + return NotImplemented + + return self.sha256 == other.sha256 + + +@dataclass +class IpArtifact(Artifact): + ip: str + sources: List[str] + classifications: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + sources = ", ".join(self.sources) + comment = f"Found in: {sources}" + + attr = Attribute(type="ip-dst", value=self.ip, comment=comment) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="ip-port") + + classifications = classifications_to_str(self.classifications) + attr = obj.add_attribute( + "ip", value=self.ip, comment=classifications, to_ids=self.is_ioc + ) + if tag: + self.tag_artifact_attribute(attr) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, IpArtifact): + return + + self.sources = merge_lists(self.sources, other.sources) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, IpArtifact): + return NotImplemented + + return self.ip == other.ip + + +@dataclass +class MutexArtifact(Artifact): + name: str + operations: List[str] + classifications: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + operations = ", ".join(self.operations) + comment = f"Operations: {operations}" + + attr = Attribute(type="mutex", value=self.name, comment=comment) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="mutex") + + classifications = classifications_to_str(self.classifications) + attr = obj.add_attribute( + "name", + value=self.name, + category="External analysis", + to_ids=False, + comment=classifications, + ) + if tag: + self.tag_artifact_attribute(attr) + + operations = None + if self.operations: + operations = "Operations: " + ", ".join(self.operations) + obj.add_attribute("description", value=operations, to_ids=False) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, MutexArtifact): + return + + self.operations = merge_lists(self.operations, other.operations) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, MutexArtifact): + return NotImplemented + + return self.name == other.name + + +@dataclass +class ProcessArtifact(Artifact): + filename: str + pid: Optional[int] = None + parent_pid: Optional[int] = None + cmd_line: Optional[str] = None + operations: List[str] = field(default_factory=list) + classifications: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + process_desc = f"Process created: {self.filename}\nPID: {self.pid}" + classifications = classifications_to_str(self.classifications) + yield Attribute(type="text", value=process_desc, comment=classifications) + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="process") + + if self.pid: + obj.add_attribute("pid", value=self.pid, category="External analysis") + + if self.parent_pid: + obj.add_attribute( + "parent-pid", value=self.parent_pid, category="External analysis" + ) + + classifications = classifications_to_str(self.classifications) + name_attr = obj.add_attribute( + "name", self.filename, category="External analysis", comment=classifications + ) + + cmd_attr = obj.add_attribute("command-line", value=self.cmd_line) + + if tag: + self.tag_artifact_attribute(name_attr) + self.tag_artifact_attribute(cmd_attr) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, ProcessArtifact): + return + + self.operations = merge_lists(self.operations, other.operations) + self.classifications = merge_lists(self.classifications, other.classifications) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, ProcessArtifact): + return NotImplemented + + return self.filename == other.filename and self.cmd_line == other.cmd_line + + +@dataclass +class RegistryArtifact(Artifact): + key: str + operations: List[str] + + def to_attributes(self) -> Iterator[Attribute]: + operations = ", ".join(self.operations) + comment = f"Operations: {operations}" + + attr = Attribute(type="regkey", value=self.key, comment=comment) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="registry-key") + + operations = None + if self.operations: + operations = "Operations: " + ", ".join(self.operations) + + attr = obj.add_attribute( + "key", value=self.key, to_ids=self.is_ioc, comment=operations + ) + if tag: + self.tag_artifact_attribute(attr) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, RegistryArtifact): + return + + self.operations = merge_lists(self.operations, other.operations) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, RegistryArtifact): + return NotImplemented + + return self.key == other.key + + +@dataclass +class UrlArtifact(Artifact): + url: str + operations: List[str] + domain: Optional[str] = None + ips: List[str] = field(default_factory=list) + + def to_attributes(self) -> Iterator[Attribute]: + operations = ", ".join(self.operations) + comment = f"Operations: {operations}" + + attr = Attribute(type="url", value=self.url, comment=comment) + yield attr + + def to_misp_object(self, tag: bool) -> MISPObject: + obj = MISPObject(name="url") + + operations = None + if self.operations: + operations = "Operations: " + ", ".join(self.operations) + + attr = obj.add_attribute( + "url", + value=self.url, + comment=operations, + category="External analysis", + to_ids=False, + ) + if tag: + self.tag_artifact_attribute(attr) + + if self.domain: + obj.add_attribute( + "domain", self.domain, category="External analysis", to_ids=False + ) + + for ip in self.ips: + obj.add_attribute("ip", ip, category="External analysis", to_ids=False) + + return obj + + def merge(self, other: Artifact) -> None: + if not isinstance(other, UrlArtifact): + return + + self.ips = merge_lists(self.ips, other.ips) + self.operations = merge_lists(self.operations, other.operations) + + def __eq__(self, other: Artifact) -> bool: + if not isinstance(other, UrlArtifact): + return NotImplemented + + return self.url == other.url and self.domain == other.domain + + +@dataclass +class MitreAttack: + description: str + id: str + + def to_misp_galaxy(self) -> str: + return f'misp-galaxy:mitre-attack-pattern="{self.description} - {self.id}"' + + +@dataclass +class VTI: + category: str + operation: str + technique: str + score: int + + +class ReportVersion(Enum): + v1 = "v1" + v2 = "v2" + + +class VMRayParseError(Exception): + pass + + +class ReportParser(ABC): + @abstractmethod + def __init__(self, api: VMRayRESTAPI, analysis_id: int): + raise NotImplementedError() + + @abstractmethod + def is_static_report(self) -> bool: + raise NotImplementedError() + + @abstractmethod + def artifacts(self) -> Iterator[Artifact]: + raise NotImplementedError() + + @abstractmethod + def classifications(self) -> Optional[str]: + raise NotImplementedError() + + @abstractmethod + def details(self) -> Iterator[str]: + raise NotImplementedError() + + @abstractmethod + def mitre_attacks(self) -> Iterator[MitreAttack]: + raise NotImplementedError() + + @abstractmethod + def sandbox_type(self) -> str: + raise NotImplementedError() + + @abstractmethod + def score(self) -> str: + raise NotImplementedError() + + @abstractmethod + def vtis(self) -> Iterator[VTI]: + raise NotImplementedError() + + +class Summary(ReportParser): + def __init__( + self, analysis_id: int, api: VMRayRESTAPI = None, report: Dict[str, Any] = None + ): + self.analysis_id = analysis_id + + if report: + self.report = report + else: + data = api.call( + "GET", + f"/rest/analysis/{analysis_id}/archive/logs/summary.json", + raw_data=True, + ) + self.report = json.load(data) + + @staticmethod + def to_verdict(score: Union[int, str]) -> Optional[str]: + if isinstance(score, int): + if 0 <= score <= 24: + return "clean" + if 25 <= score <= 74: + return "suspicious" + if 75 <= score <= 100: + return "malicious" + return "n/a" + if isinstance(score, str): + score = score.lower() + if score in ("not_suspicious", "whitelisted"): + return "clean" + if score == "blacklisted": + return "malicious" + if score in ("not_available", "unknown"): + return "n/a" + return score + return None + + def is_static_report(self) -> bool: + return self.report["vti"]["vti_rule_type"] == "Static" + + def artifacts(self) -> Iterator[Artifact]: + artifacts = self.report["artifacts"] + domains = artifacts.get("domains", []) + for domain in domains: + classifications = domain.get("classifications", []) + is_ioc = domain.get("ioc", False) + verdict = self.to_verdict(domain.get("severity")) + ips = domain.get("ip_addresses", []) + artifact = DomainArtifact( + domain=domain["domain"], + sources=domain["sources"], + ips=ips, + classifications=classifications, + is_ioc=is_ioc, + verdict=verdict, + ) + yield artifact + + emails = artifacts.get("emails", []) + for email in emails: + sender = email.get("sender") + subject = email.get("subject") + verdict = self.to_verdict(email.get("severity")) + recipients = email.get("recipients", []) + classifications = email.get("classifications", []) + is_ioc = email.get("ioc", False) + + artifact = EmailArtifact( + sender=sender, + subject=subject, + verdict=verdict, + recipients=recipients, + classifications=classifications, + is_ioc=is_ioc, + ) + yield artifact + + files = artifacts.get("files", []) + for file_ in files: + if file_["filename"] is None: + continue + + filenames = [file_["filename"]] + if "filenames" in file_: + filenames += file_["filenames"] + + hashes = file_["hashes"] + classifications = file_.get("classifications", []) + operations = file_.get("operations", []) + is_ioc = file_.get("ioc", False) + mimetype = file_.get("mime_type") + verdict = self.to_verdict(file_.get("severity")) + + for hash_dict in hashes: + imp = hash_dict.get("imp_hash") + + artifact = FileArtifact( + filenames=filenames, + imphash=imp, + md5=hash_dict["md5_hash"], + ssdeep=hash_dict["ssdeep_hash"], + sha256=hash_dict["sha256_hash"], + sha1=hash_dict["sha1_hash"], + operations=operations, + classifications=classifications, + size=file_.get("file_size"), + is_ioc=is_ioc, + mimetype=mimetype, + verdict=verdict, + ) + yield artifact + + ips = artifacts.get("ips", []) + for ip in ips: + is_ioc = ip.get("ioc", False) + verdict = self.to_verdict(ip.get("severity")) + classifications = ip.get("classifications", []) + artifact = IpArtifact( + ip=ip["ip_address"], + sources=ip["sources"], + classifications=classifications, + verdict=verdict, + is_ioc=is_ioc, + ) + yield artifact + + mutexes = artifacts.get("mutexes", []) + for mutex in mutexes: + verdict = self.to_verdict(mutex.get("severity")) + is_ioc = mutex.get("ioc", False) + artifact = MutexArtifact( + name=mutex["mutex_name"], + operations=mutex["operations"], + classifications=[], + verdict=verdict, + is_ioc=is_ioc, + ) + yield artifact + + processes = artifacts.get("processes", []) + for process in processes: + classifications = process.get("classifications", []) + cmd_line = process.get("cmd_line") + name = process["image_name"] + verdict = self.to_verdict(process.get("severity")) + is_ioc = process.get("ioc", False) + + artifact = ProcessArtifact( + filename=name, + classifications=classifications, + cmd_line=cmd_line, + verdict=verdict, + is_ioc=is_ioc, + ) + yield artifact + + registry = artifacts.get("registry", []) + for reg in registry: + is_ioc = reg.get("ioc", False) + verdict = self.to_verdict(reg.get("severity")) + artifact = RegistryArtifact( + key=reg["reg_key_name"], + operations=reg["operations"], + verdict=verdict, + is_ioc=is_ioc, + ) + yield artifact + + urls = artifacts.get("urls", []) + for url in urls: + ips = url.get("ip_addresses", []) + is_ioc = url.get("ioc", False) + verdict = self.to_verdict(url.get("severity")) + + artifact = UrlArtifact( + url=url["url"], + operations=url["operations"], + ips=ips, + is_ioc=is_ioc, + verdict=verdict, + ) + yield artifact + + def classifications(self) -> Optional[str]: + classifications = self.report["classifications"] + if classifications: + str_classifications = ", ".join(classifications) + return f"Classifications: {str_classifications}" + return None + + def details(self) -> Iterator[str]: + details = self.report["analysis_details"] + execution_successful = details["execution_successful"] + termination_reason = details["termination_reason"] + result = details["result_str"] + + if self.analysis_id == 0: + analysis = "" + else: + analysis = f" {self.analysis_id}" + + yield f"Analysis{analysis}: execution_successful: {execution_successful}" + yield f"Analysis{analysis}: termination_reason: {termination_reason}" + yield f"Analysis{analysis}: result: {result}" + + def mitre_attacks(self) -> Iterator[MitreAttack]: + mitre_attack = self.report["mitre_attack"] + techniques = mitre_attack.get("techniques", []) + + for technique in techniques: + mitre_attack = MitreAttack( + description=technique["description"], id=technique["id"] + ) + yield mitre_attack + + def sandbox_type(self) -> str: + vm_name = self.report["vm_and_analyzer_details"]["vm_name"] + sample_type = self.report["sample_details"]["sample_type"] + return f"{vm_name} | {sample_type}" + + def score(self) -> str: + vti_score = self.report["vti"]["vti_score"] + return self.to_verdict(vti_score) + + def vtis(self) -> Iterator[VTI]: + try: + vtis = self.report["vti"]["vti_rule_matches"] + except KeyError: + vtis = [] + + for vti in vtis: + new_vti = VTI( + category=vti["category_desc"], + operation=vti["operation_desc"], + technique=vti["technique_desc"], + score=vti["rule_score"], + ) + + yield new_vti + + +class SummaryV2(ReportParser): + def __init__( + self, analysis_id: int, api: VMRayRESTAPI = None, report: Dict[str, Any] = None + ): + self.analysis_id = analysis_id + + if report: + self.report = report + else: + self.api = api + data = api.call( + "GET", + f"/rest/analysis/{analysis_id}/archive/logs/summary_v2.json", + raw_data=True, + ) + self.report = json.load(data) + + def _resolve_refs( + self, data: Union[List[Dict[str, Any]], Dict[str, Any]] + ) -> Iterator[Dict[str, Any]]: + if not data: + return [] + + if isinstance(data, dict): + data = [data] + + for ref in data: + yield self._resolve_ref(ref) + + def _resolve_ref(self, data: Dict[str, Any]) -> Dict[str, Any]: + if data == {}: + return {} + + if data["_type"] != "reference" or data["source"] != "logs/summary_v2.json": + return {} + + resolved_ref = self.report + paths = data["path"] + for path_part in paths: + try: + resolved_ref = resolved_ref[path_part] + except KeyError: + return {} + + return resolved_ref + + @staticmethod + def convert_verdict(verdict: Optional[str]) -> str: + if verdict == "not_available" or not verdict: + return "n/a" + + return verdict + + def is_static_report(self) -> bool: + return self.report["vti"]["score_type"] == "static" + + def artifacts(self) -> Iterator[Artifact]: + artifacts = self.report["artifacts"] + + ref_domains = artifacts.get("ref_domains", []) + for domain in self._resolve_refs(ref_domains): + classifications = domain.get("classifications", []) + artifact = DomainArtifact( + domain=domain["domain"], + sources=domain["sources"], + classifications=classifications, + is_ioc=domain["is_ioc"], + verdict=domain["verdict"], + ) + + ref_ip_addresses = domain.get("ref_ip_addresses", []) + if not ref_ip_addresses: + continue + + for ip_address in self._resolve_refs(ref_ip_addresses): + artifact.ips.append(ip_address["ip_address"]) + + yield artifact + + ref_emails = artifacts.get("ref_emails", []) + for email in self._resolve_refs(ref_emails): + sender = email.get("sender") + subject = email.get("subject") + recipients = email.get("recipients", []) + verdict = email["verdict"] + is_ioc = email["is_ioc"] + classifications = email.get("classifications", []) + + artifact = EmailArtifact( + sender=sender, + subject=subject, + recipients=recipients, + classifications=classifications, + verdict=verdict, + is_ioc=is_ioc, + ) + + yield artifact + + ref_files = artifacts.get("ref_files", []) + for file_ in self._resolve_refs(ref_files): + filenames = [] + + if "ref_filenames" in file_: + for filename in self._resolve_refs(file_["ref_filenames"]): + if not filename: + continue + filenames.append(filename["filename"]) + + artifact = FileArtifact( + operations=file_.get("operations", []), + md5=file_["hash_values"]["md5"], + sha1=file_["hash_values"]["sha1"], + sha256=file_["hash_values"]["sha256"], + ssdeep=file_["hash_values"]["ssdeep"], + imphash=None, + mimetype=file_.get("mime_type"), + filenames=filenames, + is_ioc=file_["is_ioc"], + classifications=file_.get("classifications", []), + size=file_["size"], + verdict=file_["verdict"], + ) + yield artifact + + ref_ip_addresses = artifacts.get("ref_ip_addresses", []) + for ip in self._resolve_refs(ref_ip_addresses): + classifications = ip.get("classifications", []) + verdict = ip["verdict"] + is_ioc = ip["is_ioc"] + artifact = IpArtifact( + ip=ip["ip_address"], + sources=ip["sources"], + classifications=classifications, + verdict=verdict, + is_ioc=is_ioc, + ) + yield artifact + + ref_mutexes = artifacts.get("ref_mutexes", []) + for mutex in self._resolve_refs(ref_mutexes): + is_ioc = mutex["is_ioc"] + classifications = mutex.get("classifications", []) + artifact = MutexArtifact( + name=mutex["name"], + operations=mutex["operations"], + verdict=mutex["verdict"], + classifications=classifications, + is_ioc=is_ioc, + ) + yield artifact + + ref_processes = artifacts.get("ref_processes", []) + for process in self._resolve_refs(ref_processes): + cmd_line = process.get("cmd_line") + classifications = process.get("classifications", []) + verdict = process.get("verdict") + artifact = ProcessArtifact( + pid=process["os_pid"], + parent_pid=process["origin_monitor_id"], + filename=process["filename"], + is_ioc=process["is_ioc"], + cmd_line=cmd_line, + classifications=classifications, + verdict=verdict, + ) + yield artifact + + ref_registry_records = artifacts.get("ref_registry_records", []) + for reg in self._resolve_refs(ref_registry_records): + artifact = RegistryArtifact( + key=reg["reg_key_name"], + operations=reg["operations"], + is_ioc=reg["is_ioc"], + verdict=reg["verdict"], + ) + yield artifact + + url_refs = artifacts.get("ref_urls", []) + for url in self._resolve_refs(url_refs): + domain = None + ref_domain = url.get("ref_domain", {}) + if ref_domain: + domain = self._resolve_ref(ref_domain)["domain"] + + ips = [] + ref_ip_addresses = url.get("ref_ip_addresses", []) + for ip_address in self._resolve_refs(ref_ip_addresses): + ips.append(ip_address["ip_address"]) + + artifact = UrlArtifact( + url=url["url"], + operations=url["operations"], + is_ioc=url["is_ioc"], + domain=domain, + ips=ips, + verdict=url["verdict"], + ) + yield artifact + + def classifications(self) -> Optional[str]: + try: + classifications = ", ".join(self.report["classifications"]) + return f"Classifications: {classifications}" + except KeyError: + return None + + def details(self) -> Iterator[str]: + details = self.report["analysis_metadata"] + is_execution_successful = details["is_execution_successful"] + termination_reason = details["termination_reason"] + result = details["result_str"] + + yield f"Analysis {self.analysis_id}: execution_successful: {is_execution_successful}" + yield f"Analysis {self.analysis_id}: termination_reason: {termination_reason}" + yield f"Analysis {self.analysis_id}: result: {result}" + + def mitre_attacks(self) -> Iterator[MitreAttack]: + mitre_attack = self.report["mitre_attack"] + techniques = mitre_attack["v4"]["techniques"] + + for technique_id, technique in techniques.items(): + mitre_attack = MitreAttack( + description=technique["description"], + id=technique_id.replace("technique_", ""), + ) + yield mitre_attack + + def sandbox_type(self) -> str: + vm_information = self.report["virtual_machine"]["description"] + sample_type = self.report["analysis_metadata"]["sample_type"] + return f"{vm_information} | {sample_type}" + + def score(self) -> str: + verdict = self.report["analysis_metadata"]["verdict"] + return self.convert_verdict(verdict) + + def vtis(self) -> Iterator[VTI]: + if "matches" not in self.report["vti"]: + return + + vti_matches = self.report["vti"]["matches"] + for vti in vti_matches.values(): + new_vti = VTI( + category=vti["category_desc"], + operation=vti["operation_desc"], + technique=vti["technique_desc"], + score=vti["analysis_score"], + ) + + yield new_vti + + +class VMRayParser: + def __init__(self) -> None: + # required for api import + self.api: Optional[VMRayRESTAPI] = None + self.sample_id: Optional[int] = None + + # required for file import + self.report: Optional[Dict[str, Any]] = None + self.report_name: Optional[str] = None + self.include_report = False + + # required by API import and file import + self.report_version = ReportVersion.v2 + + self.use_misp_object = True + self.ignore_analysis_finished = False + self.tag_objects = True + + self.include_analysis_id = True + self.include_vti_details = True + self.include_iocs = True + self.include_all_artifacts = False + self.include_analysis_details = True + + # a new event if we use misp objects + self.event = MISPEvent() + + # new attributes if we don't use misp objects + self.attributes: List[Attribute] = [] + + def from_api(self, config: Dict[str, Any]) -> None: + url = self._read_config_key(config, "url") + api_key = self._read_config_key(config, "apikey") + + try: + self.sample_id = int(self._read_config_key(config, "Sample ID")) + except ValueError: + raise VMRayParseError("Could not convert sample id to integer.") + + self.api = VMRayRESTAPI(url, api_key, False) + + self.ignore_analysis_finished = self._config_from_string(config.get("ignore_analysis_finished")) + self._setup_optional_config(config) + self.report_version = self._get_report_version() + + def from_base64_string( + self, config: Dict[str, Any], data: str, filename: str + ) -> None: + """ read base64 encoded summary json """ + + buffer = base64.b64decode(data) + self.report = json.loads(buffer) + self.report_name = filename + + if "analysis_details" in self.report: + self.report_version = ReportVersion.v1 + elif "analysis_metadata" in self.report: + self.report_version = ReportVersion.v2 + else: + raise VMRayParseError("Uploaded file is not a summary.json") + + self._setup_optional_config(config) + self.include_report = bool(int(config.get("Attach Report", "0"))) + + def _setup_optional_config(self, config: Dict[str, Any]) -> None: + self.include_analysis_id = bool(int(config.get("Analysis ID", "1"))) + self.include_vti_details = bool(int(config.get("VTI", "1"))) + self.include_iocs = bool(int(config.get("IOCs", "1"))) + self.include_all_artifacts = bool(int(config.get("Artifacts", "0"))) + self.include_analysis_details = bool(int(config.get("Analysis Details", "1"))) + + self.use_misp_object = not self._config_from_string( + config.get("disable_misp_objects") + ) + self.tag_objects = not self._config_from_string(config.get("disable_tags")) + + @staticmethod + def _config_from_string(text: Optional[str]) -> bool: + if not text: + return False + + text = text.lower() + return text in ("yes", "true") + + @staticmethod + def _read_config_key(config: Dict[str, Any], key: str) -> str: + try: + value = config[key] + return value + except KeyError: + raise VMRayParseError(f"VMRay config is missing a value for `{key}`.") + + @staticmethod + def _analysis_score_to_taxonomies(analysis_score: int) -> Optional[str]: + mapping = { + -1: "-1", + 1: "1/5", + 2: "2/5", + 3: "3/5", + 4: "4/5", + 5: "5/5", + } + + try: + return mapping[analysis_score] + except KeyError: + return None + + def _get_report_version(self) -> ReportVersion: + info = self._vmary_api_call("/rest/system_info") + if info["version_major"] >= 4: + return ReportVersion.v2 + + # version 3.2 an less do not tag artifacts as ICOs + # so we extract all artifacts + if info["version_major"] == 3 and info["version_minor"] < 3: + self.include_all_artifacts = True + return ReportVersion.v1 + + def _vmary_api_call( + self, api_path: str, params: Dict[str, Any] = None, raw_data: bool = False + ) -> Union[Dict[str, Any], bytes]: + try: + return self.api.call("GET", api_path, params=params, raw_data=raw_data) + except (VMRayRESTAPIError, ValueError) as exc: + raise VMRayParseError(str(exc)) + + def _get_analysis(self) -> Dict[str, Any]: + return self._vmary_api_call(f"/rest/analysis/sample/{self.sample_id}") + + def _analysis_finished(self) -> bool: + result = self._vmary_api_call(f"/rest/submission/sample/{self.sample_id}") + + all_finished = [] + for submission in result: + finished = submission["submission_finished"] + all_finished.append(finished) + + return all(all_finished) + + def _online_reports(self) -> Iterator[Tuple[ReportParser, str]]: + # check if sample id exists + try: + self._vmary_api_call(f"/rest/sample/{self.sample_id}") + except VMRayRESTAPIError: + raise VMRayParseError( + f"Could not find sample id `{self.sample_id}` on server." + ) + + # check if all submission are finished + if not self.ignore_analysis_finished and not self._analysis_finished(): + raise VMRayParseError( + f"Not all analysis for `{self.sample_id}` are finished. " + "Try it again in a few minutes." + ) + + analysis_results = self._get_analysis() + for analysis in analysis_results: + analysis_id = analysis["analysis_id"] + permalink = analysis["analysis_webif_url"] + + # the summary json could not exist, due to a VM error + try: + if self.report_version == ReportVersion.v1: + report_parser = Summary(api=self.api, analysis_id=analysis_id) + else: + report_parser = SummaryV2(api=self.api, analysis_id=analysis_id) + except VMRayRESTAPIError: + continue + + yield report_parser, permalink + + def _offline_report(self) -> ReportParser: + if self.report_version == ReportVersion.v1: + analysis_id = 0 + return Summary(report=self.report, analysis_id=analysis_id) + else: + analysis_id = self.report["analysis_metadata"]["analysis_id"] + return SummaryV2(report=self.report, analysis_id=analysis_id) + + def _reports(self) -> Iterator[Tuple[ReportParser, Optional[str]]]: + if self.report: + yield self._offline_report(), None + else: + yield from self._online_reports() + + def _get_sample_verdict(self) -> Optional[str]: + if self.report: + if self.report_version == ReportVersion.v2: + verdict = SummaryV2.convert_verdict( + self.report["analysis_metadata"]["verdict"] + ) + return verdict + return None + + data = self._vmary_api_call(f"/rest/sample/{self.sample_id}") + if "sample_verdict" in data: + verdict = SummaryV2.convert_verdict(data["sample_verdict"]) + return verdict + + if "sample_severity" in data: + verdict = Summary.to_verdict(data["sample_severity"]) + return verdict + + return None + + def parse(self) -> None: + """ Convert analysis results to MISP Objects """ + + if self.use_misp_object: + self.parse_as_misp_object() + else: + self.parse_as_attributes() + + def parse_as_attributes(self) -> None: + """ + Parse report as attributes + This method is compatible with the implementation provided + by Koen Van Impe + """ + + for report, permalink in self._reports(): + if report.is_static_report(): + continue + + if self.include_analysis_details: + for detail in report.details(): + attr = Attribute(type="text", value=detail) + self.attributes.append(attr) + + classifications = report.classifications() + if classifications: + attr = Attribute(type="text", value=classifications) + self.attributes.append(attr) + + if self.include_vti_details: + for vti in report.vtis(): + attr = Attribute(type="text", value=vti.operation) + self.attributes.append(attr) + + for artifact in report.artifacts(): + if self.include_all_artifacts or ( + self.include_iocs and artifact.is_ioc + ): + for attr in artifact.to_attributes(): + self.attributes.append(attr) + + if self.include_analysis_id and permalink: + attr = Attribute(type="link", value=permalink) + self.attributes.append(attr) + + def parse_as_misp_object(self): + mitre_attacks = [] + vtis = [] + artifacts = [] + + # add sandbox signature + sb_sig = MISPObject(name="sb-signature") + sb_sig.add_attribute("software", "VMRay Platform") + + for report, permalink in self._reports(): + if report.is_static_report(): + continue + + # create sandbox object + obj = MISPObject(name="sandbox-report") + obj.add_attribute("on-premise-sandbox", "vmray") + + if permalink: + obj.add_attribute("permalink", permalink) + + if self.include_report and self.report: + report_data = base64.b64encode( + json.dumps(self.report, indent=2).encode("utf-8") + ).decode("utf-8") + obj.add_attribute( + "sandbox-file", value=self.report_name, data=report_data + ) + + score = report.score() + attr_score = obj.add_attribute("score", score) + + if self.tag_objects: + attr_score.add_tag(f'vmray:verdict="{score}"') + + sandbox_type = report.sandbox_type() + obj.add_attribute("sandbox-type", sandbox_type) + + classifications = report.classifications() + if classifications: + obj.add_attribute("results", classifications) + + self.event.add_object(obj) + + if self.include_vti_details: + for vti in report.vtis(): + if vti not in vtis: + vtis.append(vti) + + for artifact in report.artifacts(): + if self.include_all_artifacts or ( + self.include_iocs and artifact.is_ioc + ): + if artifact not in artifacts: + artifacts.append(artifact) + else: + idx = artifacts.index(artifact) + dup = artifacts[idx] + dup.merge(artifact) + + for mitre_attack in report.mitre_attacks(): + if mitre_attack not in mitre_attacks: + mitre_attacks.append(mitre_attack) + + # process VTI's + for vti in vtis: + vti_text = f"{vti.category}: {vti.operation}. {vti.technique}" + vti_attr = sb_sig.add_attribute("signature", value=vti_text) + + if self.tag_objects: + value = self._analysis_score_to_taxonomies(vti.score) + if value: + vti_attr.add_tag(f'vmray:vti_analysis_score="{value}"') + + self.event.add_object(sb_sig) + + # process artifacts + for artifact in artifacts: + artifact_obj = artifact.to_misp_object(self.tag_objects) + self.event.add_object(artifact_obj) + + # tag event with Mitre Att&ck + for mitre_attack in mitre_attacks: + self.event.add_tag(mitre_attack.to_misp_galaxy()) + + # tag event + if self.tag_objects: + verdict = self._get_sample_verdict() + if verdict: + self.event.add_tag(f'vmray:verdict="{verdict}"') + + def to_json(self) -> Dict[str, Any]: + """ Convert parsed results into JSON """ + + if not self.use_misp_object: + results = [] + + # remove duplicates + for attribute in self.attributes: + if attribute not in results: + results.append(asdict(attribute)) + + # add attributes to event + for attribute in results: + self.event.add_attribute(**attribute) + + self.event.run_expansions() + event = json.loads(self.event.to_json()) + + return {"results": event} diff --git a/misp_modules/modules/import_mod/_vmray/vmray_rest_api.py b/misp_modules/lib/_vmray/rest_api.py similarity index 100% rename from misp_modules/modules/import_mod/_vmray/vmray_rest_api.py rename to misp_modules/lib/_vmray/rest_api.py diff --git a/misp_modules/lib/cof2misp/LICENSE-2.0.txt b/misp_modules/lib/cof2misp/LICENSE-2.0.txt new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/misp_modules/lib/cof2misp/LICENSE-2.0.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/misp_modules/modules/import_mod/_vmray/__init__.py b/misp_modules/lib/cof2misp/__init__.py similarity index 100% rename from misp_modules/modules/import_mod/_vmray/__init__.py rename to misp_modules/lib/cof2misp/__init__.py diff --git a/misp_modules/lib/cof2misp/cof.py b/misp_modules/lib/cof2misp/cof.py new file mode 100644 index 0000000..d7420a0 --- /dev/null +++ b/misp_modules/lib/cof2misp/cof.py @@ -0,0 +1,165 @@ +""" +Common Output Format for passive DNS library. + +Copyright 2021: Farsight Security (https://www.farsightsecurity.com/) + +Author: Aaron Kaplan + +Released under the Apache 2.0 license. +See: https://www.apache.org/licenses/LICENSE-2.0.txt + +""" + +import ipaddress +import sys +import ndjson + + +def is_valid_ip(ip: str) -> bool: + """Check if an IP address given as string would be convertible to + an ipaddress object (and thus if it is a valid IP). + + Returns + -------- + True on success, False on validation failure. + """ + + try: + ipaddress.ip_address(ip) + except Exception as ex: + print("is_valid_ip(%s) returned False. Reason: %s" % (ip, str(ex)), file = sys.stderr) + return False + return True + + +def is_cof_valid_strict(d: dict) -> bool: + """Check the COF - do the full JSON schema validation. + + Returns + -------- + True on success, False on validation failure. + """ + return True # FIXME + + +def is_cof_valid_simple(d: dict) -> bool: + """Check MANDATORY fields according to COF - simple check, do not do the full JSON schema validation. + + Returns + -------- + True on success, False on validation failure. + """ + + if "rrname" not in d: + print("Missing MANDATORY field 'rrname'", file = sys.stderr) + return False + if not isinstance(d['rrname'], str): + print("Type error: 'rrname' is not a JSON string", file = sys.stderr) + return False + if "rrtype" not in d: + print("Missing MANDATORY field 'rrtype'", file = sys.stderr) + return False + if not isinstance(d['rrtype'], str): + print("Type error: 'rrtype' is not a JSON string", file = sys.stderr) + return False + if "rdata" not in d: + print("Missing MANDATORY field 'rdata'", file = sys.stderr) + return False + if "rdata" not in d: + print("Missing MANDATORY field 'rdata'", file = sys.stderr) + return False + if not isinstance(d['rdata'], str) and not isinstance(d['rdata'], list): + print("'rdata' is not a list and not a string.", file = sys.stderr) + return False + if not ("time_first" in d and "time_last" in d) or ("zone_time_first" in d and "zone_time_last" in d): + print("We are missing EITHER ('first_seen' and 'last_seen') OR ('zone_time_first' and zone_time_last') fields", + file = sys.stderr) + return False + # currently we don't check the OPTIONAL fields. Sorry... to be done later. + return True + + +def validate_cof(d: dict, strict=True) -> bool: + """Validate an input passive DNS COF (given as dict). + strict might be set to False in order to loosen the checking. + With strict==True, a full JSON Schema validation will happen. + + + Returns + -------- + True on success, False on validation failure. + """ + if not strict: + return is_cof_valid_simple(d) + else: + return is_cof_valid_strict(d) + + +def validate_dnsdbflex(d: dict, strict=True) -> bool: + """ + Validate if dict d is valid dnsdbflex. It should looks like this: + { "rrtype": , "rrname": } + """ + if "rrname" not in d: + print("Missing MANDATORY field 'rrname'", file = sys.stderr) + return False + if not isinstance(d['rrname'], str): + print("Type error: 'rrname' is not a JSON string", file = sys.stderr) + return False + if "rrtype" not in d: + print("Missing MANDATORY field 'rrtype'", file = sys.stderr) + return False + if not isinstance(d['rrtype'], str): + print("Type error: 'rrtype' is not a JSON string", file = sys.stderr) + return False + return True + + +if __name__ == "__main__": + # simple, poor man's unit tests. + + print(80 * "=", file = sys.stderr) + print("Unit Tests:", file = sys.stderr) + assert not is_valid_ip("a.2.3.4") + assert is_valid_ip("99.88.77.6") + assert is_valid_ip("2a0c:88:77:6::1") + + # COF validation + print(80 * "=", file = sys.stderr) + print("COF unit tests....", file = sys.stderr) + + mock_input = """{"count":1909,"rdata":["cpa.circl.lu"],"rrname":"www.circl.lu","rrtype":"CNAME","time_first":"1315586409","time_last":"1449566799"} +{"count":2560,"rdata":["cpab.circl.lu"],"rrname":"www.circl.lu","rrtype":"CNAME","time_first":"1449584660","time_last":"1617676151"}""" + + i = 0 + for entry in ndjson.loads(mock_input): + retval = validate_cof(entry, strict = False) + assert retval + print("line %d is valid: %s" % (i, retval)) + i += 1 + + test2 = '{"count": 2, "time_first": 1619556027, "time_last": 1619556034, "rrname": "westernunion.com.ph.unblock-all.com.beta.opera-mini.net.", "rrtype": "A", "bailiwick": "beta.opera-mini.net.", "rdata": ["185.26.181.253"]}' + for entry in ndjson.loads(test2): + assert validate_cof(entry) + + # dnsdbflex validation + print(80 * "=", file = sys.stderr) + print("dnsdbflex unit tests....", file = sys.stderr) + + mock_input = """{"rrname":"labs.deep-insights.ai.","rrtype":"A"} +{"rrname":"www.deep-insights.ca.","rrtype":"CNAME"} +{"rrname":"mail.deep-insights.ca.","rrtype":"CNAME"} +{"rrname":"cpanel.deep-insights.ca.","rrtype":"A"} +{"rrname":"webdisk.deep-insights.ca.","rrtype":"A"} +{"rrname":"webmail.deep-insights.ca.","rrtype":"A"}""" + + i = 0 + for entry in ndjson.loads(mock_input): + retval = validate_dnsdbflex(entry, strict = False) + assert retval + print("dnsdbflex line %d is valid: %s" % (i, retval)) + i += 1 + + + print(80 * "=", file = sys.stderr) + print("Unit Tests DONE", file = sys.stderr) diff --git a/misp_modules/lib/joe_mapping.py b/misp_modules/lib/joe_mapping.py new file mode 100644 index 0000000..eda961e --- /dev/null +++ b/misp_modules/lib/joe_mapping.py @@ -0,0 +1,114 @@ +arch_type_mapping = { + 'ANDROID': 'parse_apk', + 'LINUX': 'parse_elf', + 'WINDOWS': 'parse_pe' +} +domain_object_mapping = { + '@ip': {'type': 'ip-dst', 'object_relation': 'ip'}, + '@name': {'type': 'domain', 'object_relation': 'domain'} +} +dropped_file_mapping = { + '@entropy': {'type': 'float', 'object_relation': 'entropy'}, + '@file': {'type': 'filename', 'object_relation': 'filename'}, + '@size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'}, + '@type': {'type': 'mime-type', 'object_relation': 'mimetype'} +} +dropped_hash_mapping = { + 'MD5': 'md5', + 'SHA': 'sha1', + 'SHA-256': 'sha256', + 'SHA-512': 'sha512' +} +elf_object_mapping = { + 'epaddr': 'entrypoint-address', + 'machine': 'arch', + 'osabi': 'os_abi' +} +elf_section_flags_mapping = { + 'A': 'ALLOC', + 'I': 'INFO_LINK', + 'M': 'MERGE', + 'S': 'STRINGS', + 'T': 'TLS', + 'W': 'WRITE', + 'X': 'EXECINSTR' +} +file_object_fields = ( + 'filename', + 'md5', + 'sha1', + 'sha256', + 'sha512', + 'ssdeep' +) +file_object_mapping = { + 'entropy': {'type': 'float', 'object_relation': 'entropy'}, + 'filesize': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'}, + 'filetype': {'type': 'mime-type', 'object_relation': 'mimetype'} +} +file_references_mapping = { + 'fileCreated': 'creates', + 'fileDeleted': 'deletes', + 'fileMoved': 'moves', + 'fileRead': 'reads', + 'fileWritten': 'writes' +} +network_behavior_fields = ('srcip', 'dstip', 'srcport', 'dstport') +network_connection_object_mapping = { + 'srcip': {'type': 'ip-src', 'object_relation': 'ip-src'}, + 'dstip': {'type': 'ip-dst', 'object_relation': 'ip-dst'}, + 'srcport': {'type': 'port', 'object_relation': 'src-port'}, + 'dstport': {'type': 'port', 'object_relation': 'dst-port'} +} +pe_object_fields = { + 'entrypoint': {'type': 'text', 'object_relation': 'entrypoint-address'}, + 'imphash': {'type': 'imphash', 'object_relation': 'imphash'} +} +pe_object_mapping = { + 'CompanyName': 'company-name', + 'FileDescription': 'file-description', + 'FileVersion': 'file-version', + 'InternalName': 'internal-filename', + 'LegalCopyright': 'legal-copyright', + 'OriginalFilename': 'original-filename', + 'ProductName': 'product-filename', + 'ProductVersion': 'product-version', + 'Translation': 'lang-id' +} +pe_section_object_mapping = { + 'characteristics': {'type': 'text', 'object_relation': 'characteristic'}, + 'entropy': {'type': 'float', 'object_relation': 'entropy'}, + 'name': {'type': 'text', 'object_relation': 'name'}, + 'rawaddr': {'type': 'hex', 'object_relation': 'offset'}, + 'rawsize': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'}, + 'virtaddr': {'type': 'hex', 'object_relation': 'virtual_address'}, + 'virtsize': {'type': 'size-in-bytes', 'object_relation': 'virtual_size'} +} +process_object_fields = { + 'cmdline': 'command-line', + 'name': 'name', + 'parentpid': 'parent-pid', + 'pid': 'pid', + 'path': 'current-directory' +} +protocols = { + 'tcp': 4, + 'udp': 4, + 'icmp': 3, + 'http': 7, + 'https': 7, + 'ftp': 7 +} +registry_references_mapping = { + 'keyValueCreated': 'creates', + 'keyValueModified': 'modifies' +} +regkey_object_mapping = { + 'name': {'type': 'text', 'object_relation': 'name'}, + 'newdata': {'type': 'text', 'object_relation': 'data'}, + 'path': {'type': 'regkey', 'object_relation': 'key'} +} +signerinfo_object_mapping = { + 'sigissuer': {'type': 'text', 'object_relation': 'issuer'}, + 'version': {'type': 'text', 'object_relation': 'version'} +} diff --git a/misp_modules/lib/joe_parser.py b/misp_modules/lib/joe_parser.py index 22a4918..e701ff3 100644 --- a/misp_modules/lib/joe_parser.py +++ b/misp_modules/lib/joe_parser.py @@ -1,53 +1,15 @@ # -*- coding: utf-8 -*- +import json from collections import defaultdict from datetime import datetime from pymisp import MISPAttribute, MISPEvent, MISPObject -import json - - -arch_type_mapping = {'ANDROID': 'parse_apk', 'LINUX': 'parse_elf', 'WINDOWS': 'parse_pe'} -domain_object_mapping = {'@ip': ('ip-dst', 'ip'), '@name': ('domain', 'domain')} -dropped_file_mapping = {'@entropy': ('float', 'entropy'), - '@file': ('filename', 'filename'), - '@size': ('size-in-bytes', 'size-in-bytes'), - '@type': ('mime-type', 'mimetype')} -dropped_hash_mapping = {'MD5': 'md5', 'SHA': 'sha1', 'SHA-256': 'sha256', 'SHA-512': 'sha512'} -elf_object_mapping = {'epaddr': 'entrypoint-address', 'machine': 'arch', 'osabi': 'os_abi'} -elf_section_flags_mapping = {'A': 'ALLOC', 'I': 'INFO_LINK', 'M': 'MERGE', - 'S': 'STRINGS', 'T': 'TLS', 'W': 'WRITE', - 'X': 'EXECINSTR'} -file_object_fields = ['filename', 'md5', 'sha1', 'sha256', 'sha512', 'ssdeep'] -file_object_mapping = {'entropy': ('float', 'entropy'), - 'filesize': ('size-in-bytes', 'size-in-bytes'), - 'filetype': ('mime-type', 'mimetype')} -file_references_mapping = {'fileCreated': 'creates', 'fileDeleted': 'deletes', - 'fileMoved': 'moves', 'fileRead': 'reads', 'fileWritten': 'writes'} -network_behavior_fields = ('srcip', 'dstip', 'srcport', 'dstport') -network_connection_object_mapping = {'srcip': ('ip-src', 'ip-src'), 'dstip': ('ip-dst', 'ip-dst'), - 'srcport': ('port', 'src-port'), 'dstport': ('port', 'dst-port')} -pe_object_fields = {'entrypoint': ('text', 'entrypoint-address'), - 'imphash': ('imphash', 'imphash')} -pe_object_mapping = {'CompanyName': 'company-name', 'FileDescription': 'file-description', - 'FileVersion': 'file-version', 'InternalName': 'internal-filename', - 'LegalCopyright': 'legal-copyright', 'OriginalFilename': 'original-filename', - 'ProductName': 'product-filename', 'ProductVersion': 'product-version', - 'Translation': 'lang-id'} -pe_section_object_mapping = {'characteristics': ('text', 'characteristic'), - 'entropy': ('float', 'entropy'), - 'name': ('text', 'name'), 'rawaddr': ('hex', 'offset'), - 'rawsize': ('size-in-bytes', 'size-in-bytes'), - 'virtaddr': ('hex', 'virtual_address'), - 'virtsize': ('size-in-bytes', 'virtual_size')} -process_object_fields = {'cmdline': 'command-line', 'name': 'name', - 'parentpid': 'parent-pid', 'pid': 'pid', - 'path': 'current-directory'} -protocols = {'tcp': 4, 'udp': 4, 'icmp': 3, - 'http': 7, 'https': 7, 'ftp': 7} -registry_references_mapping = {'keyValueCreated': 'creates', 'keyValueModified': 'modifies'} -regkey_object_mapping = {'name': ('text', 'name'), 'newdata': ('text', 'data'), - 'path': ('regkey', 'key')} -signerinfo_object_mapping = {'sigissuer': ('text', 'issuer'), - 'version': ('text', 'version')} +from joe_mapping import (arch_type_mapping, domain_object_mapping, + dropped_file_mapping, dropped_hash_mapping, elf_object_mapping, + elf_section_flags_mapping, file_object_fields, file_object_mapping, + file_references_mapping, network_behavior_fields, + network_connection_object_mapping, pe_object_fields, pe_object_mapping, + pe_section_object_mapping, process_object_fields, protocols, + registry_references_mapping, regkey_object_mapping, signerinfo_object_mapping) class JoeParser(): @@ -57,7 +19,7 @@ class JoeParser(): self.attributes = defaultdict(lambda: defaultdict(set)) self.process_references = {} - self.import_pe = config["import_pe"] + self.import_executable = config["import_executable"] self.create_mitre_attack = config["mitre_attack"] def parse_data(self, data): @@ -101,26 +63,46 @@ class JoeParser(): for droppedfile in droppedinfo['hash']: file_object = MISPObject('file') for key, mapping in dropped_file_mapping.items(): - attribute_type, object_relation = mapping - file_object.add_attribute(object_relation, **{'type': attribute_type, 'value': droppedfile[key], 'to_ids': False}) + if droppedfile.get(key) is not None: + attribute = {'value': droppedfile[key], 'to_ids': False} + attribute.update(mapping) + file_object.add_attribute(**attribute) if droppedfile['@malicious'] == 'true': - file_object.add_attribute('state', **{'type': 'text', 'value': 'Malicious', 'to_ids': False}) + file_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': 'state', + 'value': 'Malicious', + 'to_ids': False + } + ) for h in droppedfile['value']: hash_type = dropped_hash_mapping[h['@algo']] - file_object.add_attribute(hash_type, **{'type': hash_type, 'value': h['$'], 'to_ids': False}) - self.misp_event.add_object(**file_object) - self.references[self.process_references[(int(droppedfile['@targetid']), droppedfile['@process'])]].append({ - 'referenced_uuid': file_object.uuid, - 'relationship_type': 'drops' - }) + file_object.add_attribute( + **{ + 'type': hash_type, + 'object_relation': hash_type, + 'value': h['$'], + 'to_ids': False + } + ) + self.misp_event.add_object(file_object) + reference_key = (int(droppedfile['@targetid']), droppedfile['@process']) + if reference_key in self.process_references: + self.references[self.process_references[reference_key]].append( + { + 'referenced_uuid': file_object.uuid, + 'relationship_type': 'drops' + } + ) def parse_mitre_attack(self): - mitreattack = self.data['mitreattack'] + mitreattack = self.data.get('mitreattack', {}) if mitreattack: for tactic in mitreattack['tactic']: if tactic.get('technique'): for technique in tactic['technique']: - self.misp_event.add_tag('misp-galaxy:mitre-attack-pattern="{} - {}"'.format(technique['name'], technique['id'])) + self.misp_event.add_tag(f'misp-galaxy:mitre-attack-pattern="{technique["name"]} - {technique["id"]}"') def parse_network_behavior(self): network = self.data['behavior']['network'] @@ -129,44 +111,74 @@ class JoeParser(): if network.get(protocol): for packet in network[protocol]['packet']: timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%b %d, %Y %H:%M:%S.%f') - connections[tuple(packet[field] for field in network_behavior_fields)][protocol].add(timestamp) + connections[tuple(packet.get(field) for field in network_behavior_fields)][protocol].add(timestamp) for connection, data in connections.items(): attributes = self.prefetch_attributes_data(connection) if len(data.keys()) == len(set(protocols[protocol] for protocol in data.keys())): network_connection_object = MISPObject('network-connection') - for object_relation, attribute in attributes.items(): - network_connection_object.add_attribute(object_relation, **attribute) - network_connection_object.add_attribute('first-packet-seen', - **{'type': 'datetime', - 'value': min(tuple(min(timestamp) for timestamp in data.values())), - 'to_ids': False}) + for attribute in attributes: + network_connection_object.add_attribute(**attribute) + network_connection_object.add_attribute( + **{ + 'type': 'datetime', + 'object_relation': 'first-packet-seen', + 'value': min(tuple(min(timestamp) for timestamp in data.values())), + 'to_ids': False + } + ) for protocol in data.keys(): - network_connection_object.add_attribute('layer{}-protocol'.format(protocols[protocol]), - **{'type': 'text', 'value': protocol, 'to_ids': False}) - self.misp_event.add_object(**network_connection_object) + network_connection_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': f'layer{protocols[protocol]}-protocol', + 'value': protocol, + 'to_ids': False + } + ) + self.misp_event.add_object(network_connection_object) self.references[self.analysisinfo_uuid].append(dict(referenced_uuid=network_connection_object.uuid, relationship_type='initiates')) else: for protocol, timestamps in data.items(): network_connection_object = MISPObject('network-connection') - for object_relation, attribute in attributes.items(): - network_connection_object.add_attribute(object_relation, **attribute) - network_connection_object.add_attribute('first-packet-seen', **{'type': 'datetime', 'value': min(timestamps), 'to_ids': False}) - network_connection_object.add_attribute('layer{}-protocol'.format(protocols[protocol]), **{'type': 'text', 'value': protocol, 'to_ids': False}) - self.misp_event.add_object(**network_connection_object) + for attribute in attributes: + network_connection_object.add_attribute(**attribute) + network_connection_object.add_attribute( + **{ + 'type': 'datetime', + 'object_relation': 'first-packet-seen', + 'value': min(timestamps), + 'to_ids': False + } + ) + network_connection_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': f'layer{protocols[protocol]}-protocol', + 'value': protocol, + 'to_ids': False + } + ) + self.misp_event.add_object(network_connection_object) self.references[self.analysisinfo_uuid].append(dict(referenced_uuid=network_connection_object.uuid, relationship_type='initiates')) def parse_screenshot(self): - screenshotdata = self.data['behavior']['screenshotdata'] - if screenshotdata: - screenshotdata = screenshotdata['interesting']['$'] - attribute = {'type': 'attachment', 'value': 'screenshot.jpg', - 'data': screenshotdata, 'disable_correlation': True, - 'to_ids': False} - self.misp_event.add_attribute(**attribute) + if self.data['behavior'].get('screenshotdata', {}).get('interesting') is not None: + screenshotdata = self.data['behavior']['screenshotdata']['interesting']['$'] + self.misp_event.add_attribute( + **{ + 'type': 'attachment', + 'value': 'screenshot.jpg', + 'data': screenshotdata, + 'disable_correlation': True, + 'to_ids': False + } + ) def parse_system_behavior(self): + if not 'system' in self.data['behavior']: + return system = self.data['behavior']['system'] if system.get('processes'): process_activities = {'fileactivities': self.parse_fileactivities, @@ -175,10 +187,24 @@ class JoeParser(): general = process['general'] process_object = MISPObject('process') for feature, relation in process_object_fields.items(): - process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature], 'to_ids': False}) - start_time = datetime.strptime('{} {}'.format(general['date'], general['time']), '%d/%m/%Y %H:%M:%S') - process_object.add_attribute('start-time', **{'type': 'datetime', 'value': start_time, 'to_ids': False}) - self.misp_event.add_object(**process_object) + process_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': relation, + 'value': general[feature], + 'to_ids': False + } + ) + start_time = datetime.strptime(f"{general['date']} {general['time']}", '%d/%m/%Y %H:%M:%S') + process_object.add_attribute( + **{ + 'type': 'datetime', + 'object_relation': 'start-time', + 'value': start_time, + 'to_ids': False + } + ) + self.misp_event.add_object(process_object) for field, to_call in process_activities.items(): if process.get(field): to_call(process_object.uuid, process[field]) @@ -211,9 +237,15 @@ class JoeParser(): url_object = MISPObject("url") self.analysisinfo_uuid = url_object.uuid - - url_object.add_attribute("url", generalinfo["target"]["url"], to_ids=False) - self.misp_event.add_object(**url_object) + url_object.add_attribute( + **{ + 'type': 'url', + 'object_relation': 'url', + 'value': generalinfo["target"]["url"], + 'to_ids': False + } + ) + self.misp_event.add_object(url_object) def parse_fileinfo(self): fileinfo = self.data['fileinfo'] @@ -222,20 +254,29 @@ class JoeParser(): self.analysisinfo_uuid = file_object.uuid for field in file_object_fields: - file_object.add_attribute(field, **{'type': field, 'value': fileinfo[field], 'to_ids': False}) + file_object.add_attribute( + **{ + 'type': field, + 'object_relation': field, + 'value': fileinfo[field], + 'to_ids': False + } + ) for field, mapping in file_object_mapping.items(): - attribute_type, object_relation = mapping - file_object.add_attribute(object_relation, **{'type': attribute_type, 'value': fileinfo[field], 'to_ids': False}) + if fileinfo.get(field) is not None: + attribute = {'value': fileinfo[field], 'to_ids': False} + attribute.update(mapping) + file_object.add_attribute(**attribute) arch = self.data['generalinfo']['arch'] - if arch in arch_type_mapping: + if self.import_executable and arch in arch_type_mapping: to_call = arch_type_mapping[arch] getattr(self, to_call)(fileinfo, file_object) else: - self.misp_event.add_object(**file_object) + self.misp_event.add_object(file_object) def parse_apk(self, fileinfo, file_object): apkinfo = fileinfo['apk'] - self.misp_event.add_object(**file_object) + self.misp_event.add_object(file_object) permission_lists = defaultdict(list) for permission in apkinfo['requiredpermissions']['permission']: permission = permission['@name'].split('.') @@ -243,16 +284,30 @@ class JoeParser(): attribute_type = 'text' for comment, permissions in permission_lists.items(): permission_object = MISPObject('android-permission') - permission_object.add_attribute('comment', **dict(type=attribute_type, value=comment, to_ids=False)) + permission_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': 'comment', + 'value': comment, + 'to_ids': False + } + ) for permission in permissions: - permission_object.add_attribute('permission', **dict(type=attribute_type, value=permission, to_ids=False)) - self.misp_event.add_object(**permission_object) + permission_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': 'permission', + 'value': permission, + 'to_ids': False + } + ) + self.misp_event.add_object(permission_object) self.references[file_object.uuid].append(dict(referenced_uuid=permission_object.uuid, relationship_type='grants')) def parse_elf(self, fileinfo, file_object): elfinfo = fileinfo['elf'] - self.misp_event.add_object(**file_object) + self.misp_event.add_object(file_object) attribute_type = 'text' relationship = 'includes' size = 'size-in-bytes' @@ -264,47 +319,96 @@ class JoeParser(): if elf.get('type'): # Haven't seen anything but EXEC yet in the files I tested attribute_value = "EXECUTABLE" if elf['type'] == "EXEC (Executable file)" else elf['type'] - elf_object.add_attribute('type', **dict(type=attribute_type, value=attribute_value, to_ids=False)) + elf_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': 'type', + 'value': attribute_value, + 'to_ids': False + } + ) for feature, relation in elf_object_mapping.items(): if elf.get(feature): - elf_object.add_attribute(relation, **dict(type=attribute_type, value=elf[feature], to_ids=False)) + elf_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': relation, + 'value': elf[feature], + 'to_ids': False + } + ) sections_number = len(fileinfo['sections']['section']) - elf_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number, 'to_ids': False}) - self.misp_event.add_object(**elf_object) + elf_object.add_attribute( + **{ + 'type': 'counter', + 'object_relation': 'number-sections', + 'value': sections_number, + 'to_ids': False + } + ) + self.misp_event.add_object(elf_object) for section in fileinfo['sections']['section']: section_object = MISPObject('elf-section') for feature in ('name', 'type'): if section.get(feature): - section_object.add_attribute(feature, **dict(type=attribute_type, value=section[feature], to_ids=False)) + section_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': feature, + 'value': section[feature], + 'to_ids': False + } + ) if section.get('size'): - section_object.add_attribute(size, **dict(type=size, value=int(section['size'], 16), to_ids=False)) + section_object.add_attribute( + **{ + 'type': size, + 'object_relation': size, + 'value': int(section['size'], 16), + 'to_ids': False + } + ) for flag in section['flagsdesc']: try: attribute_value = elf_section_flags_mapping[flag] - section_object.add_attribute('flag', **dict(type=attribute_type, value=attribute_value, to_ids=False)) + section_object.add_attribute( + **{ + 'type': attribute_type, + 'object_relation': 'flag', + 'value': attribute_value, + 'to_ids': False + } + ) except KeyError: print(f'Unknown elf section flag: {flag}') continue - self.misp_event.add_object(**section_object) + self.misp_event.add_object(section_object) self.references[elf_object.uuid].append(dict(referenced_uuid=section_object.uuid, relationship_type=relationship)) def parse_pe(self, fileinfo, file_object): - if not self.import_pe: - return try: peinfo = fileinfo['pe'] except KeyError: - self.misp_event.add_object(**file_object) + self.misp_event.add_object(file_object) return pe_object = MISPObject('pe') relationship = 'includes' file_object.add_reference(pe_object.uuid, relationship) - self.misp_event.add_object(**file_object) + self.misp_event.add_object(file_object) for field, mapping in pe_object_fields.items(): - attribute_type, object_relation = mapping - pe_object.add_attribute(object_relation, **{'type': attribute_type, 'value': peinfo[field], 'to_ids': False}) - pe_object.add_attribute('compilation-timestamp', **{'type': 'datetime', 'value': int(peinfo['timestamp'].split()[0], 16), 'to_ids': False}) + if peinfo.get(field) is not None: + attribute = {'value': peinfo[field], 'to_ids': False} + attribute.update(mapping) + pe_object.add_attribute(**attribute) + pe_object.add_attribute( + **{ + 'type': 'datetime', + 'object_relation': 'compilation-timestamp', + 'value': int(peinfo['timestamp'].split()[0], 16), + 'to_ids': False + } + ) program_name = fileinfo['filename'] if peinfo['versions']: for feature in peinfo['versions']['version']: @@ -312,33 +416,57 @@ class JoeParser(): if name == 'InternalName': program_name = feature['value'] if name in pe_object_mapping: - pe_object.add_attribute(pe_object_mapping[name], **{'type': 'text', 'value': feature['value'], 'to_ids': False}) + pe_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': pe_object_mapping[name], + 'value': feature['value'], + 'to_ids': False + } + ) sections_number = len(peinfo['sections']['section']) - pe_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number, 'to_ids': False}) + pe_object.add_attribute( + **{ + 'type': 'counter', + 'object_relation': 'number-sections', + 'value': sections_number, + 'to_ids': False + } + ) signatureinfo = peinfo['signature'] if signatureinfo['signed']: signerinfo_object = MISPObject('authenticode-signerinfo') pe_object.add_reference(signerinfo_object.uuid, 'signed-by') - self.misp_event.add_object(**pe_object) - signerinfo_object.add_attribute('program-name', **{'type': 'text', 'value': program_name, 'to_ids': False}) + self.misp_event.add_object(pe_object) + signerinfo_object.add_attribute( + **{ + 'type': 'text', + 'object_relation': 'program-name', + 'value': program_name, + 'to_ids': False + } + ) for feature, mapping in signerinfo_object_mapping.items(): - attribute_type, object_relation = mapping - signerinfo_object.add_attribute(object_relation, **{'type': attribute_type, 'value': signatureinfo[feature], 'to_ids': False}) - self.misp_event.add_object(**signerinfo_object) + if signatureinfo.get(feature) is not None: + attribute = {'value': signatureinfo[feature], 'to_ids': False} + attribute.update(mapping) + signerinfo_object.add_attribute(**attribute) + self.misp_event.add_object(signerinfo_object) else: - self.misp_event.add_object(**pe_object) + self.misp_event.add_object(pe_object) for section in peinfo['sections']['section']: section_object = self.parse_pe_section(section) self.references[pe_object.uuid].append(dict(referenced_uuid=section_object.uuid, relationship_type=relationship)) - self.misp_event.add_object(**section_object) + self.misp_event.add_object(section_object) def parse_pe_section(self, section): section_object = MISPObject('pe-section') for feature, mapping in pe_section_object_mapping.items(): - if section.get(feature): - attribute_type, object_relation = mapping - section_object.add_attribute(object_relation, **{'type': attribute_type, 'value': section[feature], 'to_ids': False}) + if section.get(feature) is not None: + attribute = {'value': section[feature], 'to_ids': False} + attribute.update(mapping) + section_object.add_attribute(**attribute) return section_object def parse_network_interactions(self): @@ -348,10 +476,11 @@ class JoeParser(): if domain['@ip'] != 'unknown': domain_object = MISPObject('domain-ip') for key, mapping in domain_object_mapping.items(): - attribute_type, object_relation = mapping - domain_object.add_attribute(object_relation, - **{'type': attribute_type, 'value': domain[key], 'to_ids': False}) - self.misp_event.add_object(**domain_object) + if domain.get(key) is not None: + attribute = {'value': domain[key], 'to_ids': False} + attribute.update(mapping) + domain_object.add_attribute(**attribute) + self.misp_event.add_object(domain_object) reference = dict(referenced_uuid=domain_object.uuid, relationship_type='contacts') self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference) else: @@ -394,10 +523,19 @@ class JoeParser(): for call in registryactivities[feature]['call']: registry_key = MISPObject('registry-key') for field, mapping in regkey_object_mapping.items(): - attribute_type, object_relation = mapping - registry_key.add_attribute(object_relation, **{'type': attribute_type, 'value': call[field], 'to_ids': False}) - registry_key.add_attribute('data-type', **{'type': 'text', 'value': 'REG_{}'.format(call['type'].upper()), 'to_ids': False}) - self.misp_event.add_object(**registry_key) + if call.get(field) is not None: + attribute = {'value': call[field], 'to_ids': False} + attribute.update(mapping) + registry_key.add_attribute(**attribute) + registry_key.add_attribute( + **{ + 'type': 'text', + 'object_relation': 'data-type', + 'value': f"REG_{call['type'].upper()}", + 'to_ids': False + } + ) + self.misp_event.add_object(registry_key) self.references[process_uuid].append(dict(referenced_uuid=registry_key.uuid, relationship_type=relationship)) @@ -427,8 +565,9 @@ class JoeParser(): @staticmethod def prefetch_attributes_data(connection): - attributes = {} + attributes = [] for field, value in zip(network_behavior_fields, connection): - attribute_type, object_relation = network_connection_object_mapping[field] - attributes[object_relation] = {'type': attribute_type, 'value': value, 'to_ids': False} + attribute = {'value': value, 'to_ids': False} + attribute.update(network_connection_object_mapping[field]) + attributes.append(attribute) return attributes diff --git a/misp_modules/lib/misp-objects b/misp_modules/lib/misp-objects new file mode 160000 index 0000000..9dc7e35 --- /dev/null +++ b/misp_modules/lib/misp-objects @@ -0,0 +1 @@ +Subproject commit 9dc7e3578f2165e32a3b7cdd09e9e552f2d98d36 diff --git a/misp_modules/lib/qintel_helper.py b/misp_modules/lib/qintel_helper.py new file mode 100644 index 0000000..47106f7 --- /dev/null +++ b/misp_modules/lib/qintel_helper.py @@ -0,0 +1,263 @@ +# Copyright (c) 2009-2021 Qintel, LLC +# Licensed under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) + +from urllib.request import Request, urlopen +from urllib.parse import urlencode +from urllib.error import HTTPError +from time import sleep +from json import loads +import os +from copy import deepcopy +from datetime import datetime, timedelta +from gzip import GzipFile + +VERSION = '1.0.1' +USER_AGENT = 'integrations-helper' +MAX_RETRY_ATTEMPTS = 5 + +DEFAULT_HEADERS = { + 'User-Agent': f'{USER_AGENT}/{VERSION}' +} + +REMOTE_MAP = { + 'pmi': 'https://api.pmi.qintel.com', + 'qwatch': 'https://api.qwatch.qintel.com', + 'qauth': 'https://api.qauth.qintel.com', + 'qsentry_feed': 'https://qsentry.qintel.com', + 'qsentry': 'https://api.qsentry.qintel.com' +} + +ENDPOINT_MAP = { + 'pmi': { + 'ping': '/users/me', + 'cve': 'cves' + }, + 'qsentry_feed': { + 'anon': '/files/anonymization', + 'mal_hosting': '/files/malicious_hosting' + }, + 'qsentry': {}, + 'qwatch': { + 'ping': '/users/me', + 'exposures': 'exposures' + }, + 'qauth': {} +} + + +def _get_request_wait_time(attempts): + """ Use Fibonacci numbers for determining the time to wait when rate limits + have been encountered. + """ + + n = attempts + 3 + a, b = 1, 0 + for _ in range(n): + a, b = a + b, a + + return a + + +def _search(**kwargs): + remote = kwargs.get('remote') + max_retries = int(kwargs.get('max_retries', MAX_RETRY_ATTEMPTS)) + params = kwargs.get('params', {}) + headers = _set_headers(**kwargs) + + logger = kwargs.get('logger') + + params = urlencode(params) + url = remote + "?" + params + req = Request(url, headers=headers) + + request_attempts = 1 + while request_attempts < max_retries: + try: + return urlopen(req) + + except HTTPError as e: + response = e + + except Exception as e: + raise Exception('API connection error') from e + + if response.code not in [429, 504]: + raise Exception(f'API connection error: {response}') + + if request_attempts < max_retries: + wait_time = _get_request_wait_time(request_attempts) + + if response.code == 429: + msg = 'rate limit reached on attempt {request_attempts}, ' \ + 'waiting {wait_time} seconds' + + if logger: + logger(msg) + + else: + msg = f'connection timed out, retrying in {wait_time} seconds' + if logger: + logger(msg) + + sleep(wait_time) + + else: + raise Exception('Max API retries exceeded') + + request_attempts += 1 + + +def _set_headers(**kwargs): + headers = deepcopy(DEFAULT_HEADERS) + + if kwargs.get('user_agent'): + headers['User-Agent'] = \ + f"{kwargs['user_agent']}/{USER_AGENT}/{VERSION}" + + # TODO: deprecate + if kwargs.get('client_id') or kwargs.get('client_secret'): + try: + headers['Cf-Access-Client-Id'] = kwargs['client_id'] + headers['Cf-Access-Client-Secret'] = kwargs['client_secret'] + except KeyError: + raise Exception('missing client_id or client_secret') + + if kwargs.get('token'): + headers['x-api-key'] = kwargs['token'] + + return headers + + +def _set_remote(product, query_type, **kwargs): + remote = kwargs.get('remote') + endpoint = kwargs.get('endpoint', ENDPOINT_MAP[product].get(query_type)) + + if not remote: + remote = REMOTE_MAP[product] + + if not endpoint: + raise Exception('invalid search type') + + remote = remote.rstrip('/') + endpoint = endpoint.lstrip('/') + + return f'{remote}/{endpoint}' + + +def _process_qsentry(resp): + if resp.getheader('Content-Encoding', '') == 'gzip': + with GzipFile(fileobj=resp) as file: + for line in file.readlines(): + yield loads(line) + + +def search_pmi(search_term, query_type, **kwargs): + """ + Search PMI + + :param str search_term: Search term + :param str query_type: Query type [cve|ping] + :param dict kwargs: extra client args [remote|token|params] + :return: API JSON response object + :rtype: dict + """ + + kwargs['remote'] = _set_remote('pmi', query_type, **kwargs) + kwargs['token'] = kwargs.get('token', os.getenv('PMI_TOKEN')) + + params = kwargs.get('params', {}) + params.update({'identifier': search_term}) + kwargs['params'] = params + + return loads(_search(**kwargs).read()) + + +def search_qwatch(search_term, search_type, query_type, **kwargs): + """ + Search QWatch for exposed credentials + + :param str search_term: Search term + :param str search_type: Search term type [domain|email] + :param str query_type: Query type [exposures] + :param dict kwargs: extra client args [remote|token|params] + :return: API JSON response object + :rtype: dict + """ + + kwargs['remote'] = _set_remote('qwatch', query_type, **kwargs) + kwargs['token'] = kwargs.get('token', os.getenv('QWATCH_TOKEN')) + + params = kwargs.get('params', {}) + if search_type: + params.update({search_type: search_term}) + kwargs['params'] = params + + return loads(_search(**kwargs).read()) + + +def search_qauth(search_term, **kwargs): + """ + Search QAuth + + :param str search_term: Search term + :param dict kwargs: extra client args [remote|token|params] + :return: API JSON response object + :rtype: dict + """ + + if not kwargs.get('endpoint'): + kwargs['endpoint'] = '/' + + kwargs['remote'] = _set_remote('qauth', None, **kwargs) + kwargs['token'] = kwargs.get('token', os.getenv('QAUTH_TOKEN')) + + params = kwargs.get('params', {}) + params.update({'q': search_term}) + kwargs['params'] = params + + return loads(_search(**kwargs).read()) + + +def search_qsentry(search_term, **kwargs): + """ + Search QSentry + + :param str search_term: Search term + :param dict kwargs: extra client args [remote|token|params] + :return: API JSON response object + :rtype: dict + """ + + if not kwargs.get('endpoint'): + kwargs['endpoint'] = '/' + + kwargs['remote'] = _set_remote('qsentry', None, **kwargs) + kwargs['token'] = kwargs.get('token', os.getenv('QSENTRY_TOKEN')) + + params = kwargs.get('params', {}) + params.update({'q': search_term}) + kwargs['params'] = params + + return loads(_search(**kwargs).read()) + + +def qsentry_feed(query_type='anon', feed_date=datetime.today(), **kwargs): + """ + Fetch the most recent QSentry Feed + + :param str query_type: Feed type [anon|mal_hosting] + :param dict kwargs: extra client args [remote|token|params] + :param datetime feed_date: feed date to fetch + :return: API JSON response object + :rtype: Iterator[dict] + """ + + remote = _set_remote('qsentry_feed', query_type, **kwargs) + kwargs['token'] = kwargs.get('token', os.getenv('QSENTRY_TOKEN')) + + feed_date = (feed_date - timedelta(days=1)).strftime('%Y%m%d') + kwargs['remote'] = f'{remote}/{feed_date}' + + resp = _search(**kwargs) + for r in _process_qsentry(resp): + yield r diff --git a/misp_modules/lib/stix2misp.py b/misp_modules/lib/stix2misp.py new file mode 100644 index 0000000..0e92aed --- /dev/null +++ b/misp_modules/lib/stix2misp.py @@ -0,0 +1,2080 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# Copyright (C) 2017-2018 CIRCL Computer Incident Response Center Luxembourg (smile gie) +# Copyright (C) 2017-2018 Christian Studer +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import sys +import json +import os +import time +import io +import pymisp +import stix2misp_mapping +from collections import defaultdict +from copy import deepcopy +from pathlib import Path +_misp_dir = Path(os.path.realpath(__file__)).parents[4] +_misp_objects_path = _misp_dir / 'app' / 'files' / 'misp-objects' / 'objects' +_misp_types = pymisp.AbstractMISP().describe_types.get('types') +from pymisp import MISPEvent, MISPObject, MISPAttribute + +_scripts_path = Path(__file__).resolve().parents[1] +sys.path.insert(0, str(_scripts_path / 'cti-python-stix2')) +import stix2 + + +class StixParser(): + _galaxy_types = ('intrusion-set', 'malware', 'threat-actor', 'tool') + _stix2misp_mapping = {'marking-definition': '_load_marking', + 'relationship': '_load_relationship', + 'report': '_load_report', + 'indicator': '_parse_indicator', + 'observed-data': '_parse_observable', + 'identity': '_load_identity'} + _stix2misp_mapping.update({galaxy_type: '_load_galaxy' for galaxy_type in _galaxy_types}) + _special_mapping = {'attack-pattern': 'parse_attack_pattern', + 'course-of-action': 'parse_course_of_action', + 'vulnerability': 'parse_vulnerability'} + _timeline_mapping = {'indicator': ('valid_from', 'valid_until'), + 'observed-data': ('first_observed', 'last_observed')} + + def __init__(self): + super().__init__() + self.misp_event = MISPEvent() + self.relationship = defaultdict(list) + self.tags = set() + self.galaxy = {} + self.marking_definition = {} + + def handler(self, event, filename, args): + self.filename = filename + self.stix_version = f"STIX {event['spec_version'] if event.get('spec_version') else '2.1'}" + try: + event_distribution = args[0] + if not isinstance(event_distribution, int): + event_distribution = int(event_distribution) if event_distribution.isdigit() else 0 + except IndexError: + event_distribution = 0 + try: + attribute_distribution = args[1] + if attribute_distribution == 'event': + attribute_distribution = 5 + if not isinstance(attribute_distribution, int): + attribute_distribution = int(attribute_distribution) if attribute_distribution.isdigit() else 5 + except IndexError: + attribute_distribution = 5 + synonyms_to_tag_names = args[2] if len(args) > 2 else '/var/www/MISP/app/files/scripts/synonymsToTagNames.json' + with open(synonyms_to_tag_names, 'rt', encoding='utf-8') as f: + self._synonyms_to_tag_names = json.loads(f.read()) + self.parse_event(event) + + def _load_galaxy(self, galaxy): + self.galaxy[galaxy['id'].split('--')[1]] = {'tag_names': self.parse_galaxy(galaxy), 'used': False} + + def _load_identity(self, identity): + try: + self.identity[identity['id'].split('--')[1]] = identity['name'] + except AttributeError: + self.identity = {identity['id'].split('--')[1]: identity['name']} + + def _load_marking(self, marking): + tag = self.parse_marking(marking) + self.marking_definition[marking['id'].split('--')[1]] = {'object': tag, 'used': False} + + def _load_relationship(self, relationship): + target_uuid = relationship.target_ref.split('--')[1] + reference = (target_uuid, relationship.relationship_type) + source_uuid = relationship.source_ref.split('--')[1] + self.relationship[source_uuid].append(reference) + + def _load_report(self, report): + try: + self.report[report['id'].split('--')[1]] = report + except AttributeError: + self.report = {report['id'].split('--')[1]: report} + + def save_file(self): + event = self.misp_event.to_json() + with open(f'{self.filename}.stix2', 'wt', encoding='utf-8') as f: + f.write(event) + + ################################################################################ + ## PARSING FUNCTIONS USED BY BOTH SUBCLASSES. ## + ################################################################################ + + def handle_markings(self): + if hasattr(self, 'marking_refs'): + for attribute in self.misp_event.attributes: + if attribute.uuid in self.marking_refs: + for marking_uuid in self.marking_refs[attribute.uuid]: + attribute.add_tag(self.marking_definition[marking_uuid]['object']) + self.marking_definition[marking_uuid]['used'] = True + if self.marking_definition: + for marking_definition in self.marking_definition.values(): + if not marking_definition['used']: + self.tags.add(marking_definition['object']) + if self.tags: + for tag in self.tags: + self.misp_event.add_tag(tag) + + @staticmethod + def _parse_email_body(body, references): + attributes = [] + for body_multipart in body: + reference = references.pop(body_multipart['body_raw_ref']) + feature = body_multipart['content_disposition'].split(';')[0] + if feature in stix2misp_mapping.email_references_mapping: + attribute = deepcopy(stix2misp_mapping.email_references_mapping[feature]) + else: + print(f'Unknown content disposition in the following email body: {body_multipart}', file=sys.stderr) + continue + if isinstance(reference, stix2.v20.observables.Artifact): + attribute.update({ + 'value': body_multipart['content_disposition'].split('=')[-1].strip("'"), + 'data': reference.payload_bin, + 'to_ids': False + }) + else: + attribute.update({ + 'value': reference.name, + 'to_ids': False + }) + attributes.append(attribute) + return attributes + + @staticmethod + def _parse_email_references(email_message, references): + attributes = [] + if hasattr(email_message, 'from_ref'): + reference = references.pop(email_message.from_ref) + attribute = { + 'value': reference.value, + 'to_ids': False + } + attribute.update(stix2misp_mapping.email_references_mapping['from_ref']) + attributes.append(attribute) + for feature in ('to_refs', 'cc_refs'): + if hasattr(email_message, feature): + for ref_id in getattr(email_message, feature): + reference = references.pop(ref_id) + attribute = { + 'value': reference.value, + 'to_ids': False + } + attribute.update(stix2misp_mapping.email_references_mapping[feature]) + attributes.append(attribute) + return attributes + + def parse_galaxies(self): + for galaxy in self.galaxy.values(): + if not galaxy['used']: + for tag_name in galaxy['tag_names']: + self.tags.add(tag_name) + + @staticmethod + def _parse_network_connection_reference(feature_type, feature, value): + if feature == 'type': + return {type: value.format(feature_type) for type, value in stix2misp_mapping.network_traffic_references_mapping[value].items()} + return {feature: value} + + @staticmethod + def _parse_network_traffic_protocol(protocol): + return {'type': 'text', 'value': protocol, 'to_ids': False, + 'object_relation': f'layer{stix2misp_mapping.connection_protocols[protocol]}-protocol'} + + @staticmethod + def _parse_observable_reference(reference, mapping, feature=None): + attribute = { + 'value': reference.value, + 'to_ids': False + } + if feature is not None: + attribute.update({key: value.format(feature) for key, value in getattr(stix2misp_mapping, mapping)[reference._type].items()}) + return attribute + attribute.update({key: value for key, value in getattr(stix2misp_mapping, mapping)[reference._type].items()}) + return attribute + + def parse_pe(self, extension): + pe_object = MISPObject('pe', misp_objects_path_custom=_misp_objects_path) + self.fill_misp_object(pe_object, extension, 'pe_mapping') + for section in extension['sections']: + section_object = MISPObject('pe-section', misp_objects_path_custom=_misp_objects_path) + self.fill_misp_object(section_object, section, 'pe_section_mapping') + if hasattr(section, 'hashes'): + self.fill_misp_object(section_object, section.hashes, 'pe_section_mapping') + self.misp_event.add_object(section_object) + pe_object.add_reference(section_object.uuid, 'includes') + self.misp_event.add_object(pe_object) + return pe_object.uuid + + def parse_relationships(self): + attribute_uuids = tuple(attribute.uuid for attribute in self.misp_event.attributes) + object_uuids = tuple(object.uuid for object in self.misp_event.objects) + for source, references in self.relationship.items(): + if source in object_uuids: + source_object = self.misp_event.get_object_by_uuid(source) + for reference in references: + target, reference = reference + if target in attribute_uuids or target in object_uuids: + source_object.add_reference(target, reference) + elif source in attribute_uuids: + for attribute in self.misp_event.attributes: + if attribute.uuid == source: + for reference in references: + target, reference = reference + if target in self.galaxy: + for tag_name in self.galaxy[target]['tag_names']: + attribute.add_tag(tag_name) + self.galaxy[target]['used'] = True + break + + def parse_report(self, event_uuid=None): + event_infos = set() + self.misp_event.uuid = event_uuid if event_uuid and len(self.report) > 1 else tuple(self.report.keys())[0] + for report in self.report.values(): + if hasattr(report, 'name') and report.name: + event_infos.add(report.name) + if hasattr(report, 'labels') and report.labels: + for label in report.labels: + self.tags.add(label) + if hasattr(report, 'object_marking_refs') and report.object_marking_refs: + for marking_ref in report.object_marking_refs: + marking_ref = marking_ref.split('--')[1] + try: + self.tags.add(self.marking_definition[marking_ref]['object']) + self.marking_definition[marking_ref]['used'] = True + except KeyError: + continue + if hasattr(report, 'external_references'): + for reference in report.external_references: + self.misp_event.add_attribute(**{'type': 'link', 'value': reference['url']}) + if len(event_infos) == 1: + self.misp_event.info = event_infos.pop() + else: + self.misp_event.info = f'Imported with MISP import script for {self.stix_version}' + + @staticmethod + def _parse_user_account_groups(groups): + attributes = [{'type': 'text', 'object_relation': 'group', 'to_ids': False, + 'disable_correlation': True, 'value': group} for group in groups] + return attributes + + ################################################################################ + ## UTILITY FUNCTIONS. ## + ################################################################################ + + @staticmethod + def _choose_with_priority(container, first_choice, second_choice): + return first_choice if first_choice in container else second_choice + + def filter_main_object(self, observable, main_type, test_function='_standard_test_filter'): + references = {} + main_objects = [] + for key, value in observable.items(): + if getattr(self, test_function)(value, main_type): + main_objects.append(value) + else: + references[key] = value + if len(main_objects) > 1: + print(f'More than one {main_type} objects in this observable: {observable}', file=sys.stderr) + return main_objects[0] if main_objects else None, references + + @staticmethod + def getTimestampfromDate(date): + try: + return int(date.timestamp()) + except AttributeError: + return int(time.mktime(time.strptime(date.split('+')[0], "%Y-%m-%dT%H:%M:%S.%fZ"))) + + @staticmethod + def _handle_data(data): + return io.BytesIO(data.encode()) + + @staticmethod + def parse_marking(marking): + marking_type = marking.definition_type + tag = getattr(marking.definition, marking_type) + return "{}:{}".format(marking_type, tag) + + def parse_timeline(self, stix_object): + misp_object = {'timestamp': self.getTimestampfromDate(stix_object.modified)} + try: + first, last = self._timeline_mapping[stix_object._type] + first_seen = getattr(stix_object, first) + if stix_object.created != first_seen and stix_object.modified != first_seen: + misp_object['first_seen'] = first_seen + if hasattr(stix_object, last): + misp_object['last_seen'] = getattr(stix_object, last) + elif hasattr(stix_object, last): + misp_object.update({'first_seen': first_seen, 'last_seen': getattr(stix_object, last)}) + except KeyError: + pass + return misp_object + + @staticmethod + def _process_test_filter(value, main_type): + _is_main_process = any(feature in value for feature in ('parent_ref', 'child_refs')) + return isinstance(value, getattr(stix2.v20.observables, main_type)) and _is_main_process + + @staticmethod + def _standard_test_filter(value, main_type): + return isinstance(value, getattr(stix2.v20.observables, main_type)) + + def update_marking_refs(self, attribute_uuid, marking_refs): + try: + self.marking_refs[attribute_uuid] = tuple(marking.split('--')[1] for marking in marking_refs) + except AttributeError: + self.marking_refs = {attribute_uuid: tuple(marking.split('--')[1] for marking in marking_refs)} + + +class StixFromMISPParser(StixParser): + def __init__(self): + super().__init__() + self._stix2misp_mapping.update({'custom_object': '_parse_custom'}) + self._stix2misp_mapping.update({special_type: '_parse_undefined' for special_type in ('attack-pattern', 'course-of-action', 'vulnerability')}) + self._custom_objects = tuple(filename.name.replace('_', '-') for filename in _misp_objects_path.glob('*') if '_' in filename.name) + + def parse_event(self, stix_event): + for stix_object in stix_event.objects: + object_type = stix_object['type'] + if object_type.startswith('x-misp-object'): + object_type = 'custom_object' + if object_type in self._stix2misp_mapping: + getattr(self, self._stix2misp_mapping[object_type])(stix_object) + else: + print(f'not found: {object_type}', file=sys.stderr) + if self.relationship: + self.parse_relationships() + if self.galaxy: + self.parse_galaxies() + if hasattr(self, 'report'): + self.parse_report() + self.handle_markings() + + def _parse_custom(self, custom): + if 'from_object' in custom['labels']: + self.parse_custom_object(custom) + else: + self.parse_custom_attribute(custom) + + def _parse_indicator(self, indicator): + if 'from_object' in indicator['labels']: + self.parse_indicator_object(indicator) + else: + self.parse_indicator_attribute(indicator) + + def _parse_observable(self, observable): + if 'from_object' in observable['labels']: + self.parse_observable_object(observable) + else: + self.parse_observable_attribute(observable) + + def _parse_undefined(self, stix_object): + if any(label.startswith('misp-galaxy:') for label in stix_object.get('labels', [])): + self._load_galaxy(stix_object) + else: + getattr(self, self._special_mapping[stix_object._type])(stix_object) + + ################################################################################ + ## PARSING FUNCTIONS. ## + ################################################################################ + + def fill_misp_object(self, misp_object, stix_object, mapping, + to_call='_fill_observable_object_attribute'): + for feature, value in stix_object.items(): + if feature not in getattr(stix2misp_mapping, mapping): + if feature.startswith('x_misp_'): + attribute = self.parse_custom_property(feature) + if isinstance(value, list): + self._fill_misp_object_from_list(misp_object, attribute, value) + continue + else: + continue + else: + attribute = deepcopy(getattr(stix2misp_mapping, mapping)[feature]) + attribute.update(getattr(self, to_call)(feature, value)) + misp_object.add_attribute(**attribute) + + @staticmethod + def _fill_misp_object_from_list(misp_object, mapping, values): + for value in values: + attribute = {'value': value} + attribute.update(mapping) + misp_object.add_attribute(**attribute) + + def parse_attack_pattern(self, attack_pattern): + misp_object, _ = self.create_misp_object(attack_pattern) + if hasattr(attack_pattern, 'external_references'): + for reference in attack_pattern.external_references: + value = reference['external_id'].split('-')[1] if reference['source_name'] == 'capec' else reference['url'] + misp_object.add_attribute(**{ + 'type': 'text', 'object_relation': 'id', + 'value': value + }) + self.fill_misp_object(misp_object, attack_pattern, 'attack_pattern_mapping', + '_fill_observable_object_attribute') + self.misp_event.add_object(**misp_object) + + def parse_course_of_action(self, course_of_action): + misp_object, _ = self.create_misp_object(course_of_action) + self.fill_misp_object(misp_object, course_of_action, 'course_of_action_mapping', + '_fill_observable_object_attribute') + self.misp_event.add_object(**misp_object) + + def parse_custom_attribute(self, custom): + attribute_type = custom['type'].split('x-misp-object-')[1] + if attribute_type not in _misp_types: + replacement = ' ' if attribute_type == 'named-pipe' else '|' + attribute_type = attribute_type.replace('-', replacement) + attribute = {'type': attribute_type, + 'timestamp': self.getTimestampfromDate(custom['modified']), + 'to_ids': bool(custom['labels'][1].split('=')[1]), + 'value': custom['x_misp_value'], + 'category': self.get_misp_category(custom['labels']), + 'uuid': custom['id'].split('--')[1]} + if custom.get('object_marking_refs'): + self.update_marking_refs(attribute['uuid'], custom['object_marking_refs']) + self.misp_event.add_attribute(**attribute) + + def parse_custom_object(self, custom): + name = custom['type'].split('x-misp-object-')[1] + if name in self._custom_objects: + name = name.replace('-', '_') + misp_object = MISPObject(name, misp_objects_path_custom=_misp_objects_path) + misp_object.timestamp = self.getTimestampfromDate(custom['modified']) + misp_object.uuid = custom['id'].split('--')[1] + try: + misp_object.category = custom['category'] + except KeyError: + misp_object.category = self.get_misp_category(custom['labels']) + for key, value in custom['x_misp_values'].items(): + attribute_type, object_relation = key.replace('_DOT_', '.').split('_') + if isinstance(value, list): + for single_value in value: + misp_object.add_attribute(**{'type': attribute_type, 'value': single_value, + 'object_relation': object_relation}) + else: + misp_object.add_attribute(**{'type': attribute_type, 'value': value, + 'object_relation': object_relation}) + self.misp_event.add_object(**misp_object) + + def parse_galaxy(self, galaxy): + if hasattr(galaxy, 'labels'): + return [label for label in galaxy.labels if label.startswith('misp-galaxy:')] + try: + return self._synonyms_to_tag_names[galaxy.name] + except KeyError: + print(f'Unknown {galaxy._type} name: {galaxy.name}', file=sys.stderr) + return [f'misp-galaxy:{galaxy._type}="{galaxy.name}"'] + + def parse_indicator_attribute(self, indicator): + attribute = self.create_attribute_dict(indicator) + attribute['to_ids'] = True + pattern = indicator.pattern.replace('\\\\', '\\') + if attribute['type'] in ('malware-sample', 'attachment'): + value, data = self.parse_attribute_pattern_with_data(pattern) + attribute.update({feature: value for feature, value in zip(('value', 'data'), (value, io.BytesIO(data.encode())))}) + else: + attribute['value'] = self.parse_attribute_pattern(pattern) + self.misp_event.add_attribute(**attribute) + + def parse_indicator_object(self, indicator): + misp_object, object_type = self.create_misp_object(indicator) + pattern = self._handle_pattern(indicator.pattern).replace('\\\\', '\\').split(' AND ') + try: + attributes = getattr(self, stix2misp_mapping.objects_mapping[object_type]['pattern'])(pattern) + except KeyError: + print(f"Unable to map {object_type} object:\n{indicator}", file=sys.stderr) + return + if isinstance(attributes, tuple): + attributes, target_uuid = attributes + misp_object.add_reference(target_uuid, 'includes') + for attribute in attributes: + misp_object.add_attribute(**attribute) + self.misp_event.add_object(misp_object) + + def parse_observable_attribute(self, observable): + attribute = self.create_attribute_dict(observable) + attribute['to_ids'] = False + objects = observable.objects + value = self.parse_single_attribute_observable(objects, attribute['type']) + if isinstance(value, tuple): + value, data = value + attribute['data'] = data + attribute['value'] = value + self.misp_event.add_attribute(**attribute) + + def parse_observable_object(self, observable): + misp_object, object_type = self.create_misp_object(observable) + observable_object = observable.objects + try: + attributes = getattr(self, stix2misp_mapping.objects_mapping[object_type]['observable'])(observable_object) + except KeyError: + print(f"Unable to map {object_type} object:\n{observable}", file=sys.stderr) + return + if isinstance(attributes, tuple): + attributes, target_uuid = attributes + misp_object.add_reference(target_uuid, 'includes') + for attribute in attributes: + misp_object.add_attribute(**attribute) + self.misp_event.add_object(misp_object) + + def parse_vulnerability(self, vulnerability): + attributes = self.fill_observable_attributes(vulnerability, 'vulnerability_mapping') + if hasattr(vulnerability, 'external_references'): + for reference in vulnerability.external_references: + if reference['source_name'] == 'url': + attributes.append({'type': 'link', 'object_relation': 'references', 'value': reference['url']}) + if len(attributes) > 1: + vulnerability_object, _ = self.create_misp_object(vulnerability) + for attribute in attributes: + vulnerability_object.add_attribute(**attribute) + self.misp_event.add_object(**vulnerability_object) + else: + attribute = self.create_attribute_dict(vulnerability) + attribute['value'] = attributes[0]['value'] + self.misp_event.add_attribute(**attribute) + + ################################################################################ + ## OBSERVABLE PARSING FUNCTIONS ## + ################################################################################ + + @staticmethod + def _define_hash_type(hash_type): + if 'sha' in hash_type: + return f'SHA-{hash_type.split("sha")[1]}' + return hash_type.upper() if hash_type == 'md5' else hash_type + + @staticmethod + def _fetch_file_observable(observable_objects): + for key, observable in observable_objects.items(): + if observable['type'] == 'file': + return key + return '0' + + @staticmethod + def _fill_observable_attribute(attribute_type, object_relation, value): + return {'type': attribute_type, + 'object_relation': object_relation, + 'value': value, + 'to_ids': False} + + def fill_observable_attributes(self, observable, object_mapping): + attributes = [] + for key, value in observable.items(): + if key in getattr(stix2misp_mapping, object_mapping): + attribute = deepcopy(getattr(stix2misp_mapping, object_mapping)[key]) + elif key.startswith('x_misp_'): + attribute = self.parse_custom_property(key) + if isinstance(value, list): + for single_value in value: + single_attribute = {'value': single_value, 'to_ids': False} + single_attribute.update(attribute) + attributes.append(single_attribute) + continue + else: + continue + attribute.update({'value': value, 'to_ids': False}) + attributes.append(attribute) + return attributes + + def _handle_multiple_file_fields(self, file): + attributes = [] + for feature, attribute_type in zip(('filename', 'path', 'fullpath'), ('filename', 'text', 'text')): + key = f'x_misp_multiple_{feature}' + if key in file: + attributes.append(self._fill_observable_attribute(attribute_type, feature, file.pop(key))) + elif f'{key}s' in file: + attributes.extend(self._fill_observable_attribute(attribute_type, feature, value) for value in file.pop(key)) + attributes.extend(self.fill_observable_attributes(file, 'file_mapping')) + return attributes + + def parse_asn_observable(self, observable): + attributes = [] + mapping = 'asn_mapping' + for observable_object in observable.values(): + if isinstance(observable_object, stix2.v20.observables.AutonomousSystem): + attributes.extend(self.fill_observable_attributes(observable_object, mapping)) + else: + attributes.append(self._parse_observable_reference(observable_object, mapping)) + return attributes + + def _parse_attachment(self, observable): + if len(observable) > 1: + return self._parse_name(observable, index='1'), self._parse_payload(observable) + return self._parse_name(observable) + + def parse_credential_observable(self, observable): + return self.fill_observable_attributes(observable['0'], 'credential_mapping') + + def _parse_domain_ip_attribute(self, observable): + return f'{self._parse_value(observable)}|{self._parse_value(observable, index="1")}' + + @staticmethod + def parse_domain_ip_observable(observable): + attributes = [] + for observable_object in observable.values(): + attribute = deepcopy(stix2misp_mapping.domain_ip_mapping[observable_object._type]) + attribute.update({'value': observable_object.value, 'to_ids': False}) + attributes.append(attribute) + return attributes + + @staticmethod + def _parse_email_message(observable, attribute_type): + return observable['0'].get(attribute_type.split('-')[1]) + + def parse_email_observable(self, observable): + email, references = self.filter_main_object(observable, 'EmailMessage') + attributes = self.fill_observable_attributes(email, 'email_mapping') + if hasattr(email, 'additional_header_fields'): + attributes.extend(self.fill_observable_attributes(email.additional_header_fields, 'email_mapping')) + attributes.extend(self._parse_email_references(email, references)) + if hasattr(email, 'body_multipart') and email.body_multipart: + attributes.extend(self._parse_email_body(email.body_multipart, references)) + return attributes + + @staticmethod + def _parse_email_reply_to(observable): + return observable['0'].additional_header_fields.get('Reply-To') + + def parse_file_observable(self, observable): + file, references = self.filter_main_object(observable, 'File') + references = {key: {'object': value, 'used': False} for key, value in references.items()} + file = {key: value for key, value in file.items()} + multiple_fields = any(f'x_misp_multiple_{feature}' in file for feature in ('filename', 'path', 'fullpath')) + attributes = self._handle_multiple_file_fields(file) if multiple_fields else self.fill_observable_attributes(file, 'file_mapping') + if 'hashes' in file: + attributes.extend(self.fill_observable_attributes(file['hashes'], 'file_mapping')) + if 'content_ref' in file: + reference = references[file['content_ref']] + value = f'{reference["object"].name}|{reference["object"].hashes["MD5"]}' + attributes.append({'type': 'malware-sample', 'object_relation': 'malware-sample', 'value': value, + 'to_ids': False, 'data': reference['object'].payload_bin}) + reference['used'] = True + if 'parent_directory_ref' in file: + reference = references[file['parent_directory_ref']] + attributes.append({'type': 'text', 'object_relation': 'path', + 'value': reference['object'].path, 'to_ids': False}) + reference['used'] = True + for reference in references.values(): + if not reference['used']: + attributes.append({ + 'type': 'attachment', + 'object_relation': 'attachment', + 'value': reference['object'].name, + 'data': reference['object'].payload_bin, + 'to_ids': False + }) + return attributes + + def _parse_filename_hash(self, observable, attribute_type, index='0'): + hash_type = attribute_type.split('|')[1] + filename = self._parse_name(observable, index=index) + hash_value = self._parse_hash(observable, hash_type, index=index) + return f'{filename}|{hash_value}' + + def _parse_hash(self, observable, attribute_type, index='0'): + hash_type = self._define_hash_type(attribute_type) + return observable[index]['hashes'].get(hash_type) + + def parse_ip_port_observable(self, observable): + network_traffic, references = self.filter_main_object(observable, 'NetworkTraffic') + attributes = [] + for feature in ('src', 'dst'): + port = f'{feature}_port' + if hasattr(network_traffic, port): + attribute = deepcopy(stix2misp_mapping.ip_port_mapping[port]) + attribute.update({'value': getattr(network_traffic, port), 'to_ids': False}) + attributes.append(attribute) + ref = f'{feature}_ref' + if hasattr(network_traffic, ref): + attributes.append(self._parse_observable_reference(references.pop(getattr(network_traffic, ref)), 'ip_port_references_mapping', feature)) + for reference in references.values(): + attribute = deepcopy(stix2misp_mapping.ip_port_references_mapping[reference._type]) + attribute.update({'value': reference.value, 'to_ids': False}) + attributes.append(attribute) + return attributes + + def _parse_malware_sample(self, observable): + if len(observable) > 1: + value = self._parse_filename_hash(observable, 'filename|md5', '1') + return value, self._parse_payload(observable) + return self._parse_filename_hash(observable, 'filename|md5') + + @staticmethod + def _parse_name(observable, index='0'): + return observable[index].get('name') + + def _parse_network_attribute(self, observable): + port = self._parse_port(observable, index='1') + return f'{self._parse_value(observable)}|{port}' + + def parse_network_connection_observable(self, observable): + network_traffic, references = self.filter_main_object(observable, 'NetworkTraffic') + attributes = self._parse_network_traffic(network_traffic, references) + if hasattr(network_traffic, 'protocols'): + attributes.extend(self._parse_network_traffic_protocol(protocol) for protocol in network_traffic.protocols if protocol in stix2misp_mapping.connection_protocols) + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, 'domain_ip_mapping')) + return attributes + + def parse_network_socket_observable(self, observable): + network_traffic, references = self.filter_main_object(observable, 'NetworkTraffic') + attributes = self._parse_network_traffic(network_traffic, references) + if hasattr(network_traffic, 'protocols'): + attributes.append({'type': 'text', 'object_relation': 'protocol', 'to_ids': False, + 'value': network_traffic.protocols[0].strip("'")}) + if hasattr(network_traffic, 'extensions') and network_traffic.extensions: + attributes.extend(self._parse_socket_extension(network_traffic.extensions['socket-ext'])) + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, 'domain_ip_mapping')) + return attributes + + def _parse_network_traffic(self, network_traffic, references): + attributes = [] + mapping = 'network_traffic_references_mapping' + for feature in ('src', 'dst'): + port = f'{feature}_port' + if hasattr(network_traffic, port): + attribute = deepcopy(stix2misp_mapping.network_traffic_mapping[port]) + attribute.update({'value': getattr(network_traffic, port), 'to_ids': False}) + attributes.append(attribute) + ref = f'{feature}_ref' + if hasattr(network_traffic, ref): + attributes.append(self._parse_observable_reference(references.pop(getattr(network_traffic, ref)), mapping, feature)) + if hasattr(network_traffic, f'{ref}s'): + for ref in getattr(network_traffic, f'{ref}s'): + attributes.append(self._parse_observable_reference(references.pop(ref), mapping, feature)) + return attributes + + @staticmethod + def _parse_number(observable): + return observable['0'].get('number') + + @staticmethod + def _parse_payload(observable): + return observable['0'].payload_bin + + def parse_pe_observable(self, observable): + key = self._fetch_file_observable(observable) + extension = observable[key]['extensions']['windows-pebinary-ext'] + pe_uuid = self.parse_pe(extension) + return self.parse_file_observable(observable), pe_uuid + + @staticmethod + def _parse_port(observable, index='0'): + port_observable = observable[index] + return port_observable['src_port'] if 'src_port' in port_observable else port_observable['dst_port'] + + def parse_process_observable(self, observable): + process, references = self.filter_main_object(observable, 'Process', test_function='_process_test_filter') + attributes = self.fill_observable_attributes(process, 'process_mapping') + if hasattr(process, 'parent_ref'): + attributes.extend(self.fill_observable_attributes(references[process.parent_ref], 'parent_process_reference_mapping')) + if hasattr(process, 'child_refs'): + for reference in process.child_refs: + attributes.extend(self.fill_observable_attributes(references[reference], 'child_process_reference_mapping')) + if hasattr(process, 'binary_ref'): + reference = references[process.binary_ref] + attribute = deepcopy(stix2misp_mapping.process_image_mapping) + attribute.update({'value': reference.name, 'to_ids': False}) + attributes.append(attribute) + return attributes + + @staticmethod + def _parse_regkey_attribute(observable): + return observable['0'].get('key') + + def parse_regkey_observable(self, observable): + attributes = [] + for key, value in observable['0'].items(): + if key in stix2misp_mapping.regkey_mapping: + attribute = deepcopy(stix2misp_mapping.regkey_mapping[key]) + attribute.update({'value': value.replace('\\\\', '\\'), 'to_ids': False}) + attributes.append(attribute) + if 'values' in observable['0']: + attributes.extend(self.fill_observable_attributes(observable['0']['values'][0], 'regkey_mapping')) + return attributes + + def _parse_regkey_value(self, observable): + regkey = self._parse_regkey_attribute(observable) + return f'{regkey}|{observable["0"]["values"][0].get("data")}' + + def parse_single_attribute_observable(self, observable, attribute_type): + if attribute_type in stix2misp_mapping.attributes_type_mapping: + return getattr(self, stix2misp_mapping.attributes_type_mapping[attribute_type])(observable, attribute_type) + return getattr(self, stix2misp_mapping.attributes_mapping[attribute_type])(observable) + + def _parse_socket_extension(self, extension): + attributes = [] + extension = {key: value for key, value in extension.items()} + if 'x_misp_text_address_family' in extension: + extension.pop('address_family') + for element, value in extension.items(): + if element in stix2misp_mapping.network_socket_extension_mapping: + attribute = deepcopy(stix2misp_mapping.network_socket_extension_mapping[element]) + if element in ('is_listening', 'is_blocking'): + if value is False: + continue + value = element.split('_')[1] + elif element.startswith('x_misp_'): + attribute = self.parse_custom_property(element) + else: + continue + attribute.update({'value': value, 'to_ids': False}) + attributes.append(attribute) + return attributes + + @staticmethod + def parse_url_observable(observable): + attributes = [] + for object in observable.values(): + feature = 'dst_port' if isinstance(object, stix2.v20.observables.NetworkTraffic) else 'value' + attribute = deepcopy(stix2misp_mapping.url_mapping[object._type]) + attribute.update({'value': getattr(object, feature), 'to_ids': False}) + attributes.append(attribute) + return attributes + + def parse_user_account_observable(self, observable): + observable = observable['0'] + attributes = self.fill_observable_attributes(observable, 'user_account_mapping') + if 'extensions' in observable and 'unix-account-ext' in observable['extensions']: + extension = observable['extensions']['unix-account-ext'] + if 'groups' in extension: + attributes.extend(self._parse_user_account_groups(extension['groups'])) + attributes.extend(self.fill_observable_attributes(extension, 'user_account_mapping')) + return attributes + + @staticmethod + def _parse_value(observable, index='0'): + return observable[index].get('value') + + def _parse_x509_attribute(self, observable, attribute_type): + hash_type = attribute_type.split('-')[-1] + return self._parse_hash(observable, hash_type) + + def parse_x509_observable(self, observable): + attributes = self.fill_observable_attributes(observable['0'], 'x509_mapping') + if hasattr(observable['0'], 'hashes') and observable['0'].hashes: + attributes.extend(self.fill_observable_attributes(observable['0'].hashes, 'x509_mapping')) + return attributes + + ################################################################################ + ## PATTERN PARSING FUNCTIONS. ## + ################################################################################ + + def fill_pattern_attributes(self, pattern, object_mapping): + attributes = [] + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + if pattern_type not in getattr(stix2misp_mapping, object_mapping): + if 'x_misp_' in pattern_type: + attribute = self.parse_custom_property(pattern_type) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + continue + attribute = deepcopy(getattr(stix2misp_mapping, object_mapping)[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + return attributes + + def parse_asn_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'asn_mapping') + + def parse_credential_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'credential_mapping') + + def parse_domain_ip_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'domain_ip_mapping') + + def parse_email_pattern(self, pattern): + attributes = [] + attachments = defaultdict(dict) + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + if 'body_multipart' in pattern_type: + pattern_type = pattern_type.split('.') + feature = 'data' if pattern_type[-1] == 'payload_bin' else 'value' + attachments[pattern_type[0][-2]][feature] = pattern_value.strip("'") + continue + if pattern_type not in stix2misp_mapping.email_mapping: + if 'x_misp_' in pattern_type: + attribute = self.parse_custom_property(pattern_type) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + continue + attribute = deepcopy(stix2misp_mapping.email_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + for attachment in attachments.values(): + if 'data' in attachment: + attribute = {'type': 'attachment', 'object_relation': 'screenshot', 'data': attachment['data']} + else: + attribute = {'type': 'email-attachment', 'object_relation': 'attachment'} + attribute['value'] = attachment['value'] + attributes.append(attribute) + return attributes + + def parse_file_pattern(self, pattern): + attributes = [] + attachment = {} + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + if pattern_type in stix2misp_mapping.attachment_types: + attachment[pattern_type] = pattern_value.strip("'") + if pattern_type not in stix2misp_mapping.file_mapping: + continue + attribute = deepcopy(stix2misp_mapping.file_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + if 'file:content_ref.payload_bin' in attachment: + filename = self._choose_with_priority(attachment, 'file:content_ref.name', 'file:name') + md5 = self._choose_with_priority(attachment, "file:content_ref.hashes.'MD5'", "file:hashes.'MD5'") + attributes.append({ + 'type': 'malware-sample', + 'object_relation': 'malware-sample', + 'value': f'{attachment[filename]}|{attachment[md5]}', + 'data': attachment['file:content_ref.payload_bin'] + }) + if 'artifact:payload_bin' in attachment: + attributes.append({ + 'type': 'attachment', + 'object_relation': 'attachment', + 'value': attachment['artifact:x_misp_text_name'] if 'artifact:x_misp_text_name' in attachment else attachment['file:name'], + 'data': attachment['artifact:payload_bin'] + }) + return attributes + + def parse_ip_port_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'ip_port_mapping') + + def parse_network_connection_pattern(self, pattern): + attributes = [] + references = defaultdict(dict) + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + if pattern_type not in stix2misp_mapping.network_traffic_mapping: + pattern_value = pattern_value.strip("'") + if pattern_type.startswith('network-traffic:protocols['): + attributes.append({ + 'type': 'text', 'value': pattern_value, + 'object_relation': f'layer{stix2misp_mapping.connection_protocols[pattern_value]}-protocol' + }) + elif any(pattern_type.startswith(f'network-traffic:{feature}_ref') for feature in ('src', 'dst')): + feature_type, ref = pattern_type.split(':')[1].split('_') + ref, feature = ref.split('.') + ref = f"{feature_type}_{'0' if ref == 'ref' else ref.strip('ref[]')}" + references[ref].update(self._parse_network_connection_reference(feature_type, feature, pattern_value)) + continue + attribute = deepcopy(stix2misp_mapping.network_traffic_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + attributes.extend(attribute for attribute in references.values()) + return attributes + + def parse_network_socket_pattern(self, pattern): + attributes = [] + references = defaultdict(dict) + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + pattern_value = pattern_value.strip("'") + if pattern_type not in stix2misp_mapping.network_traffic_mapping: + if pattern_type in stix2misp_mapping.network_socket_extension_mapping: + attribute = deepcopy(stix2misp_mapping.network_socket_extension_mapping[pattern_type]) + if pattern_type.startswith("network-traffic:extensions.'socket-ext'.is_"): + if pattern_value != 'True': + continue + pattern_value = pattern_type.split('_')[1] + else: + if pattern_type.startswith('network-traffic:protocols['): + attributes.append({'type': 'text', 'object_relation': 'protocol', 'value': pattern_value}) + elif any(pattern_type.startswith(f'network-traffic:{feature}_ref') for feature in ('src', 'dst')): + feature_type, ref = pattern_type.split(':')[1].split('_') + ref, feature = ref.split('.') + ref = f"{feature_type}_{'0' if ref == 'ref' else ref.strip('ref[]')}" + references[ref].update(self._parse_network_connection_reference(feature_type, feature, pattern_value)) + continue + else: + attribute = deepcopy(stix2misp_mapping.network_traffic_mapping[pattern_type]) + attribute['value'] = pattern_value + attributes.append(attribute) + attributes.extend(attribute for attribute in references.values()) + return attributes + + def parse_pe_pattern(self, pattern): + attributes = [] + sections = defaultdict(dict) + pe = MISPObject('pe', misp_objects_path_custom=_misp_objects_path) + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + if ':extensions.' in pattern_type: + if '.sections[' in pattern_type: + pattern_type = pattern_type.split('.') + relation = pattern_type[-1].strip("'") + if relation in stix2misp_mapping.pe_section_mapping: + sections[pattern_type[2][-2]][relation] = pattern_value.strip("'") + else: + pattern_type = pattern_type.split('.')[-1] + if pattern_type not in stix2misp_mapping.pe_mapping: + if pattern_type.startswith('x_misp_'): + attribute = self.parse_custom_property(pattern_type) + attribute['value'] = pattern_value.strip("'") + pe.add_attribute(**attribute) + continue + attribute = deepcopy(stix2misp_mapping.pe_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + pe.add_attribute(**attribute) + else: + if pattern_type not in stix2misp_mapping.file_mapping: + if pattern_type.startswith('x_misp_'): + attribute = self.parse_custom_property(pattern_type) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + continue + attribute = deepcopy(stix2misp_mapping.file_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + for section in sections.values(): + pe_section = MISPObject('pe-section', misp_objects_path_custom=_misp_objects_path) + for feature, value in section.items(): + attribute = deepcopy(stix2misp_mapping.pe_section_mapping[feature]) + attribute['value'] = value + pe_section.add_attribute(**attribute) + self.misp_event.add_object(pe_section) + pe.add_reference(pe_section.uuid, 'includes') + self.misp_event.add_object(pe) + return attributes, pe.uuid + + def parse_process_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'process_mapping') + + def parse_regkey_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'regkey_mapping') + + def parse_url_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'url_mapping') + + @staticmethod + def parse_user_account_pattern(pattern): + attributes = [] + for pattern_part in pattern: + pattern_type, pattern_value = pattern_part.split(' = ') + pattern_type = pattern_type.split('.')[-1].split('[')[0] if "extensions.'unix-account-ext'" in pattern_type else pattern_type.split(':')[-1] + if pattern_type not in stix2misp_mapping.user_account_mapping: + if pattern_type.startswith('group'): + attributes.append({'type': 'text', 'object_relation': 'group', 'value': pattern_value.strip("'")}) + continue + attribute = deepcopy(stix2misp_mapping.user_account_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + return attributes + + def parse_x509_pattern(self, pattern): + return self.fill_pattern_attributes(pattern, 'x509_mapping') + + ################################################################################ + ## UTILITY FUNCTIONS. ## + ################################################################################ + + def create_attribute_dict(self, stix_object): + labels = stix_object['labels'] + attribute_uuid = stix_object.id.split('--')[1] + attribute = {'uuid': attribute_uuid, + 'type': self.get_misp_type(labels), + 'category': self.get_misp_category(labels)} + tags = [{'name': label} for label in labels[3:]] + if tags: + attribute['Tag'] = tags + attribute.update(self.parse_timeline(stix_object)) + if hasattr(stix_object, 'description') and stix_object.description: + attribute['comment'] = stix_object.description + if hasattr(stix_object, 'object_marking_refs'): + self.update_marking_refs(attribute_uuid, stix_object.object_marking_refs) + return attribute + + def create_misp_object(self, stix_object): + labels = stix_object['labels'] + object_type = self.get_misp_type(labels) + misp_object = MISPObject('file' if object_type == 'WindowsPEBinaryFile' else object_type, + misp_objects_path_custom=_misp_objects_path) + misp_object.uuid = stix_object.id.split('--')[1] + if hasattr(stix_object, 'description') and stix_object.description: + misp_object.comment = stix_object.description + misp_object.update(self.parse_timeline(stix_object)) + return misp_object, object_type + + @staticmethod + def _fill_object_attribute(feature, value): + return {'value': str(value) if feature in ('entropy', 'size') else value} + + @staticmethod + def _fill_observable_object_attribute(feature, value): + return {'value': str(value) if feature in ('entropy', 'size') else value, + 'to_ids': False} + + @staticmethod + def get_misp_category(labels): + return labels[1].split('=')[1].strip('"') + + @staticmethod + def get_misp_type(labels): + return labels[0].split('=')[1].strip('"') + + @staticmethod + def parse_attribute_pattern(pattern): + if ' AND ' in pattern: + pattern_parts = pattern.strip('[]').split(' AND ') + if len(pattern_parts) == 3: + _, value1 = pattern_parts[2].split(' = ') + _, value2 = pattern_parts[0].split(' = ') + return '{}|{}'.format(value1.strip("'"), value2.strip("'")) + else: + _, value1 = pattern_parts[0].split(' = ') + _, value2 = pattern_parts[1].split(' = ') + if value1 in ("'ipv4-addr'", "'ipv6-addr'"): + return value2.strip("'") + return '{}|{}'.format(value1.strip("'"), value2.strip("'")) + else: + return pattern.split(' = ')[1].strip("]'") + + def parse_attribute_pattern_with_data(self, pattern): + if 'file:content_ref.payload_bin' not in pattern: + return self.parse_attribute_pattern(pattern) + pattern_parts = pattern.strip('[]').split(' AND ') + if len(pattern_parts) == 3: + filename = pattern_parts[0].split(' = ')[1] + md5 = pattern_parts[1].split(' = ')[1] + return "{}|{}".format(filename.strip("'"), md5.strip("'")), pattern_parts[2].split(' = ')[1].strip("'") + return pattern_parts[0].split(' = ')[1].strip("'"), pattern_parts[1].split(' = ')[1].strip("'") + + @staticmethod + def parse_custom_property(custom_property): + properties = custom_property.split('_') + return {'type': properties[2], 'object_relation': '-'.join(properties[3:])} + + +class ExternalStixParser(StixParser): + def __init__(self): + super().__init__() + self._stix2misp_mapping.update({'attack-pattern': 'parse_attack_pattern', + 'course-of-action': 'parse_course_of_action', + 'vulnerability': 'parse_vulnerability'}) + + ################################################################################ + ## PARSING FUNCTIONS. ## + ################################################################################ + + def parse_event(self, stix_event): + for stix_object in stix_event.objects: + object_type = stix_object['type'] + if object_type in self._stix2misp_mapping: + getattr(self, self._stix2misp_mapping[object_type])(stix_object) + else: + print(f'not found: {object_type}', file=sys.stderr) + if self.relationship: + self.parse_relationships() + if self.galaxy: + self.parse_galaxies() + event_uuid = stix_event.id.split('--')[1] + if hasattr(self, 'report'): + self.parse_report(event_uuid=event_uuid) + else: + self.misp_event.uuid = event_uuid + self.misp_event.info = 'Imported with the STIX to MISP import script.' + self.handle_markings() + + def parse_galaxy(self, galaxy): + galaxy_names = self._check_existing_galaxy_name(galaxy.name) + if galaxy_names is not None: + return galaxy_names + return [f'misp-galaxy:{galaxy._type}="{galaxy.name}"'] + + def _parse_indicator(self, indicator): + pattern = indicator.pattern + if any(relation in pattern for relation in stix2misp_mapping.pattern_forbidden_relations) or all(relation in pattern for relation in (' OR ', ' AND ')): + self.add_stix2_pattern_object(indicator) + separator = ' OR ' if ' OR ' in pattern else ' AND ' + self.parse_usual_indicator(indicator, separator) + + def _parse_observable(self, observable): + types = self._parse_observable_types(observable.objects) + try: + getattr(self, stix2misp_mapping.observable_mapping[types])(observable) + except KeyError: + print(f'Type(s) not supported at the moment: {types}\n', file=sys.stderr) + + def _parse_undefined(self, stix_object): + try: + self.objects_to_parse[stix_object['id'].split('--')[1]] = stix_object + except AttributeError: + self.objects_to_parse = {stix_object['id'].split('--')[1]: stix_object} + + def add_stix2_pattern_object(self, indicator): + misp_object = MISPObject('stix2-pattern', misp_objects_path_custom=_misp_objects_path) + misp_object.uuid = indicator.id.split('--')[1] + misp_object.update(self.parse_timeline(indicator)) + version = f'STIX {indicator.pattern_version}' if hasattr(indicator, 'pattern_version') else 'STIX 2.0' + misp_object.add_attribute(**{'type': 'text', 'object_relation': 'version', 'value': version}) + misp_object.add_attribute(**{'type': 'stix2-pattern', 'object_relation': 'stix2-pattern', + 'value': indicator.pattern}) + self.misp_event.add_object(**misp_object) + + @staticmethod + def fill_misp_object(misp_object, stix_object, mapping): + for key, feature in getattr(stix2misp_mapping, mapping).items(): + if hasattr(stix_object, key): + attribute = deepcopy(feature) + attribute['value'] = getattr(stix_object, key) + misp_object.add_attribute(**attribute) + + @staticmethod + def fill_misp_object_from_dict(misp_object, stix_object, mapping): + for key, feature in getattr(stix2misp_mapping, mapping).items(): + if key in stix_object: + attribute = deepcopy(feature) + attribute['value'] = stix_object[key] + misp_object.add_attribute(**attribute) + + def parse_attack_pattern(self, attack_pattern): + galaxy_names = self._check_existing_galaxy_name(attack_pattern.name) + if galaxy_names is not None: + self.galaxy[attack_pattern['id'].split('--')[1]] = {'tag_names': galaxy_names, 'used': False} + else: + misp_object = self.create_misp_object(attack_pattern) + if hasattr(attack_pattern, 'external_references'): + for reference in attack_pattern.external_references: + source_name = reference['source_name'] + value = reference['external_id'].split('-')[1] if source_name == 'capec' else reference['url'] + attribute = deepcopy(stix2misp_mapping.attack_pattern_references_mapping[source_name]) if source_name in stix2misp_mapping.attack_pattern_references_mapping else stix2misp_mapping.references_attribute_mapping + attribute['value'] = value + misp_object.add_attribute(**attribute) + self.fill_misp_object(misp_object, attack_pattern, 'attack_pattern_mapping') + self.misp_event.add_object(**misp_object) + + def parse_course_of_action(self, course_of_action): + galaxy_names = self._check_existing_galaxy_name(course_of_action.name) + if galaxy_names is not None: + self.galaxy[course_of_action['id'].split('--')[1]] = {'tag_names': galaxy_names, 'used': False} + else: + misp_object = self.create_misp_object(course_of_action) + self.fill_misp_object(misp_object, course_of_action, 'course_of_action_mapping') + self.misp_event.add_object(**misp_object) + + def parse_usual_indicator(self, indicator, separator): + pattern = tuple(part.strip() for part in self._handle_pattern(indicator.pattern).split(separator)) + types = self._parse_pattern_types(pattern) + try: + getattr(self, stix2misp_mapping.pattern_mapping[types])(indicator, separator) + except KeyError: + print(f'Type(s) not supported at the moment: {types}\n', file=sys.stderr) + self.add_stix2_pattern_object(indicator) + + def parse_vulnerability(self, vulnerability): + galaxy_names = self._check_existing_galaxy_name(vulnerability.name) + if galaxy_names is not None: + self.galaxy[vulnerability['id'].split('--')[1]] = {'tag_names': galaxy_names, 'used': False} + else: + attributes = self._get_attributes_from_observable(vulnerability, 'vulnerability_mapping') + if hasattr(vulnerability, 'external_references'): + for reference in vulnerability.external_references: + if reference['source_name'] == 'url': + attribute = deepcopy(stix2misp_mapping.references_attribute_mapping) + attribute['value'] = reference['url'] + attributes.append(attribute) + if len(attributes) == 1 and attributes[0]['object_relation'] == 'id': + attributes[0]['type'] = 'vulnerability' + self.handle_import_case(vulnerability, attributes, 'vulnerability') + + ################################################################################ + ## OBSERVABLE PARSING FUNCTIONS ## + ################################################################################ + + @staticmethod + def _fetch_reference_type(references, object_type): + for key, reference in references.items(): + if isinstance(reference, getattr(stix2.v20.observables, object_type)): + return key + return None + + @staticmethod + def _fetch_user_account_type_observable(observable_objects): + for observable_object in observable_objects.values(): + if hasattr(observable_object, 'extensions') or any(key not in ('user_id', 'credential', 'type') for key in observable_object): + return 'user-account', 'user_account_mapping' + return 'credential', 'credential_mapping' + + @staticmethod + def _get_attributes_from_observable(stix_object, mapping): + attributes = [] + for key, value in stix_object.items(): + if key in getattr(stix2misp_mapping, mapping) and value: + attribute = deepcopy(getattr(stix2misp_mapping, mapping)[key]) + attribute.update({'value': value, 'to_ids': False}) + attributes.append(attribute) + return attributes + + def get_network_traffic_attributes(self, network_traffic, references): + attributes = self._get_attributes_from_observable(network_traffic, 'network_traffic_mapping') + mapping = 'network_traffic_references_mapping' + attributes.extend(self.parse_network_traffic_references(network_traffic, references, mapping)) + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, mapping, 'dst')) + return attributes + + @staticmethod + def _handle_attachment_type(stix_object, is_reference, filename): + _has_md5 = hasattr(stix_object, 'hashes') and 'MD5' in stix_object.hashes + if is_reference and _has_md5: + return 'malware-sample', f'{filename}|{stix_object.hashes["MD5"]}' + return 'attachment', filename + + def handle_pe_observable(self, attributes, extension, observable): + pe_uuid = self.parse_pe(extension) + file = self.create_misp_object(observable, 'file') + file.add_reference(pe_uuid, 'includes') + for attribute in attributes: + file.add_attribute(**attribute) + self.misp_event.add_object(file) + + @staticmethod + def _is_reference(network_traffic, reference): + for feature in ('src', 'dst'): + for reference_type in (f'{feature}_{ref}' for ref in ('ref', 'refs')): + if reference in network_traffic.get(reference_type, []): + return True + return False + + @staticmethod + def _network_traffic_has_extension(network_traffic): + if not hasattr(network_traffic, 'extensions'): + return None + if 'socket-ext' in network_traffic.extensions: + return 'parse_socket_extension_observable' + return None + + def parse_asn_observable(self, observable): + autonomous_system, references = self.filter_main_object(observable.objects, 'AutonomousSystem') + mapping = 'asn_mapping' + attributes = self._get_attributes_from_observable(autonomous_system, mapping) + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, mapping)) + self.handle_import_case(observable, attributes, 'asn') + + def parse_domain_ip_observable(self, observable): + domain, references = self.filter_main_object(observable.objects, 'DomainName') + mapping = 'domain_ip_mapping' + attributes = [self._parse_observable_reference(domain, mapping)] + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, mapping)) + self.handle_import_case(observable, attributes, 'domain-ip') + + def parse_domain_ip_network_traffic_observable(self, observable): + network_traffic, references = self.filter_main_object(observable.objects, 'NetworkTraffic') + extension = self._network_traffic_has_extension(network_traffic) + if extension: + attributes, object_name = getattr(self, extension)(network_traffic, references) + return self.handle_import_case(observable, attributes, object_name) + if self._required_protocols(network_traffic.protocols): + attributes = self.parse_network_connection_object(network_traffic, references) + return self.handle_import_case(observable, attributes, 'network-connection') + attributes, object_name = self.parse_network_traffic_objects(network_traffic, references) + self.handle_import_case(observable, attributes, object_name) + + def parse_domain_network_traffic_observable(self, observable): + network_traffic, references = self.filter_main_object(observable.objects, 'NetworkTraffic') + extension = self._network_traffic_has_extension(network_traffic) + if extension: + attributes, object_name = getattr(self, extension)(network_traffic, references) + return self.handle_import_case(observable, attributes, object_name) + attributes = self.parse_network_connection_object(network_traffic, references) + self.handle_import_case(observable, attributes, 'network-connection') + + def parse_email_address_observable(self, observable): + self.add_attributes_from_observable(observable, 'email-src', 'value') + + def parse_email_observable(self, observable): + email_message, references = self.filter_main_object(observable.objects, 'EmailMessage') + attributes = self._get_attributes_from_observable(email_message, 'email_mapping') + if hasattr(email_message, 'additional_header_fields'): + attributes.extend(self._get_attributes_from_observable(email_message.additional_header_fields, 'email_mapping')) + attributes.extend(self._parse_email_references(email_message, references)) + if hasattr(email_message, 'body_multipart') and email_message.body_multipart: + attributes.extend(self._parse_email_body(email_message.body_multipart, references)) + if references: + print(f'Unable to parse the following observable objects: {references}', file=sys.stderr) + self.handle_import_case(observable, attributes, 'email') + + def parse_file_observable(self, observable): + file_object, references = self.filter_main_object(observable.objects, 'File') + attributes = self._get_attributes_from_observable(file_object, 'file_mapping') + if 'hashes' in file_object: + attributes.extend(self._get_attributes_from_observable(file_object.hashes, 'file_mapping')) + if references: + filename = file_object.name if hasattr(file_object, 'name') else 'unknown_filename' + for key, reference in references.items(): + if isinstance(reference, stix2.v20.observables.Artifact): + _is_content_ref = 'content_ref' in file_object and file_object.content_ref == key + attribute_type, value = self._handle_attachment_type(reference, _is_content_ref, filename) + attribute = { + 'type': attribute_type, + 'object_relation': attribute_type, + 'value': value, + 'to_ids': False + } + if hasattr(reference, 'payload_bin'): + attribute['data'] = reference.payload_bin + attributes.append(attribute) + elif isinstance(reference, stix2.v20.observables.Directory): + attribute = { + 'type': 'text', + 'object_relation': 'path', + 'value': reference.path, + 'to_ids': False + } + attributes.append(attribute) + if hasattr(file_object, 'extensions'): + # Support of more extension types probably in the future + if 'windows-pebinary-ext' in file_object.extensions: + # Here we do not go to the standard route of "handle_import_case" + # because we want to make sure a file object is created + return self.handle_pe_observable(attributes, file_object.extensions['windows-pebinary-ext'], observable) + extension_types = (extension_type for extension_type in file_object.extensions.keys()) + print(f'File extension type(s) not supported at the moment: {", ".join(extension_types)}', file=sys.stderr) + self.handle_import_case(observable, attributes, 'file', _force_object=('file-encoding', 'path')) + + def parse_ip_address_observable(self, observable): + attributes = [] + for observable_object in observable.objects.values(): + attribute = { + 'value': observable_object.value, + 'to_ids': False + } + attribute.update(stix2misp_mapping.ip_attribute_mapping) + attributes.append(attribute) + self.handle_import_case(observable, attributes, 'ip-port') + + def parse_ip_network_traffic_observable(self, observable): + network_traffic, references = self.filter_main_object(observable.objects, 'NetworkTraffic') + extension = self._network_traffic_has_extension(network_traffic) + if extension: + attributes, object_name = getattr(self, extension)(network_traffic, references) + return self.handle_import_case(observable, attributes, object_name) + attributes = self.parse_ip_port_object(network_traffic, references) + self.handle_import_case(observable, attributes, 'ip-port') + + def parse_ip_port_object(self, network_traffic, references): + attributes = self._get_attributes_from_observable(network_traffic, 'network_traffic_mapping') + attributes.extend(self.parse_network_traffic_references(network_traffic, references, 'ip_port_references_mapping')) + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, 'domain_ip_mapping')) + return attributes + + def parse_mac_address_observable(self, observable): + self.add_attributes_from_observable(observable, 'mac-address', 'value') + + def parse_network_connection_object(self, network_traffic, references): + attributes = self.get_network_traffic_attributes(network_traffic, references) + attributes.extend(self.parse_protocols(network_traffic.protocols, 'observable object')) + return attributes + + def parse_network_traffic_objects(self, network_traffic, references): + _has_domain = self._fetch_reference_type(references.values(), 'DomainName') + if _has_domain and self._is_reference(network_traffic, _has_domain): + return self.parse_network_connection_object(network_traffic, references), 'network-connection' + return self.parse_ip_port_object(network_traffic, references), 'ip-port' + + def parse_network_traffic_references(self, network_traffic, references, mapping): + attributes = [] + for feature in ('src', 'dst'): + ref = f'{feature}_ref' + if hasattr(network_traffic, ref): + reference = getattr(network_traffic, ref) + attributes.append(self._parse_observable_reference(references.pop(reference), mapping, feature)) + if hasattr(network_traffic, f'{ref}s'): + for reference in getattr(network_traffic, f'{ref}s'): + attributes.append(self._parse_observable_reference(references.pop(reference), mapping, feature)) + return attributes + + def parse_mutex_observable(self, observable): + self.add_attributes_from_observable(observable, 'mutex', 'name') + + def parse_process_observable(self, observable): + process, references = self.filter_main_object(observable.objects, 'Process', test_function='_process_test_filter') + attributes = self._get_attributes_from_observable(process, 'process_mapping') + if hasattr(process, 'parent_ref'): + attributes.extend(self._get_attributes_from_observable(references.pop(process.parent_ref), 'parent_process_reference_mapping')) + if hasattr(process, 'child_refs'): + for reference in process.child_refs: + attributes.extend(self._get_attributes_from_observable(references.pop(reference), 'child_process_reference_mapping')) + if hasattr(process, 'binary_ref'): + reference = references.pop(process.binary_ref) + attribute = { + 'value': reference.name, + 'to_ids': False + } + attribute.update(stix2misp_mapping.process_image_mapping) + attributes.append(attribute) + if references: + print(f'Unable to parse the following observable objects: {references}', file=sys.stderr) + self.handle_import_case(observable, attributes, 'process', _force_object=True) + + def parse_protocols(self, protocols, object_type): + attributes = [] + protocols = (protocol.upper() for protocol in protocols) + for protocol in protocols: + try: + attributes.append(self._parse_network_traffic_protocol(protocol)) + except KeyError: + print(f'Unknown protocol in network-traffic {object_type}: {protocol}', file=sys.stderr) + return attributes + + def parse_regkey_observable(self, observable): + attributes = [] + for observable_object in observable.objects.values(): + attributes.extend(self._get_attributes_from_observable(observable_object, 'regkey_mapping')) + if 'values' in observable_object: + for registry_value in observable_object['values']: + attributes.extend(self._get_attributes_from_observable(registry_value, 'regkey_mapping')) + self.handle_import_case(observable, attributes, 'registry-key') + + def parse_socket_extension_observable(self, network_traffic, references): + attributes = self.get_network_traffic_attributes(network_traffic, references) + for key, value in network_traffic.extensions['socket-ext'].items(): + if key not in stix2misp_mapping.network_socket_extension_mapping: + print(f'Unknown socket extension field in observable object: {key}', file=sys.stderr) + continue + if key.startswith('is_') and not value: + continue + attribute = { + 'value': key.split('_')[1] if key.startswith('is_') else value, + 'to_ids': False + } + attribute.update(stix2misp_mapping.network_socket_extension_mapping[key]) + attributes.append(attribute) + return attributes, 'network-socket' + + def parse_url_observable(self, observable): + network_traffic, references = self.filter_main_object(observable.objects, 'NetworkTraffic') + attributes = self._get_attributes_from_observable(network_traffic, 'network_traffic_mapping') if network_traffic else [] + if references: + for reference in references.values(): + attributes.append(self._parse_observable_reference(reference, 'url_mapping')) + self.handle_import_case(observable, attributes, 'url') + + def parse_user_account_extension(self, extension): + attributes = self._parse_user_account_groups(extension['groups']) if 'groups' in extension else [] + attributes.extend(self._get_attributes_from_observable(extension, 'user_account_mapping')) + return attributes + + def parse_user_account_observable(self, observable): + attributes = [] + object_name, mapping = self._fetch_user_account_type_observable(observable.objects) + for observable_object in observable.objects.values(): + attributes.extend(self._get_attributes_from_observable(observable_object, mapping)) + if hasattr(observable_object, 'extensions') and observable_object.extensions.get('unix-account-ext'): + attributes.extend(self.parse_user_account_extension(observable_object.extensions['unix-account-ext'])) + self.handle_import_case(observable, attributes, object_name) + + def parse_x509_observable(self, observable): + attributes = [] + for observable_object in observable.objects.values(): + attributes.extend(self._get_attributes_from_observable(observable_object, 'x509_mapping')) + if hasattr(observable_object, 'hashes'): + attributes.extend(self._get_attributes_from_observable(observable_object.hashes, 'x509_mapping')) + self.handle_import_case(observable, attributes, 'x509') + + ################################################################################ + ## PATTERN PARSING FUNCTIONS. ## + ################################################################################ + + @staticmethod + def _fetch_user_account_type_pattern(pattern): + for stix_object in pattern: + if 'extensions' in stix_object or all(key not in stix_object for key in ('user_id', 'credential', 'type')): + return 'user-account', 'user_account_mapping' + return 'credential', 'credential_mapping' + + def get_attachment(self, attachment, filename): + attribute = { + 'type': 'attachment', + 'object_relation': 'attachment', + 'value': attachment.pop(filename) + } + data_feature = self._choose_with_priority(attachment, 'file:content_ref.payload_bin', 'artifact:payload_bin') + attribute['data'] = attachment.pop(data_feature) + return attribute + + def get_attributes_from_pattern(self, pattern, mapping, separator): + attributes = [] + for pattern_part in pattern.strip('[]').split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + try: + attribute = deepcopy(getattr(stix2misp_mapping, mapping)[pattern_type]) + except KeyError: + print(f'Pattern type not supported at the moment: {pattern_type}', file=sys.stderr) + continue + attribute['value'] = pattern_value + attributes.append(attribute) + return attributes + + def get_malware_sample(self, attachment, filename): + md5_feature = self._choose_with_priority(attachment, "file:content_ref.hashes.'MD5'", "file:hashes.'MD5'") + attribute = { + 'type': 'malware-sample', + 'object_relation': 'malware-sample', + 'value': f'{attachment.pop(filename)}|{attachment.pop(md5_feature)}' + } + data_feature = self._choose_with_priority(attachment, 'file:content_ref.payload_bin', 'artifact:payload_bin') + attribute['data'] = attachment.pop(data_feature) + return attribute + + def _handle_file_attachments(self, attachment): + attributes = [] + if any('content_ref' in feature for feature in attachment.keys()): + attribute_type = 'attachment' + value = attachment['file:name'] if 'file:name' in attachment else 'unknown_filename' + if "file:content_ref.hashes.'MD5'" in attachment: + attribute_type = 'malware-sample' + md5 = attachment.pop("file:content_ref.hashes.'MD5'") + value = f'{value}|{md5}' + data = self._choose_with_priority(attachment, 'file:content_ref.payload_bin', 'artifact:payload_bin') + attribute = { + 'type': attribute_type, + 'object_relation': attribute_type, + 'value': value, + 'data': attachment.pop(data) + } + attributes.append(attribute) + if 'artifact:payload_bin' in attachment: + attribute = { + 'type': 'attachment', + 'object_relation': 'attachment', + 'value': attachment['file:name'], + 'data': attachment.pop('artifact:payload_bin') + } + attributes.append(attribute) + return attributes + + def parse_as_pattern(self, indicator, separator): + attributes = self.get_attributes_from_pattern(indicator.pattern, 'asn_mapping', separator) + self.handle_import_case(indicator, attributes, 'asn') + + def parse_domain_ip_port_pattern(self, indicator, separator): + attributes = [] + references = defaultdict(dict) + for pattern_part in self._handle_pattern(indicator.pattern).split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + if pattern_type not in stix2misp_mapping.domain_ip_mapping: + if any(pattern_type.startswith(f'network-traffic:{feature}_ref') for feature in ('src', 'dst')): + feature_type, ref = pattern_type.split(':')[1].split('_') + ref, feature = ref.split('.') + ref = f"{feature_type}_{'0' if ref == 'ref' else ref.strip('ref[]')}" + references[ref].update(self._parse_network_connection_reference(feature_type, feature, pattern_value)) + else: + print(f'Pattern type not currently mapped: {pattern_type}', file=sys.stderr) + continue + attribute = deepcopy(stix2misp_mapping.domain_ip_mapping[pattern_type]) + attribute['value'] = pattern_value + attributes.append(attribute) + if references: + attributes.extend(references.values()) + object_name = 'ip-port' if 'network-traffic' in indicator.pattern else 'domain-ip' + self.handle_import_case(indicator, attributes, object_name) + + def parse_email_address_pattern(self, indicator, separator): + self.add_attributes_from_indicator(indicator, 'email-src', separator) + + def parse_email_message_pattern(self, indicator, separator): + attributes = [] + attachments = defaultdict(dict) + for pattern_part in self._handle_pattern(indicator.pattern).split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + if pattern_type not in stix2misp_mapping.email_mapping: + if pattern_type.startswith('email-message:body_multipart'): + features = pattern_type.split('.') + if len(features) == 3 and features[1] == 'body_raw_ref': + index = features[0].split('[')[1].strip(']') if '[' in features[0] else '0' + key = 'data' if features[2] == 'payload_bin' else 'value' + attachments[index][key] = pattern_value + continue + print(f'Pattern type not supported at the moment: {pattern_type}', file=sys.stderr) + continue + attribute = deepcopy(stix2misp_mapping.email_mapping[pattern_type]) + attribute['value'] = pattern_value + attributes.append(attribute) + if attachments: + for attachment in attachments.values(): + attribute = { + 'type': 'attachment', + 'object_relation': 'screenshot' + } if 'data' in attachment else { + 'type': 'email-attachment', + 'object_relation': 'attachment' + } + attribute.update(attachment) + attributes.append(attribute) + self.handle_import_case(indicator, attributes, 'email') + + def parse_file_pattern(self, indicator, separator): + attributes = [] + attachment = {} + extensions = defaultdict(lambda: defaultdict(dict)) + for pattern_part in self._handle_pattern(indicator.pattern).split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + if pattern_type in stix2misp_mapping.attachment_types: + attachment[pattern_type] = pattern_value.strip("'") + continue + if pattern_type not in stix2misp_mapping.file_mapping: + if 'extensions' in pattern_type: + features = pattern_type.split('.')[1:] + extension_type = features.pop(0).strip("'") + if 'section' in features[0] and features[0] != 'number_of_sections': + index = features[0].split('[')[1].strip(']') if '[' in features[0] else '0' + extensions[extension_type][f'section_{index}'][features[-1].strip("'")] = pattern_value + else: + extensions[extension_type]['.'.join(features)] = pattern_value + continue + attribute = deepcopy(stix2misp_mapping.file_mapping[pattern_type]) + attribute['value'] = pattern_value + attributes.append(attribute) + if any(key.endswith('payload_bin') for key in attachment.keys()): + attributes.extend(self._handle_file_attachments(attachment)) + if attachment: + for pattern_type, value in attachment.items(): + if pattern_type in stix2misp_mapping.file_mapping: + attribute = deepcopy(stix2misp_mapping.file_mapping[pattern_type]) + attribute['value'] = value + attributes.append(attribute) + if extensions: + file_object = self.create_misp_object(indicator, 'file') + self.parse_file_extension(file_object, attributes, extensions) + else: + self.handle_import_case(indicator, attributes, 'file', _force_object=('file-encoding', 'path')) + + def parse_file_extension(self, file_object, attributes, extensions): + for attribute in attributes: + file_object.add_attribute(**attribute) + if 'windows-pebinary-ext' in extensions: + pe_extension = extensions['windows-pebinary-ext'] + pe_object = MISPObject('pe', misp_objects_path_custom=_misp_objects_path) + sections = self._get_sections(pe_extension) + self.fill_misp_object_from_dict(pe_object, pe_extension, 'pe_mapping') + if sections: + for section in sections: + section_object = MISPObject('pe-section') + self.fill_misp_object_from_dict(section_object, section, 'pe_section_mapping') + self.misp_event.add_object(section_object) + pe_object.add_reference(section_object.uuid, 'includes') + self.misp_event.add_object(pe_object) + file_object.add_reference(pe_object.uuid, 'includes') + self.misp_event.add_object(file_object) + + def parse_ip_address_pattern(self, indicator, separator): + self.add_attributes_from_indicator(indicator, 'ip-dst', separator) + + def parse_mac_address_pattern(self, indicator, separator): + self.add_attributes_from_indicator(indicator, 'mac-address', separator) + + def parse_mutex_pattern(self, indicator, separator): + self.add_attributes_from_indicator(indicator, 'mutex', separator) + + def parse_network_connection_pattern(self, indicator, attributes, references): + attributes.extend(self._parse_network_pattern_references(references, 'network_traffic_references_mapping')) + self.handle_import_case(indicator, attributes, 'network-connection') + + @staticmethod + def _parse_network_pattern_references(references, mapping): + attributes = [] + for feature, reference in references.items(): + feature = feature.split('_')[0] + attribute = {key: value.format(feature) for key, value in getattr(stix2misp_mapping, mapping)[reference['type']].items()} + attribute['value'] = reference['value'] + attributes.append(attribute) + return attributes + + def parse_network_socket_pattern(self, indicator, attributes, references, extension): + attributes.extend(self._parse_network_pattern_references(references, 'network_traffic_references_mapping')) + for key, value in extension.items(): + if key not in stix2misp_mapping.network_socket_extension_mapping: + print(f'Unknown socket extension field in pattern: {key}', file=sys.stderr) + continue + if key.startswith('is_') and not json.loads(value.lower()): + continue + attribute = deepcopy(stix2misp_mapping.network_socket_extension_mapping[key]) + attribute['value'] = key.split('_')[1] if key.startswith('is_') else value + attributes.append(attribute) + self.handle_import_case(indicator, attributes, 'network-socket') + + def parse_network_traffic_pattern(self, indicator, separator): + attributes = [] + protocols = [] + references = defaultdict(dict) + extensions = defaultdict(dict) + for pattern_part in self._handle_pattern(indicator.pattern).split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + if pattern_type in stix2misp_mapping.network_traffic_mapping: + attribute = deepcopy(stix2misp_mapping.network_traffic_mapping[pattern_type]) + attribute['value'] = pattern_value.strip("'") + attributes.append(attribute) + continue + if pattern_type.startswith('network-traffic:protocols['): + protocols.append(pattern_value) + elif any(pattern_type.startswith(f'network-traffic:{feature}_ref') for feature in ('src', 'dst')): + feature_type, ref = pattern_type.split(':')[1].split('_') + ref, feature = ref.split('.') + ref = f"{feature_type}_{'0' if ref == 'ref' else ref.strip('ref[]')}" + references[ref].update({feature: pattern_value}) + elif pattern_type.startswith('network-traffic:extensions.'): + _, extension_type, feature = pattern_type.split('.') + extensions[extension_type.strip("'")][feature] = pattern_value + else: + print(f'Pattern type not supported at the moment: {pattern_type}', file=sys.stderr) + if extensions: + if 'socket-ext' in extensions: + return self.parse_network_socket_pattern(indicator, attributes, references, extensions['socket-ext']) + print(f'Unknown network extension(s) in pattern: {", ".join(extensions.keys())}', file=sys.stderr) + if protocols and self._required_protocols(protocols): + attributes.extend(self.parse_protocols(protocols, 'pattern')) + return self.parse_network_connection_pattern(indicator, attributes, references) + attributes.extend(self._parse_network_pattern_references(references, 'ip_port_references_mapping')) + self.handle_import_case(indicator, attributes, 'ip-port') + + def parse_process_pattern(self, indicator, separator): + attributes = [] + parent = {} + child = defaultdict(set) + for pattern_part in self._handle_pattern(indicator.pattern).split(separator): + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + if 'parent_' in pattern_type: + child[pattern_type.split('.')[-1]].add(pattern_value) + elif 'child_' in pattern_type: + parent[pattern_type.split('.')[-1]] = pattern_value + else: + try: + attribute = deepcopy(stix2misp_mapping.process_mapping[pattern_type]) + except KeyError: + print(f'Pattern type not supported at the moment: {pattern_type}', file=sys.stderr) + continue + attribute['value'] = pattern_value + attributes.append(attribute) + if parent: + for key, value in parent.items(): + if key not in stix2misp_mapping.parent_process_reference_mapping: + print(f'Parent process key from pattern not supported at the moment: {key}', file=sys.stderr) + continue + attribute = {'value': value} + attribute.update(stix2misp_mapping.parent_process_reference_mapping[key]) + attributes.append(attribute) + if child: + for key, values in child.items(): + if key not in stix2misp_mapping.child_process_reference_mapping: + print(f'Child process key from pattern not supported at the moment: {key}', file=sys.stderr) + continue + for value in values: + attribute = {'value': value} + attribute.update(stix2misp_mapping.child_process_reference_mapping[key]) + attributes.append(attribute) + self.handle_import_case(indicator, attributes, 'process', _force_object=True) + + def parse_regkey_pattern(self, indicator, separator): + attributes = self.get_attributes_from_pattern(indicator.pattern, 'regkey_mapping', separator) + self.handle_import_case(indicator, attributes, 'registry-key') + + def parse_url_pattern(self, indicator, separator): + attributes = self.get_attributes_from_pattern(indicator.pattern, 'url_mapping', separator) + self.handle_import_case(indicator, attributes, 'url') + + def parse_user_account_pattern(self, indicator, separator): + attributes = [] + pattern = self._handle_pattern(indicator.pattern).split(separator) + object_name, mapping = self._fetch_user_account_type_pattern(pattern) + for pattern_part in pattern: + pattern_type, pattern_value = self.get_type_and_value_from_pattern(pattern_part) + pattern_type = pattern_type.split(':')[1] + if pattern_type.startswith('extensions.'): + pattern_type = pattern_type.split('.')[-1] + if '[' in pattern_type: + pattern_type = pattern_type.split('[')[0] + if pattern_type in ('group', 'groups'): + attributes.append({'type': 'text', 'object_relation': 'group', 'value': pattern_value}) + continue + if pattern_type in getattr(stix2misp_mapping, mapping): + attribute = deepcopy(getattr(stix2misp_mapping, mapping)[pattern_type]) + attribute['value'] = pattern_value + attributes.append(attribute) + self.handle_import_case(indicator, attributes, object_name) + + def parse_x509_pattern(self, indicator, separator): + attributes = self.get_attributes_from_pattern(indicator.pattern, 'x509_mapping', separator) + self.handle_import_case(indicator, attributes, 'x509') + + ################################################################################ + ## UTILITY FUNCTIONS. ## + ################################################################################ + + def add_attributes_from_indicator(self, indicator, attribute_type, separator): + patterns = self._handle_pattern(indicator.pattern).split(separator) + if len(patterns) == 1: + _, value = self.get_type_and_value_from_pattern(patterns[0]) + attribute = MISPAttribute() + attribute.from_dict(**{ + 'uuid': indicator.id.split('--')[1], + 'type': attribute_type, + 'value': value, + 'to_ids': True + }) + attribute.update(self.parse_timeline(indicator)) + self.misp_event.add_attribute(**attribute) + else: + tmp_attribute = self.parse_timeline(indicator) + for pattern in patterns: + _, value = self.get_type_and_value_from_pattern(pattern) + attribute = MISPAttribute() + attribute.from_dict(**{ + 'type': attribute_type, + 'value': value, + 'to_ids': True + }) + attribute.update(tmp_attribute) + self.misp_event.add_attribute(**attribute) + + def add_attributes_from_observable(self, observable, attribute_type, feature): + if len(observable.objects) == 1: + attribute = MISPAttribute() + attribute.from_dict(**{ + 'uuid': observable.id.split('--')[1], + 'type': attribute_type, + 'value': getattr(observable.objects['0'], feature), + 'to_ids': False + }) + attribute.update(self.parse_timeline(observable)) + self.misp_event.add_attribute(**attribute) + else: + tmp_attribute = self.parse_timeline(observable) + for observable_object in observable.objects.values(): + attribute = MISPAttribute() + attribute.from_dict(**{ + 'type': attribute_type, + 'value': getattr(observable_object, feature), + 'to_ids': False + }) + attribute.update(tmp_attribute) + self.misp_event.add_attribute(**attribute) + + def _check_existing_galaxy_name(self, galaxy_name): + if galaxy_name in self._synonyms_to_tag_names: + return self._synonyms_to_tag_names[galaxy_name] + for name, tag_names in self._synonyms_to_tag_names.items(): + if galaxy_name in name: + return tag_names + return None + + def create_misp_object(self, stix_object, name=None): + misp_object = MISPObject(name if name is not None else stix_object.type, + misp_objects_path_custom=_misp_objects_path) + misp_object.uuid = stix_object.id.split('--')[1] + if hasattr(stix_object, 'description') and stix_object.description: + misp_object.comment = stix_object.description + misp_object.update(self.parse_timeline(stix_object)) + return misp_object + + @staticmethod + def _get_sections(pe_extension): + sections = [feature for feature in pe_extension.keys() if feature.startswith('section_')] + return (pe_extension.pop(feature) for feature in sections) + + @staticmethod + def get_type_and_value_from_pattern(pattern): + pattern = pattern.strip('[]') + try: + pattern_type, pattern_value = pattern.split(' = \'') + except ValueError: + pattern_type, pattern_value = pattern.split('=') + return pattern_type.strip(), pattern_value.strip("'") + + def handle_import_case(self, stix_object, attributes, name, _force_object=False): + try: + if len(attributes) > 1 or (_force_object and self._handle_object_forcing(_force_object, attributes[0])): + misp_object = self.create_misp_object(stix_object, name) + for attribute in attributes: + misp_object.add_attribute(**attribute) + self.misp_event.add_object(**misp_object) + else: + attribute = {field: attributes[0][field] for field in stix2misp_mapping.single_attribute_fields if attributes[0].get(field) is not None} + attribute['uuid'] = stix_object.id.split('--')[1] + attribute.update(self.parse_timeline(stix_object)) + if isinstance(stix_object, stix2.v20.Indicator): + attribute['to_ids'] = True + if hasattr(stix_object, 'object_marking_refs'): + self.update_marking_refs(attribute['uuid'], stix_object.object_marking_refs) + self.misp_event.add_attribute(**attribute) + except IndexError: + object_type = 'indicator' if isinstance(stix_object, stix2.Indicator) else 'observable objects' + print(f'No attribute or object could be imported from the following {object_type}: {stix_object}', file=sys.stderr) + + @staticmethod + def _handle_object_forcing(_force_object, attribute): + if isinstance(_force_object, (list, tuple)): + return attribute['object_relation'] in _force_object + return _force_object + + @staticmethod + def _handle_pattern(pattern): + return pattern.strip().strip('[]') + + @staticmethod + def _parse_observable_types(observable_objects): + types = {observable_object._type for observable_object in observable_objects.values()} + return tuple(sorted(types)) + + @staticmethod + def _parse_pattern_types(pattern): + types = {part.split('=')[0].split(':')[0].strip('[') for part in pattern} + return tuple(sorted(types)) + + @staticmethod + def _required_protocols(protocols): + protocols = tuple(protocol.upper() for protocol in protocols) + if any(protocol not in ('TCP', 'IP') for protocol in protocols): + return True + return False + + +def from_misp(stix_objects): + for stix_object in stix_objects: + if stix_object['type'] == "report" and 'misp:tool="misp2stix2"' in stix_object.get('labels', []): + return True + return False + + +def main(args): + filename = args[1] if args[1][0] == '/' else Path(os.path.dirname(args[0]), args[1]) + with open(filename, 'rt', encoding='utf-8') as f: + event = stix2.parse(f.read(), allow_custom=True, interoperability=True) + stix_parser = StixFromMISPParser() if from_misp(event.objects) else ExternalStixParser() + stix_parser.handler(event, filename, args[2:]) + stix_parser.save_file() + print(1) + + +if __name__ == '__main__': + main(sys.argv) diff --git a/misp_modules/lib/stix2misp_mapping.py b/misp_modules/lib/stix2misp_mapping.py new file mode 100644 index 0000000..706d990 --- /dev/null +++ b/misp_modules/lib/stix2misp_mapping.py @@ -0,0 +1,460 @@ +################################################################################ +# ATTRIBUTES AND OBJECTS MAPPING # +################################################################################ + +attributes_mapping = { + 'filename': '_parse_name', + 'ip-src': '_parse_value', + 'ip-dst': '_parse_value', + 'hostname': '_parse_value', + 'domain': '_parse_value', + 'domain|ip': '_parse_domain_ip_attribute', + 'email-src': '_parse_value', + 'email-dst': '_parse_value', + 'email-attachment': '_parse_name', + 'url': '_parse_value', + 'regkey': '_parse_regkey_attribute', + 'regkey|value': '_parse_regkey_value', + 'malware-sample': '_parse_malware_sample', + 'mutex': '_parse_name', + 'uri': '_parse_value', + 'port': '_parse_port', + 'ip-dst|port': '_parse_network_attribute', + 'ip-src|port': '_parse_network_attribute', + 'hostname|port': '_parse_network_attribute', + 'email-reply-to': '_parse_email_reply_to', + 'attachment': '_parse_attachment', + 'mac-address': '_parse_value', + 'AS': '_parse_number' +} + +attributes_type_mapping = { + 'md5': '_parse_hash', + 'sha1': '_parse_hash', + 'sha256': '_parse_hash', + 'filename|md5': '_parse_filename_hash', + 'filename|sha1': '_parse_filename_hash', + 'filename|sha256': '_parse_filename_hash', + 'email-subject': '_parse_email_message', + 'email-body': '_parse_email_message', + 'authentihash': '_parse_hash', + 'ssdeep': '_parse_hash', + 'imphash': '_parse_hash', + 'pehash': '_parse_hash', + 'impfuzzy': '_parse_hash', + 'sha224': '_parse_hash', + 'sha384': '_parse_hash', + 'sha512': '_parse_hash', + 'sha512/224': '_parse_hash', + 'sha512/256': '_parse_hash', + 'tlsh': '_parse_hash', + 'cdhash': '_parse_hash', + 'filename|authentihash': '_parse_filename_hash', + 'filename|ssdeep': '_parse_filename_hash', + 'filename|imphash': '_parse_filename_hash', + 'filename|impfuzzy': '_parse_filename_hash', + 'filename|pehash': '_parse_filename_hash', + 'filename|sha224': '_parse_filename_hash', + 'filename|sha384': '_parse_filename_hash', + 'filename|sha512': '_parse_filename_hash', + 'filename|sha512/224': '_parse_filename_hash', + 'filename|sha512/256': '_parse_filename_hash', + 'filename|tlsh': '_parse_filename_hash', + 'x509-fingerprint-md5': '_parse_x509_attribute', + 'x509-fingerprint-sha1': '_parse_x509_attribute', + 'x509-fingerprint-sha256': '_parse_x509_attribute' +} + +objects_mapping = { + 'asn': { + 'observable': 'parse_asn_observable', + 'pattern': 'parse_asn_pattern'}, + 'credential': { + 'observable': 'parse_credential_observable', + 'pattern': 'parse_credential_pattern'}, + 'domain-ip': { + 'observable': 'parse_domain_ip_observable', + 'pattern': 'parse_domain_ip_pattern'}, + 'email': { + 'observable': 'parse_email_observable', + 'pattern': 'parse_email_pattern'}, + 'file': { + 'observable': 'parse_file_observable', + 'pattern': 'parse_file_pattern'}, + 'ip-port': { + 'observable': 'parse_ip_port_observable', + 'pattern': 'parse_ip_port_pattern'}, + 'network-connection': { + 'observable': 'parse_network_connection_observable', + 'pattern': 'parse_network_connection_pattern'}, + 'network-socket': { + 'observable': 'parse_network_socket_observable', + 'pattern': 'parse_network_socket_pattern'}, + 'process': { + 'observable': 'parse_process_observable', + 'pattern': 'parse_process_pattern'}, + 'registry-key': { + 'observable': 'parse_regkey_observable', + 'pattern': 'parse_regkey_pattern'}, + 'url': { + 'observable': 'parse_url_observable', + 'pattern': 'parse_url_pattern'}, + 'user-account': { + 'observable': 'parse_user_account_observable', + 'pattern': 'parse_user_account_pattern'}, + 'WindowsPEBinaryFile': { + 'observable': 'parse_pe_observable', + 'pattern': 'parse_pe_pattern'}, + 'x509': { + 'observable': 'parse_x509_observable', + 'pattern': 'parse_x509_pattern'} +} + +observable_mapping = { + ('artifact', 'file'): 'parse_file_observable', + ('artifact', 'directory', 'file'): 'parse_file_observable', + ('artifact', 'email-addr', 'email-message', 'file'): 'parse_email_observable', + ('autonomous-system',): 'parse_asn_observable', + ('autonomous-system', 'ipv4-addr'): 'parse_asn_observable', + ('autonomous-system', 'ipv6-addr'): 'parse_asn_observable', + ('autonomous-system', 'ipv4-addr', 'ipv6-addr'): 'parse_asn_observable', + ('directory', 'file'): 'parse_file_observable', + ('domain-name',): 'parse_domain_ip_observable', + ('domain-name', 'ipv4-addr'): 'parse_domain_ip_observable', + ('domain-name', 'ipv6-addr'): 'parse_domain_ip_observable', + ('domain-name', 'ipv4-addr', 'ipv6-addr'): 'parse_domain_ip_observable', + ('domain-name', 'ipv4-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable', + ('domain-name', 'ipv6-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable', + ('domain-name', 'ipv4-addr', 'ipv6-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable', + ('domain-name', 'network-traffic'): 'parse_domain_network_traffic_observable', + ('domain-name', 'network-traffic', 'url'): 'parse_url_observable', + ('email-addr',): 'parse_email_address_observable', + ('email-addr', 'email-message'): 'parse_email_observable', + ('email-addr', 'email-message', 'file'): 'parse_email_observable', + ('email-message',): 'parse_email_observable', + ('file',): 'parse_file_observable', + ('file', 'process'): 'parse_process_observable', + ('ipv4-addr',): 'parse_ip_address_observable', + ('ipv6-addr',): 'parse_ip_address_observable', + ('ipv4-addr', 'network-traffic'): 'parse_ip_network_traffic_observable', + ('ipv6-addr', 'network-traffic'): 'parse_ip_network_traffic_observable', + ('ipv4-addr', 'ipv6-addr', 'network-traffic'): 'parse_ip_network_traffic_observable', + ('mac-addr',): 'parse_mac_address_observable', + ('mutex',): 'parse_mutex_observable', + ('process',): 'parse_process_observable', + ('x509-certificate',): 'parse_x509_observable', + ('url',): 'parse_url_observable', + ('user-account',): 'parse_user_account_observable', + ('windows-registry-key',): 'parse_regkey_observable' +} + +pattern_mapping = { + ('artifact', 'file'): 'parse_file_pattern', + ('artifact', 'directory', 'file'): 'parse_file_pattern', + ('autonomous-system', ): 'parse_as_pattern', + ('autonomous-system', 'ipv4-addr'): 'parse_as_pattern', + ('autonomous-system', 'ipv6-addr'): 'parse_as_pattern', + ('autonomous-system', 'ipv4-addr', 'ipv6-addr'): 'parse_as_pattern', + ('directory',): 'parse_file_pattern', + ('directory', 'file'): 'parse_file_pattern', + ('domain-name',): 'parse_domain_ip_port_pattern', + ('domain-name', 'ipv4-addr'): 'parse_domain_ip_port_pattern', + ('domain-name', 'ipv6-addr'): 'parse_domain_ip_port_pattern', + ('domain-name', 'ipv4-addr', 'ipv6-addr'): 'parse_domain_ip_port_pattern', + ('domain-name', 'ipv4-addr', 'url'): 'parse_url_pattern', + ('domain-name', 'ipv6-addr', 'url'): 'parse_url_pattern', + ('domain-name', 'ipv4-addr', 'ipv6-addr', 'url'): 'parse_url_pattern', + ('domain-name', 'network-traffic'): 'parse_domain_ip_port_pattern', + ('domain-name', 'network-traffic', 'url'): 'parse_url_pattern', + ('email-addr',): 'parse_email_address_pattern', + ('email-message',): 'parse_email_message_pattern', + ('file',): 'parse_file_pattern', + ('ipv4-addr',): 'parse_ip_address_pattern', + ('ipv6-addr',): 'parse_ip_address_pattern', + ('ipv4-addr', 'ipv6-addr'): 'parse_ip_address_pattern', + ('mac-addr',): 'parse_mac_address_pattern', + ('mutex',): 'parse_mutex_pattern', + ('network-traffic',): 'parse_network_traffic_pattern', + ('process',): 'parse_process_pattern', + ('url',): 'parse_url_pattern', + ('user-account',): 'parse_user_account_pattern', + ('windows-registry-key',): 'parse_regkey_pattern', + ('x509-certificate',): 'parse_x509_pattern' +} + +pattern_forbidden_relations = (' LIKE ', ' FOLLOWEDBY ', ' MATCHES ', ' ISSUBSET ', ' ISSUPERSET ', ' REPEATS ') +single_attribute_fields = ('type', 'value', 'to_ids') + + +################################################################################ +# OBSERVABLE OBJECTS AND PATTERNS MAPPING. # +################################################################################ + +address_family_attribute_mapping = {'type': 'text','object_relation': 'address-family'} +as_number_attribute_mapping = {'type': 'AS', 'object_relation': 'asn'} +description_attribute_mapping = {'type': 'text', 'object_relation': 'description'} +asn_subnet_attribute_mapping = {'type': 'ip-src', 'object_relation': 'subnet-announced'} +cc_attribute_mapping = {'type': 'email-dst', 'object_relation': 'cc'} +credential_attribute_mapping = {'type': 'text', 'object_relation': 'password'} +data_attribute_mapping = {'type': 'text', 'object_relation': 'data'} +data_type_attribute_mapping = {'type': 'text', 'object_relation': 'data-type'} +domain_attribute_mapping = {'type': 'domain', 'object_relation': 'domain'} +domain_family_attribute_mapping = {'type': 'text', 'object_relation': 'domain-family'} +dst_port_attribute_mapping = {'type': 'port', 'object_relation': 'dst-port'} +email_attachment_attribute_mapping = {'type': 'email-attachment', 'object_relation': 'attachment'} +email_date_attribute_mapping = {'type': 'datetime', 'object_relation': 'send-date'} +email_subject_attribute_mapping = {'type': 'email-subject', 'object_relation': 'subject'} +encoding_attribute_mapping = {'type': 'text', 'object_relation': 'file-encoding'} +end_datetime_attribute_mapping = {'type': 'datetime', 'object_relation': 'last-seen'} +entropy_mapping = {'type': 'float', 'object_relation': 'entropy'} +filename_attribute_mapping = {'type': 'filename', 'object_relation': 'filename'} +from_attribute_mapping = {'type': 'email-src', 'object_relation': 'from'} +imphash_mapping = {'type': 'imphash', 'object_relation': 'imphash'} +id_attribute_mapping = {'type': 'text', 'object_relation': 'id'} +ip_attribute_mapping = {'type': 'ip-dst', 'object_relation': 'ip'} +issuer_attribute_mapping = {'type': 'text', 'object_relation': 'issuer'} +key_attribute_mapping = {'type': 'regkey', 'object_relation': 'key'} +malware_sample_attribute_mapping = {'type': 'malware-sample', 'object_relation': 'malware-sample'} +mime_type_attribute_mapping = {'type': 'mime-type', 'object_relation': 'mimetype'} +modified_attribute_mapping = {'type': 'datetime', 'object_relation': 'last-modified'} +name_attribute_mapping = {'type': 'text', 'object_relation': 'name'} +network_traffic_ip = {'type': 'ip-{}', 'object_relation': 'ip-{}'} +number_sections_mapping = {'type': 'counter', 'object_relation': 'number-sections'} +password_mapping = {'type': 'text', 'object_relation': 'password'} +path_attribute_mapping = {'type': 'text', 'object_relation': 'path'} +pe_type_mapping = {'type': 'text', 'object_relation': 'type'} +pid_attribute_mapping = {'type': 'text', 'object_relation': 'pid'} +process_command_line_mapping = {'type': 'text', 'object_relation': 'command-line'} +process_creation_time_mapping = {'type': 'datetime', 'object_relation': 'creation-time'} +process_image_mapping = {'type': 'filename', 'object_relation': 'image'} +process_name_mapping = {'type': 'text', 'object_relation': 'name'} +regkey_name_attribute_mapping = {'type': 'text', 'object_relation': 'name'} +references_attribute_mapping = {'type': 'link', 'object_relation': 'references'} +reply_to_attribute_mapping = {'type': 'email-reply-to', 'object_relation': 'reply-to'} +screenshot_attribute_mapping = {'type': 'attachment', 'object_relation': 'screenshot'} +section_name_mapping = {'type': 'text', 'object_relation': 'name'} +serial_number_attribute_mapping = {'type': 'text', 'object_relation': 'serial-number'} +size_attribute_mapping = {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'} +src_port_attribute_mapping = {'type': 'port', 'object_relation': 'src-port'} +start_datetime_attribute_mapping = {'type': 'datetime', 'object_relation': 'first-seen'} +state_attribute_mapping = {'type': 'text', 'object_relation': 'state'} +summary_attribute_mapping = {'type': 'text', 'object_relation': 'summary'} +to_attribute_mapping = {'type': 'email-dst', 'object_relation': 'to'} +url_attribute_mapping = {'type': 'url', 'object_relation': 'url'} +url_port_attribute_mapping = {'type': 'port', 'object_relation': 'port'} +user_id_mapping = {'type': 'text', 'object_relation': 'username'} +x_mailer_attribute_mapping = {'type': 'email-x-mailer', 'object_relation': 'x-mailer'} +x509_md5_attribute_mapping = {'type': 'x509-fingerprint-md5', 'object_relation': 'x509-fingerprint-md5'} +x509_sha1_attribute_mapping = {'type': 'x509-fingerprint-sha1', 'object_relation': 'x509-fingerprint-sha1'} +x509_sha256_attribute_mapping = {'type': 'x509-fingerprint-sha256', 'object_relation': 'x509-fingerprint-sha256'} +x509_spka_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-algorithm'} # x509 subject public key algorithm +x509_spke_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-exponent'} # x509 subject public key exponent +x509_spkm_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-modulus'} # x509 subject public key modulus +x509_subject_attribute_mapping = {'type': 'text', 'object_relation': 'subject'} +x509_version_attribute_mapping = {'type': 'text', 'object_relation': 'version'} +x509_vna_attribute_mapping = {'type': 'datetime', 'object_relation': 'validity-not-after'} # x509 validity not after +x509_vnb_attribute_mapping = {'type': 'datetime', 'object_relation': 'validity-not-before'} # x509 validity not before + +asn_mapping = {'number': as_number_attribute_mapping, + 'autonomous-system:number': as_number_attribute_mapping, + 'name': description_attribute_mapping, + 'autonomous-system:name': description_attribute_mapping, + 'ipv4-addr': asn_subnet_attribute_mapping, + 'ipv6-addr': asn_subnet_attribute_mapping, + 'ipv4-addr:value': asn_subnet_attribute_mapping, + 'ipv6-addr:value': asn_subnet_attribute_mapping} + +attack_pattern_mapping = {'name': name_attribute_mapping, + 'description': summary_attribute_mapping} + +attack_pattern_references_mapping = {'mitre-attack': references_attribute_mapping, + 'capec': id_attribute_mapping} + +course_of_action_mapping = {'description': description_attribute_mapping, + 'name': name_attribute_mapping} + +credential_mapping = {'credential': credential_attribute_mapping, + 'user-account:credential': credential_attribute_mapping, + 'user_id': user_id_mapping, + 'user-account:user_id': user_id_mapping} + +domain_ip_mapping = {'domain-name': domain_attribute_mapping, + 'domain-name:value': domain_attribute_mapping, + 'ipv4-addr': ip_attribute_mapping, + 'ipv6-addr': ip_attribute_mapping, + 'ipv4-addr:value': ip_attribute_mapping, + 'ipv6-addr:value': ip_attribute_mapping, + 'domain-name:resolves_to_refs[*].value': ip_attribute_mapping, + 'network-traffic:dst_port': dst_port_attribute_mapping, + 'network-traffic:src_port': src_port_attribute_mapping} + +email_mapping = {'date': email_date_attribute_mapping, + 'email-message:date': email_date_attribute_mapping, + 'email-message:to_refs[*].value': to_attribute_mapping, + 'email-message:cc_refs[*].value': cc_attribute_mapping, + 'subject': email_subject_attribute_mapping, + 'email-message:subject': email_subject_attribute_mapping, + 'X-Mailer': x_mailer_attribute_mapping, + 'email-message:additional_header_fields.x_mailer': x_mailer_attribute_mapping, + 'Reply-To': reply_to_attribute_mapping, + 'email-message:additional_header_fields.reply_to': reply_to_attribute_mapping, + 'email-message:from_ref.value': from_attribute_mapping, + 'email-addr:value': to_attribute_mapping} + +email_references_mapping = {'attachment': email_attachment_attribute_mapping, + 'cc_refs': cc_attribute_mapping, + 'from_ref': from_attribute_mapping, + 'screenshot': screenshot_attribute_mapping, + 'to_refs': to_attribute_mapping} + +file_mapping = {'artifact:mime_type': mime_type_attribute_mapping, + 'file:content_ref.mime_type': mime_type_attribute_mapping, + 'mime_type': mime_type_attribute_mapping, + 'file:mime_type': mime_type_attribute_mapping, + 'name': filename_attribute_mapping, + 'file:name': filename_attribute_mapping, + 'name_enc': encoding_attribute_mapping, + 'file:name_enc': encoding_attribute_mapping, + 'file:parent_directory_ref.path': path_attribute_mapping, + 'directory:path': path_attribute_mapping, + 'size': size_attribute_mapping, + 'file:size': size_attribute_mapping} + +network_traffic_mapping = {'dst_port':dst_port_attribute_mapping, + 'src_port': src_port_attribute_mapping, + 'network-traffic:dst_port': dst_port_attribute_mapping, + 'network-traffic:src_port': src_port_attribute_mapping} + +ip_port_mapping = {'value': domain_attribute_mapping, + 'domain-name:value': domain_attribute_mapping, + 'network-traffic:dst_ref.value': {'type': 'ip-dst', 'object_relation': 'ip-dst'}, + 'network-traffic:src_ref.value': {'type': 'ip-src', 'object_relation': 'ip-src'}} +ip_port_mapping.update(network_traffic_mapping) + +ip_port_references_mapping = {'domain-name': domain_attribute_mapping, + 'ipv4-addr': network_traffic_ip, + 'ipv6-addr': network_traffic_ip} + +network_socket_extension_mapping = {'address_family': address_family_attribute_mapping, + "network-traffic:extensions.'socket-ext'.address_family": address_family_attribute_mapping, + 'protocol_family': domain_family_attribute_mapping, + "network-traffic:extensions.'socket-ext'.protocol_family": domain_family_attribute_mapping, + 'is_blocking': state_attribute_mapping, + "network-traffic:extensions.'socket-ext'.is_blocking": state_attribute_mapping, + 'is_listening': state_attribute_mapping, + "network-traffic:extensions.'socket-ext'.is_listening": state_attribute_mapping} + +network_traffic_references_mapping = {'domain-name': {'type': 'hostname', 'object_relation': 'hostname-{}'}, + 'ipv4-addr': network_traffic_ip, + 'ipv6-addr': network_traffic_ip} + +pe_mapping = {'pe_type': pe_type_mapping, 'number_of_sections': number_sections_mapping, 'imphash': imphash_mapping} + +pe_section_mapping = {'name': section_name_mapping, 'size': size_attribute_mapping, 'entropy': entropy_mapping} + +hash_types = ('MD5', 'SHA-1', 'SHA-256', 'SHA-224', 'SHA-384', 'SHA-512', 'ssdeep', 'tlsh') +for hash_type in hash_types: + misp_hash_type = hash_type.replace('-', '').lower() + attribute = {'type': misp_hash_type, 'object_relation': misp_hash_type} + file_mapping[hash_type] = attribute + file_mapping.update({f"file:hashes.'{feature}'": attribute for feature in (hash_type, misp_hash_type)}) + file_mapping.update({f"file:hashes.{feature}": attribute for feature in (hash_type, misp_hash_type)}) + pe_section_mapping[hash_type] = attribute + pe_section_mapping[misp_hash_type] = attribute + +process_mapping = {'name': process_name_mapping, + 'process:name': process_name_mapping, + 'pid': pid_attribute_mapping, + 'process:pid': pid_attribute_mapping, + 'created': process_creation_time_mapping, + 'process:created': process_creation_time_mapping, + 'command_line': process_command_line_mapping, + 'process:command_line': process_command_line_mapping, + 'process:parent_ref.pid': {'type': 'text', 'object_relation': 'parent-pid'}, + 'process:child_refs[*].pid': {'type': 'text', 'object_relation': 'child-pid'}, + 'process:binary_ref.name': process_image_mapping} + +child_process_reference_mapping = {'pid': {'type': 'text', 'object_relation': 'child-pid'}} + +parent_process_reference_mapping = {'command_line': {'type': 'text', 'object_relation': 'parent-command-line'}, + 'pid': {'type': 'text', 'object_relation': 'parent-pid'}, + 'process-name': {'type': 'text', 'object_relation': 'parent-process-name'}} + +regkey_mapping = {'data': data_attribute_mapping, + 'windows-registry-key:values.data': data_attribute_mapping, + 'data_type': data_type_attribute_mapping, + 'windows-registry-key:values.data_type': data_type_attribute_mapping, + 'modified': modified_attribute_mapping, + 'windows-registry-key:modified': modified_attribute_mapping, + 'name': regkey_name_attribute_mapping, + 'windows-registry-key:values.name': regkey_name_attribute_mapping, + 'key': key_attribute_mapping, + 'windows-registry-key:key': key_attribute_mapping, + 'windows-registry-key:value': {'type': 'text', 'object_relation': 'hive'} + } + +url_mapping = {'url': url_attribute_mapping, + 'url:value': url_attribute_mapping, + 'domain-name': domain_attribute_mapping, + 'domain-name:value': domain_attribute_mapping, + 'network-traffic': url_port_attribute_mapping, + 'network-traffic:dst_port': url_port_attribute_mapping, + 'ipv4-addr:value': ip_attribute_mapping, + 'ipv6-addr:value': ip_attribute_mapping + } + +user_account_mapping = {'account_created': {'type': 'datetime', 'object_relation': 'created'}, + 'account_expires': {'type': 'datetime', 'object_relation': 'expires'}, + 'account_first_login': {'type': 'datetime', 'object_relation': 'first_login'}, + 'account_last_login': {'type': 'datetime', 'object_relation': 'last_login'}, + 'account_login': user_id_mapping, + 'account_type': {'type': 'text', 'object_relation': 'account-type'}, + 'can_escalate_privs': {'type': 'boolean', 'object_relation': 'can_escalate_privs'}, + 'credential': credential_attribute_mapping, + 'credential_last_changed': {'type': 'datetime', 'object_relation': 'password_last_changed'}, + 'display_name': {'type': 'text', 'object_relation': 'display-name'}, + 'gid': {'type': 'text', 'object_relation': 'group-id'}, + 'home_dir': {'type': 'text', 'object_relation': 'home_dir'}, + 'is_disabled': {'type': 'boolean', 'object_relation': 'disabled'}, + 'is_privileged': {'type': 'boolean', 'object_relation': 'privileged'}, + 'is_service_account': {'type': 'boolean', 'object_relation': 'is_service_account'}, + 'shell': {'type': 'text', 'object_relation': 'shell'}, + 'user_id': {'type': 'text', 'object_relation': 'user-id'}} + +vulnerability_mapping = {'name': id_attribute_mapping, + 'description': summary_attribute_mapping} + +x509_mapping = {'issuer': issuer_attribute_mapping, + 'x509-certificate:issuer': issuer_attribute_mapping, + 'serial_number': serial_number_attribute_mapping, + 'x509-certificate:serial_number': serial_number_attribute_mapping, + 'subject': x509_subject_attribute_mapping, + 'x509-certificate:subject': x509_subject_attribute_mapping, + 'subject_public_key_algorithm': x509_spka_attribute_mapping, + 'x509-certificate:subject_public_key_algorithm': x509_spka_attribute_mapping, + 'subject_public_key_exponent': x509_spke_attribute_mapping, + 'x509-certificate:subject_public_key_exponent': x509_spke_attribute_mapping, + 'subject_public_key_modulus': x509_spkm_attribute_mapping, + 'x509-certificate:subject_public_key_modulus': x509_spkm_attribute_mapping, + 'validity_not_before': x509_vnb_attribute_mapping, + 'x509-certificate:validity_not_before': x509_vnb_attribute_mapping, + 'validity_not_after': x509_vna_attribute_mapping, + 'x509-certificate:validity_not_after': x509_vna_attribute_mapping, + 'version': x509_version_attribute_mapping, + 'x509-certificate:version': x509_version_attribute_mapping, + 'SHA-1': x509_sha1_attribute_mapping, + "x509-certificate:hashes.'sha1'": x509_sha1_attribute_mapping, + 'SHA-256': x509_sha256_attribute_mapping, + "x509-certificate:hashes.'sha256'": x509_sha256_attribute_mapping, + 'MD5': x509_md5_attribute_mapping, + "x509-certificate:hashes.'md5'": x509_md5_attribute_mapping, + } + +attachment_types = ('file:content_ref.name', 'file:content_ref.payload_bin', + 'artifact:x_misp_text_name', 'artifact:payload_bin', + "file:hashes.'MD5'", "file:content_ref.hashes.'MD5'", + 'file:name') + +connection_protocols = {"IP": "3", "ICMP": "3", "ARP": "3", + "TCP": "4", "UDP": "4", + "HTTP": "7", "HTTPS": "7", "FTP": "7"} diff --git a/misp_modules/lib/synonymsToTagNames.json b/misp_modules/lib/synonymsToTagNames.json new file mode 100644 index 0000000..c3013f3 --- /dev/null +++ b/misp_modules/lib/synonymsToTagNames.json @@ -0,0 +1 @@ +{"Accstealer":["misp-galaxy:android=\"Accstealer\""],"Ackposts":["misp-galaxy:android=\"Ackposts\""],"Acnetdoor":["misp-galaxy:android=\"Acnetdoor\""],"Acnetsteal":["misp-galaxy:android=\"Acnetsteal\""],"Actech":["misp-galaxy:android=\"Actech\""],"AdChina":["misp-galaxy:android=\"AdChina\""],"AdInfo":["misp-galaxy:android=\"AdInfo\""],"AdMarvel":["misp-galaxy:android=\"AdMarvel\""],"AdMob":["misp-galaxy:android=\"AdMob\""],"AdSms":["misp-galaxy:android=\"AdSms\""],"Adfonic":["misp-galaxy:android=\"Adfonic\""],"Adknowledge":["misp-galaxy:android=\"Adknowledge\""],"Adrd":["misp-galaxy:android=\"Adrd\""],"Aduru":["misp-galaxy:android=\"Aduru\""],"Adwhirl":["misp-galaxy:android=\"Adwhirl\""],"Adwind":["misp-galaxy:android=\"Adwind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:tool=\"Adwind\""],"AlienSpy":["misp-galaxy:android=\"Adwind\"","misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:rat=\"Adwind RAT\"","misp-galaxy:tool=\"Adwind\""],"Frutas":["misp-galaxy:android=\"Adwind\"","misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:rat=\"Adwind RAT\"","misp-galaxy:tool=\"Adwind\""],"Unrecom":["misp-galaxy:android=\"Adwind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:rat=\"Adwind RAT\"","misp-galaxy:tool=\"Adwind\""],"Sockrat":["misp-galaxy:android=\"Adwind\"","misp-galaxy:android=\"Sockrat\"","misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:tool=\"Adwind\""],"Jsocket":["misp-galaxy:android=\"Adwind\"","misp-galaxy:rat=\"Adwind RAT\""],"jRat":["misp-galaxy:android=\"Adwind\"","misp-galaxy:tool=\"Adwind\""],"Backdoor:Java\/Adwind":["misp-galaxy:android=\"Adwind\"","misp-galaxy:tool=\"Adwind\""],"Adwlauncher":["misp-galaxy:android=\"Adwlauncher\""],"Adwo":["misp-galaxy:android=\"Adwo\""],"Airad":["misp-galaxy:android=\"Airad\""],"Airpush":["misp-galaxy:android=\"Airpush\""],"StopSMS":["misp-galaxy:android=\"Airpush\""],"Alienspy":["misp-galaxy:android=\"Alienspy\""],"AmazonAds":["misp-galaxy:android=\"AmazonAds\""],"Andr\/Dropr-FH":["misp-galaxy:android=\"Andr\/Dropr-FH\""],"GhostCtrl":["misp-galaxy:android=\"Andr\/Dropr-FH\"","misp-galaxy:malpedia=\"GhostCtrl\""],"AndroidOS_HidenAd":["misp-galaxy:android=\"AndroidOS_HidenAd\""],"AndroidOS_HiddenAd":["misp-galaxy:android=\"AndroidOS_HidenAd\""],"Answerbot":["misp-galaxy:android=\"Answerbot\""],"Antammi":["misp-galaxy:android=\"Antammi\""],"Apkmore":["misp-galaxy:android=\"Apkmore\""],"Aplog":["misp-galaxy:android=\"Aplog\""],"AppLovin":["misp-galaxy:android=\"AppLovin\""],"Appenda":["misp-galaxy:android=\"Appenda\""],"Apperhand":["misp-galaxy:android=\"Apperhand\""],"Appleservice":["misp-galaxy:android=\"Appleservice\""],"Arspam":["misp-galaxy:android=\"Arspam\""],"Aurecord":["misp-galaxy:android=\"Aurecord\""],"Backapp":["misp-galaxy:android=\"Backapp\""],"Backdexer":["misp-galaxy:android=\"Backdexer\""],"Backflash":["misp-galaxy:android=\"Backflash\""],"Backscript":["misp-galaxy:android=\"Backscript\""],"Badaccents":["misp-galaxy:android=\"Badaccents\""],"Badpush":["misp-galaxy:android=\"Badpush\""],"Ballonpop":["misp-galaxy:android=\"Ballonpop\""],"BambaPurple":["misp-galaxy:android=\"BambaPurple\""],"BankBot":["misp-galaxy:android=\"BankBot\"","misp-galaxy:malpedia=\"Anubis\"","misp-galaxy:malpedia=\"BankBot\""],"Bankosy":["misp-galaxy:android=\"Bankosy\"","misp-galaxy:android=\"GM Bot\"","misp-galaxy:tool=\"Slempo\""],"Bankun":["misp-galaxy:android=\"Bankun\""],"Basebridge":["misp-galaxy:android=\"Basebridge\""],"Basedao":["misp-galaxy:android=\"Basedao\""],"Batterydoctor":["misp-galaxy:android=\"Batterydoctor\""],"BeNews":["misp-galaxy:android=\"BeNews\""],"Beaglespy":["misp-galaxy:android=\"Beaglespy\""],"BeanBot":["misp-galaxy:android=\"BeanBot\""],"Becuro":["misp-galaxy:android=\"Becuro\""],"Beita":["misp-galaxy:android=\"Beita\""],"Bgserv":["misp-galaxy:android=\"Bgserv\""],"Biigespy":["misp-galaxy:android=\"Biigespy\""],"Bmaster":["misp-galaxy:android=\"Bmaster\""],"Bossefiv":["misp-galaxy:android=\"Bossefiv\""],"Boxpush":["misp-galaxy:android=\"Boxpush\""],"BreadSMS":["misp-galaxy:android=\"BreadSMS\""],"Burstly":["misp-galaxy:android=\"Burstly\""],"BusyGasper":["misp-galaxy:android=\"BusyGasper\"","misp-galaxy:malpedia=\"BusyGasper\""],"Buzzcity":["misp-galaxy:android=\"Buzzcity\""],"ByPush":["misp-galaxy:android=\"ByPush\""],"Cajino":["misp-galaxy:android=\"Cajino\""],"Casee":["misp-galaxy:android=\"Casee\""],"Catchtoken":["misp-galaxy:android=\"Catchtoken\""],"Cauly":["misp-galaxy:android=\"Cauly\""],"Cellshark":["misp-galaxy:android=\"Cellshark\""],"Centero":["misp-galaxy:android=\"Centero\""],"Cepsohord":["misp-galaxy:android=\"Cepsohord\""],"Chamois":["misp-galaxy:android=\"Chamois\"","misp-galaxy:malpedia=\"Chamois\""],"Chuli":["misp-galaxy:android=\"Chuli\""],"Citmo":["misp-galaxy:android=\"Citmo\""],"Claco":["misp-galaxy:android=\"Claco\""],"Clevernet":["misp-galaxy:android=\"Clevernet\""],"Cnappbox":["misp-galaxy:android=\"Cnappbox\""],"Cobblerone":["misp-galaxy:android=\"Cobblerone\""],"Coolpaperleak":["misp-galaxy:android=\"Coolpaperleak\""],"Coolreaper":["misp-galaxy:android=\"Coolreaper\""],"CopyCat":["misp-galaxy:android=\"CopyCat\""],"Cosha":["misp-galaxy:android=\"Cosha\""],"Counterclank":["misp-galaxy:android=\"Counterclank\""],"Crazymedia":["misp-galaxy:android=\"Crazymedia\""],"Crisis":["misp-galaxy:android=\"Crisis\"","misp-galaxy:malpedia=\"RCS\""],"Crusewind":["misp-galaxy:android=\"Crusewind\""],"Dandro":["misp-galaxy:android=\"Dandro\""],"Daoyoudao":["misp-galaxy:android=\"Daoyoudao\""],"Deathring":["misp-galaxy:android=\"Deathring\""],"Deeveemap":["misp-galaxy:android=\"Deeveemap\""],"Dendoroid":["misp-galaxy:android=\"Dendoroid\""],"Dengaru":["misp-galaxy:android=\"Dengaru\""],"Diandong":["misp-galaxy:android=\"Diandong\""],"Dianjin":["misp-galaxy:android=\"Dianjin\""],"Dogowar":["misp-galaxy:android=\"Dogowar\""],"Domob":["misp-galaxy:android=\"Domob\""],"DoubleLocker":["misp-galaxy:android=\"DoubleLocker\"","misp-galaxy:malpedia=\"DoubleLocker\""],"Dougalek":["misp-galaxy:android=\"Dougalek\""],"Dowgin":["misp-galaxy:android=\"Dowgin\""],"Droidsheep":["misp-galaxy:android=\"Droidsheep\""],"Dropdialer":["misp-galaxy:android=\"Dropdialer\""],"Dupvert":["misp-galaxy:android=\"Dupvert\""],"Dynamicit":["misp-galaxy:android=\"Dynamicit\""],"Ecardgrabber":["misp-galaxy:android=\"Ecardgrabber\""],"Ecobatry":["misp-galaxy:android=\"Ecobatry\""],"Enesoluty":["misp-galaxy:android=\"Enesoluty\""],"Everbadge":["misp-galaxy:android=\"Everbadge\""],"Ewalls":["misp-galaxy:android=\"Ewalls\""],"Expensive Wall":["misp-galaxy:android=\"Expensive Wall\""],"ExpensiveWall":["misp-galaxy:android=\"ExpensiveWall\""],"Exprespam":["misp-galaxy:android=\"Exprespam\""],"FakeLookout":["misp-galaxy:android=\"FakeLookout\""],"FakeMart":["misp-galaxy:android=\"FakeMart\""],"Fakealbums":["misp-galaxy:android=\"Fakealbums\""],"Fakeangry":["misp-galaxy:android=\"Fakeangry\""],"Fakeapp":["misp-galaxy:android=\"Fakeapp\""],"Fakebanco":["misp-galaxy:android=\"Fakebanco\""],"Fakebank":["misp-galaxy:android=\"Fakebank\""],"Fakebank.B":["misp-galaxy:android=\"Fakebank.B\""],"Fakebok":["misp-galaxy:android=\"Fakebok\""],"Fakedaum":["misp-galaxy:android=\"Fakedaum\""],"Fakedefender":["misp-galaxy:android=\"Fakedefender\""],"Fakedefender.B":["misp-galaxy:android=\"Fakedefender.B\""],"Fakedown":["misp-galaxy:android=\"Fakedown\""],"Fakeflash":["misp-galaxy:android=\"Fakeflash\""],"Fakegame":["misp-galaxy:android=\"Fakegame\""],"Fakeguard":["misp-galaxy:android=\"Fakeguard\""],"Fakejob":["misp-galaxy:android=\"Fakejob\""],"Fakekakao":["misp-galaxy:android=\"Fakekakao\""],"Fakelemon":["misp-galaxy:android=\"Fakelemon\""],"Fakelicense":["misp-galaxy:android=\"Fakelicense\""],"Fakelogin":["misp-galaxy:android=\"Fakelogin\""],"Fakem Rat":["misp-galaxy:android=\"Fakem Rat\""],"Fakemini":["misp-galaxy:android=\"Fakemini\""],"Fakemrat":["misp-galaxy:android=\"Fakemrat\""],"Fakeneflic":["misp-galaxy:android=\"Fakeneflic\""],"Fakenotify":["misp-galaxy:android=\"Fakenotify\""],"Fakepatch":["misp-galaxy:android=\"Fakepatch\""],"Fakeplay":["misp-galaxy:android=\"Fakeplay\""],"Fakescarav":["misp-galaxy:android=\"Fakescarav\""],"Fakesecsuit":["misp-galaxy:android=\"Fakesecsuit\""],"Fakesucon":["misp-galaxy:android=\"Fakesucon\""],"Faketaobao":["misp-galaxy:android=\"Faketaobao\""],"Faketaobao.B":["misp-galaxy:android=\"Faketaobao.B\""],"Faketoken":["misp-galaxy:android=\"Faketoken\""],"Fakeupdate":["misp-galaxy:android=\"Fakeupdate\""],"Fakevoice":["misp-galaxy:android=\"Fakevoice\""],"Farmbaby":["misp-galaxy:android=\"Farmbaby\""],"Fauxtocopy":["misp-galaxy:android=\"Fauxtocopy\""],"Feiwo":["misp-galaxy:android=\"Feiwo\""],"FindAndCall":["misp-galaxy:android=\"FindAndCall\""],"Finfish":["misp-galaxy:android=\"Finfish\""],"Fireleaker":["misp-galaxy:android=\"Fireleaker\""],"Fitikser":["misp-galaxy:android=\"Fitikser\""],"Flexispy":["misp-galaxy:android=\"Flexispy\""],"Fokonge":["misp-galaxy:android=\"Fokonge\""],"FoncySMS":["misp-galaxy:android=\"FoncySMS\""],"Frogonal":["misp-galaxy:android=\"Frogonal\""],"Ftad":["misp-galaxy:android=\"Ftad\""],"Funtasy":["misp-galaxy:android=\"Funtasy\""],"GM Bot":["misp-galaxy:android=\"GM Bot\""],"Acecard":["misp-galaxy:android=\"GM Bot\"","misp-galaxy:tool=\"Slempo\""],"SlemBunk":["misp-galaxy:android=\"GM Bot\"","misp-galaxy:malpedia=\"Slempo\"","misp-galaxy:tool=\"Slempo\""],"Gaiaphish":["misp-galaxy:android=\"Gaiaphish\""],"GallMe":["misp-galaxy:android=\"GallMe\""],"Gamex":["misp-galaxy:android=\"Gamex\""],"Gappusin":["misp-galaxy:android=\"Gappusin\""],"Gazon":["misp-galaxy:android=\"Gazon\""],"Geinimi":["misp-galaxy:android=\"Geinimi\""],"Generisk":["misp-galaxy:android=\"Generisk\""],"Genheur":["misp-galaxy:android=\"Genheur\""],"Genpush":["misp-galaxy:android=\"Genpush\""],"GeoFake":["misp-galaxy:android=\"GeoFake\""],"Geplook":["misp-galaxy:android=\"Geplook\""],"Getadpush":["misp-galaxy:android=\"Getadpush\""],"Ggtracker":["misp-galaxy:android=\"Ggtracker\""],"Ghost Push":["misp-galaxy:android=\"Ghost Push\"","misp-galaxy:mitre-malware=\"Gooligan - S0290\""],"Ghostpush":["misp-galaxy:android=\"Ghostpush\""],"Gmaster":["misp-galaxy:android=\"Gmaster\""],"Godwon":["misp-galaxy:android=\"Godwon\""],"Golddream":["misp-galaxy:android=\"Golddream\""],"Goldeneagle":["misp-galaxy:android=\"Goldeneagle\""],"Golocker":["misp-galaxy:android=\"Golocker\""],"Gomal":["misp-galaxy:android=\"Gomal\""],"Gonesixty":["misp-galaxy:android=\"Gonesixty\""],"Gonfu":["misp-galaxy:android=\"Gonfu\""],"Gonfu.B":["misp-galaxy:android=\"Gonfu.B\""],"Gonfu.C":["misp-galaxy:android=\"Gonfu.C\""],"Gonfu.D":["misp-galaxy:android=\"Gonfu.D\""],"Gooboot":["misp-galaxy:android=\"Gooboot\""],"Goodadpush":["misp-galaxy:android=\"Goodadpush\""],"Greystripe":["misp-galaxy:android=\"Greystripe\""],"Gugespy":["misp-galaxy:android=\"Gugespy\""],"Gugespy.B":["misp-galaxy:android=\"Gugespy.B\""],"Gupno":["misp-galaxy:android=\"Gupno\""],"Habey":["misp-galaxy:android=\"Habey\""],"Handyclient":["misp-galaxy:android=\"Handyclient\""],"Hehe":["misp-galaxy:android=\"Hehe\""],"HenBox":["misp-galaxy:android=\"HenBox\"","misp-galaxy:threat-actor=\"HenBox\""],"Hesperbot":["misp-galaxy:android=\"Hesperbot\""],"Hippo":["misp-galaxy:android=\"Hippo\""],"Hippo.B":["misp-galaxy:android=\"Hippo.B\""],"HummingBad":["misp-galaxy:android=\"HummingBad\"","misp-galaxy:mitre-malware=\"HummingBad - S0322\"","misp-galaxy:mitre-mobile-attack-malware=\"HummingBad - MOB-S0038\"","misp-galaxy:threat-actor=\"HummingBad\""],"IadPush":["misp-galaxy:android=\"IadPush\""],"IcicleGum":["misp-galaxy:android=\"IcicleGum\"","misp-galaxy:android=\"Igexin\""],"Iconosis":["misp-galaxy:android=\"Iconosis\""],"Iconosys":["misp-galaxy:android=\"Iconosys\""],"Igexin":["misp-galaxy:android=\"Igexin\""],"ImAdPush":["misp-galaxy:android=\"ImAdPush\""],"InMobi":["misp-galaxy:android=\"InMobi\""],"JamSkunk":["misp-galaxy:android=\"JamSkunk\""],"Jifake":["misp-galaxy:android=\"Jifake\""],"Jollyserv":["misp-galaxy:android=\"Jollyserv\""],"Jsmshider":["misp-galaxy:android=\"Jsmshider\""],"Ju6":["misp-galaxy:android=\"Ju6\""],"Judy":["misp-galaxy:android=\"Judy\"","misp-galaxy:mitre-malware=\"Judy - S0325\""],"Jumptap":["misp-galaxy:android=\"Jumptap\""],"Jzmob":["misp-galaxy:android=\"Jzmob\""],"Kabstamper":["misp-galaxy:android=\"Kabstamper\""],"Kemoge":["misp-galaxy:android=\"Kemoge\"","misp-galaxy:mitre-mobile-attack-malware=\"Shedun - MOB-S0010\""],"Kidlogger":["misp-galaxy:android=\"Kidlogger\""],"Kielog":["misp-galaxy:android=\"Kielog\""],"Kituri":["misp-galaxy:android=\"Kituri\""],"KoreFrog":["misp-galaxy:android=\"KoreFrog\""],"Kranxpay":["misp-galaxy:android=\"Kranxpay\""],"Krysanec":["misp-galaxy:android=\"Krysanec\""],"Kuaidian360":["misp-galaxy:android=\"Kuaidian360\""],"Kuguo":["misp-galaxy:android=\"Kuguo\""],"Lastacloud":["misp-galaxy:android=\"Lastacloud\""],"Laucassspy":["misp-galaxy:android=\"Laucassspy\""],"Lifemonspy":["misp-galaxy:android=\"Lifemonspy\""],"Lightdd":["misp-galaxy:android=\"Lightdd\""],"Loaderpush":["misp-galaxy:android=\"Loaderpush\""],"Loapi":["misp-galaxy:android=\"Loapi\""],"Locaspy":["misp-galaxy:android=\"Locaspy\""],"Lockdroid.E":["misp-galaxy:android=\"Lockdroid.E\""],"Lockdroid.F":["misp-galaxy:android=\"Lockdroid.F\""],"Lockdroid.G":["misp-galaxy:android=\"Lockdroid.G\""],"Lockdroid.H":["misp-galaxy:android=\"Lockdroid.H\""],"Lockscreen":["misp-galaxy:android=\"Lockscreen\""],"LogiaAd":["misp-galaxy:android=\"LogiaAd\""],"Loicdos":["misp-galaxy:android=\"Loicdos\""],"LokiBot":["misp-galaxy:android=\"LokiBot\"","misp-galaxy:malpedia=\"Loki Password Stealer (PWS)\"","misp-galaxy:malpedia=\"LokiBot\""],"Loozfon":["misp-galaxy:android=\"Loozfon\""],"Lotoor":["misp-galaxy:android=\"Lotoor\""],"Lovespy":["misp-galaxy:android=\"Lovespy\""],"Lovetrap":["misp-galaxy:android=\"Lovetrap\""],"Luckycat":["misp-galaxy:android=\"Luckycat\""],"Machinleak":["misp-galaxy:android=\"Machinleak\""],"Maistealer":["misp-galaxy:android=\"Maistealer\""],"Malapp":["misp-galaxy:android=\"Malapp\""],"Malebook":["misp-galaxy:android=\"Malebook\""],"Malhome":["misp-galaxy:android=\"Malhome\""],"Malminer":["misp-galaxy:android=\"Malminer\""],"Mania":["misp-galaxy:android=\"Mania\""],"Maxit":["misp-galaxy:android=\"Maxit\""],"MdotM":["misp-galaxy:android=\"MdotM\""],"Medialets":["misp-galaxy:android=\"Medialets\""],"Meshidden":["misp-galaxy:android=\"Meshidden\""],"Mesploit":["misp-galaxy:android=\"Mesploit\""],"Mesprank":["misp-galaxy:android=\"Mesprank\""],"Meswatcherbox":["misp-galaxy:android=\"Meswatcherbox\""],"Miji":["misp-galaxy:android=\"Miji\""],"Milipnot":["misp-galaxy:android=\"Milipnot\""],"MillennialMedia":["misp-galaxy:android=\"MillennialMedia\""],"Mitcad":["misp-galaxy:android=\"Mitcad\""],"MoPub":["misp-galaxy:android=\"MoPub\""],"MobClix":["misp-galaxy:android=\"MobClix\""],"MobFox":["misp-galaxy:android=\"MobFox\""],"MobWin":["misp-galaxy:android=\"MobWin\""],"Mobidisplay":["misp-galaxy:android=\"Mobidisplay\""],"Mobigapp":["misp-galaxy:android=\"Mobigapp\""],"MobileBackup":["misp-galaxy:android=\"MobileBackup\""],"Mobilespy":["misp-galaxy:android=\"Mobilespy\""],"Mobiletx":["misp-galaxy:android=\"Mobiletx\""],"Mobinaspy":["misp-galaxy:android=\"Mobinaspy\""],"Mobus":["misp-galaxy:android=\"Mobus\""],"Mocore":["misp-galaxy:android=\"Mocore\""],"Moghava":["misp-galaxy:android=\"Moghava\""],"Momark":["misp-galaxy:android=\"Momark\""],"Monitorello":["misp-galaxy:android=\"Monitorello\""],"Moolah":["misp-galaxy:android=\"Moolah\""],"Moplus":["misp-galaxy:android=\"Moplus\""],"Morepaks":["misp-galaxy:android=\"Morepaks\""],"MysteryBot":["misp-galaxy:android=\"MysteryBot\"","misp-galaxy:malpedia=\"MysteryBot\""],"Nandrobox":["misp-galaxy:android=\"Nandrobox\""],"Netisend":["misp-galaxy:android=\"Netisend\""],"Nickispy":["misp-galaxy:android=\"Nickispy\""],"Notcompatible":["misp-galaxy:android=\"Notcompatible\""],"Nuhaz":["misp-galaxy:android=\"Nuhaz\""],"Nyearleaker":["misp-galaxy:android=\"Nyearleaker\""],"Obad":["misp-galaxy:android=\"Obad\""],"Oneclickfraud":["misp-galaxy:android=\"Oneclickfraud\""],"Opfake":["misp-galaxy:android=\"Opfake\""],"Opfake.B":["misp-galaxy:android=\"Opfake.B\""],"Ozotshielder":["misp-galaxy:android=\"Ozotshielder\""],"Pafloat":["misp-galaxy:android=\"Pafloat\""],"PandaAds":["misp-galaxy:android=\"PandaAds\""],"Pandbot":["misp-galaxy:android=\"Pandbot\""],"Pdaspy":["misp-galaxy:android=\"Pdaspy\""],"Penetho":["misp-galaxy:android=\"Penetho\""],"Perkel":["misp-galaxy:android=\"Perkel\""],"Phimdropper":["misp-galaxy:android=\"Phimdropper\""],"Phospy":["misp-galaxy:android=\"Phospy\""],"Piddialer":["misp-galaxy:android=\"Piddialer\""],"Pikspam":["misp-galaxy:android=\"Pikspam\""],"Pincer":["misp-galaxy:android=\"Pincer\""],"Pirator":["misp-galaxy:android=\"Pirator\""],"Pjapps":["misp-galaxy:android=\"Pjapps\""],"Pjapps.B":["misp-galaxy:android=\"Pjapps.B\""],"Pletora":["misp-galaxy:android=\"Pletora\""],"Podec":["misp-galaxy:android=\"Podec\"","misp-galaxy:malpedia=\"Podec\""],"Poisoncake":["misp-galaxy:android=\"Poisoncake\""],"Pontiflex":["misp-galaxy:android=\"Pontiflex\""],"Positmob":["misp-galaxy:android=\"Positmob\""],"Premiumtext":["misp-galaxy:android=\"Premiumtext\""],"Pris":["misp-galaxy:android=\"Pris\""],"Qdplugin":["misp-galaxy:android=\"Qdplugin\""],"Qicsomos":["misp-galaxy:android=\"Qicsomos\""],"Qitmo":["misp-galaxy:android=\"Qitmo\""],"Rabbhome":["misp-galaxy:android=\"Rabbhome\""],"Razdel":["misp-galaxy:android=\"Razdel\""],"RedAlert2":["misp-galaxy:android=\"RedAlert2\"","misp-galaxy:malpedia=\"RedAlert2\""],"RedDrop":["misp-galaxy:android=\"RedDrop\"","misp-galaxy:mitre-malware=\"RedDrop - S0326\""],"Repane":["misp-galaxy:android=\"Repane\""],"Reputation.1":["misp-galaxy:android=\"Reputation.1\""],"Reputation.2":["misp-galaxy:android=\"Reputation.2\""],"Reputation.3":["misp-galaxy:android=\"Reputation.3\""],"RevMob":["misp-galaxy:android=\"RevMob\""],"Roidsec":["misp-galaxy:android=\"Roidsec\""],"Rootcager":["misp-galaxy:android=\"Rootcager\""],"Rootnik":["misp-galaxy:android=\"Rootnik\"","misp-galaxy:malpedia=\"Rootnik\""],"Rufraud":["misp-galaxy:android=\"Rufraud\""],"Rusms":["misp-galaxy:android=\"Rusms\""],"SLocker":["misp-galaxy:android=\"SLocker\""],"SMSLocker":["misp-galaxy:android=\"SLocker\""],"SMSReplicator":["misp-galaxy:android=\"SMSReplicator\""],"Samsapo":["misp-galaxy:android=\"Samsapo\""],"Sandorat":["misp-galaxy:android=\"Sandorat\""],"Sberick":["misp-galaxy:android=\"Sberick\""],"Scartibro":["misp-galaxy:android=\"Scartibro\""],"Scipiex":["misp-galaxy:android=\"Scipiex\""],"Selfmite":["misp-galaxy:android=\"Selfmite\""],"Selfmite.B":["misp-galaxy:android=\"Selfmite.B\""],"SellARing":["misp-galaxy:android=\"SellARing\""],"SendDroid":["misp-galaxy:android=\"SendDroid\""],"Simhosy":["misp-galaxy:android=\"Simhosy\""],"Simplocker":["misp-galaxy:android=\"Simplocker\""],"Simplocker.B":["misp-galaxy:android=\"Simplocker.B\""],"Skullkey":["misp-galaxy:android=\"Skullkey\""],"Skygofree":["misp-galaxy:android=\"Skygofree\"","misp-galaxy:malpedia=\"Skygofree\"","misp-galaxy:mitre-malware=\"Skygofree - S0327\""],"Smaato":["misp-galaxy:android=\"Smaato\""],"Smbcheck":["misp-galaxy:android=\"Smbcheck\""],"Smsblocker":["misp-galaxy:android=\"Smsblocker\""],"Smsbomber":["misp-galaxy:android=\"Smsbomber\""],"Smslink":["misp-galaxy:android=\"Smslink\""],"Smspacem":["misp-galaxy:android=\"Smspacem\""],"Smssniffer":["misp-galaxy:android=\"Smssniffer\""],"Smsstealer":["misp-galaxy:android=\"Smsstealer\""],"Smstibook":["misp-galaxy:android=\"Smstibook\""],"Smszombie":["misp-galaxy:android=\"Smszombie\""],"Snadapps":["misp-galaxy:android=\"Snadapps\""],"Sockbot":["misp-galaxy:android=\"Sockbot\""],"Sofacy":["misp-galaxy:android=\"Sofacy\"","misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-malware=\"CORESHELL - S0137\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\"","misp-galaxy:tool=\"CORESHELL\"","misp-galaxy:tool=\"GAMEFISH\"","misp-galaxy:tool=\"SOURFACE\""],"Sosceo":["misp-galaxy:android=\"Sosceo\""],"Spitmo":["misp-galaxy:android=\"Spitmo\""],"Spitmo.B":["misp-galaxy:android=\"Spitmo.B\""],"Spyagent":["misp-galaxy:android=\"Spyagent\""],"Spybubble":["misp-galaxy:android=\"Spybubble\""],"Spydafon":["misp-galaxy:android=\"Spydafon\""],"Spymple":["misp-galaxy:android=\"Spymple\""],"Spyoo":["misp-galaxy:android=\"Spyoo\""],"Spytekcell":["misp-galaxy:android=\"Spytekcell\""],"Spytrack":["misp-galaxy:android=\"Spytrack\""],"Spywaller":["misp-galaxy:android=\"Spywaller\""],"Stealthgenie":["misp-galaxy:android=\"Stealthgenie\""],"Steek":["misp-galaxy:android=\"Steek\""],"Stels":["misp-galaxy:android=\"Stels\""],"Stiniter":["misp-galaxy:android=\"Stiniter\""],"Sumzand":["misp-galaxy:android=\"Sumzand\""],"Svpeng":["misp-galaxy:android=\"Svpeng\"","misp-galaxy:malpedia=\"Svpeng\"","misp-galaxy:tool=\"Svpeng\""],"Invisble Man":["misp-galaxy:android=\"Svpeng\""],"Switcher":["misp-galaxy:android=\"Switcher\"","misp-galaxy:malpedia=\"Switcher\""],"Sysecsms":["misp-galaxy:android=\"Sysecsms\""],"Tanci":["misp-galaxy:android=\"Tanci\""],"Tapjoy":["misp-galaxy:android=\"Tapjoy\""],"Tapsnake":["misp-galaxy:android=\"Tapsnake\""],"Tascudap":["misp-galaxy:android=\"Tascudap\""],"Teelog":["misp-galaxy:android=\"Teelog\""],"Temai":["misp-galaxy:android=\"Temai\""],"Tetus":["misp-galaxy:android=\"Tetus\""],"Tgpush":["misp-galaxy:android=\"Tgpush\""],"Tigerbot":["misp-galaxy:android=\"Tigerbot\""],"Tizi":["misp-galaxy:android=\"Tizi\""],"Tonclank":["misp-galaxy:android=\"Tonclank\""],"Triout":["misp-galaxy:android=\"Triout\"","misp-galaxy:malpedia=\"Triout\""],"Trogle":["misp-galaxy:android=\"Trogle\""],"Twikabot":["misp-galaxy:android=\"Twikabot\""],"Uapush":["misp-galaxy:android=\"Uapush\""],"Umeng":["misp-galaxy:android=\"Umeng\""],"Updtbot":["misp-galaxy:android=\"Updtbot\""],"Upush":["misp-galaxy:android=\"Upush\""],"Uracto":["misp-galaxy:android=\"Uracto\""],"Uranico":["misp-galaxy:android=\"Uranico\""],"Usbcleaver":["misp-galaxy:android=\"Usbcleaver\""],"Utchi":["misp-galaxy:android=\"Utchi\""],"Uten":["misp-galaxy:android=\"Uten\""],"Uupay":["misp-galaxy:android=\"Uupay\""],"Uxipp":["misp-galaxy:android=\"Uxipp\""],"VDopia":["misp-galaxy:android=\"VDopia\""],"VServ":["misp-galaxy:android=\"VServ\""],"Vdloader":["misp-galaxy:android=\"Vdloader\""],"Vibleaker":["misp-galaxy:android=\"Vibleaker\""],"Viking Horde":["misp-galaxy:android=\"Viking Horde\""],"Virusshield":["misp-galaxy:android=\"Virusshield\""],"Walkinwat":["misp-galaxy:android=\"Walkinwat\""],"WannaLocker":["misp-galaxy:android=\"WannaLocker\""],"Waps":["misp-galaxy:android=\"Waps\""],"Waren":["misp-galaxy:android=\"Waren\""],"Windseeker":["misp-galaxy:android=\"Windseeker\""],"Wirex":["misp-galaxy:android=\"Wirex\""],"Wiyun":["misp-galaxy:android=\"Wiyun\""],"Wooboo":["misp-galaxy:android=\"Wooboo\""],"Wqmobile":["misp-galaxy:android=\"Wqmobile\""],"YahooAds":["misp-galaxy:android=\"YahooAds\""],"Yatoot":["misp-galaxy:android=\"Yatoot\""],"Yinhan":["misp-galaxy:android=\"Yinhan\""],"Youmi":["misp-galaxy:android=\"Youmi\""],"YuMe":["misp-galaxy:android=\"YuMe\""],"Zeahache":["misp-galaxy:android=\"Zeahache\""],"ZertSecurity":["misp-galaxy:android=\"ZertSecurity\""],"ZestAdz":["misp-galaxy:android=\"ZestAdz\""],"Zeusmitmo":["misp-galaxy:android=\"Zeusmitmo\""],"iBanking":["misp-galaxy:android=\"iBanking\""],"Rising Sun":["misp-galaxy:backdoor=\"Rising Sun\"","misp-galaxy:malpedia=\"Rising Sun\""],"Rosenbridge":["misp-galaxy:backdoor=\"Rosenbridge\""],"SLUB":["misp-galaxy:backdoor=\"SLUB\"","misp-galaxy:malpedia=\"SLUB\""],"ServHelper":["misp-galaxy:backdoor=\"ServHelper\"","misp-galaxy:malpedia=\"ServHelper\""],"WellMess":["misp-galaxy:backdoor=\"WellMess\"","misp-galaxy:malpedia=\"WellMess\""],"Atmos":["misp-galaxy:banker=\"Atmos\""],"Backswap":["misp-galaxy:banker=\"Backswap\""],"Banjori":["misp-galaxy:banker=\"Banjori\"","misp-galaxy:malpedia=\"Banjori\""],"MultiBanker 2":["misp-galaxy:banker=\"Banjori\"","misp-galaxy:malpedia=\"Banjori\""],"BankPatch":["misp-galaxy:banker=\"Banjori\"","misp-galaxy:malpedia=\"Banjori\""],"BackPatcher":["misp-galaxy:banker=\"Banjori\"","misp-galaxy:malpedia=\"Banjori\""],"Bebloh":["misp-galaxy:banker=\"Bebloh\"","misp-galaxy:malpedia=\"UrlZone\""],"URLZone":["misp-galaxy:banker=\"Bebloh\""],"Shiotob":["misp-galaxy:banker=\"Bebloh\"","misp-galaxy:malpedia=\"UrlZone\""],"CamuBot":["misp-galaxy:banker=\"CamuBot\"","misp-galaxy:malpedia=\"CamuBot\""],"Chthonic":["misp-galaxy:banker=\"Chthonic\"","misp-galaxy:malpedia=\"Chthonic\""],"Chtonic":["misp-galaxy:banker=\"Chthonic\""],"Citadel":["misp-galaxy:banker=\"Citadel\"","misp-galaxy:malpedia=\"Citadel\""],"Corebot":["misp-galaxy:banker=\"Corebot\"","misp-galaxy:malpedia=\"Corebot\""],"DanaBot":["misp-galaxy:banker=\"DanaBot\"","misp-galaxy:malpedia=\"DanaBot\""],"Dok":["misp-galaxy:banker=\"Dok\"","misp-galaxy:malpedia=\"Dok\"","misp-galaxy:mitre-malware=\"Dok - S0281\""],"Dreambot":["misp-galaxy:banker=\"Dreambot\""],"Dridex":["misp-galaxy:banker=\"Dridex\"","misp-galaxy:malpedia=\"Dridex\"","misp-galaxy:tool=\"Dridex\""],"Feodo Version D":["misp-galaxy:banker=\"Dridex\""],"Dyre":["misp-galaxy:banker=\"Dyre\"","misp-galaxy:malpedia=\"Dyre\"","misp-galaxy:mitre-enterprise-attack-malware=\"Dyre - S0024\"","misp-galaxy:mitre-malware=\"Dyre - S0024\""],"Dyreza":["misp-galaxy:banker=\"Dyre\"","misp-galaxy:malpedia=\"Dyre\""],"Feodo":["misp-galaxy:banker=\"Feodo\"","misp-galaxy:malpedia=\"Feodo\""],"Bugat":["misp-galaxy:banker=\"Feodo\"","misp-galaxy:malpedia=\"Bugat\"","misp-galaxy:malpedia=\"Feodo\""],"Cridex":["misp-galaxy:banker=\"Feodo\"","misp-galaxy:malpedia=\"Feodo\"","misp-galaxy:tool=\"Dridex\""],"Fobber":["misp-galaxy:banker=\"Fobber\"","misp-galaxy:malpedia=\"Fobber\""],"Geodo":["misp-galaxy:banker=\"Geodo\"","misp-galaxy:malpedia=\"Emotet\"","misp-galaxy:malpedia=\"Geodo\"","misp-galaxy:mitre-malware=\"Emotet - S0367\"","misp-galaxy:tool=\"Emotet\""],"Feodo Version C":["misp-galaxy:banker=\"Geodo\""],"Emotet":["misp-galaxy:banker=\"Geodo\"","misp-galaxy:malpedia=\"Emotet\"","misp-galaxy:malpedia=\"Geodo\"","misp-galaxy:mitre-malware=\"Emotet - S0367\"","misp-galaxy:tool=\"Emotet\""],"GozNym":["misp-galaxy:banker=\"GozNym\"","misp-galaxy:threat-actor=\"GozNym\""],"Gozi ISFB":["misp-galaxy:banker=\"Gozi ISFB\"","misp-galaxy:malpedia=\"ISFB\""],"Gozi":["misp-galaxy:banker=\"Gozi\"","misp-galaxy:malpedia=\"Gozi\""],"Ursnif":["misp-galaxy:banker=\"Gozi\"","misp-galaxy:malpedia=\"Gozi\"","misp-galaxy:malpedia=\"Snifula\"","misp-galaxy:tool=\"Snifula\""],"CRM":["misp-galaxy:banker=\"Gozi\"","misp-galaxy:malpedia=\"Gozi\""],"Snifula":["misp-galaxy:banker=\"Gozi\"","misp-galaxy:malpedia=\"Gozi\"","misp-galaxy:malpedia=\"Snifula\"","misp-galaxy:tool=\"Snifula\""],"Papras":["misp-galaxy:banker=\"Gozi\"","misp-galaxy:malpedia=\"Gozi\""],"Goziv2":["misp-galaxy:banker=\"Goziv2\""],"Prinimalka":["misp-galaxy:banker=\"Goziv2\""],"GratefulPOS":["misp-galaxy:banker=\"GratefulPOS\"","misp-galaxy:tool=\"GratefulPOS\""],"IAP":["misp-galaxy:banker=\"IAP\"","misp-galaxy:malpedia=\"ISFB\""],"Ice IX":["misp-galaxy:banker=\"Ice IX\"","misp-galaxy:malpedia=\"Ice IX\""],"IcedID":["misp-galaxy:banker=\"IcedID\"","misp-galaxy:malpedia=\"IcedID\""],"Karius":["misp-galaxy:banker=\"Karius\"","misp-galaxy:malpedia=\"Karius\""],"Kronos":["misp-galaxy:banker=\"Kronos\"","misp-galaxy:malpedia=\"Kronos\""],"Licat":["misp-galaxy:banker=\"Licat\""],"Murofet":["misp-galaxy:banker=\"Licat\"","misp-galaxy:malpedia=\"Murofet\""],"Matrix Banker":["misp-galaxy:banker=\"Matrix Banker\"","misp-galaxy:malpedia=\"Matrix Banker\""],"Panda Banker":["misp-galaxy:banker=\"Panda Banker\""],"Zeus Panda":["misp-galaxy:banker=\"Panda Banker\"","misp-galaxy:mitre-malware=\"Zeus Panda - S0330\""],"Qadars":["misp-galaxy:banker=\"Qadars\"","misp-galaxy:malpedia=\"Qadars\""],"Qakbot":["misp-galaxy:banker=\"Qakbot\"","misp-galaxy:tool=\"Akbot\""],"Qbot ":["misp-galaxy:banker=\"Qakbot\""],"Pinkslipbot":["misp-galaxy:banker=\"Qakbot\"","misp-galaxy:malpedia=\"QakBot\""],"Ramnit":["misp-galaxy:banker=\"Ramnit\"","misp-galaxy:botnet=\"Ramnit\"","misp-galaxy:malpedia=\"Ramnit\""],"Nimnul":["misp-galaxy:banker=\"Ramnit\"","misp-galaxy:malpedia=\"Ramnit\""],"Ranbyus":["misp-galaxy:banker=\"Ranbyus\"","misp-galaxy:malpedia=\"Ranbyus\""],"ReactorBot":["misp-galaxy:banker=\"ReactorBot\"","misp-galaxy:malpedia=\"ReactorBot\""],"Retefe":["misp-galaxy:banker=\"Retefe\"","misp-galaxy:malpedia=\"Dok\"","misp-galaxy:mitre-malware=\"Dok - S0281\""],"Tsukuba":["misp-galaxy:banker=\"Retefe\"","misp-galaxy:malpedia=\"Retefe (Windows)\""],"Werdlod":["misp-galaxy:banker=\"Retefe\"","misp-galaxy:malpedia=\"Retefe (Windows)\""],"Sisron":["misp-galaxy:banker=\"Sisron\""],"Skynet":["misp-galaxy:banker=\"Skynet\""],"Smominru":["misp-galaxy:banker=\"Smominru\"","misp-galaxy:malpedia=\"Smominru\""],"Ismo":["misp-galaxy:banker=\"Smominru\"","misp-galaxy:malpedia=\"Smominru\""],"lsmo":["misp-galaxy:banker=\"Smominru\""],"SpyEye":["misp-galaxy:banker=\"SpyEye\""],"Tinba":["misp-galaxy:banker=\"Tinba\"","misp-galaxy:malpedia=\"Tinba\"","misp-galaxy:tool=\"Tinba\""],"Zusy":["misp-galaxy:banker=\"Tinba\"","misp-galaxy:malpedia=\"Tinba\"","misp-galaxy:tool=\"Tinba\""],"TinyBanker":["misp-galaxy:banker=\"Tinba\"","misp-galaxy:malpedia=\"Tinba\"","misp-galaxy:tool=\"Tinba\""],"illi":["misp-galaxy:banker=\"Tinba\""],"TinyNuke":["misp-galaxy:banker=\"TinyNuke\"","misp-galaxy:malpedia=\"TinyNuke\""],"NukeBot":["misp-galaxy:banker=\"TinyNuke\"","misp-galaxy:malpedia=\"TinyNuke\""],"Nuclear Bot":["misp-galaxy:banker=\"TinyNuke\"","misp-galaxy:malpedia=\"TinyNuke\""],"MicroBankingTrojan":["misp-galaxy:banker=\"TinyNuke\"","misp-galaxy:malpedia=\"TinyNuke\""],"Xbot":["misp-galaxy:banker=\"TinyNuke\"","misp-galaxy:malpedia=\"TinyNuke\"","misp-galaxy:malpedia=\"Xbot\"","misp-galaxy:mitre-mobile-attack-tool=\"Xbot - MOB-S0014\"","misp-galaxy:mitre-tool=\"Xbot - S0298\""],"Trickbot":["misp-galaxy:banker=\"Trickbot\""],"Trickster":["misp-galaxy:banker=\"Trickbot\"","misp-galaxy:malpedia=\"TrickBot\""],"Trickloader":["misp-galaxy:banker=\"Trickbot\""],"Vawtrak":["misp-galaxy:banker=\"Vawtrak\"","misp-galaxy:malpedia=\"Vawtrak\"","misp-galaxy:tool=\"Vawtrak\""],"Neverquest":["misp-galaxy:banker=\"Vawtrak\""],"Zeus Gameover":["misp-galaxy:banker=\"Zeus Gameover\""],"Zeus KINS":["misp-galaxy:banker=\"Zeus KINS\""],"Kasper Internet Non-Security":["misp-galaxy:banker=\"Zeus KINS\"","misp-galaxy:malpedia=\"KINS\""],"Maple":["misp-galaxy:banker=\"Zeus KINS\"","misp-galaxy:malpedia=\"KINS\""],"Zeus Sphinx":["misp-galaxy:banker=\"Zeus Sphinx\"","misp-galaxy:malpedia=\"Zeus Sphinx\""],"Zeus VM":["misp-galaxy:banker=\"Zeus VM\""],"VM Zeus":["misp-galaxy:banker=\"Zeus VM\"","misp-galaxy:malpedia=\"VM Zeus\""],"Zeus":["misp-galaxy:banker=\"Zeus\"","misp-galaxy:botnet=\"Zeus\"","misp-galaxy:malpedia=\"Zeus\"","misp-galaxy:tool=\"Zeus\""],"Zbot":["misp-galaxy:banker=\"Zeus\"","misp-galaxy:botnet=\"Zeus\"","misp-galaxy:malpedia=\"Zeus\"","misp-galaxy:tool=\"Zeus\""],"Zitmo":["misp-galaxy:banker=\"Zitmo\""],"Zloader Zeus":["misp-galaxy:banker=\"Zloader Zeus\""],"Zeus Terdot":["misp-galaxy:banker=\"Zloader Zeus\""],"downAndExec":["misp-galaxy:banker=\"downAndExec\""],"ADB.miner":["misp-galaxy:botnet=\"ADB.miner\""],"AESDDoS":["misp-galaxy:botnet=\"AESDDoS\""],"Akbot":["misp-galaxy:botnet=\"Akbot\"","misp-galaxy:tool=\"Akbot\""],"Asprox":["misp-galaxy:botnet=\"Asprox\"","misp-galaxy:malpedia=\"Asprox\""],"Badsrc":["misp-galaxy:botnet=\"Asprox\""],"Aseljo":["misp-galaxy:botnet=\"Asprox\"","misp-galaxy:malpedia=\"Asprox\""],"Danmec":["misp-galaxy:botnet=\"Asprox\""],"Hydraflux":["misp-galaxy:botnet=\"Asprox\""],"Bagle":["misp-galaxy:botnet=\"Bagle\"","misp-galaxy:malpedia=\"Bagle\""],"Beagle":["misp-galaxy:botnet=\"Bagle\""],"Mitglieder":["misp-galaxy:botnet=\"Bagle\""],"Lodeight":["misp-galaxy:botnet=\"Bagle\""],"Bamital":["misp-galaxy:botnet=\"Bamital\""],"Mdrop-CSK":["misp-galaxy:botnet=\"Bamital\""],"Agent-OCF":["misp-galaxy:botnet=\"Bamital\""],"Beebone":["misp-galaxy:botnet=\"Beebone\""],"BetaBot":["misp-galaxy:botnet=\"BetaBot\"","misp-galaxy:malpedia=\"BetaBot\""],"Brain Food":["misp-galaxy:botnet=\"Brain Food\""],"BredoLab":["misp-galaxy:botnet=\"BredoLab\""],"Oficla":["misp-galaxy:botnet=\"BredoLab\"","misp-galaxy:malpedia=\"Sasfis\"","misp-galaxy:tool=\"Oficla\""],"Chalubo":["misp-galaxy:botnet=\"Chalubo\""],"Chameleon":["misp-galaxy:botnet=\"Chameleon\""],"Conficker":["misp-galaxy:botnet=\"Conficker\"","misp-galaxy:malpedia=\"Conficker\""],"DownUp":["misp-galaxy:botnet=\"Conficker\""],"DownAndUp":["misp-galaxy:botnet=\"Conficker\""],"DownAdUp":["misp-galaxy:botnet=\"Conficker\""],"Kido":["misp-galaxy:botnet=\"Conficker\"","misp-galaxy:malpedia=\"Conficker\""],"Cutwail":["misp-galaxy:botnet=\"Cutwail\"","misp-galaxy:malpedia=\"Cutwail\""],"Pandex":["misp-galaxy:botnet=\"Cutwail\""],"Mutant":["misp-galaxy:botnet=\"Cutwail\""],"Donbot":["misp-galaxy:botnet=\"Donbot\""],"Buzus":["misp-galaxy:botnet=\"Donbot\"","misp-galaxy:malpedia=\"Buzus\""],"Bachsoy":["misp-galaxy:botnet=\"Donbot\""],"Festi":["misp-galaxy:botnet=\"Festi\""],"Spamnost":["misp-galaxy:botnet=\"Festi\""],"Gafgyt":["misp-galaxy:botnet=\"Gafgyt\"","misp-galaxy:malpedia=\"Bashlite\"","misp-galaxy:tool=\"Gafgyt\""],"Bashlite":["misp-galaxy:botnet=\"Gafgyt\"","misp-galaxy:malpedia=\"Bashlite\""],"Gheg":["misp-galaxy:botnet=\"Gheg\"","misp-galaxy:malpedia=\"Tofsee\""],"Tofsee":["misp-galaxy:botnet=\"Gheg\"","misp-galaxy:malpedia=\"Tofsee\""],"Mondera":["misp-galaxy:botnet=\"Gheg\""],"Grum":["misp-galaxy:botnet=\"Grum\""],"Tedroo":["misp-galaxy:botnet=\"Grum\""],"Reddyb":["misp-galaxy:botnet=\"Grum\""],"Gumblar":["misp-galaxy:botnet=\"Gumblar\""],"Hajime":["misp-galaxy:botnet=\"Hajime\"","misp-galaxy:malpedia=\"Hajime\""],"Hide and Seek":["misp-galaxy:botnet=\"Hide and Seek\"","misp-galaxy:malpedia=\"Hide and Seek\""],"HNS":["misp-galaxy:botnet=\"Hide and Seek\"","misp-galaxy:malpedia=\"Hide and Seek\""],"Hide 'N Seek":["misp-galaxy:botnet=\"Hide and Seek\""],"Kelihos":["misp-galaxy:botnet=\"Kelihos\"","misp-galaxy:malpedia=\"Kelihos\""],"Hlux":["misp-galaxy:botnet=\"Kelihos\""],"Kraken":["misp-galaxy:botnet=\"Kraken\"","misp-galaxy:botnet=\"Marina Botnet\"","misp-galaxy:malpedia=\"Kraken\""],"Kracken":["misp-galaxy:botnet=\"Kraken\""],"Lethic":["misp-galaxy:botnet=\"Lethic\"","misp-galaxy:malpedia=\"Lethic\""],"LowSec":["misp-galaxy:botnet=\"LowSec\""],"LowSecurity":["misp-galaxy:botnet=\"LowSec\""],"FreeMoney":["misp-galaxy:botnet=\"LowSec\""],"Ring0.Tools":["misp-galaxy:botnet=\"LowSec\""],"Maazben":["misp-galaxy:botnet=\"Maazben\""],"Madmax":["misp-galaxy:botnet=\"Madmax\""],"Mad Max":["misp-galaxy:botnet=\"Madmax\"","misp-galaxy:tool=\"Mad Max\""],"Marina Botnet":["misp-galaxy:botnet=\"Marina Botnet\""],"Damon Briant":["misp-galaxy:botnet=\"Marina Botnet\""],"BOB.dc":["misp-galaxy:botnet=\"Marina Botnet\""],"Cotmonger":["misp-galaxy:botnet=\"Marina Botnet\""],"Hacktool.Spammer":["misp-galaxy:botnet=\"Marina Botnet\""],"Mariposa":["misp-galaxy:botnet=\"Mariposa\""],"Mega-D":["misp-galaxy:botnet=\"Mega-D\""],"Ozdok":["misp-galaxy:botnet=\"Mega-D\""],"Mettle":["misp-galaxy:botnet=\"Mettle\""],"Mirai":["misp-galaxy:botnet=\"Mirai\"","misp-galaxy:tool=\"Mirai\""],"Muhstik":["misp-galaxy:botnet=\"Muhstik\"","misp-galaxy:malpedia=\"Tsunami (ELF)\""],"Nucrypt":["misp-galaxy:botnet=\"Nucrypt\""],"Onewordsub":["misp-galaxy:botnet=\"Onewordsub\""],"Owari":["misp-galaxy:botnet=\"Owari\"","misp-galaxy:malpedia=\"Owari\""],"Persirai":["misp-galaxy:botnet=\"Persirai\"","misp-galaxy:malpedia=\"Persirai\""],"Pontoeb":["misp-galaxy:botnet=\"Pontoeb\""],"N0ise":["misp-galaxy:botnet=\"Pontoeb\""],"Pushdo":["misp-galaxy:botnet=\"Pushdo\"","misp-galaxy:malpedia=\"Pushdo\""],"Rustock":["misp-galaxy:botnet=\"Rustock\"","misp-galaxy:malpedia=\"Rustock\""],"RKRustok":["misp-galaxy:botnet=\"Rustock\""],"Costrat":["misp-galaxy:botnet=\"Rustock\""],"Sality":["misp-galaxy:botnet=\"Sality\"","misp-galaxy:botnet=\"Sality\"","misp-galaxy:malpedia=\"Sality\""],"Sector":["misp-galaxy:botnet=\"Sality\""],"Kuku":["misp-galaxy:botnet=\"Sality\""],"SalLoad":["misp-galaxy:botnet=\"Sality\""],"Kookoo":["misp-galaxy:botnet=\"Sality\""],"SaliCode":["misp-galaxy:botnet=\"Sality\""],"Kukacka":["misp-galaxy:botnet=\"Sality\""],"Satori":["misp-galaxy:botnet=\"Satori\"","misp-galaxy:malpedia=\"Satori\"","misp-galaxy:tool=\"Satori\""],"Okiru":["misp-galaxy:botnet=\"Satori\"","misp-galaxy:tool=\"Satori\""],"Simda":["misp-galaxy:botnet=\"Simda\"","misp-galaxy:malpedia=\"Simda\""],"Sora":["misp-galaxy:botnet=\"Sora\""],"Mirai Sora":["misp-galaxy:botnet=\"Sora\""],"Spamthru":["misp-galaxy:botnet=\"Spamthru\""],"Spam-DComServ":["misp-galaxy:botnet=\"Spamthru\""],"Covesmer":["misp-galaxy:botnet=\"Spamthru\""],"Xmiler":["misp-galaxy:botnet=\"Spamthru\""],"Srizbi":["misp-galaxy:botnet=\"Srizbi\""],"Cbeplay":["misp-galaxy:botnet=\"Srizbi\""],"Exchanger":["misp-galaxy:botnet=\"Srizbi\""],"Storm":["misp-galaxy:botnet=\"Storm\""],"Nuwar":["misp-galaxy:botnet=\"Storm\""],"Peacomm":["misp-galaxy:botnet=\"Storm\""],"Zhelatin":["misp-galaxy:botnet=\"Storm\""],"Dorf":["misp-galaxy:botnet=\"Storm\""],"Ecard":["misp-galaxy:botnet=\"Storm\""],"TDL4":["misp-galaxy:botnet=\"TDL4\""],"TDSS":["misp-galaxy:botnet=\"TDL4\"","misp-galaxy:malpedia=\"Alureon\""],"Alureon":["misp-galaxy:botnet=\"TDL4\"","misp-galaxy:malpedia=\"Alureon\""],"Torii":["misp-galaxy:botnet=\"Torii\"","misp-galaxy:malpedia=\"Torii\""],"Torpig":["misp-galaxy:botnet=\"Torpig\"","misp-galaxy:malpedia=\"Sinowal\""],"Sinowal":["misp-galaxy:botnet=\"Torpig\"","misp-galaxy:malpedia=\"Sinowal\""],"Anserin":["misp-galaxy:botnet=\"Torpig\"","misp-galaxy:malpedia=\"Sinowal\""],"Trik Spam Botnet":["misp-galaxy:botnet=\"Trik Spam Botnet\""],"Trik Trojan":["misp-galaxy:botnet=\"Trik Spam Botnet\""],"Virut":["misp-galaxy:botnet=\"Virut\"","misp-galaxy:malpedia=\"Virut\""],"Vulcanbot":["misp-galaxy:botnet=\"Vulcanbot\""],"Waledac":["misp-galaxy:botnet=\"Waledac\""],"Waled":["misp-galaxy:botnet=\"Waledac\""],"Waledpak":["misp-galaxy:botnet=\"Waledac\""],"Wopla":["misp-galaxy:botnet=\"Wopla\""],"Xarvester":["misp-galaxy:botnet=\"Xarvester\""],"Rlsloup":["misp-galaxy:botnet=\"Xarvester\""],"Pixoliz":["misp-galaxy:botnet=\"Xarvester\""],"XorDDoS":["misp-galaxy:botnet=\"XorDDoS\""],"Zer0n3t":["misp-galaxy:botnet=\"Zer0n3t\"","misp-galaxy:botnet=\"Zer0n3t\""],"Fib3rl0g1c":["misp-galaxy:botnet=\"Zer0n3t\""],"Zer0Log1x":["misp-galaxy:botnet=\"Zer0n3t\""],"ZeuS":["misp-galaxy:botnet=\"Zeus\""],"PRG":["misp-galaxy:botnet=\"Zeus\""],"Wsnpoem":["misp-galaxy:botnet=\"Zeus\""],"Gorhax":["misp-galaxy:botnet=\"Zeus\""],"Kneber":["misp-galaxy:botnet=\"Zeus\""],"BadUSB":["misp-galaxy:branded-vulnerability=\"BadUSB\""],"Badlock":["misp-galaxy:branded-vulnerability=\"Badlock\""],"Blacknurse":["misp-galaxy:branded-vulnerability=\"Blacknurse\""],"BlueKeep":["misp-galaxy:branded-vulnerability=\"BlueKeep\""],"Dirty COW":["misp-galaxy:branded-vulnerability=\"Dirty COW\""],"Ghost":["misp-galaxy:branded-vulnerability=\"Ghost\"","misp-galaxy:rat=\"Ghost\""],"Heartbleed":["misp-galaxy:branded-vulnerability=\"Heartbleed\""],"ImageTragick":["misp-galaxy:branded-vulnerability=\"ImageTragick\""],"Meltdown":["misp-galaxy:branded-vulnerability=\"Meltdown\""],"POODLE":["misp-galaxy:branded-vulnerability=\"POODLE\""],"SPOILER":["misp-galaxy:branded-vulnerability=\"SPOILER\""],"Shellshock":["misp-galaxy:branded-vulnerability=\"Shellshock\""],"Spectre":["misp-galaxy:branded-vulnerability=\"Spectre\""],"Stagefright":["misp-galaxy:branded-vulnerability=\"Stagefright\""],"Constituency":["misp-galaxy:cert-eu-govsector=\"Constituency\""],"EU-Centric":["misp-galaxy:cert-eu-govsector=\"EU-Centric\""],"EU-nearby":["misp-galaxy:cert-eu-govsector=\"EU-nearby\""],"Outside World":["misp-galaxy:cert-eu-govsector=\"Outside World\""],"Unknown":["misp-galaxy:cert-eu-govsector=\"Unknown\"","misp-galaxy:exploit-kit=\"Unknown\"","misp-galaxy:sector=\"Unknown\""],"World-class":["misp-galaxy:cert-eu-govsector=\"World-class\""],"AAD - Dump users and groups with Azure AD":["misp-galaxy:cloud-security=\"AAD - Dump users and groups with Azure AD\""],"AAD - Password Spray: CredKing":["misp-galaxy:cloud-security=\"AAD - Password Spray: CredKing\""],"AAD - Password Spray: MailSniper":["misp-galaxy:cloud-security=\"AAD - Password Spray: MailSniper\""],"End Point - Create Hidden Mailbox Rule":["misp-galaxy:cloud-security=\"End Point - Create Hidden Mailbox Rule\""],"End Point - Persistence throught Outlook Home Page: SensePost Ruler":["misp-galaxy:cloud-security=\"End Point - Persistence throught Outlook Home Page: SensePost Ruler\""],"End Point - Persistence throught custom Outlook form":["misp-galaxy:cloud-security=\"End Point - Persistence throught custom Outlook form\""],"End Point - Search host for Azure Credentials: SharpCloud":["misp-galaxy:cloud-security=\"End Point - Search host for Azure Credentials: SharpCloud\""],"O365 - 2FA MITM Phishing: evilginx2":["misp-galaxy:cloud-security=\"O365 - 2FA MITM Phishing: evilginx2\""],"O365 - Account Takeover: Add-MailboxPermission":["misp-galaxy:cloud-security=\"O365 - Account Takeover: Add-MailboxPermission\""],"O365 - Add Global admin account":["misp-galaxy:cloud-security=\"O365 - Add Global admin account\""],"O365 - Add Mail forwarding rule":["misp-galaxy:cloud-security=\"O365 - Add Mail forwarding rule\""],"O365 - Bruteforce of Autodiscover: SensePost Ruler":["misp-galaxy:cloud-security=\"O365 - Bruteforce of Autodiscover: SensePost Ruler\""],"O365 - Delegate Tenant Admin":["misp-galaxy:cloud-security=\"O365 - Delegate Tenant Admin\""],"O365 - Download documents and email":["misp-galaxy:cloud-security=\"O365 - Download documents and email\""],"O365 - Exchange Tasks for C2: MWR":["misp-galaxy:cloud-security=\"O365 - Exchange Tasks for C2: MWR\""],"O365 - Exfiltration email using EWS APIs with PowerShell":["misp-galaxy:cloud-security=\"O365 - Exfiltration email using EWS APIs with PowerShell\""],"O365 - Find Open Mailboxes: MailSniper":["misp-galaxy:cloud-security=\"O365 - Find Open Mailboxes: MailSniper\""],"O365 - Get Global Address List: MailSniper":["misp-galaxy:cloud-security=\"O365 - Get Global Address List: MailSniper\""],"O365 - MailSniper: Search Mailbox for content":["misp-galaxy:cloud-security=\"O365 - MailSniper: Search Mailbox for content\""],"O365 - MailSniper: Search Mailbox for credentials":["misp-galaxy:cloud-security=\"O365 - MailSniper: Search Mailbox for credentials\""],"O365 - Phishing for credentials":["misp-galaxy:cloud-security=\"O365 - Phishing for credentials\""],"O365 - Phishing using OAuth app":["misp-galaxy:cloud-security=\"O365 - Phishing using OAuth app\""],"O365 - Pivot to On-Prem host: SensePost Ruler":["misp-galaxy:cloud-security=\"O365 - Pivot to On-Prem host: SensePost Ruler\""],"O365 - Search for Content with eDiscovery":["misp-galaxy:cloud-security=\"O365 - Search for Content with eDiscovery\""],"O365 - Send Internal Email":["misp-galaxy:cloud-security=\"O365 - Send Internal Email\""],"O365 - User account enumeration with ActiveSync":["misp-galaxy:cloud-security=\"O365 - User account enumeration with ActiveSync\""],"On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler":["misp-galaxy:cloud-security=\"On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler\""],"On-Prem Exchange - Delegation":["misp-galaxy:cloud-security=\"On-Prem Exchange - Delegation\""],"On-Prem Exchange - Enumerate domain accounts: FindPeople":["misp-galaxy:cloud-security=\"On-Prem Exchange - Enumerate domain accounts: FindPeople\""],"On-Prem Exchange - Enumerate domain accounts: OWA & Exchange":["misp-galaxy:cloud-security=\"On-Prem Exchange - Enumerate domain accounts: OWA & Exchange\""],"On-Prem Exchange - Enumerate domain accounts: using Skype4B":["misp-galaxy:cloud-security=\"On-Prem Exchange - Enumerate domain accounts: using Skype4B\""],"On-Prem Exchange - OWA version discovery":["misp-galaxy:cloud-security=\"On-Prem Exchange - OWA version discovery\""],"On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS":["misp-galaxy:cloud-security=\"On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS\""],"On-Prem Exchange - Portal Recon":["misp-galaxy:cloud-security=\"On-Prem Exchange - Portal Recon\""],"On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)":["misp-galaxy:cloud-security=\"On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)\""],"Angler":["misp-galaxy:exploit-kit=\"Angler\""],"XXX":["misp-galaxy:exploit-kit=\"Angler\""],"AEK":["misp-galaxy:exploit-kit=\"Angler\""],"Axpergle":["misp-galaxy:exploit-kit=\"Angler\""],"Archie":["misp-galaxy:exploit-kit=\"Archie\""],"Astrum":["misp-galaxy:exploit-kit=\"Astrum\""],"Stegano EK":["misp-galaxy:exploit-kit=\"Astrum\""],"Bingo":["misp-galaxy:exploit-kit=\"Bingo\""],"Bizarro Sundown":["misp-galaxy:exploit-kit=\"Bizarro Sundown\""],"Sundown-b":["misp-galaxy:exploit-kit=\"Bizarro Sundown\""],"BlackHole":["misp-galaxy:exploit-kit=\"BlackHole\"","misp-galaxy:rat=\"BlackHole\""],"BHEK":["misp-galaxy:exploit-kit=\"BlackHole\""],"Bleeding Life":["misp-galaxy:exploit-kit=\"Bleeding Life\""],"BL":["misp-galaxy:exploit-kit=\"Bleeding Life\""],"BL2":["misp-galaxy:exploit-kit=\"Bleeding Life\""],"Cool":["misp-galaxy:exploit-kit=\"Cool\""],"CEK":["misp-galaxy:exploit-kit=\"Cool\""],"Styxy Cool":["misp-galaxy:exploit-kit=\"Cool\""],"DNSChanger":["misp-galaxy:exploit-kit=\"DNSChanger\""],"RouterEK":["misp-galaxy:exploit-kit=\"DNSChanger\""],"DealersChoice":["misp-galaxy:exploit-kit=\"DealersChoice\"","misp-galaxy:mitre-malware=\"DealersChoice - S0243\""],"Sednit RTF EK":["misp-galaxy:exploit-kit=\"DealersChoice\""],"Disdain":["misp-galaxy:exploit-kit=\"Disdain\""],"Empire":["misp-galaxy:exploit-kit=\"Empire\"","misp-galaxy:mitre-tool=\"Empire - S0363\"","misp-galaxy:tool=\"Empire\""],"RIG-E":["misp-galaxy:exploit-kit=\"Empire\""],"Fallout":["misp-galaxy:exploit-kit=\"Fallout\"","misp-galaxy:exploit-kit=\"Fallout\""],"Fiesta":["misp-galaxy:exploit-kit=\"Fiesta\""],"NeoSploit":["misp-galaxy:exploit-kit=\"Fiesta\""],"Fiexp":["misp-galaxy:exploit-kit=\"Fiesta\""],"FlashPack":["misp-galaxy:exploit-kit=\"FlashPack\""],"FlashEK":["misp-galaxy:exploit-kit=\"FlashPack\""],"SafePack":["misp-galaxy:exploit-kit=\"FlashPack\""],"CritXPack":["misp-galaxy:exploit-kit=\"FlashPack\""],"Vintage Pack":["misp-galaxy:exploit-kit=\"FlashPack\""],"Glazunov":["misp-galaxy:exploit-kit=\"Glazunov\""],"GrandSoft":["misp-galaxy:exploit-kit=\"GrandSoft\""],"StampEK":["misp-galaxy:exploit-kit=\"GrandSoft\""],"SofosFO":["misp-galaxy:exploit-kit=\"GrandSoft\""],"GreenFlash Sundown":["misp-galaxy:exploit-kit=\"GreenFlash Sundown\""],"Sundown-GF":["misp-galaxy:exploit-kit=\"GreenFlash Sundown\""],"HanJuan":["misp-galaxy:exploit-kit=\"HanJuan\""],"Himan":["misp-galaxy:exploit-kit=\"Himan\""],"High Load":["misp-galaxy:exploit-kit=\"Himan\""],"Hunter":["misp-galaxy:exploit-kit=\"Hunter\"","misp-galaxy:tool=\"Tinba\""],"3ROS Exploit Kit":["misp-galaxy:exploit-kit=\"Hunter\""],"Impact":["misp-galaxy:exploit-kit=\"Impact\""],"Infinity":["misp-galaxy:exploit-kit=\"Infinity\""],"Redkit v2.0":["misp-galaxy:exploit-kit=\"Infinity\""],"Goon":["misp-galaxy:exploit-kit=\"Infinity\""],"Kaixin":["misp-galaxy:exploit-kit=\"Kaixin\""],"CK vip":["misp-galaxy:exploit-kit=\"Kaixin\""],"Lightsout":["misp-galaxy:exploit-kit=\"Lightsout\""],"MWI":["misp-galaxy:exploit-kit=\"MWI\""],"Magnitude":["misp-galaxy:exploit-kit=\"Magnitude\""],"Popads EK":["misp-galaxy:exploit-kit=\"Magnitude\""],"TopExp":["misp-galaxy:exploit-kit=\"Magnitude\""],"Nebula":["misp-galaxy:exploit-kit=\"Nebula\""],"Neutrino":["misp-galaxy:exploit-kit=\"Neutrino\"","misp-galaxy:malpedia=\"Neutrino\""],"Job314":["misp-galaxy:exploit-kit=\"Neutrino\""],"Neutrino Rebooted":["misp-galaxy:exploit-kit=\"Neutrino\""],"Neutrino-v":["misp-galaxy:exploit-kit=\"Neutrino\""],"Niteris":["misp-galaxy:exploit-kit=\"Niteris\""],"CottonCastle":["misp-galaxy:exploit-kit=\"Niteris\""],"Novidade":["misp-galaxy:exploit-kit=\"Novidade\""],"DNSGhost":["misp-galaxy:exploit-kit=\"Novidade\""],"Nuclear":["misp-galaxy:exploit-kit=\"Nuclear\""],"NEK":["misp-galaxy:exploit-kit=\"Nuclear\""],"Nuclear Pack":["misp-galaxy:exploit-kit=\"Nuclear\""],"Spartan":["misp-galaxy:exploit-kit=\"Nuclear\""],"Neclu":["misp-galaxy:exploit-kit=\"Nuclear\""],"Phoenix":["misp-galaxy:exploit-kit=\"Phoenix\""],"PEK":["misp-galaxy:exploit-kit=\"Phoenix\""],"Private Exploit Pack":["misp-galaxy:exploit-kit=\"Private Exploit Pack\""],"PEP":["misp-galaxy:exploit-kit=\"Private Exploit Pack\""],"RIG":["misp-galaxy:exploit-kit=\"RIG\""],"RIG 3":["misp-galaxy:exploit-kit=\"RIG\""],"RIG-v":["misp-galaxy:exploit-kit=\"RIG\""],"RIG 4":["misp-galaxy:exploit-kit=\"RIG\""],"Meadgive":["misp-galaxy:exploit-kit=\"RIG\""],"Redkit":["misp-galaxy:exploit-kit=\"Redkit\""],"SPL":["misp-galaxy:exploit-kit=\"SPL\""],"SPL_Data":["misp-galaxy:exploit-kit=\"SPL\""],"SPLNet":["misp-galaxy:exploit-kit=\"SPL\""],"SPL2":["misp-galaxy:exploit-kit=\"SPL\""],"Sakura":["misp-galaxy:exploit-kit=\"Sakura\""],"Sednit EK":["misp-galaxy:exploit-kit=\"Sednit EK\""],"SedKit":["misp-galaxy:exploit-kit=\"Sednit EK\""],"Spelevo":["misp-galaxy:exploit-kit=\"Spelevo\""],"SpelevoEK":["misp-galaxy:exploit-kit=\"SpelevoEK\""],"Styx":["misp-galaxy:exploit-kit=\"Styx\""],"Sundown":["misp-galaxy:exploit-kit=\"Sundown\""],"Beps":["misp-galaxy:exploit-kit=\"Sundown\""],"Xer":["misp-galaxy:exploit-kit=\"Sundown\""],"Beta":["misp-galaxy:exploit-kit=\"Sundown\""],"Sundown-P":["misp-galaxy:exploit-kit=\"Sundown-P\""],"Sundown-Pirate":["misp-galaxy:exploit-kit=\"Sundown-P\""],"CaptainBlack":["misp-galaxy:exploit-kit=\"Sundown-P\""],"Sweet-Orange":["misp-galaxy:exploit-kit=\"Sweet-Orange\""],"SWO":["misp-galaxy:exploit-kit=\"Sweet-Orange\""],"Anogre":["misp-galaxy:exploit-kit=\"Sweet-Orange\""],"Taurus Builder":["misp-galaxy:exploit-kit=\"Taurus Builder\""],"Terror EK":["misp-galaxy:exploit-kit=\"Terror EK\""],"Blaze EK":["misp-galaxy:exploit-kit=\"Terror EK\""],"Neptune EK":["misp-galaxy:exploit-kit=\"Terror EK\""],"ThreadKit":["misp-galaxy:exploit-kit=\"ThreadKit\""],"Underminer":["misp-galaxy:exploit-kit=\"Underminer\""],"Underminer EK":["misp-galaxy:exploit-kit=\"Underminer\""],"VenomKit":["misp-galaxy:exploit-kit=\"VenomKit\""],"Venom":["misp-galaxy:exploit-kit=\"VenomKit\""],"WhiteHole":["misp-galaxy:exploit-kit=\"WhiteHole\""],"ATM Black Box Attack":["misp-galaxy:financial-fraud=\"ATM Black Box Attack\""],"ATM Explosive Attack":["misp-galaxy:financial-fraud=\"ATM Explosive Attack\""],"ATM Jackpotting":["misp-galaxy:financial-fraud=\"ATM Jackpotting\""],"ATM Shimming":["misp-galaxy:financial-fraud=\"ATM Shimming\""],"ATM skimming":["misp-galaxy:financial-fraud=\"ATM skimming\""],"Account-Checking Services":["misp-galaxy:financial-fraud=\"Account-Checking Services\""],"Business Email Compromise":["misp-galaxy:financial-fraud=\"Business Email Compromise\""],"Compromised Account Credentials":["misp-galaxy:financial-fraud=\"Compromised Account Credentials\""],"Compromised Intellectual Property (IP)":["misp-galaxy:financial-fraud=\"Compromised Intellectual Property (IP)\""],"Compromised Payment Cards":["misp-galaxy:financial-fraud=\"Compromised Payment Cards\""],"Compromised Personally Identifiable Information (PII)":["misp-galaxy:financial-fraud=\"Compromised Personally Identifiable Information (PII)\""],"Cryptocurrency Exchange":["misp-galaxy:financial-fraud=\"Cryptocurrency Exchange\""],"CxO Fraud":["misp-galaxy:financial-fraud=\"CxO Fraud\""],"Fund Transfer":["misp-galaxy:financial-fraud=\"Fund Transfer\""],"Insider Trading":["misp-galaxy:financial-fraud=\"Insider Trading\""],"Malware":["misp-galaxy:financial-fraud=\"Malware\""],"Money Mules":["misp-galaxy:financial-fraud=\"Money Mules\""],"POS Skimming":["misp-galaxy:financial-fraud=\"POS Skimming\""],"Phishing":["misp-galaxy:financial-fraud=\"Phishing\""],"Prepaid Cards":["misp-galaxy:financial-fraud=\"Prepaid Cards\""],"Resell Stolen Data":["misp-galaxy:financial-fraud=\"Resell Stolen Data\""],"SWIFT Transaction":["misp-galaxy:financial-fraud=\"SWIFT Transaction\""],"Scam":["misp-galaxy:financial-fraud=\"Scam\""],"Social Media Scams":["misp-galaxy:financial-fraud=\"Social Media Scams\""],"Spear phishing":["misp-galaxy:financial-fraud=\"Spear phishing\""],"Vishing":["misp-galaxy:financial-fraud=\"Vishing\""],"Breach of voters privacy during the casting of votes":["misp-galaxy:guidelines=\"Breach of voters privacy during the casting of votes\""],"Defacement, DoS or overload of websites or other systems used for publication of the results":["misp-galaxy:guidelines=\"Defacement, DoS or overload of websites or other systems used for publication of the results\""],"Deleting or tampering with voter data":["misp-galaxy:guidelines=\"Deleting or tampering with voter data\""],"DoS or overload of government websites":["misp-galaxy:guidelines=\"DoS or overload of government websites\""],"DoS or overload of party\/campaign registration, causing them to miss the deadline":["misp-galaxy:guidelines=\"DoS or overload of party\/campaign registration, causing them to miss the deadline\""],"DoS or overload of voter registration system, suppressing voters":["misp-galaxy:guidelines=\"DoS or overload of voter registration system, suppressing voters\""],"Fabricated signatures from sponsor":["misp-galaxy:guidelines=\"Fabricated signatures from sponsor\""],"Hacking campaign websites (defacement, DoS)":["misp-galaxy:guidelines=\"Hacking campaign websites (defacement, DoS)\""],"Hacking campaign websites, spreading misinformation on the election process, registered parties\/candidates, or results":["misp-galaxy:guidelines=\"Hacking campaign websites, spreading misinformation on the election process, registered parties\/candidates, or results\""],"Hacking candidate laptops or email accounts":["misp-galaxy:guidelines=\"Hacking candidate laptops or email accounts\""],"Hacking of internal systems used by media or press":["misp-galaxy:guidelines=\"Hacking of internal systems used by media or press\""],"Hacking\/misconfiguration of government servers, communication networks, or endpoints":["misp-galaxy:guidelines=\"Hacking\/misconfiguration of government servers, communication networks, or endpoints\""],"Identity fraud during voter registration":["misp-galaxy:guidelines=\"Identity fraud during voter registration\""],"Leak of confidential information":["misp-galaxy:guidelines=\"Leak of confidential information\""],"Misconfiguration of a website":["misp-galaxy:guidelines=\"Misconfiguration of a website\""],"Software bug altering results":["misp-galaxy:guidelines=\"Software bug altering results\""],"Tampering or DoS of communication links uesd to transfer (interim) results":["misp-galaxy:guidelines=\"Tampering or DoS of communication links uesd to transfer (interim) results\""],"Tampering or DoS of voting and\/or vote confidentiality during or after the elections":["misp-galaxy:guidelines=\"Tampering or DoS of voting and\/or vote confidentiality during or after the elections\""],"Tampering with logs\/journals":["misp-galaxy:guidelines=\"Tampering with logs\/journals\""],"Tampering with registrations":["misp-galaxy:guidelines=\"Tampering with registrations\""],"Tampering with supply chain involved in the movement or transfer data":["misp-galaxy:guidelines=\"Tampering with supply chain involved in the movement or transfer data\""],"Tampering, DoS or overload of the systems used for counting or aggregating results":["misp-galaxy:guidelines=\"Tampering, DoS or overload of the systems used for counting or aggregating results\""],"Tampering, DoS, or overload of media communication links":["misp-galaxy:guidelines=\"Tampering, DoS, or overload of media communication links\""],"7ev3n":["misp-galaxy:malpedia=\"7ev3n\"","misp-galaxy:ransomware=\"7ev3n\""],"9002 RAT":["misp-galaxy:malpedia=\"9002 RAT\"","misp-galaxy:mitre-enterprise-attack-malware=\"Hydraq - S0203\"","misp-galaxy:mitre-malware=\"Hydraq - S0203\""],"Hydraq":["misp-galaxy:malpedia=\"9002 RAT\"","misp-galaxy:mitre-enterprise-attack-malware=\"Hydraq - S0203\"","misp-galaxy:mitre-malware=\"Hydraq - S0203\"","misp-galaxy:tool=\"Aurora\""],"McRAT":["misp-galaxy:malpedia=\"9002 RAT\""],"AIRBREAK":["misp-galaxy:malpedia=\"AIRBREAK\"","misp-galaxy:mitre-enterprise-attack-malware=\"Orz - S0229\"","misp-galaxy:mitre-malware=\"Orz - S0229\""],"Orz":["misp-galaxy:malpedia=\"AIRBREAK\"","misp-galaxy:mitre-enterprise-attack-malware=\"Orz - S0229\"","misp-galaxy:mitre-malware=\"Orz - S0229\""],"ALPC Local PrivEsc":["misp-galaxy:malpedia=\"ALPC Local PrivEsc\""],"AMTsol":["misp-galaxy:malpedia=\"AMTsol\""],"Adupihan":["misp-galaxy:malpedia=\"AMTsol\""],"ANTAK":["misp-galaxy:malpedia=\"ANTAK\""],"APT3 Keylogger":["misp-galaxy:malpedia=\"APT3 Keylogger\""],"ARS VBS Loader":["misp-galaxy:malpedia=\"ARS VBS Loader\"","misp-galaxy:rat=\"ARS VBS Loader\""],"ASPC":["misp-galaxy:malpedia=\"ASPC\""],"ATI-Agent":["misp-galaxy:malpedia=\"ATI-Agent\""],"ATMSpitter":["misp-galaxy:malpedia=\"ATMSpitter\""],"ATMii":["misp-galaxy:malpedia=\"ATMii\""],"ATMitch":["misp-galaxy:malpedia=\"ATMitch\""],"AVCrypt":["misp-galaxy:malpedia=\"AVCrypt\""],"AbaddonPOS":["misp-galaxy:malpedia=\"AbaddonPOS\""],"PinkKite":["misp-galaxy:malpedia=\"AbaddonPOS\""],"Abbath Banker":["misp-galaxy:malpedia=\"Abbath Banker\""],"AcridRain":["misp-galaxy:malpedia=\"AcridRain\""],"Acronym":["misp-galaxy:malpedia=\"Acronym\""],"AdKoob":["misp-galaxy:malpedia=\"AdKoob\""],"AdWind":["misp-galaxy:malpedia=\"AdWind\""],"JBifrost":["misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:rat=\"Adwind RAT\""],"JSocket":["misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:tool=\"Adwind\""],"UNRECOM":["misp-galaxy:malpedia=\"AdWind\"","misp-galaxy:rat=\"Adwind RAT\""],"AdamLocker":["misp-galaxy:malpedia=\"AdamLocker\""],"AdultSwine":["misp-galaxy:malpedia=\"AdultSwine\""],"AdvisorsBot":["misp-galaxy:malpedia=\"AdvisorsBot\""],"Adylkuzz":["misp-galaxy:malpedia=\"Adylkuzz\""],"Agent Tesla":["misp-galaxy:malpedia=\"Agent Tesla\"","misp-galaxy:mitre-malware=\"Agent Tesla - S0331\"","misp-galaxy:tool=\"Agent Tesla\""],"Agent.BTZ":["misp-galaxy:malpedia=\"Agent.BTZ\"","misp-galaxy:tool=\"Agent.BTZ\""],"ComRAT":["misp-galaxy:malpedia=\"Agent.BTZ\"","misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT - S0126\"","misp-galaxy:mitre-malware=\"ComRAT - S0126\"","misp-galaxy:rat=\"ComRAT\""],"Sun rootkit":["misp-galaxy:malpedia=\"Agent.BTZ\""],"Aldibot":["misp-galaxy:malpedia=\"Aldibot\""],"Alina POS":["misp-galaxy:malpedia=\"Alina POS\""],"alina_eagle":["misp-galaxy:malpedia=\"Alina POS\""],"alina_spark":["misp-galaxy:malpedia=\"Alina POS\""],"katrina":["misp-galaxy:malpedia=\"Alina POS\""],"Allaple":["misp-galaxy:malpedia=\"Allaple\""],"Starman":["misp-galaxy:malpedia=\"Allaple\""],"Alma Communicator":["misp-galaxy:malpedia=\"Alma Communicator\""],"AlmaLocker":["misp-galaxy:malpedia=\"AlmaLocker\""],"AlphaLocker":["misp-galaxy:malpedia=\"AlphaLocker\"","misp-galaxy:ransomware=\"Alpha Ransomware\""],"AlphaNC":["misp-galaxy:malpedia=\"AlphaNC\""],"Alphabet Ransomware":["misp-galaxy:malpedia=\"Alphabet Ransomware\"","misp-galaxy:ransomware=\"Alphabet Ransomware\""],"Alreay":["misp-galaxy:malpedia=\"Alreay\""],"Olmarik":["misp-galaxy:malpedia=\"Alureon\""],"Pihar":["misp-galaxy:malpedia=\"Alureon\""],"TDL":["misp-galaxy:malpedia=\"Alureon\""],"Amadey":["misp-galaxy:malpedia=\"Amadey\""],"Anatova Ransomware":["misp-galaxy:malpedia=\"Anatova Ransomware\""],"AndroRAT":["misp-galaxy:malpedia=\"AndroRAT\"","misp-galaxy:mitre-malware=\"AndroRAT - S0292\"","misp-galaxy:mitre-mobile-attack-malware=\"AndroRAT - MOB-S0008\""],"Andromeda":["misp-galaxy:malpedia=\"Andromeda\"","misp-galaxy:tool=\"Gamarue\""],"B106-Gamarue":["misp-galaxy:malpedia=\"Andromeda\""],"B67-SS-Gamarue":["misp-galaxy:malpedia=\"Andromeda\""],"Gamarue":["misp-galaxy:malpedia=\"Andromeda\"","misp-galaxy:tool=\"Gamarue\""],"b66":["misp-galaxy:malpedia=\"Andromeda\""],"Anel":["misp-galaxy:malpedia=\"Anel\""],"Antilam":["misp-galaxy:malpedia=\"Antilam\""],"Latinus":["misp-galaxy:malpedia=\"Antilam\""],"Anubis":["misp-galaxy:malpedia=\"Anubis\""],"AnubisSpy":["misp-galaxy:malpedia=\"AnubisSpy\""],"Apocalipto":["misp-galaxy:malpedia=\"Apocalipto\""],"Apocalypse":["misp-galaxy:malpedia=\"Apocalypse\"","misp-galaxy:ransomware=\"Apocalypse\"","misp-galaxy:rat=\"Apocalypse\""],"AppleJeus":["misp-galaxy:malpedia=\"AppleJeus\""],"ArdaMax":["misp-galaxy:malpedia=\"ArdaMax\""],"Arefty":["misp-galaxy:malpedia=\"Arefty\""],"Arik Keylogger":["misp-galaxy:malpedia=\"Arik Keylogger\""],"Aaron Keylogger":["misp-galaxy:malpedia=\"Arik Keylogger\""],"Arkei Stealer":["misp-galaxy:malpedia=\"Arkei Stealer\""],"Artra Downloader":["misp-galaxy:malpedia=\"Artra Downloader\""],"Asacub":["misp-galaxy:malpedia=\"Asacub\""],"AscentLoader":["misp-galaxy:malpedia=\"AscentLoader\""],"BadSrc":["misp-galaxy:malpedia=\"Asprox\""],"AthenaGo RAT":["misp-galaxy:malpedia=\"AthenaGo RAT\""],"Atmosphere":["misp-galaxy:malpedia=\"Atmosphere\""],"August Stealer":["misp-galaxy:malpedia=\"August Stealer\"","misp-galaxy:tool=\"August\""],"Auriga":["misp-galaxy:malpedia=\"Auriga\""],"Riodrv":["misp-galaxy:malpedia=\"Auriga\""],"Aurora":["misp-galaxy:malpedia=\"Aurora\"","misp-galaxy:mitre-enterprise-attack-malware=\"Hydraq - S0203\"","misp-galaxy:mitre-malware=\"Hydraq - S0203\"","misp-galaxy:tool=\"Aurora\""],"AutoCAD Downloader":["misp-galaxy:malpedia=\"AutoCAD Downloader\""],"Acad.Bursted":["misp-galaxy:malpedia=\"AutoCAD Downloader\""],"Duxfas":["misp-galaxy:malpedia=\"AutoCAD Downloader\""],"AvastDisabler":["misp-galaxy:malpedia=\"AvastDisabler\""],"Ave Maria":["misp-galaxy:malpedia=\"Ave Maria\"","misp-galaxy:stealer=\"Ave Maria\""],"AVE_MARIA":["misp-galaxy:malpedia=\"Ave Maria\""],"Aveo":["misp-galaxy:malpedia=\"Aveo\""],"Avzhan":["misp-galaxy:malpedia=\"Avzhan\""],"Ayegent":["misp-galaxy:malpedia=\"Ayegent\""],"Azorult":["misp-galaxy:malpedia=\"Azorult\"","misp-galaxy:mitre-malware=\"Azorult - S0344\""],"PuffStealer":["misp-galaxy:malpedia=\"Azorult\""],"Rultazo":["misp-galaxy:malpedia=\"Azorult\""],"BABYMETAL":["misp-galaxy:malpedia=\"BABYMETAL\""],"BACKBEND":["misp-galaxy:malpedia=\"BACKBEND\""],"BBSRAT":["misp-galaxy:malpedia=\"BBSRAT\"","misp-galaxy:mitre-enterprise-attack-malware=\"BBSRAT - S0127\"","misp-galaxy:mitre-malware=\"BBSRAT - S0127\""],"BCMPUPnP_Hunter":["misp-galaxy:malpedia=\"BCMPUPnP_Hunter\""],"BELLHOP":["misp-galaxy:malpedia=\"BELLHOP\""],"BKA Trojaner":["misp-galaxy:malpedia=\"BKA Trojaner\""],"bwin3_bka":["misp-galaxy:malpedia=\"BKA Trojaner\""],"BLACKCOFFEE":["misp-galaxy:malpedia=\"BLACKCOFFEE\"","misp-galaxy:mitre-enterprise-attack-malware=\"BLACKCOFFEE - S0069\"","misp-galaxy:mitre-malware=\"BLACKCOFFEE - S0069\""],"BONDUPDATER":["misp-galaxy:malpedia=\"BONDUPDATER\"","misp-galaxy:mitre-malware=\"BONDUPDATER - S0360\"","misp-galaxy:rat=\"BONDUPDATER\""],"Glimpse":["misp-galaxy:malpedia=\"BONDUPDATER\""],"BRAIN":["misp-galaxy:malpedia=\"BRAIN\""],"BS2005":["misp-galaxy:malpedia=\"BS2005\"","misp-galaxy:mitre-enterprise-attack-malware=\"BS2005 - S0014\"","misp-galaxy:mitre-malware=\"BS2005 - S0014\"","misp-galaxy:tool=\"Hoardy\""],"BTCWare":["misp-galaxy:malpedia=\"BTCWare\""],"BUBBLEWRAP":["misp-galaxy:malpedia=\"BUBBLEWRAP\"","misp-galaxy:mitre-enterprise-attack-malware=\"BUBBLEWRAP - S0043\"","misp-galaxy:mitre-malware=\"BUBBLEWRAP - S0043\""],"BYEBY":["misp-galaxy:malpedia=\"BYEBY\""],"Babar":["misp-galaxy:malpedia=\"Babar\"","misp-galaxy:tool=\"Babar\""],"SNOWBALL":["misp-galaxy:malpedia=\"Babar\""],"BabyLon RAT":["misp-galaxy:malpedia=\"BabyLon RAT\""],"BackNet":["misp-galaxy:malpedia=\"BackNet\""],"BackSwap":["misp-galaxy:malpedia=\"BackSwap\""],"BadEncript":["misp-galaxy:malpedia=\"BadEncript\""],"BadNews":["misp-galaxy:malpedia=\"BadNews\""],"Bahamut (Android)":["misp-galaxy:malpedia=\"Bahamut (Android)\""],"Bahamut (Windows)":["misp-galaxy:malpedia=\"Bahamut (Windows)\""],"Baldir":["misp-galaxy:malpedia=\"Baldir\""],"Baldr":["misp-galaxy:malpedia=\"Baldir\""],"Banatrix":["misp-galaxy:malpedia=\"Banatrix\""],"Bankshot":["misp-galaxy:malpedia=\"Bankshot\"","misp-galaxy:mitre-malware=\"Bankshot - S0239\"","misp-galaxy:tool=\"Bankshot\""],"Banload":["misp-galaxy:malpedia=\"Banload\"","misp-galaxy:tool=\"Banload\""],"Bart":["misp-galaxy:malpedia=\"Bart\"","misp-galaxy:ransomware=\"Bart\""],"gayfgt":["misp-galaxy:malpedia=\"Bashlite\""],"lizkebab":["misp-galaxy:malpedia=\"Bashlite\""],"qbot":["misp-galaxy:malpedia=\"Bashlite\""],"torlus":["misp-galaxy:malpedia=\"Bashlite\""],"BatchWiper":["misp-galaxy:malpedia=\"BatchWiper\""],"Batel":["misp-galaxy:malpedia=\"Batel\""],"Bateleur":["misp-galaxy:malpedia=\"Bateleur\"","misp-galaxy:tool=\"Bateleur\""],"Beapy":["misp-galaxy:malpedia=\"Beapy\""],"Bedep":["misp-galaxy:malpedia=\"Bedep\"","misp-galaxy:tool=\"Bedep\""],"Bella":["misp-galaxy:malpedia=\"Bella\""],"Belonard":["misp-galaxy:malpedia=\"Belonard\""],"Berbomthum":["misp-galaxy:malpedia=\"Berbomthum\""],"BernhardPOS":["misp-galaxy:malpedia=\"BernhardPOS\""],"Neurevt":["misp-galaxy:malpedia=\"BetaBot\""],"Bezigate":["misp-galaxy:malpedia=\"Bezigate\""],"BfBot":["misp-galaxy:malpedia=\"BfBot\""],"BianLian":["misp-galaxy:malpedia=\"BianLian\""],"BillGates":["misp-galaxy:malpedia=\"BillGates\""],"BioData":["misp-galaxy:malpedia=\"BioData\""],"Biscuit":["misp-galaxy:malpedia=\"Biscuit\""],"zxdosml":["misp-galaxy:malpedia=\"Biscuit\""],"Bitsran":["misp-galaxy:malpedia=\"Bitsran\""],"Bitter RAT":["misp-galaxy:malpedia=\"Bitter RAT\""],"BlackEnergy":["misp-galaxy:malpedia=\"BlackEnergy\"","misp-galaxy:mitre-enterprise-attack-malware=\"BlackEnergy - S0089\"","misp-galaxy:mitre-malware=\"BlackEnergy - S0089\"","misp-galaxy:threat-actor=\"Sandworm\"","misp-galaxy:tool=\"BlackEnergy\""],"BlackPOS":["misp-galaxy:malpedia=\"BlackPOS\""],"Kaptoxa":["misp-galaxy:malpedia=\"BlackPOS\""],"POSWDS":["misp-galaxy:malpedia=\"BlackPOS\""],"Reedum":["misp-galaxy:malpedia=\"BlackPOS\""],"BlackRevolution":["misp-galaxy:malpedia=\"BlackRevolution\""],"BlackRouter":["misp-galaxy:malpedia=\"BlackRouter\""],"BLACKHEART":["misp-galaxy:malpedia=\"BlackRouter\""],"BlackShades":["misp-galaxy:malpedia=\"BlackShades\""],"Boaxxe":["misp-galaxy:malpedia=\"Boaxxe\""],"Bohmini":["misp-galaxy:malpedia=\"Bohmini\""],"Bolek":["misp-galaxy:malpedia=\"Bolek\""],"KBOT":["misp-galaxy:malpedia=\"Bolek\""],"Bouncer":["misp-galaxy:malpedia=\"Bouncer\""],"Bozok":["misp-galaxy:malpedia=\"Bozok\"","misp-galaxy:rat=\"Bozok\""],"Brambul":["misp-galaxy:malpedia=\"Brambul\"","misp-galaxy:tool=\"Brambul\""],"BravoNC":["misp-galaxy:malpedia=\"BravoNC\""],"BreachRAT":["misp-galaxy:malpedia=\"BreachRAT\""],"Breakthrough":["misp-galaxy:malpedia=\"Breakthrough\""],"Bredolab":["misp-galaxy:malpedia=\"Bredolab\""],"BrickerBot":["misp-galaxy:malpedia=\"BrickerBot\""],"BrushaLoader":["misp-galaxy:malpedia=\"BrushaLoader\""],"BrutPOS":["misp-galaxy:malpedia=\"BrutPOS\""],"Buhtrap":["misp-galaxy:malpedia=\"Buhtrap\""],"Ratopak":["misp-galaxy:malpedia=\"Buhtrap\""],"Bundestrojaner":["misp-galaxy:malpedia=\"Bundestrojaner\""],"0zapftis":["misp-galaxy:malpedia=\"Bundestrojaner\""],"R2D2":["misp-galaxy:malpedia=\"Bundestrojaner\""],"Bunitu":["misp-galaxy:malpedia=\"Bunitu\""],"Buterat":["misp-galaxy:malpedia=\"Buterat\""],"spyvoltar":["misp-galaxy:malpedia=\"Buterat\""],"Yimfoca":["misp-galaxy:malpedia=\"Buzus\""],"CACTUSTORCH":["misp-galaxy:malpedia=\"CACTUSTORCH\""],"CCleaner Backdoor":["misp-galaxy:malpedia=\"CCleaner Backdoor\""],"CDorked":["misp-galaxy:malpedia=\"CDorked\""],"CDorked.A":["misp-galaxy:malpedia=\"CDorked\""],"CHINACHOPPER":["misp-galaxy:malpedia=\"CHINACHOPPER\""],"CMSBrute":["misp-galaxy:malpedia=\"CMSBrute\""],"CMSTAR":["misp-galaxy:malpedia=\"CMSTAR\""],"meciv":["misp-galaxy:malpedia=\"CMSTAR\""],"CREAMSICLE":["misp-galaxy:malpedia=\"CREAMSICLE\""],"CabArt":["misp-galaxy:malpedia=\"CabArt\""],"CadelSpy":["misp-galaxy:malpedia=\"CadelSpy\""],"Cadelle":["misp-galaxy:malpedia=\"CadelSpy\"","misp-galaxy:threat-actor=\"Cadelle\""],"Cannibal Rat":["misp-galaxy:malpedia=\"Cannibal Rat\""],"Cannon":["misp-galaxy:malpedia=\"Cannon\"","misp-galaxy:mitre-malware=\"Cannon - S0351\""],"Carbanak":["misp-galaxy:malpedia=\"Carbanak\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"","misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-malware=\"Carbanak - S0030\"","misp-galaxy:threat-actor=\"Anunak\""],"Anunak":["misp-galaxy:malpedia=\"Carbanak\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"","misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-malware=\"Carbanak - S0030\"","misp-galaxy:threat-actor=\"Anunak\""],"Carberp":["misp-galaxy:malpedia=\"Carberp\""],"Cardinal RAT":["misp-galaxy:malpedia=\"Cardinal RAT\"","misp-galaxy:mitre-malware=\"Cardinal RAT - S0348\"","misp-galaxy:tool=\"Cardinal RAT\""],"Careto":["misp-galaxy:malpedia=\"Careto\"","misp-galaxy:threat-actor=\"Careto\""],"Appetite":["misp-galaxy:malpedia=\"Careto\""],"Mask":["misp-galaxy:malpedia=\"Careto\"","misp-galaxy:threat-actor=\"Careto\""],"CarrotBat":["misp-galaxy:malpedia=\"CarrotBat\""],"Casper":["misp-galaxy:malpedia=\"Casper\"","misp-galaxy:tool=\"Casper\""],"Catchamas":["misp-galaxy:malpedia=\"Catchamas\"","misp-galaxy:mitre-malware=\"Catchamas - S0261\""],"Catelites":["misp-galaxy:malpedia=\"Catelites\""],"CenterPOS":["misp-galaxy:malpedia=\"CenterPOS\""],"cerebrus":["misp-galaxy:malpedia=\"CenterPOS\""],"Cerber":["misp-galaxy:malpedia=\"Cerber\"","misp-galaxy:ransomware=\"Cerber\""],"Cerbu":["misp-galaxy:malpedia=\"Cerbu\""],"ChChes":["misp-galaxy:malpedia=\"ChChes\"","misp-galaxy:mitre-enterprise-attack-malware=\"ChChes - S0144\"","misp-galaxy:mitre-malware=\"ChChes - S0144\""],"Ham Backdoor":["misp-galaxy:malpedia=\"ChChes\""],"Chainshot":["misp-galaxy:malpedia=\"Chainshot\"","misp-galaxy:tool=\"Chainshot\""],"Chapro":["misp-galaxy:malpedia=\"Chapro\""],"Charger":["misp-galaxy:malpedia=\"Charger\"","misp-galaxy:mitre-malware=\"Charger - S0323\"","misp-galaxy:mitre-mobile-attack-malware=\"Charger - MOB-S0039\""],"CherryPicker POS":["misp-galaxy:malpedia=\"CherryPicker POS\""],"cherry_picker":["misp-galaxy:malpedia=\"CherryPicker POS\""],"cherrypicker":["misp-galaxy:malpedia=\"CherryPicker POS\""],"cherrypickerpos":["misp-galaxy:malpedia=\"CherryPicker POS\""],"ChewBacca":["misp-galaxy:malpedia=\"ChewBacca\""],"Chinad":["misp-galaxy:malpedia=\"Chinad\""],"Chir":["misp-galaxy:malpedia=\"Chir\""],"Chrysaor":["misp-galaxy:malpedia=\"Chrysaor\"","misp-galaxy:mitre-malware=\"Pegasus for Android - S0316\"","misp-galaxy:mitre-mobile-attack-malware=\"Pegasus for Android - MOB-S0032\"","misp-galaxy:tool=\"Chrysaor\""],"JigglyPuff":["misp-galaxy:malpedia=\"Chrysaor\""],"Pegasus":["misp-galaxy:malpedia=\"Chrysaor\"","misp-galaxy:mitre-mobile-attack-malware=\"Pegasus - MOB-S0005\"","misp-galaxy:tool=\"Chrysaor\""],"AndroKINS":["misp-galaxy:malpedia=\"Chthonic\""],"Client Maximus":["misp-galaxy:malpedia=\"Client Maximus\"","misp-galaxy:rat=\"Client Maximus\""],"Clientor":["misp-galaxy:malpedia=\"Clientor\""],"Clipper":["misp-galaxy:malpedia=\"Clipper\""],"Cloud Duke":["misp-galaxy:malpedia=\"Cloud Duke\""],"CoalaBot":["misp-galaxy:malpedia=\"CoalaBot\"","misp-galaxy:tool=\"CoalaBot\""],"CobInt":["misp-galaxy:malpedia=\"CobInt\""],"COOLPANTS":["misp-galaxy:malpedia=\"CobInt\""],"Cobalt Strike":["misp-galaxy:malpedia=\"Cobalt Strike\"","misp-galaxy:mitre-enterprise-attack-tool=\"Cobalt Strike - S0154\"","misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"","misp-galaxy:rat=\"Cobalt Strike\""],"Cobian RAT":["misp-galaxy:malpedia=\"Cobian RAT\"","misp-galaxy:mitre-malware=\"Cobian RAT - S0338\"","misp-galaxy:rat=\"Cobian RAT\""],"Cobra Carbon System":["misp-galaxy:malpedia=\"Cobra Carbon System\""],"Carbon":["misp-galaxy:malpedia=\"Cobra Carbon System\"","misp-galaxy:mitre-malware=\"Carbon - S0335\""],"CockBlocker":["misp-galaxy:malpedia=\"CockBlocker\""],"CodeKey":["misp-galaxy:malpedia=\"CodeKey\""],"Cohhoc":["misp-galaxy:malpedia=\"Cohhoc\""],"CoinThief":["misp-galaxy:malpedia=\"CoinThief\""],"Coinminer":["misp-galaxy:malpedia=\"Coinminer\""],"Coldroot RAT":["misp-galaxy:malpedia=\"Coldroot RAT\""],"Colony":["misp-galaxy:malpedia=\"Colony\""],"Bandios":["misp-galaxy:malpedia=\"Colony\""],"GrayBird":["misp-galaxy:malpedia=\"Colony\""],"Combojack":["misp-galaxy:malpedia=\"Combojack\""],"Combos":["misp-galaxy:malpedia=\"Combos\""],"CometBot":["misp-galaxy:malpedia=\"CometBot\""],"ComodoSec":["misp-galaxy:malpedia=\"ComodoSec\""],"Computrace":["misp-galaxy:malpedia=\"Computrace\""],"lojack":["misp-galaxy:malpedia=\"Computrace\""],"ComradeCircle":["misp-galaxy:malpedia=\"ComradeCircle\""],"downadup":["misp-galaxy:malpedia=\"Conficker\""],"traffic converter":["misp-galaxy:malpedia=\"Conficker\""],"Confucius":["misp-galaxy:malpedia=\"Confucius\""],"Connic":["misp-galaxy:malpedia=\"Connic\""],"SpyBanker":["misp-galaxy:malpedia=\"Connic\"","misp-galaxy:malpedia=\"SpyBanker\""],"Contopee":["misp-galaxy:malpedia=\"Contopee\""],"CookieBag":["misp-galaxy:malpedia=\"CookieBag\""],"CoreDN":["misp-galaxy:malpedia=\"CoreDN\""],"Coreshell":["misp-galaxy:malpedia=\"Coreshell\""],"CpuMeaner":["misp-galaxy:malpedia=\"CpuMeaner\"","misp-galaxy:tool=\"CpuMeaner\""],"Cpuminer (Android)":["misp-galaxy:malpedia=\"Cpuminer (Android)\""],"Cpuminer (ELF)":["misp-galaxy:malpedia=\"Cpuminer (ELF)\""],"Cr1ptT0r":["misp-galaxy:malpedia=\"Cr1ptT0r\"","misp-galaxy:ransomware=\"Cr1ptT0r\""],"CriptTor":["misp-galaxy:malpedia=\"Cr1ptT0r\""],"CradleCore":["misp-galaxy:malpedia=\"CradleCore\""],"CrashOverride":["misp-galaxy:malpedia=\"CrashOverride\""],"Crash":["misp-galaxy:malpedia=\"CrashOverride\""],"Industroyer":["misp-galaxy:malpedia=\"CrashOverride\""],"CreativeUpdater":["misp-galaxy:malpedia=\"CreativeUpdater\""],"Credraptor":["misp-galaxy:malpedia=\"Credraptor\""],"Crenufs":["misp-galaxy:malpedia=\"Crenufs\""],"Crimson RAT":["misp-galaxy:malpedia=\"Crimson RAT\""],"SEEDOOR":["misp-galaxy:malpedia=\"Crimson RAT\""],"Crimson":["misp-galaxy:malpedia=\"Crimson\"","misp-galaxy:mitre-enterprise-attack-malware=\"Crimson - S0115\"","misp-galaxy:mitre-malware=\"Crimson - S0115\"","misp-galaxy:rat=\"Crimson\"","misp-galaxy:tool=\"Crimson\""],"Crisis (OS X)":["misp-galaxy:malpedia=\"Crisis (OS X)\""],"Crisis (Windows)":["misp-galaxy:malpedia=\"Crisis (Windows)\""],"CrossRAT":["misp-galaxy:malpedia=\"CrossRAT\"","misp-galaxy:mitre-malware=\"CrossRAT - S0235\""],"Trupto":["misp-galaxy:malpedia=\"CrossRAT\""],"Crossrider":["misp-galaxy:malpedia=\"Crossrider\""],"CryLocker":["misp-galaxy:malpedia=\"CryLocker\"","misp-galaxy:ransomware=\"CryLocker\""],"Cryakl":["misp-galaxy:malpedia=\"Cryakl\"","misp-galaxy:ransomware=\"Cryakl\"","misp-galaxy:ransomware=\"Offline ransomware\""],"CrypMic":["misp-galaxy:malpedia=\"CrypMic\""],"Crypt0l0cker":["misp-galaxy:malpedia=\"Crypt0l0cker\""],"CryptXXXX":["misp-galaxy:malpedia=\"CryptXXXX\""],"CryptoFortress":["misp-galaxy:malpedia=\"CryptoFortress\"","misp-galaxy:ransomware=\"CryptoFortress\"","misp-galaxy:ransomware=\"TorrentLocker\""],"CryptoLocker":["misp-galaxy:malpedia=\"CryptoLocker\"","misp-galaxy:ransomware=\"CryptoLocker\""],"CryptoLuck":["misp-galaxy:malpedia=\"CryptoLuck\""],"CryptoMix":["misp-galaxy:malpedia=\"CryptoMix\"","misp-galaxy:ransomware=\"CryptoMix\""],"CryptFile2":["misp-galaxy:malpedia=\"CryptoMix\""],"CryptoNight":["misp-galaxy:malpedia=\"CryptoNight\""],"CryptoRansomeware":["misp-galaxy:malpedia=\"CryptoRansomeware\"","misp-galaxy:ransomware=\"CryptoRansomeware\""],"CryptoShield":["misp-galaxy:malpedia=\"CryptoShield\""],"CryptoShuffler":["misp-galaxy:malpedia=\"CryptoShuffler\""],"CryptoWire":["misp-galaxy:malpedia=\"CryptoWire\"","misp-galaxy:ransomware=\"Owl\""],"Cryptorium":["misp-galaxy:malpedia=\"Cryptorium\""],"Cryptowall":["misp-galaxy:malpedia=\"Cryptowall\""],"CsExt":["misp-galaxy:malpedia=\"CsExt\""],"Cuegoe":["misp-galaxy:malpedia=\"Cuegoe\""],"Windshield?":["misp-galaxy:malpedia=\"Cuegoe\""],"Cueisfry":["misp-galaxy:malpedia=\"Cueisfry\""],"CukieGrab":["misp-galaxy:malpedia=\"CukieGrab\""],"Roblox Trade Assist":["misp-galaxy:malpedia=\"CukieGrab\""],"Cutlet":["misp-galaxy:malpedia=\"Cutlet\""],"CyberGate":["misp-galaxy:malpedia=\"CyberGate\"","misp-galaxy:rat=\"CyberGate\""],"Rebhip":["misp-galaxy:malpedia=\"CyberGate\""],"CyberSplitter":["misp-galaxy:malpedia=\"CyberSplitter\"","misp-galaxy:ransomware=\"Cyber SpLiTTer Vbs\""],"CycBot":["misp-galaxy:malpedia=\"CycBot\""],"DDKONG":["misp-galaxy:malpedia=\"DDKONG\"","misp-galaxy:mitre-malware=\"DDKONG - S0255\"","misp-galaxy:tool=\"DDKONG\""],"DMA Locker":["misp-galaxy:malpedia=\"DMA Locker\""],"DMSniff":["misp-galaxy:malpedia=\"DMSniff\""],"DNSMessenger":["misp-galaxy:malpedia=\"DNSMessenger\"","misp-galaxy:mitre-enterprise-attack-malware=\"POWERSOURCE - S0145\"","misp-galaxy:mitre-enterprise-attack-malware=\"TEXTMATE - S0146\"","misp-galaxy:mitre-malware=\"POWERSOURCE - S0145\"","misp-galaxy:mitre-malware=\"TEXTMATE - S0146\"","misp-galaxy:rat=\"DNSMessenger\""],"TEXTMATE":["misp-galaxy:malpedia=\"DNSMessenger\"","misp-galaxy:mitre-enterprise-attack-malware=\"TEXTMATE - S0146\"","misp-galaxy:mitre-malware=\"TEXTMATE - S0146\""],"DNSRat":["misp-galaxy:malpedia=\"DNSRat\""],"DNSbot":["misp-galaxy:malpedia=\"DNSRat\""],"DNSpionage":["misp-galaxy:malpedia=\"DNSpionage\"","misp-galaxy:threat-actor=\"DNSpionage\""],"Agent Drable":["misp-galaxy:malpedia=\"DNSpionage\""],"Webmask":["misp-galaxy:malpedia=\"DNSpionage\""],"DRIFTPIN":["misp-galaxy:malpedia=\"DRIFTPIN\"","misp-galaxy:tool=\"Agent ORM\""],"Spy.Agent.ORM":["misp-galaxy:malpedia=\"DRIFTPIN\""],"Toshliph":["misp-galaxy:malpedia=\"DRIFTPIN\""],"DROPSHOT":["misp-galaxy:malpedia=\"DROPSHOT\""],"DUBrute":["misp-galaxy:malpedia=\"DUBrute\""],"Dairy":["misp-galaxy:malpedia=\"Dairy\""],"DarkComet":["misp-galaxy:malpedia=\"DarkComet\"","misp-galaxy:mitre-malware=\"DarkComet - S0334\"","misp-galaxy:rat=\"DarkComet\""],"Fynloski":["misp-galaxy:malpedia=\"DarkComet\"","misp-galaxy:mitre-malware=\"DarkComet - S0334\""],"klovbot":["misp-galaxy:malpedia=\"DarkComet\""],"DarkHotel":["misp-galaxy:malpedia=\"DarkHotel\"","misp-galaxy:threat-actor=\"DarkHotel\""],"DarkMegi":["misp-galaxy:malpedia=\"DarkMegi\""],"DarkPulsar":["misp-galaxy:malpedia=\"DarkPulsar\"","misp-galaxy:tool=\"DarkPulsar\""],"DarkShell":["misp-galaxy:malpedia=\"DarkShell\""],"DarkStRat":["misp-galaxy:malpedia=\"DarkStRat\""],"DarkTequila":["misp-galaxy:malpedia=\"DarkTequila\""],"Darkmoon":["misp-galaxy:malpedia=\"Darkmoon\"","misp-galaxy:mitre-enterprise-attack-malware=\"Darkmoon - S0209\"","misp-galaxy:mitre-malware=\"PoisonIvy - S0012\""],"Chymine":["misp-galaxy:malpedia=\"Darkmoon\""],"Darksky":["misp-galaxy:malpedia=\"Darksky\""],"Darktrack RAT":["misp-galaxy:malpedia=\"Darktrack RAT\""],"DarthMiner":["misp-galaxy:malpedia=\"DarthMiner\"","misp-galaxy:tool=\"DarthMiner\""],"Daserf":["misp-galaxy:malpedia=\"Daserf\"","misp-galaxy:mitre-enterprise-attack-malware=\"Daserf - S0187\"","misp-galaxy:mitre-malware=\"Daserf - S0187\""],"Muirim":["misp-galaxy:malpedia=\"Daserf\"","misp-galaxy:mitre-enterprise-attack-malware=\"Daserf - S0187\"","misp-galaxy:mitre-malware=\"Daserf - S0187\""],"Nioupale":["misp-galaxy:malpedia=\"Daserf\"","misp-galaxy:mitre-enterprise-attack-malware=\"Daserf - S0187\"","misp-galaxy:mitre-malware=\"Daserf - S0187\""],"Datper":["misp-galaxy:malpedia=\"Datper\""],"Decebal":["misp-galaxy:malpedia=\"Decebal\""],"Delta(Alfa,Bravo, ...)":["misp-galaxy:malpedia=\"Delta(Alfa,Bravo, ...)\""],"Dented":["misp-galaxy:malpedia=\"Dented\""],"DeputyDog":["misp-galaxy:malpedia=\"DeputyDog\""],"DeriaLock":["misp-galaxy:malpedia=\"DeriaLock\""],"Derusbi":["misp-galaxy:malpedia=\"Derusbi\"","misp-galaxy:mitre-enterprise-attack-malware=\"Derusbi - S0021\"","misp-galaxy:mitre-malware=\"Derusbi - S0021\"","misp-galaxy:tool=\"Derusbi\""],"PHOTO":["misp-galaxy:malpedia=\"Derusbi\"","misp-galaxy:mitre-enterprise-attack-malware=\"Derusbi - S0021\"","misp-galaxy:mitre-malware=\"Derusbi - S0021\""],"Devil's Rat":["misp-galaxy:malpedia=\"Devil's Rat\""],"Dexter":["misp-galaxy:malpedia=\"Dexter\""],"LusyPOS":["misp-galaxy:malpedia=\"Dexter\""],"Dharma":["misp-galaxy:malpedia=\"Dharma\""],"Arena":["misp-galaxy:malpedia=\"Dharma\""],"Crysis":["misp-galaxy:malpedia=\"Dharma\""],"DiamondFox":["misp-galaxy:malpedia=\"DiamondFox\""],"Crystal":["misp-galaxy:malpedia=\"DiamondFox\""],"Gorynch":["misp-galaxy:malpedia=\"DiamondFox\""],"Gorynych":["misp-galaxy:malpedia=\"DiamondFox\""],"Dimnie":["misp-galaxy:malpedia=\"Dimnie\"","misp-galaxy:tool=\"Dimnie\""],"DirCrypt":["misp-galaxy:malpedia=\"DirCrypt\"","misp-galaxy:ransomware=\"DirCrypt\""],"DispenserXFS":["misp-galaxy:malpedia=\"DispenserXFS\""],"DistTrack":["misp-galaxy:malpedia=\"DistTrack\"","misp-galaxy:tool=\"Shamoon\""],"Dockster":["misp-galaxy:malpedia=\"Dockster\""],"DogHousePower":["misp-galaxy:malpedia=\"DogHousePower\""],"Shelma":["misp-galaxy:malpedia=\"DogHousePower\""],"Dorshel":["misp-galaxy:malpedia=\"Dorshel\""],"DoublePulsar":["misp-galaxy:malpedia=\"DoublePulsar\""],"DownPaper":["misp-galaxy:malpedia=\"DownPaper\"","misp-galaxy:mitre-enterprise-attack-malware=\"DownPaper - S0186\"","misp-galaxy:mitre-malware=\"DownPaper - S0186\""],"Downdelph":["misp-galaxy:malpedia=\"Downdelph\"","misp-galaxy:mitre-enterprise-attack-malware=\"Downdelph - S0134\"","misp-galaxy:mitre-malware=\"Downdelph - S0134\"","misp-galaxy:tool=\"Downdelph\""],"DELPHACY":["misp-galaxy:malpedia=\"Downdelph\""],"Downeks":["misp-galaxy:malpedia=\"Downeks\""],"DramNudge":["misp-galaxy:malpedia=\"DramNudge\""],"DreamBot":["misp-galaxy:malpedia=\"DreamBot\""],"DtBackdoor":["misp-galaxy:malpedia=\"DtBackdoor\""],"DuQu":["misp-galaxy:malpedia=\"DuQu\""],"DualToy (Android)":["misp-galaxy:malpedia=\"DualToy (Android)\""],"DualToy (Windows)":["misp-galaxy:malpedia=\"DualToy (Windows)\""],"DualToy (iOS)":["misp-galaxy:malpedia=\"DualToy (iOS)\""],"Dumador":["misp-galaxy:malpedia=\"Dumador\""],"Dummy":["misp-galaxy:malpedia=\"Dummy\""],"Duuzer":["misp-galaxy:malpedia=\"Duuzer\""],"Dvmap":["misp-galaxy:malpedia=\"Dvmap\""],"EDA2":["misp-galaxy:malpedia=\"EDA2\"","misp-galaxy:ransomware=\"HiddenTear\""],"EHDevel":["misp-galaxy:malpedia=\"EHDevel\""],"ELMER":["misp-galaxy:malpedia=\"ELMER\"","misp-galaxy:mitre-enterprise-attack-malware=\"ELMER - S0064\"","misp-galaxy:mitre-malware=\"ELMER - S0064\""],"Elmost":["misp-galaxy:malpedia=\"ELMER\""],"EVILNUM (Javascript)":["misp-galaxy:malpedia=\"EVILNUM (Javascript)\""],"EVILNUM (Windows)":["misp-galaxy:malpedia=\"EVILNUM (Windows)\""],"Ebury":["misp-galaxy:malpedia=\"Ebury\"","misp-galaxy:mitre-malware=\"Ebury - S0377\""],"Eleanor":["misp-galaxy:malpedia=\"Eleanor\""],"ElectricPowder":["misp-galaxy:malpedia=\"ElectricPowder\""],"Elirks":["misp-galaxy:malpedia=\"Elirks\"","misp-galaxy:tool=\"Elirks\""],"Elise":["misp-galaxy:malpedia=\"Elise\"","misp-galaxy:mitre-enterprise-attack-malware=\"Elise - S0081\"","misp-galaxy:mitre-malware=\"Elise - S0081\"","misp-galaxy:threat-actor=\"Lotus Panda\"","misp-galaxy:tool=\"Elise Backdoor\""],"Emdivi":["misp-galaxy:malpedia=\"Emdivi\"","misp-galaxy:threat-actor=\"Blue Termite\"","misp-galaxy:tool=\"Emdivi\""],"Heodo":["misp-galaxy:malpedia=\"Emotet\"","misp-galaxy:malpedia=\"Geodo\""],"Empire Downloader":["misp-galaxy:malpedia=\"Empire Downloader\""],"Enfal":["misp-galaxy:malpedia=\"Enfal\"","misp-galaxy:mitre-enterprise-attack-malware=\"Lurid - S0010\"","misp-galaxy:mitre-malware=\"Lurid - S0010\""],"Lurid":["misp-galaxy:malpedia=\"Enfal\"","misp-galaxy:mitre-enterprise-attack-malware=\"Lurid - S0010\"","misp-galaxy:mitre-malware=\"Lurid - S0010\"","misp-galaxy:threat-actor=\"Mirage\""],"EquationDrug":["misp-galaxy:malpedia=\"EquationDrug\"","misp-galaxy:tool=\"EquationDrug\""],"Equationgroup (Sorting)":["misp-galaxy:malpedia=\"Equationgroup (Sorting)\""],"Erebus (ELF)":["misp-galaxy:malpedia=\"Erebus (ELF)\""],"Erebus (Windows)":["misp-galaxy:malpedia=\"Erebus (Windows)\""],"Eredel":["misp-galaxy:malpedia=\"Eredel\""],"EternalPetya":["misp-galaxy:malpedia=\"EternalPetya\""],"BadRabbit":["misp-galaxy:malpedia=\"EternalPetya\"","misp-galaxy:ransomware=\"Bad Rabbit\""],"Diskcoder.C":["misp-galaxy:malpedia=\"EternalPetya\""],"ExPetr":["misp-galaxy:malpedia=\"EternalPetya\""],"NonPetya":["misp-galaxy:malpedia=\"EternalPetya\""],"NotPetya":["misp-galaxy:malpedia=\"EternalPetya\"","misp-galaxy:mitre-malware=\"NotPetya - S0368\"","misp-galaxy:tool=\"NotPetya\""],"Nyetya":["misp-galaxy:malpedia=\"EternalPetya\"","misp-galaxy:mitre-malware=\"NotPetya - S0368\""],"Petna":["misp-galaxy:malpedia=\"EternalPetya\""],"Pnyetya":["misp-galaxy:malpedia=\"EternalPetya\""],"nPetya":["misp-galaxy:malpedia=\"EternalPetya\""],"EtumBot":["misp-galaxy:malpedia=\"EtumBot\""],"HighTide":["misp-galaxy:malpedia=\"EtumBot\""],"EvilGrab":["misp-galaxy:malpedia=\"EvilGrab\"","misp-galaxy:mitre-enterprise-attack-malware=\"EvilGrab - S0152\"","misp-galaxy:mitre-malware=\"EvilGrab - S0152\"","misp-galaxy:tool=\"EvilGrab\""],"Vidgrab":["misp-galaxy:malpedia=\"EvilGrab\""],"EvilOSX":["misp-galaxy:malpedia=\"EvilOSX\""],"EvilPony":["misp-galaxy:malpedia=\"EvilPony\""],"CREstealer":["misp-galaxy:malpedia=\"EvilPony\""],"Evilbunny":["misp-galaxy:malpedia=\"Evilbunny\""],"Evrial":["misp-galaxy:malpedia=\"Evrial\""],"Excalibur":["misp-galaxy:malpedia=\"Excalibur\""],"Saber":["misp-galaxy:malpedia=\"Excalibur\""],"Sabresac":["misp-galaxy:malpedia=\"Excalibur\""],"Exile RAT":["misp-galaxy:malpedia=\"Exile RAT\""],"ExoBot":["misp-galaxy:malpedia=\"ExoBot\"","misp-galaxy:malpedia=\"Marcher\""],"Exodus":["misp-galaxy:malpedia=\"Exodus\""],"Eye Pyramid":["misp-galaxy:malpedia=\"Eye Pyramid\""],"FBot":["misp-galaxy:malpedia=\"FBot\""],"FEimea RAT":["misp-galaxy:malpedia=\"FEimea RAT\""],"FF RAT":["misp-galaxy:malpedia=\"FF RAT\""],"FLASHFLOOD":["misp-galaxy:malpedia=\"FLASHFLOOD\"","misp-galaxy:mitre-enterprise-attack-malware=\"FLASHFLOOD - S0036\"","misp-galaxy:mitre-malware=\"FLASHFLOOD - S0036\""],"FailyTale":["misp-galaxy:malpedia=\"FailyTale\""],"Fake Pornhub":["misp-galaxy:malpedia=\"Fake Pornhub\""],"FakeDGA":["misp-galaxy:malpedia=\"FakeDGA\""],"WillExec":["misp-galaxy:malpedia=\"FakeDGA\""],"FakeGram":["misp-galaxy:malpedia=\"FakeGram\""],"FakeTGram":["misp-galaxy:malpedia=\"FakeGram\""],"FakeRean":["misp-galaxy:malpedia=\"FakeRean\""],"Braviax":["misp-galaxy:malpedia=\"FakeRean\""],"FakeSpy":["misp-galaxy:malpedia=\"FakeSpy\""],"FakeTC":["misp-galaxy:malpedia=\"FakeTC\""],"Fanny":["misp-galaxy:malpedia=\"Fanny\"","misp-galaxy:tool=\"Fanny\""],"FantomCrypt":["misp-galaxy:malpedia=\"FantomCrypt\""],"Farseer":["misp-galaxy:malpedia=\"Farseer\""],"FastCash":["misp-galaxy:malpedia=\"FastCash\""],"FastPOS":["misp-galaxy:malpedia=\"FastPOS\""],"Felismus":["misp-galaxy:malpedia=\"Felismus\"","misp-galaxy:mitre-enterprise-attack-malware=\"Felismus - S0171\"","misp-galaxy:mitre-malware=\"Felismus - S0171\""],"Felixroot":["misp-galaxy:malpedia=\"Felixroot\""],"FileIce":["misp-galaxy:malpedia=\"FileIce\""],"Filecoder":["misp-galaxy:malpedia=\"Filecoder\""],"FinFisher RAT":["misp-galaxy:malpedia=\"FinFisher RAT\""],"FinSpy":["misp-galaxy:malpedia=\"FinFisher RAT\"","misp-galaxy:mitre-enterprise-attack-malware=\"FinFisher - S0182\"","misp-galaxy:mitre-malware=\"FinFisher - S0182\""],"Final1stSpy":["misp-galaxy:malpedia=\"Final1stSpy\""],"FindPOS":["misp-galaxy:malpedia=\"FindPOS\""],"Poseidon":["misp-galaxy:malpedia=\"FindPOS\""],"FireCrypt":["misp-galaxy:malpedia=\"FireCrypt\"","misp-galaxy:ransomware=\"FireCrypt\""],"FireMalv":["misp-galaxy:malpedia=\"FireMalv\"","misp-galaxy:tool=\"FireMalv\""],"Fireball":["misp-galaxy:malpedia=\"Fireball\"","misp-galaxy:tool=\"Fireball\""],"FirstRansom":["misp-galaxy:malpedia=\"FirstRansom\""],"Flame":["misp-galaxy:malpedia=\"Flame\"","misp-galaxy:mitre-enterprise-attack-malware=\"Flame - S0143\"","misp-galaxy:mitre-malware=\"Flame - S0143\"","misp-galaxy:tool=\"Flame\""],"FlashBack":["misp-galaxy:malpedia=\"FlashBack\""],"FlawedAmmyy":["misp-galaxy:malpedia=\"FlawedAmmyy\"","misp-galaxy:rat=\"FlawedAmmyy\""],"FlawedGrace":["misp-galaxy:malpedia=\"FlawedGrace\"","misp-galaxy:rat=\"FlawedGrace\""],"FlexNet":["misp-galaxy:malpedia=\"FlexNet\""],"gugi":["misp-galaxy:malpedia=\"FlexNet\""],"FlexiSpy (Android)":["misp-galaxy:malpedia=\"FlexiSpy (Android)\""],"FlexiSpy (Windows)":["misp-galaxy:malpedia=\"FlexiSpy (Windows)\""],"FlexiSpy (symbian)":["misp-galaxy:malpedia=\"FlexiSpy (symbian)\""],"FlokiBot":["misp-galaxy:malpedia=\"FlokiBot\""],"FlowerShop":["misp-galaxy:malpedia=\"FlowerShop\""],"Floxif":["misp-galaxy:malpedia=\"Floxif\""],"Flusihoc":["misp-galaxy:malpedia=\"Flusihoc\""],"Formbook":["misp-galaxy:malpedia=\"Formbook\""],"FormerFirstRAT":["misp-galaxy:malpedia=\"FormerFirstRAT\""],"ffrat":["misp-galaxy:malpedia=\"FormerFirstRAT\""],"Freenki Loader":["misp-galaxy:malpedia=\"Freenki Loader\""],"FriedEx":["misp-galaxy:malpedia=\"FriedEx\""],"BitPaymer":["misp-galaxy:malpedia=\"FriedEx\"","misp-galaxy:ransomware=\"BitPaymer\""],"FruitFly":["misp-galaxy:malpedia=\"FruitFly\"","misp-galaxy:mitre-malware=\"FruitFly - S0277\"","misp-galaxy:tool=\"FruitFly\""],"Quimitchin":["misp-galaxy:malpedia=\"FruitFly\""],"Furtim":["misp-galaxy:malpedia=\"Furtim\""],"GEMCUTTER":["misp-galaxy:malpedia=\"GEMCUTTER\""],"GPCode":["misp-galaxy:malpedia=\"GPCode\"","misp-galaxy:ransomware=\"OMG! Ransomware\""],"GPlayed":["misp-galaxy:malpedia=\"GPlayed\""],"GREASE":["misp-galaxy:malpedia=\"GREASE\""],"GROK":["misp-galaxy:malpedia=\"GROK\""],"GalaxyLoader":["misp-galaxy:malpedia=\"GalaxyLoader\""],"Gameover DGA":["misp-galaxy:malpedia=\"Gameover DGA\""],"Gameover P2P":["misp-galaxy:malpedia=\"Gameover P2P\""],"GOZ":["misp-galaxy:malpedia=\"Gameover P2P\""],"ZeuS P2P":["misp-galaxy:malpedia=\"Gameover P2P\""],"Gamotrol":["misp-galaxy:malpedia=\"Gamotrol\""],"Gandcrab":["misp-galaxy:malpedia=\"Gandcrab\""],"GrandCrab":["misp-galaxy:malpedia=\"Gandcrab\""],"Gaudox":["misp-galaxy:malpedia=\"Gaudox\""],"Gauss":["misp-galaxy:malpedia=\"Gauss\""],"Gazer":["misp-galaxy:malpedia=\"Gazer\"","misp-galaxy:mitre-enterprise-attack-malware=\"Gazer - S0168\"","misp-galaxy:mitre-malware=\"Gazer - S0168\""],"WhiteBear":["misp-galaxy:malpedia=\"Gazer\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"","misp-galaxy:mitre-enterprise-attack-malware=\"Gazer - S0168\"","misp-galaxy:mitre-intrusion-set=\"Turla - G0010\"","misp-galaxy:mitre-malware=\"Gazer - S0168\""],"GearInformer":["misp-galaxy:malpedia=\"GearInformer\""],"GetMail":["misp-galaxy:malpedia=\"GetMail\""],"GetMyPass":["misp-galaxy:malpedia=\"GetMyPass\""],"getmypos":["misp-galaxy:malpedia=\"GetMyPass\""],"Gh0stnet":["misp-galaxy:malpedia=\"Gh0stnet\""],"Remosh":["misp-galaxy:malpedia=\"Gh0stnet\""],"Ghole":["misp-galaxy:malpedia=\"Ghole\""],"CoreImpact (Modified)":["misp-galaxy:malpedia=\"Ghole\""],"Gholee":["misp-galaxy:malpedia=\"Ghole\""],"Ghost RAT":["misp-galaxy:malpedia=\"Ghost RAT\""],"Gh0st RAT":["misp-galaxy:malpedia=\"Ghost RAT\"","misp-galaxy:rat=\"Gh0st RAT\""],"PCRat":["misp-galaxy:malpedia=\"Ghost RAT\""],"GhostAdmin":["misp-galaxy:malpedia=\"GhostAdmin\"","misp-galaxy:tool=\"GhostAdmin\""],"Ghost iBot":["misp-galaxy:malpedia=\"GhostAdmin\""],"GhostMiner":["misp-galaxy:malpedia=\"GhostMiner\"","misp-galaxy:tool=\"GhostMiner\""],"GlanceLove":["misp-galaxy:malpedia=\"GlanceLove\""],"GlassRAT":["misp-galaxy:malpedia=\"GlassRAT\""],"Glasses":["misp-galaxy:malpedia=\"Glasses\""],"Wordpress Bruteforcer":["misp-galaxy:malpedia=\"Glasses\""],"GlitchPOS":["misp-galaxy:malpedia=\"GlitchPOS\""],"Globe":["misp-galaxy:malpedia=\"Globe\""],"GlobeImposter":["misp-galaxy:malpedia=\"GlobeImposter\"","misp-galaxy:ransomware=\"Fake Globe Ransomware\"","misp-galaxy:ransomware=\"GlobeImposter\""],"GlooxMail":["misp-galaxy:malpedia=\"GlooxMail\""],"Glupteba":["misp-galaxy:malpedia=\"Glupteba\""],"Godzilla Loader":["misp-galaxy:malpedia=\"Godzilla Loader\""],"Goggles":["misp-galaxy:malpedia=\"Goggles\""],"GoldDragon":["misp-galaxy:malpedia=\"GoldDragon\""],"GoldenEye":["misp-galaxy:malpedia=\"GoldenEye\"","misp-galaxy:mitre-malware=\"NotPetya - S0368\""],"Petya\/Mischa":["misp-galaxy:malpedia=\"GoldenEye\""],"GoldenRAT":["misp-galaxy:malpedia=\"GoldenRAT\""],"Golroted":["misp-galaxy:malpedia=\"Golroted\""],"GooPic Drooper":["misp-galaxy:malpedia=\"GooPic Drooper\""],"Goodor":["misp-galaxy:malpedia=\"Goodor\""],"Fuerboos":["misp-galaxy:malpedia=\"Goodor\""],"GoogleDrive RAT":["misp-galaxy:malpedia=\"GoogleDrive RAT\""],"GootKit":["misp-galaxy:malpedia=\"GootKit\"","misp-galaxy:tool=\"GootKit\""],"Xswkit":["misp-galaxy:malpedia=\"GootKit\""],"talalpek":["misp-galaxy:malpedia=\"GootKit\""],"GovRAT":["misp-galaxy:malpedia=\"GovRAT\"","misp-galaxy:rat=\"GovRAT\""],"Gozi CRM":["misp-galaxy:malpedia=\"Gozi\""],"GrabBot":["misp-galaxy:malpedia=\"GrabBot\""],"Graftor":["misp-galaxy:malpedia=\"Graftor\"","misp-galaxy:tool=\"Aumlib\""],"Grateful POS":["misp-galaxy:malpedia=\"Grateful POS\""],"FrameworkPOS":["misp-galaxy:malpedia=\"Grateful POS\""],"trinity":["misp-galaxy:malpedia=\"Grateful POS\""],"Gratem":["misp-galaxy:malpedia=\"Gratem\""],"Gravity RAT":["misp-galaxy:malpedia=\"Gravity RAT\""],"GreenShaitan":["misp-galaxy:malpedia=\"GreenShaitan\""],"eoehttp":["misp-galaxy:malpedia=\"GreenShaitan\""],"GreyEnergy":["misp-galaxy:malpedia=\"GreyEnergy\"","misp-galaxy:mitre-malware=\"GreyEnergy - S0342\"","misp-galaxy:threat-actor=\"GreyEnergy\""],"Griffon":["misp-galaxy:malpedia=\"Griffon\""],"GuiInject":["misp-galaxy:malpedia=\"GuiInject\""],"Gustuff":["misp-galaxy:malpedia=\"Gustuff\""],"H1N1 Loader":["misp-galaxy:malpedia=\"H1N1 Loader\""],"HALFBAKED":["misp-galaxy:malpedia=\"HALFBAKED\"","misp-galaxy:mitre-enterprise-attack-malware=\"HALFBAKED - S0151\"","misp-galaxy:mitre-malware=\"HALFBAKED - S0151\"","misp-galaxy:tool=\"VB Flash\""],"HLUX":["misp-galaxy:malpedia=\"HLUX\""],"HOPLIGHT":["misp-galaxy:malpedia=\"HOPLIGHT\"","misp-galaxy:mitre-malware=\"HOPLIGHT - S0376\""],"HTML5 Encoding":["misp-galaxy:malpedia=\"HTML5 Encoding\""],"HTran":["misp-galaxy:malpedia=\"HTran\"","misp-galaxy:tool=\"Htran\""],"HUC Packet Transmit Tool":["misp-galaxy:malpedia=\"HTran\"","misp-galaxy:mitre-enterprise-attack-tool=\"HTRAN - S0040\"","misp-galaxy:mitre-tool=\"HTRAN - S0040\""],"HackSpy":["misp-galaxy:malpedia=\"HackSpy\""],"Hacksfase":["misp-galaxy:malpedia=\"Hacksfase\""],"Haiduc":["misp-galaxy:malpedia=\"Haiduc\""],"Hakai":["misp-galaxy:malpedia=\"Hakai\""],"Hamweq":["misp-galaxy:malpedia=\"Hamweq\""],"Hancitor":["misp-galaxy:malpedia=\"Hancitor\"","misp-galaxy:tool=\"Hancitor\""],"Chanitor":["misp-galaxy:malpedia=\"Hancitor\"","misp-galaxy:tool=\"Hancitor\""],"HappyLocker (HiddenTear?)":["misp-galaxy:malpedia=\"HappyLocker (HiddenTear?)\""],"Harnig":["misp-galaxy:malpedia=\"Harnig\""],"Piptea":["misp-galaxy:malpedia=\"Harnig\""],"Havex RAT":["misp-galaxy:malpedia=\"Havex RAT\"","misp-galaxy:tool=\"Havex RAT\""],"HawkEye Keylogger":["misp-galaxy:malpedia=\"HawkEye Keylogger\""],"HawkEye Reborn":["misp-galaxy:malpedia=\"HawkEye Keylogger\""],"Predator Pain":["misp-galaxy:malpedia=\"HawkEye Keylogger\"","misp-galaxy:rat=\"Predator Pain\""],"Helauto":["misp-galaxy:malpedia=\"Helauto\""],"Helminth":["misp-galaxy:malpedia=\"Helminth\"","misp-galaxy:mitre-enterprise-attack-malware=\"Helminth - S0170\"","misp-galaxy:mitre-malware=\"Helminth - S0170\""],"Heloag":["misp-galaxy:malpedia=\"Heloag\""],"Herbst":["misp-galaxy:malpedia=\"Herbst\"","misp-galaxy:ransomware=\"Herbst\""],"Heriplor":["misp-galaxy:malpedia=\"Heriplor\""],"Hermes Ransomware":["misp-galaxy:malpedia=\"Hermes Ransomware\"","misp-galaxy:ransomware=\"Hermes Ransomware\""],"Hermes":["misp-galaxy:malpedia=\"Hermes\""],"HeroRAT":["misp-galaxy:malpedia=\"HeroRAT\""],"HerpesBot":["misp-galaxy:malpedia=\"HerpesBot\""],"HesperBot":["misp-galaxy:malpedia=\"HesperBot\""],"Hi-Zor RAT":["misp-galaxy:malpedia=\"Hi-Zor RAT\""],"HiKit":["misp-galaxy:malpedia=\"HiKit\""],"HiddenLotus":["misp-galaxy:malpedia=\"HiddenLotus\""],"HiddenTear":["misp-galaxy:malpedia=\"HiddenTear\"","misp-galaxy:ransomware=\"HiddenTear\""],"HideDRV":["misp-galaxy:malpedia=\"HideDRV\""],"HtBot":["misp-galaxy:malpedia=\"HtBot\""],"HttpBrowser":["misp-galaxy:malpedia=\"HttpBrowser\""],"Hworm":["misp-galaxy:malpedia=\"Hworm\"","misp-galaxy:tool=\"Hworm\""],"houdini":["misp-galaxy:malpedia=\"Hworm\""],"HyperBro":["misp-galaxy:malpedia=\"HyperBro\""],"IDKEY":["misp-galaxy:malpedia=\"IDKEY\""],"IISniff":["misp-galaxy:malpedia=\"IISniff\""],"IRONHALO":["misp-galaxy:malpedia=\"IRONHALO\""],"IRRat":["misp-galaxy:malpedia=\"IRRat\""],"ISFB":["misp-galaxy:malpedia=\"ISFB\""],"Pandemyia":["misp-galaxy:malpedia=\"ISFB\""],"ISMAgent":["misp-galaxy:malpedia=\"ISMAgent\""],"ISMDoor":["misp-galaxy:malpedia=\"ISMDoor\""],"ISR Stealer":["misp-galaxy:malpedia=\"ISR Stealer\""],"IcedID Downloader":["misp-galaxy:malpedia=\"IcedID Downloader\""],"BokBot":["misp-galaxy:malpedia=\"IcedID\""],"Icefog":["misp-galaxy:malpedia=\"Icefog\""],"Imecab":["misp-galaxy:malpedia=\"Imecab\""],"Imminent Monitor RAT":["misp-galaxy:malpedia=\"Imminent Monitor RAT\""],"Infy":["misp-galaxy:malpedia=\"Infy\"","misp-galaxy:threat-actor=\"Infy\""],"Foudre":["misp-galaxy:malpedia=\"Infy\""],"InnaputRAT":["misp-galaxy:malpedia=\"InnaputRAT\"","misp-galaxy:mitre-malware=\"InnaputRAT - S0259\""],"InvisiMole":["misp-galaxy:malpedia=\"InvisiMole\"","misp-galaxy:mitre-malware=\"InvisiMole - S0260\"","misp-galaxy:tool=\"InvisiMole\""],"IoT Reaper":["misp-galaxy:malpedia=\"IoT Reaper\""],"IoTroop":["misp-galaxy:malpedia=\"IoT Reaper\""],"Reaper":["misp-galaxy:malpedia=\"IoT Reaper\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\"","misp-galaxy:threat-actor=\"APT37\""],"Irc16":["misp-galaxy:malpedia=\"Irc16\""],"IsSpace":["misp-galaxy:malpedia=\"IsSpace\"","misp-galaxy:tool=\"IsSpace\""],"IsraBye":["misp-galaxy:malpedia=\"IsraBye\"","misp-galaxy:ransomware=\"IsraBye\""],"JCry":["misp-galaxy:malpedia=\"JCry\""],"JQJSNICKER":["misp-galaxy:malpedia=\"JQJSNICKER\""],"JackPOS":["misp-galaxy:malpedia=\"JackPOS\""],"JadeRAT":["misp-galaxy:malpedia=\"JadeRAT\"","misp-galaxy:rat=\"JadeRAT\""],"Jaff":["misp-galaxy:malpedia=\"Jaff\"","misp-galaxy:ransomware=\"Jaff\""],"Jager Decryptor":["misp-galaxy:malpedia=\"Jager Decryptor\""],"Jaku":["misp-galaxy:malpedia=\"Jaku\""],"C3PRO-RACOON":["misp-galaxy:malpedia=\"Jaku\""],"KCNA Infostealer":["misp-galaxy:malpedia=\"Jaku\""],"Reconcyc":["misp-galaxy:malpedia=\"Jaku\""],"Jasus":["misp-galaxy:malpedia=\"Jasus\""],"JavaDispCash":["misp-galaxy:malpedia=\"JavaDispCash\""],"JenX":["misp-galaxy:malpedia=\"JenX\""],"Jigsaw":["misp-galaxy:malpedia=\"Jigsaw\"","misp-galaxy:ransomware=\"Jigsaw\""],"Jimmy":["misp-galaxy:malpedia=\"Jimmy\"","misp-galaxy:malpedia=\"Neutrino POS\""],"Joanap":["misp-galaxy:malpedia=\"Joanap\""],"Joao":["misp-galaxy:malpedia=\"Joao\"","misp-galaxy:tool=\"Joao\""],"Jolob":["misp-galaxy:malpedia=\"Jolob\"","misp-galaxy:tool=\"Jolob\""],"JripBot":["misp-galaxy:malpedia=\"JripBot\""],"KAgent":["misp-galaxy:malpedia=\"KAgent\""],"KEYMARBLE":["misp-galaxy:malpedia=\"KEYMARBLE\"","misp-galaxy:mitre-malware=\"KEYMARBLE - S0271\"","misp-galaxy:tool=\"KEYMARBLE\""],"KHRAT":["misp-galaxy:malpedia=\"KHRAT\"","misp-galaxy:tool=\"KHRAT\""],"KINS":["misp-galaxy:malpedia=\"KINS\""],"KLRD":["misp-galaxy:malpedia=\"KLRD\""],"KOMPROGO":["misp-galaxy:malpedia=\"KOMPROGO\"","misp-galaxy:mitre-enterprise-attack-malware=\"KOMPROGO - S0156\"","misp-galaxy:mitre-malware=\"KOMPROGO - S0156\""],"KPOT Stealer":["misp-galaxy:malpedia=\"KPOT Stealer\""],"KSL0T":["misp-galaxy:malpedia=\"KSL0T\""],"Kaiten":["misp-galaxy:malpedia=\"Kaiten\""],"STD":["misp-galaxy:malpedia=\"Kaiten\""],"Karagany":["misp-galaxy:malpedia=\"Karagany\""],"Kardon Loader":["misp-galaxy:malpedia=\"Kardon Loader\""],"Karkoff":["misp-galaxy:malpedia=\"Karkoff\"","misp-galaxy:tool=\"Karkoff\""],"KasperAgent":["misp-galaxy:malpedia=\"KasperAgent\""],"Kazuar":["misp-galaxy:malpedia=\"Kazuar\"","misp-galaxy:mitre-malware=\"Kazuar - S0265\"","misp-galaxy:tool=\"Kazuar\""],"KeRanger":["misp-galaxy:malpedia=\"KeRanger\"","misp-galaxy:ransomware=\"KeRanger\""],"Kegotip":["misp-galaxy:malpedia=\"Kegotip\""],"KerrDown":["misp-galaxy:malpedia=\"KerrDown\""],"KevDroid":["misp-galaxy:malpedia=\"KevDroid\""],"KeyBase":["misp-galaxy:malpedia=\"KeyBase\""],"Kibex":["misp-galaxy:malpedia=\"KeyBase\""],"KeyBoy":["misp-galaxy:malpedia=\"KeyBoy\"","misp-galaxy:malpedia=\"Yahoyah\"","misp-galaxy:mitre-intrusion-set=\"Tropic Trooper - G0081\"","misp-galaxy:threat-actor=\"Pirate Panda\"","misp-galaxy:tool=\"KeyBoy\""],"TSSL":["misp-galaxy:malpedia=\"KeyBoy\""],"KeyPass":["misp-galaxy:malpedia=\"KeyPass\"","misp-galaxy:malpedia=\"STOP Ransomware\"","misp-galaxy:ransomware=\"KEYPASS\""],"Keydnap":["misp-galaxy:malpedia=\"Keydnap\"","misp-galaxy:mitre-malware=\"Keydnap - S0276\""],"Kikothac":["misp-galaxy:malpedia=\"Kikothac\""],"KillDisk":["misp-galaxy:malpedia=\"KillDisk\"","misp-galaxy:tool=\"KillDisk Wiper\""],"Kitmos":["misp-galaxy:malpedia=\"Kitmos\""],"KitM":["misp-galaxy:malpedia=\"Kitmos\""],"KleptoParasite Stealer":["misp-galaxy:malpedia=\"KleptoParasite Stealer\""],"Joglog":["misp-galaxy:malpedia=\"KleptoParasite Stealer\""],"Koadic":["misp-galaxy:malpedia=\"Koadic\"","misp-galaxy:mitre-tool=\"Koadic - S0250\"","misp-galaxy:tool=\"Koadic\""],"KokoKrypt":["misp-galaxy:malpedia=\"KokoKrypt\""],"Koler":["misp-galaxy:malpedia=\"Koler\""],"Komplex":["misp-galaxy:malpedia=\"Komplex\"","misp-galaxy:mitre-enterprise-attack-malware=\"Komplex - S0162\"","misp-galaxy:mitre-malware=\"Komplex - S0162\""],"JHUHUGIT":["misp-galaxy:malpedia=\"Komplex\"","misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\"","misp-galaxy:tool=\"GAMEFISH\""],"JKEYSKW":["misp-galaxy:malpedia=\"Komplex\"","misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\""],"SedUploader":["misp-galaxy:malpedia=\"Komplex\""],"Konni":["misp-galaxy:malpedia=\"Konni\"","misp-galaxy:rat=\"Konni\""],"KoobFace":["misp-galaxy:malpedia=\"KoobFace\""],"KopiLuwak":["misp-galaxy:malpedia=\"KopiLuwak\""],"Korlia":["misp-galaxy:malpedia=\"Korlia\""],"Bisonal":["misp-galaxy:malpedia=\"Korlia\"","misp-galaxy:mitre-malware=\"Bisonal - S0268\"","misp-galaxy:tool=\"Bisonal\""],"Kovter":["misp-galaxy:malpedia=\"Kovter\""],"KrBanker":["misp-galaxy:malpedia=\"KrBanker\""],"BlackMoon":["misp-galaxy:malpedia=\"KrBanker\""],"KrDownloader":["misp-galaxy:malpedia=\"KrDownloader\""],"Osiris":["misp-galaxy:malpedia=\"Kronos\""],"Kuaibu":["misp-galaxy:malpedia=\"Kuaibu\""],"Barys":["misp-galaxy:malpedia=\"Kuaibu\""],"Gofot":["misp-galaxy:malpedia=\"Kuaibu\""],"Kuaibpy":["misp-galaxy:malpedia=\"Kuaibu\""],"Kuluoz":["misp-galaxy:malpedia=\"Kuluoz\""],"Kurton":["misp-galaxy:malpedia=\"Kurton\""],"Kutaki":["misp-galaxy:malpedia=\"Kutaki\""],"Kwampirs":["misp-galaxy:malpedia=\"Kwampirs\"","misp-galaxy:mitre-malware=\"Kwampirs - S0236\"","misp-galaxy:tool=\"Kwampirs\""],"LOWBALL":["misp-galaxy:malpedia=\"LOWBALL\"","misp-galaxy:mitre-enterprise-attack-malware=\"LOWBALL - S0042\"","misp-galaxy:mitre-malware=\"LOWBALL - S0042\""],"Lady":["misp-galaxy:malpedia=\"Lady\""],"Lambert":["misp-galaxy:malpedia=\"Lambert\""],"Lamdelin":["misp-galaxy:malpedia=\"Lamdelin\""],"Laoshu":["misp-galaxy:malpedia=\"Laoshu\""],"LatentBot":["misp-galaxy:malpedia=\"LatentBot\""],"Lazarus (Android)":["misp-galaxy:malpedia=\"Lazarus (Android)\""],"Lazarus (Windows)":["misp-galaxy:malpedia=\"Lazarus (Windows)\""],"Lazarus ELF Backdoor":["misp-galaxy:malpedia=\"Lazarus ELF Backdoor\""],"Laziok":["misp-galaxy:malpedia=\"Laziok\"","misp-galaxy:tool=\"Trojan.Laziok\""],"LazyCat":["misp-galaxy:malpedia=\"LazyCat\""],"Leash":["misp-galaxy:malpedia=\"Leash\""],"Leouncia":["misp-galaxy:malpedia=\"Leouncia\""],"shoco":["misp-galaxy:malpedia=\"Leouncia\""],"Leverage":["misp-galaxy:malpedia=\"Leverage\""],"LimeRAT":["misp-galaxy:malpedia=\"LimeRAT\""],"Limitail":["misp-galaxy:malpedia=\"Limitail\""],"Listrix":["misp-galaxy:malpedia=\"Listrix\""],"LiteHTTP":["misp-galaxy:malpedia=\"LiteHTTP\""],"LoJax":["misp-galaxy:malpedia=\"LoJax\"","misp-galaxy:tool=\"LoJax\""],"LockPOS":["misp-galaxy:malpedia=\"LockPOS\""],"LockerGoga":["misp-galaxy:malpedia=\"LockerGoga\"","misp-galaxy:ransomware=\"LockerGoga\""],"Locky (Decryptor)":["misp-galaxy:malpedia=\"Locky (Decryptor)\""],"Locky Loader":["misp-galaxy:malpedia=\"Locky Loader\""],"Locky":["misp-galaxy:malpedia=\"Locky\"","misp-galaxy:ransomware=\"Locky\""],"Loda":["misp-galaxy:malpedia=\"Loda\""],"Nymeria":["misp-galaxy:malpedia=\"Loda\""],"LogPOS":["misp-galaxy:malpedia=\"LogPOS\""],"Logedrut":["misp-galaxy:malpedia=\"Logedrut\""],"Loki Password Stealer (PWS)":["misp-galaxy:malpedia=\"Loki Password Stealer (PWS)\""],"Loki":["misp-galaxy:malpedia=\"Loki Password Stealer (PWS)\"","misp-galaxy:malpedia=\"Loki\""],"LokiPWS":["misp-galaxy:malpedia=\"Loki Password Stealer (PWS)\""],"Lordix":["misp-galaxy:malpedia=\"Lordix\""],"LuckyCat":["misp-galaxy:malpedia=\"LuckyCat\""],"Luminosity RAT":["misp-galaxy:malpedia=\"Luminosity RAT\""],"LunchMoney":["misp-galaxy:malpedia=\"LunchMoney\""],"Lurk":["misp-galaxy:malpedia=\"Lurk\""],"Luzo":["misp-galaxy:malpedia=\"Luzo\""],"Lyposit":["misp-galaxy:malpedia=\"Lyposit\""],"Adneukine":["misp-galaxy:malpedia=\"Lyposit\""],"Bomba Locker":["misp-galaxy:malpedia=\"Lyposit\""],"Lucky Locker":["misp-galaxy:malpedia=\"Lyposit\""],"MAPIget":["misp-galaxy:malpedia=\"MAPIget\""],"MBRlock":["misp-galaxy:malpedia=\"MBRlock\""],"DexLocker":["misp-galaxy:malpedia=\"MBRlock\""],"MECHANICAL":["misp-galaxy:malpedia=\"MECHANICAL\""],"MILKMAID":["misp-galaxy:malpedia=\"MILKMAID\""],"MM Core":["misp-galaxy:malpedia=\"MM Core\"","misp-galaxy:tool=\"MM Core\""],"MPKBot":["misp-galaxy:malpedia=\"MPKBot\""],"MPK":["misp-galaxy:malpedia=\"MPKBot\""],"MS Exchange Tool":["misp-galaxy:malpedia=\"MS Exchange Tool\""],"MaMi":["misp-galaxy:malpedia=\"MaMi\""],"MacDownloader":["misp-galaxy:malpedia=\"MacDownloader\"","misp-galaxy:tool=\"MacDownloader\""],"MacInstaller":["misp-galaxy:malpedia=\"MacInstaller\""],"MacRansom":["misp-galaxy:malpedia=\"MacRansom\"","misp-galaxy:ransomware=\"MacRansom\""],"MacSpy":["misp-galaxy:malpedia=\"MacSpy\"","misp-galaxy:mitre-malware=\"MacSpy - S0282\"","misp-galaxy:rat=\"MacSpy\""],"MacVX":["misp-galaxy:malpedia=\"MacVX\""],"Machete":["misp-galaxy:malpedia=\"Machete\"","misp-galaxy:threat-actor=\"El Machete\""],"El Machete":["misp-galaxy:malpedia=\"Machete\"","misp-galaxy:threat-actor=\"El Machete\""],"MadMax":["misp-galaxy:malpedia=\"MadMax\""],"Magala":["misp-galaxy:malpedia=\"Magala\""],"Magniber":["misp-galaxy:malpedia=\"Magniber\""],"Maintools.js":["misp-galaxy:malpedia=\"Maintools.js\""],"MajikPos":["misp-galaxy:malpedia=\"MajikPos\""],"MakLoader":["misp-galaxy:malpedia=\"MakLoader\""],"Makadocs":["misp-galaxy:malpedia=\"Makadocs\""],"Maktub":["misp-galaxy:malpedia=\"Maktub\""],"MalumPOS":["misp-galaxy:malpedia=\"MalumPOS\""],"Mamba":["misp-galaxy:malpedia=\"Mamba\"","misp-galaxy:ransomware=\"HDDCryptor\""],"DiskCryptor":["misp-galaxy:malpedia=\"Mamba\""],"HDDCryptor":["misp-galaxy:malpedia=\"Mamba\"","misp-galaxy:ransomware=\"HDDCryptor\""],"ManItsMe":["misp-galaxy:malpedia=\"ManItsMe\""],"ManameCrypt":["misp-galaxy:malpedia=\"ManameCrypt\""],"CryptoHost":["misp-galaxy:malpedia=\"ManameCrypt\"","misp-galaxy:ransomware=\"CryptoHost\""],"Mangzamel":["misp-galaxy:malpedia=\"Mangzamel\""],"junidor":["misp-galaxy:malpedia=\"Mangzamel\""],"mengkite":["misp-galaxy:malpedia=\"Mangzamel\""],"vedratve":["misp-galaxy:malpedia=\"Mangzamel\""],"Manifestus":["misp-galaxy:malpedia=\"Manifestus\"","misp-galaxy:ransomware=\"EnkripsiPC Ransomware\""],"Marap":["misp-galaxy:malpedia=\"Marap\""],"Marcher":["misp-galaxy:malpedia=\"Marcher\"","misp-galaxy:mitre-malware=\"Marcher - S0317\""],"Masuta":["misp-galaxy:malpedia=\"Masuta\"","misp-galaxy:tool=\"Masuta\""],"PureMasuta":["misp-galaxy:malpedia=\"Masuta\"","misp-galaxy:tool=\"Masuta\""],"Matrix Ransom":["misp-galaxy:malpedia=\"Matrix Ransom\""],"Matryoshka RAT":["misp-galaxy:malpedia=\"Matryoshka RAT\""],"Matsnu":["misp-galaxy:malpedia=\"Matsnu\""],"MazarBot":["misp-galaxy:malpedia=\"MazarBot\""],"Mebromi":["misp-galaxy:malpedia=\"Mebromi\""],"MyBios":["misp-galaxy:malpedia=\"Mebromi\""],"Medre":["misp-galaxy:malpedia=\"Medre\""],"Medusa":["misp-galaxy:malpedia=\"Medusa\""],"Merlin":["misp-galaxy:malpedia=\"Merlin\""],"Metamorfo":["misp-galaxy:malpedia=\"Metamorfo\""],"Casbaneiro":["misp-galaxy:malpedia=\"Metamorfo\""],"Mewsei":["misp-galaxy:malpedia=\"Mewsei\""],"MiKey":["misp-galaxy:malpedia=\"MiKey\""],"Miancha":["misp-galaxy:malpedia=\"Miancha\""],"Micrass":["misp-galaxy:malpedia=\"Micrass\""],"Microcin":["misp-galaxy:malpedia=\"Microcin\"","misp-galaxy:threat-actor=\"Microcin\""],"Micropsia":["misp-galaxy:malpedia=\"Micropsia\"","misp-galaxy:mitre-malware=\"Micropsia - S0339\""],"Mikoponi":["misp-galaxy:malpedia=\"Mikoponi\""],"MimiKatz":["misp-galaxy:malpedia=\"MimiKatz\""],"MiniASP":["misp-galaxy:malpedia=\"MiniASP\""],"Mirage":["misp-galaxy:malpedia=\"Mirage\"","misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:threat-actor=\"Mirage\""],"MirageFox":["misp-galaxy:malpedia=\"MirageFox\"","misp-galaxy:mitre-malware=\"MirageFox - S0280\""],"Mirai (ELF)":["misp-galaxy:malpedia=\"Mirai (ELF)\""],"Mirai (Windows)":["misp-galaxy:malpedia=\"Mirai (Windows)\""],"Misdat":["misp-galaxy:malpedia=\"Misdat\"","misp-galaxy:mitre-enterprise-attack-malware=\"Misdat - S0083\"","misp-galaxy:mitre-malware=\"Misdat - S0083\""],"Misfox":["misp-galaxy:malpedia=\"Misfox\""],"MixFox":["misp-galaxy:malpedia=\"Misfox\""],"ModPack":["misp-galaxy:malpedia=\"Misfox\""],"Miuref":["misp-galaxy:malpedia=\"Miuref\""],"MobiRAT":["misp-galaxy:malpedia=\"MobiRAT\""],"Mocton":["misp-galaxy:malpedia=\"Mocton\""],"ModPOS":["misp-galaxy:malpedia=\"ModPOS\""],"straxbot":["misp-galaxy:malpedia=\"ModPOS\""],"Moker":["misp-galaxy:malpedia=\"Moker\""],"Mokes (ELF)":["misp-galaxy:malpedia=\"Mokes (ELF)\""],"Mokes (OS X)":["misp-galaxy:malpedia=\"Mokes (OS X)\""],"Mokes (Windows)":["misp-galaxy:malpedia=\"Mokes (Windows)\""],"Mole":["misp-galaxy:malpedia=\"Mole\""],"Molerat Loader":["misp-galaxy:malpedia=\"Molerat Loader\""],"Monero Miner":["misp-galaxy:malpedia=\"Monero Miner\""],"CoinMiner":["misp-galaxy:malpedia=\"Monero Miner\"","misp-galaxy:tool=\"CoinMiner\""],"MoonWind":["misp-galaxy:malpedia=\"MoonWind\"","misp-galaxy:mitre-enterprise-attack-malware=\"MoonWind - S0149\"","misp-galaxy:mitre-malware=\"MoonWind - S0149\"","misp-galaxy:rat=\"MoonWind\"","misp-galaxy:tool=\"MoonWind\""],"Moose":["misp-galaxy:malpedia=\"Moose\""],"More_eggs":["misp-galaxy:malpedia=\"More_eggs\"","misp-galaxy:mitre-malware=\"More_eggs - S0284\""],"SpicyOmelette":["misp-galaxy:malpedia=\"More_eggs\"","misp-galaxy:tool=\"SpicyOmelette\""],"Morphine":["misp-galaxy:malpedia=\"Morphine\""],"Morto":["misp-galaxy:malpedia=\"Morto\""],"Mosquito":["misp-galaxy:malpedia=\"Mosquito\"","misp-galaxy:mitre-malware=\"Mosquito - S0256\""],"Moure":["misp-galaxy:malpedia=\"Moure\""],"MrBlack":["misp-galaxy:malpedia=\"MrBlack\""],"Mughthesec":["misp-galaxy:malpedia=\"Mughthesec\"","misp-galaxy:tool=\"Mughthesec\""],"Multigrain POS":["misp-galaxy:malpedia=\"Multigrain POS\""],"Mutabaha":["misp-galaxy:malpedia=\"Mutabaha\""],"MyKings Spreader":["misp-galaxy:malpedia=\"MyKings Spreader\""],"MyloBot":["misp-galaxy:malpedia=\"MyloBot\""],"N40":["misp-galaxy:malpedia=\"N40\""],"NETEAGLE":["misp-galaxy:malpedia=\"NETEAGLE\"","misp-galaxy:mitre-enterprise-attack-malware=\"NETEAGLE - S0034\"","misp-galaxy:mitre-malware=\"NETEAGLE - S0034\""],"ScoutEagle":["misp-galaxy:malpedia=\"NETEAGLE\""],"Nabucur":["misp-galaxy:malpedia=\"Nabucur\""],"Nagini":["misp-galaxy:malpedia=\"Nagini\""],"Naikon":["misp-galaxy:malpedia=\"Naikon\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Naikon - G0019\"","misp-galaxy:mitre-intrusion-set=\"Naikon - G0019\"","misp-galaxy:threat-actor=\"Naikon\""],"NanHaiShu":["misp-galaxy:malpedia=\"NanHaiShu\"","misp-galaxy:mitre-enterprise-attack-malware=\"NanHaiShu - S0228\"","misp-galaxy:mitre-malware=\"NanHaiShu - S0228\"","misp-galaxy:tool=\"NanHaiShu\""],"NanoLocker":["misp-galaxy:malpedia=\"NanoLocker\"","misp-galaxy:ransomware=\"NanoLocker\""],"Nanocore RAT":["misp-galaxy:malpedia=\"Nanocore RAT\""],"Narilam":["misp-galaxy:malpedia=\"Narilam\""],"Nautilus":["misp-galaxy:malpedia=\"Nautilus\"","misp-galaxy:tool=\"Nautilus\""],"NavRAT":["misp-galaxy:malpedia=\"NavRAT\"","misp-galaxy:mitre-malware=\"NavRAT - S0247\"","misp-galaxy:rat=\"NavRAT\""],"Necurs":["misp-galaxy:malpedia=\"Necurs\"","misp-galaxy:tool=\"Necurs\""],"nucurs":["misp-galaxy:malpedia=\"Necurs\""],"Nemim":["misp-galaxy:malpedia=\"Nemim\"","misp-galaxy:threat-actor=\"DarkHotel\""],"Nemain":["misp-galaxy:malpedia=\"Nemim\""],"NetC":["misp-galaxy:malpedia=\"NetC\"","misp-galaxy:mitre-enterprise-attack-malware=\"Net Crawler - S0056\"","misp-galaxy:mitre-malware=\"Net Crawler - S0056\""],"NetSupportManager RAT":["misp-galaxy:malpedia=\"NetSupportManager RAT\""],"NetTraveler":["misp-galaxy:malpedia=\"NetTraveler\"","misp-galaxy:mitre-enterprise-attack-malware=\"NetTraveler - S0033\"","misp-galaxy:mitre-malware=\"NetTraveler - S0033\"","misp-galaxy:threat-actor=\"NetTraveler\"","misp-galaxy:tool=\"NetTraveler\""],"TravNet":["misp-galaxy:malpedia=\"NetTraveler\"","misp-galaxy:threat-actor=\"NetTraveler\"","misp-galaxy:tool=\"NetTraveler\""],"NetWire RC":["misp-galaxy:malpedia=\"NetWire RC\""],"Recam":["misp-galaxy:malpedia=\"NetWire RC\""],"Netrepser":["misp-galaxy:malpedia=\"Netrepser\""],"Neuron":["misp-galaxy:malpedia=\"Neuron\"","misp-galaxy:tool=\"Neuron\""],"Neutrino POS":["misp-galaxy:malpedia=\"Neutrino POS\""],"Kasidet":["misp-galaxy:malpedia=\"Neutrino\"","misp-galaxy:mitre-enterprise-attack-malware=\"Kasidet - S0088\"","misp-galaxy:mitre-malware=\"Kasidet - S0088\""],"NewCT":["misp-galaxy:malpedia=\"NewCT\"","misp-galaxy:tool=\"NewCT\""],"CT":["misp-galaxy:malpedia=\"NewCT\""],"NewCore RAT":["misp-galaxy:malpedia=\"NewCore RAT\""],"NewPosThings":["misp-galaxy:malpedia=\"NewPosThings\""],"NewsReels":["misp-galaxy:malpedia=\"NewsReels\""],"Nexster Bot":["misp-galaxy:malpedia=\"Nexster Bot\""],"NexusLogger":["misp-galaxy:malpedia=\"NexusLogger\""],"Ngioweb":["misp-galaxy:malpedia=\"Ngioweb\""],"NgrBot":["misp-galaxy:malpedia=\"NgrBot\""],"Nitol":["misp-galaxy:malpedia=\"Nitol\""],"NjRAT":["misp-galaxy:malpedia=\"NjRAT\""],"Bladabindi":["misp-galaxy:malpedia=\"NjRAT\"","misp-galaxy:tool=\"njRAT\""],"Nocturnal Stealer":["misp-galaxy:malpedia=\"Nocturnal Stealer\"","misp-galaxy:stealer=\"Nocturnal Stealer\""],"Nokki":["misp-galaxy:malpedia=\"Nokki\""],"Nozelesn (Decryptor)":["misp-galaxy:malpedia=\"Nozelesn (Decryptor)\""],"Nymaim":["misp-galaxy:malpedia=\"Nymaim\"","misp-galaxy:tool=\"Nymaim\""],"nymain":["misp-galaxy:malpedia=\"Nymaim\""],"Nymaim2":["misp-galaxy:malpedia=\"Nymaim2\""],"OLDBAIT":["misp-galaxy:malpedia=\"OLDBAIT\"","misp-galaxy:mitre-enterprise-attack-malware=\"OLDBAIT - S0138\"","misp-galaxy:mitre-malware=\"OLDBAIT - S0138\"","misp-galaxy:tool=\"OLDBAIT\""],"Sasfis":["misp-galaxy:malpedia=\"OLDBAIT\"","misp-galaxy:malpedia=\"Sasfis\"","misp-galaxy:mitre-enterprise-attack-malware=\"OLDBAIT - S0138\"","misp-galaxy:mitre-malware=\"OLDBAIT - S0138\"","misp-galaxy:tool=\"OLDBAIT\""],"ONHAT":["misp-galaxy:malpedia=\"ONHAT\""],"ORANGEADE":["misp-galaxy:malpedia=\"ORANGEADE\""],"OceanLotus":["misp-galaxy:malpedia=\"OceanLotus\"","misp-galaxy:mitre-intrusion-set=\"APT32 - G0050\"","misp-galaxy:threat-actor=\"APT32\""],"Oceansalt":["misp-galaxy:malpedia=\"Oceansalt\""],"Octopus":["misp-galaxy:malpedia=\"Octopus\"","misp-galaxy:mitre-malware=\"Octopus - S0340\""],"OddJob":["misp-galaxy:malpedia=\"OddJob\""],"Odinaff":["misp-galaxy:malpedia=\"Odinaff\"","misp-galaxy:tool=\"Odinaff\""],"OilRig":["misp-galaxy:malpedia=\"OilRig\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"","misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\"","misp-galaxy:threat-actor=\"CHRYSENE\"","misp-galaxy:threat-actor=\"OilRig\""],"Olympic Destroyer":["misp-galaxy:malpedia=\"Olympic Destroyer\"","misp-galaxy:mitre-malware=\"Olympic Destroyer - S0365\"","misp-galaxy:tool=\"Olympic Destroyer\""],"Olyx":["misp-galaxy:malpedia=\"Olyx\""],"OmniRAT":["misp-galaxy:malpedia=\"OmniRAT\"","misp-galaxy:rat=\"OmniRAT\""],"OneKeyLocker":["misp-galaxy:malpedia=\"OneKeyLocker\""],"OnionDuke":["misp-galaxy:malpedia=\"OnionDuke\"","misp-galaxy:mitre-enterprise-attack-malware=\"OnionDuke - S0052\"","misp-galaxy:mitre-malware=\"OnionDuke - S0052\""],"OnlinerSpambot":["misp-galaxy:malpedia=\"OnlinerSpambot\""],"Onliner":["misp-galaxy:malpedia=\"OnlinerSpambot\""],"SBot":["misp-galaxy:malpedia=\"OnlinerSpambot\""],"OopsIE":["misp-galaxy:malpedia=\"OopsIE\"","misp-galaxy:mitre-malware=\"OopsIE - S0264\""],"OpBlockBuster":["misp-galaxy:malpedia=\"OpBlockBuster\""],"OpGhoul":["misp-galaxy:malpedia=\"OpGhoul\""],"Opachki":["misp-galaxy:malpedia=\"Opachki\""],"OrcaRAT":["misp-galaxy:malpedia=\"OrcaRAT\""],"Orcus RAT":["misp-galaxy:malpedia=\"Orcus RAT\""],"Ordinypt":["misp-galaxy:malpedia=\"Ordinypt\"","misp-galaxy:tool=\"Ordinypt\""],"Outlook Backdoor":["misp-galaxy:malpedia=\"Outlook Backdoor\""],"Overlay RAT":["misp-galaxy:malpedia=\"Overlay RAT\""],"OvidiyStealer":["misp-galaxy:malpedia=\"OvidiyStealer\""],"PAS":["misp-galaxy:malpedia=\"PAS\""],"PC Surveillance System":["misp-galaxy:malpedia=\"PC Surveillance System\""],"PSS":["misp-galaxy:malpedia=\"PC Surveillance System\""],"PHOREAL":["misp-galaxy:malpedia=\"PHOREAL\"","misp-galaxy:mitre-enterprise-attack-malware=\"PHOREAL - S0158\"","misp-galaxy:mitre-malware=\"PHOREAL - S0158\""],"Rizzo":["misp-galaxy:malpedia=\"PHOREAL\""],"PLAINTEE":["misp-galaxy:malpedia=\"PLAINTEE\"","misp-galaxy:mitre-malware=\"PLAINTEE - S0254\"","misp-galaxy:tool=\"PLAINTEE\""],"PLEAD":["misp-galaxy:malpedia=\"PLEAD\"","misp-galaxy:tool=\"PLEAD\""],"TSCookie":["misp-galaxy:malpedia=\"PLEAD\"","misp-galaxy:tool=\"TSCookie\""],"POSHSPY":["misp-galaxy:malpedia=\"POSHSPY\"","misp-galaxy:mitre-enterprise-attack-malware=\"POSHSPY - S0150\"","misp-galaxy:mitre-malware=\"POSHSPY - S0150\""],"POWERPIPE":["misp-galaxy:malpedia=\"POWERPIPE\""],"POWERSOURCE":["misp-galaxy:malpedia=\"POWERSOURCE\"","misp-galaxy:mitre-enterprise-attack-malware=\"POWERSOURCE - S0145\"","misp-galaxy:mitre-malware=\"POWERSOURCE - S0145\""],"POWERSTATS":["misp-galaxy:malpedia=\"POWERSTATS\"","misp-galaxy:mitre-enterprise-attack-malware=\"POWERSTATS - S0223\"","misp-galaxy:mitre-malware=\"POWERSTATS - S0223\""],"Valyria":["misp-galaxy:malpedia=\"POWERSTATS\""],"POWRUNER":["misp-galaxy:malpedia=\"POWRUNER\"","misp-galaxy:mitre-enterprise-attack-malware=\"POWRUNER - S0184\"","misp-galaxy:mitre-malware=\"POWRUNER - S0184\""],"PadCrypt":["misp-galaxy:malpedia=\"PadCrypt\"","misp-galaxy:ransomware=\"PadCrypt\""],"PandaBanker":["misp-galaxy:malpedia=\"PandaBanker\""],"ZeusPanda":["misp-galaxy:malpedia=\"PandaBanker\""],"Patcher":["misp-galaxy:malpedia=\"Patcher\"","misp-galaxy:ransomware=\"FileCoder\"","misp-galaxy:ransomware=\"Patcher\""],"FileCoder":["misp-galaxy:malpedia=\"Patcher\"","misp-galaxy:ransomware=\"FileCoder\""],"Findzip":["misp-galaxy:malpedia=\"Patcher\""],"Peepy RAT":["misp-galaxy:malpedia=\"Peepy RAT\""],"Penco":["misp-galaxy:malpedia=\"Penco\""],"Penquin Turla":["misp-galaxy:malpedia=\"Penquin Turla\""],"PerlBot":["misp-galaxy:malpedia=\"PerlBot\""],"DDoS Perl IrcBot":["misp-galaxy:malpedia=\"PerlBot\""],"ShellBot":["misp-galaxy:malpedia=\"PerlBot\""],"PetrWrap":["misp-galaxy:malpedia=\"PetrWrap\""],"Petya":["misp-galaxy:malpedia=\"Petya\"","misp-galaxy:ransomware=\"Petya\""],"PhanDoor":["misp-galaxy:malpedia=\"PhanDoor\""],"Philadephia Ransom":["misp-galaxy:malpedia=\"Philadephia Ransom\""],"Phorpiex":["misp-galaxy:malpedia=\"Phorpiex\""],"Trik":["misp-galaxy:malpedia=\"Phorpiex\""],"PintSized":["misp-galaxy:malpedia=\"PintSized\""],"Pirrit":["misp-galaxy:malpedia=\"Pirrit\""],"Pitou":["misp-galaxy:malpedia=\"Pitou\""],"PittyTiger RAT":["misp-galaxy:malpedia=\"PittyTiger RAT\""],"Pkybot":["misp-galaxy:malpedia=\"Pkybot\""],"Bublik":["misp-galaxy:malpedia=\"Pkybot\""],"Pykbot":["misp-galaxy:malpedia=\"Pkybot\""],"TBag":["misp-galaxy:malpedia=\"Pkybot\""],"Plexor":["misp-galaxy:malpedia=\"Plexor\"","misp-galaxy:tool=\"Plexor\""],"Ploutus ATM":["misp-galaxy:malpedia=\"Ploutus ATM\""],"PlugX":["misp-galaxy:malpedia=\"PlugX\"","misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"","misp-galaxy:mitre-malware=\"PlugX - S0013\"","misp-galaxy:rat=\"PlugX\"","misp-galaxy:tool=\"PlugX\""],"Korplug":["misp-galaxy:malpedia=\"PlugX\"","misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"","misp-galaxy:mitre-malware=\"PlugX - S0013\"","misp-galaxy:rat=\"PlugX\"","misp-galaxy:tool=\"PlugX\""],"Poison Ivy":["misp-galaxy:malpedia=\"Poison Ivy\"","misp-galaxy:mitre-enterprise-attack-malware=\"PoisonIvy - S0012\"","misp-galaxy:mitre-malware=\"PoisonIvy - S0012\"","misp-galaxy:rat=\"PoisonIvy\"","misp-galaxy:tool=\"Poison Ivy\""],"pivy":["misp-galaxy:malpedia=\"Poison Ivy\""],"poisonivy":["misp-galaxy:malpedia=\"Poison Ivy\"","misp-galaxy:tool=\"poisonivy\""],"Polyglot":["misp-galaxy:malpedia=\"Polyglot\"","misp-galaxy:ransomware=\"Polyglot\""],"Pony":["misp-galaxy:malpedia=\"Pony\"","misp-galaxy:tool=\"Hancitor\""],"Fareit":["misp-galaxy:malpedia=\"Pony\"","misp-galaxy:tool=\"Fareit\""],"Siplog":["misp-galaxy:malpedia=\"Pony\""],"PoohMilk Loader":["misp-galaxy:malpedia=\"PoohMilk Loader\""],"Popcorn Time":["misp-galaxy:malpedia=\"Popcorn Time\""],"PoshC2":["misp-galaxy:malpedia=\"PoshC2\"","misp-galaxy:mitre-tool=\"PoshC2 - S0378\""],"Poweliks Dropper":["misp-galaxy:malpedia=\"Poweliks Dropper\""],"PowerDuke":["misp-galaxy:malpedia=\"PowerDuke\"","misp-galaxy:mitre-enterprise-attack-malware=\"PowerDuke - S0139\"","misp-galaxy:mitre-malware=\"PowerDuke - S0139\""],"PowerPool":["misp-galaxy:malpedia=\"PowerPool\"","misp-galaxy:threat-actor=\"PowerPool\""],"PowerRatankba":["misp-galaxy:malpedia=\"PowerRatankba\"","misp-galaxy:tool=\"PowerRatankba\""],"PowerSpritz":["misp-galaxy:malpedia=\"PowerSpritz\"","misp-galaxy:tool=\"PowerSpritz\""],"PowerWare":["misp-galaxy:malpedia=\"PowerWare\"","misp-galaxy:ransomware=\"PowerWare\""],"Powersniff":["misp-galaxy:malpedia=\"Powersniff\""],"Powmet":["misp-galaxy:malpedia=\"Powmet\""],"Predator The Thief":["misp-galaxy:malpedia=\"Predator The Thief\""],"Premier RAT":["misp-galaxy:malpedia=\"Premier RAT\""],"PresFox":["misp-galaxy:malpedia=\"PresFox\""],"Prikorma":["misp-galaxy:malpedia=\"Prikorma\""],"Prilex":["misp-galaxy:malpedia=\"Prilex\""],"PrincessLocker":["misp-galaxy:malpedia=\"PrincessLocker\""],"Project Alice":["misp-galaxy:malpedia=\"Project Alice\""],"AliceATM":["misp-galaxy:malpedia=\"Project Alice\""],"PrAlice":["misp-galaxy:malpedia=\"Project Alice\""],"Proton RAT":["misp-galaxy:malpedia=\"Proton RAT\""],"Calisto":["misp-galaxy:malpedia=\"Proton RAT\"","misp-galaxy:mitre-malware=\"Calisto - S0274\""],"PsiX":["misp-galaxy:malpedia=\"PsiX\""],"Pteranodon":["misp-galaxy:malpedia=\"Pteranodon\"","misp-galaxy:mitre-enterprise-attack-malware=\"Pteranodon - S0147\"","misp-galaxy:mitre-malware=\"Pteranodon - S0147\""],"PubNubRAT":["misp-galaxy:malpedia=\"PubNubRAT\""],"Punkey POS":["misp-galaxy:malpedia=\"Punkey POS\""],"Putabmow":["misp-galaxy:malpedia=\"Putabmow\""],"PvzOut":["misp-galaxy:malpedia=\"PvzOut\""],"Pwnet":["misp-galaxy:malpedia=\"Pwnet\"","misp-galaxy:tool=\"Pwnet\""],"PyLocky":["misp-galaxy:malpedia=\"PyLocky\""],"Locky Locker":["misp-galaxy:malpedia=\"PyLocky\""],"Pykspa":["misp-galaxy:malpedia=\"Pykspa\""],"QHost":["misp-galaxy:malpedia=\"QHost\""],"Tolouge":["misp-galaxy:malpedia=\"QHost\""],"QRat":["misp-galaxy:malpedia=\"QRat\""],"Quaverse RAT":["misp-galaxy:malpedia=\"QRat\""],"QUADAGENT":["misp-galaxy:malpedia=\"QUADAGENT\"","misp-galaxy:mitre-malware=\"QUADAGENT - S0269\""],"Qaccel":["misp-galaxy:malpedia=\"Qaccel\""],"QakBot":["misp-galaxy:malpedia=\"QakBot\""],"Qbot":["misp-galaxy:malpedia=\"QakBot\"","misp-galaxy:tool=\"Akbot\""],"Qarallax RAT":["misp-galaxy:malpedia=\"Qarallax RAT\""],"Qealler":["misp-galaxy:malpedia=\"Qealler\""],"QtBot":["misp-galaxy:malpedia=\"QtBot\""],"qtproject":["misp-galaxy:malpedia=\"QtBot\""],"Quant Loader":["misp-galaxy:malpedia=\"Quant Loader\"","misp-galaxy:tool=\"Quant Loader\""],"Quasar RAT":["misp-galaxy:malpedia=\"Quasar RAT\"","misp-galaxy:rat=\"Quasar RAT\""],"Qulab":["misp-galaxy:malpedia=\"Qulab\""],"RCS":["misp-galaxy:malpedia=\"RCS\""],"Remote Control System":["misp-galaxy:malpedia=\"RCS\""],"RGDoor":["misp-galaxy:malpedia=\"RGDoor\"","misp-galaxy:mitre-malware=\"RGDoor - S0258\""],"RMS":["misp-galaxy:malpedia=\"RMS\""],"Remote Manipulator System":["misp-galaxy:malpedia=\"RMS\""],"RTM":["misp-galaxy:malpedia=\"RTM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"RTM - G0048\"","misp-galaxy:mitre-enterprise-attack-malware=\"RTM - S0148\"","misp-galaxy:mitre-intrusion-set=\"RTM - G0048\"","misp-galaxy:mitre-malware=\"RTM - S0148\"","misp-galaxy:threat-actor=\"RTM\""],"RadRAT":["misp-galaxy:malpedia=\"RadRAT\"","misp-galaxy:rat=\"RadRAT\""],"Radamant":["misp-galaxy:malpedia=\"Radamant\"","misp-galaxy:ransomware=\"Radamant\""],"Rakhni":["misp-galaxy:malpedia=\"Rakhni\"","misp-galaxy:ransomware=\"Bandarchor\"","misp-galaxy:ransomware=\"Rakhni\""],"Rakos":["misp-galaxy:malpedia=\"Rakos\""],"Rambo":["misp-galaxy:malpedia=\"Rambo\""],"brebsd":["misp-galaxy:malpedia=\"Rambo\""],"Ramdo":["misp-galaxy:malpedia=\"Ramdo\""],"Ranscam":["misp-galaxy:malpedia=\"Ranscam\"","misp-galaxy:ransomware=\"CryptoFinancial\""],"Ransoc":["misp-galaxy:malpedia=\"Ransoc\"","misp-galaxy:ransomware=\"Ransoc\""],"Ransomlock":["misp-galaxy:malpedia=\"Ransomlock\""],"WinLock":["misp-galaxy:malpedia=\"Ransomlock\""],"Rapid Ransom":["misp-galaxy:malpedia=\"Rapid Ransom\""],"RapidStealer":["misp-galaxy:malpedia=\"RapidStealer\""],"Rarog":["misp-galaxy:malpedia=\"Rarog\""],"RatabankaPOS":["misp-galaxy:malpedia=\"RatabankaPOS\""],"Ratty":["misp-galaxy:malpedia=\"Ratty\"","misp-galaxy:rat=\"Ratty\""],"RawPOS":["misp-galaxy:malpedia=\"RawPOS\"","misp-galaxy:mitre-enterprise-attack-malware=\"RawPOS - S0169\"","misp-galaxy:mitre-malware=\"RawPOS - S0169\""],"Raxir":["misp-galaxy:malpedia=\"Raxir\""],"Reaver":["misp-galaxy:malpedia=\"Reaver\"","misp-galaxy:mitre-enterprise-attack-malware=\"Reaver - S0172\"","misp-galaxy:mitre-malware=\"Reaver - S0172\"","misp-galaxy:tool=\"Reaver\""],"Red Alert":["misp-galaxy:malpedia=\"Red Alert\"","misp-galaxy:ransomware=\"Red Alert\""],"Red Gambler":["misp-galaxy:malpedia=\"Red Gambler\""],"RedAlpha":["misp-galaxy:malpedia=\"RedAlpha\"","misp-galaxy:threat-actor=\"RedAlpha\""],"RedLeaves":["misp-galaxy:malpedia=\"RedLeaves\"","misp-galaxy:mitre-enterprise-attack-malware=\"RedLeaves - S0153\"","misp-galaxy:mitre-malware=\"RedLeaves - S0153\"","misp-galaxy:rat=\"RedLeaves\""],"Redaman":["misp-galaxy:malpedia=\"Redaman\""],"Redyms":["misp-galaxy:malpedia=\"Redyms\""],"Regin":["misp-galaxy:malpedia=\"Regin\"","misp-galaxy:mitre-enterprise-attack-malware=\"Regin - S0019\"","misp-galaxy:mitre-malware=\"Regin - S0019\"","misp-galaxy:tool=\"Regin\""],"Remcos":["misp-galaxy:malpedia=\"Remcos\"","misp-galaxy:mitre-tool=\"Remcos - S0332\"","misp-galaxy:rat=\"Remcos\""],"Remexi":["misp-galaxy:malpedia=\"Remexi\"","misp-galaxy:mitre-malware=\"Remexi - S0375\""],"Remsec":["misp-galaxy:malpedia=\"Remsec\"","misp-galaxy:mitre-enterprise-attack-malware=\"Remsec - S0125\"","misp-galaxy:mitre-malware=\"Remsec - S0125\""],"Remy":["misp-galaxy:malpedia=\"Remy\""],"Rerdom":["misp-galaxy:malpedia=\"Rerdom\""],"Retadup":["misp-galaxy:malpedia=\"Retadup\""],"Retefe (Android)":["misp-galaxy:malpedia=\"Retefe (Android)\""],"Retefe (Windows)":["misp-galaxy:malpedia=\"Retefe (Windows)\""],"Revenge RAT":["misp-galaxy:malpedia=\"Revenge RAT\""],"Revetrat":["misp-galaxy:malpedia=\"Revenge RAT\""],"Rex":["misp-galaxy:malpedia=\"Rex\""],"Rietspoof":["misp-galaxy:malpedia=\"Rietspoof\""],"Rifdoor":["misp-galaxy:malpedia=\"Rifdoor\""],"Rikamanu":["misp-galaxy:malpedia=\"Rikamanu\""],"Rincux":["misp-galaxy:malpedia=\"Rincux\""],"Ripper ATM":["misp-galaxy:malpedia=\"Ripper ATM\""],"Roaming Mantis":["misp-galaxy:malpedia=\"Roaming Mantis\"","misp-galaxy:threat-actor=\"Roaming Mantis\"","misp-galaxy:tool=\"Roaming Mantis\""],"Rockloader":["misp-galaxy:malpedia=\"Rockloader\""],"Rofin":["misp-galaxy:malpedia=\"Rofin\""],"RogueRobin":["misp-galaxy:malpedia=\"RogueRobin\"","misp-galaxy:mitre-malware=\"RogueRobin - S0270\""],"RogueRobinNET":["misp-galaxy:malpedia=\"RogueRobinNET\""],"RokRAT":["misp-galaxy:malpedia=\"RokRAT\""],"Rokku":["misp-galaxy:malpedia=\"Rokku\"","misp-galaxy:ransomware=\"Rokku\""],"Rombertik":["misp-galaxy:malpedia=\"Rombertik\""],"CarbonGrabber":["misp-galaxy:malpedia=\"Rombertik\""],"Romeo(Alfa,Bravo, ...)":["misp-galaxy:malpedia=\"Romeo(Alfa,Bravo, ...)\""],"Roopirs":["misp-galaxy:malpedia=\"Roopirs\""],"Roseam":["misp-galaxy:malpedia=\"Roseam\""],"RotorCrypt":["misp-galaxy:malpedia=\"RotorCrypt\"","misp-galaxy:ransomware=\"RotorCrypt(RotoCrypt, Tar) Ransomware\""],"RotoCrypt":["misp-galaxy:malpedia=\"RotorCrypt\"","misp-galaxy:ransomware=\"RotorCrypt(RotoCrypt, Tar) Ransomware\""],"Rotor":["misp-galaxy:malpedia=\"RotorCrypt\"","misp-galaxy:ransomware=\"Rakhni\""],"Rover":["misp-galaxy:malpedia=\"Rover\"","misp-galaxy:mitre-enterprise-attack-malware=\"Rover - S0090\"","misp-galaxy:mitre-malware=\"Rover - S0090\""],"Rovnix":["misp-galaxy:malpedia=\"Rovnix\"","misp-galaxy:tool=\"Rovnix\""],"BkLoader":["misp-galaxy:malpedia=\"Rovnix\""],"Cidox":["misp-galaxy:malpedia=\"Rovnix\""],"Mayachok":["misp-galaxy:malpedia=\"Rovnix\""],"Royal DNS":["misp-galaxy:malpedia=\"Royal DNS\""],"RoyalCli":["misp-galaxy:malpedia=\"RoyalCli\"","misp-galaxy:tool=\"RoyalCli\""],"Rozena":["misp-galaxy:malpedia=\"Rozena\""],"Ruckguv":["misp-galaxy:malpedia=\"Ruckguv\"","misp-galaxy:tool=\"Ruckguv\""],"Rumish":["misp-galaxy:malpedia=\"Rumish\""],"Rurktar":["misp-galaxy:malpedia=\"Rurktar\"","misp-galaxy:rat=\"Rurktar\""],"RCSU":["misp-galaxy:malpedia=\"Rurktar\""],"Ryuk":["misp-galaxy:malpedia=\"Ryuk\""],"SAGE":["misp-galaxy:malpedia=\"SAGE\""],"Saga":["misp-galaxy:malpedia=\"SAGE\""],"SHAPESHIFT":["misp-galaxy:malpedia=\"SHAPESHIFT\""],"SHARPKNOT":["misp-galaxy:malpedia=\"SHARPKNOT\"","misp-galaxy:tool=\"SHARPKNOT\""],"Bitrep":["misp-galaxy:malpedia=\"SHARPKNOT\""],"SHIPSHAPE":["misp-galaxy:malpedia=\"SHIPSHAPE\"","misp-galaxy:mitre-enterprise-attack-malware=\"SHIPSHAPE - S0028\"","misp-galaxy:mitre-malware=\"SHIPSHAPE - S0028\""],"SMSspy":["misp-galaxy:malpedia=\"SMSspy\""],"SNEEPY":["misp-galaxy:malpedia=\"SNEEPY\""],"ByeByeShell":["misp-galaxy:malpedia=\"SNEEPY\""],"SNS Locker":["misp-galaxy:malpedia=\"SNS Locker\""],"SOUNDBITE":["misp-galaxy:malpedia=\"SOUNDBITE\"","misp-galaxy:mitre-enterprise-attack-malware=\"SOUNDBITE - S0157\"","misp-galaxy:mitre-malware=\"SOUNDBITE - S0157\""],"denis":["misp-galaxy:malpedia=\"SOUNDBITE\""],"SPACESHIP":["misp-galaxy:malpedia=\"SPACESHIP\"","misp-galaxy:mitre-enterprise-attack-malware=\"SPACESHIP - S0035\"","misp-galaxy:mitre-malware=\"SPACESHIP - S0035\""],"SQLRat":["misp-galaxy:malpedia=\"SQLRat\""],"SSHDoor":["misp-galaxy:malpedia=\"SSHDoor\"","misp-galaxy:tool=\"SSHDoor\""],"STOP Ransomware":["misp-galaxy:malpedia=\"STOP Ransomware\"","misp-galaxy:ransomware=\"STOP Ransomware\""],"Djvu":["misp-galaxy:malpedia=\"STOP Ransomware\"","misp-galaxy:ransomware=\"Djvu\""],"Sakula RAT":["misp-galaxy:malpedia=\"Sakula RAT\""],"Sakurel":["misp-galaxy:malpedia=\"Sakula RAT\"","misp-galaxy:mitre-enterprise-attack-malware=\"Sakula - S0074\"","misp-galaxy:mitre-malware=\"Sakula - S0074\"","misp-galaxy:rat=\"Sakula\"","misp-galaxy:tool=\"Sakula\""],"Salgorea":["misp-galaxy:malpedia=\"Salgorea\""],"SamSam":["misp-galaxy:malpedia=\"SamSam\"","misp-galaxy:mitre-malware=\"SamSam - S0370\"","misp-galaxy:ransomware=\"Samas-Samsam\""],"Sanny":["misp-galaxy:malpedia=\"Sanny\""],"Daws":["misp-galaxy:malpedia=\"Sanny\""],"Saphyra":["misp-galaxy:malpedia=\"Saphyra\""],"SappyCache":["misp-galaxy:malpedia=\"SappyCache\""],"Sarhust":["misp-galaxy:malpedia=\"Sarhust\""],"Hussarini":["misp-galaxy:malpedia=\"Sarhust\""],"Satan Ransomware":["misp-galaxy:malpedia=\"Satan Ransomware\"","misp-galaxy:ransomware=\"Satan Ransomware\""],"DBGer":["misp-galaxy:malpedia=\"Satan Ransomware\""],"Lucky Ransomware":["misp-galaxy:malpedia=\"Satan Ransomware\"","misp-galaxy:ransomware=\"Lucky Ransomware\""],"Satana":["misp-galaxy:malpedia=\"Satana\"","misp-galaxy:ransomware=\"Satana\""],"Sathurbot":["misp-galaxy:malpedia=\"Sathurbot\"","misp-galaxy:tool=\"Sathurbot\""],"Sauron Locker":["misp-galaxy:malpedia=\"Sauron Locker\""],"ScanPOS":["misp-galaxy:malpedia=\"ScanPOS\""],"Schneiken":["misp-galaxy:malpedia=\"Schneiken\""],"Scote":["misp-galaxy:malpedia=\"Scote\""],"ScreenLocker":["misp-galaxy:malpedia=\"ScreenLocker\""],"SeDll":["misp-galaxy:malpedia=\"SeDll\""],"SeaDaddy":["misp-galaxy:malpedia=\"SeaDaddy\"","misp-galaxy:mitre-enterprise-attack-malware=\"SeaDuke - S0053\"","misp-galaxy:mitre-malware=\"SeaDuke - S0053\""],"SeaSalt":["misp-galaxy:malpedia=\"SeaSalt\""],"Sedreco":["misp-galaxy:malpedia=\"Sedreco\"","misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:tool=\"EVILTOSS\""],"azzy":["misp-galaxy:malpedia=\"Sedreco\""],"eviltoss":["misp-galaxy:malpedia=\"Sedreco\""],"Seduploader":["misp-galaxy:malpedia=\"Seduploader\"","misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\"","misp-galaxy:tool=\"GAMEFISH\""],"carberplike":["misp-galaxy:malpedia=\"Seduploader\""],"downrage":["misp-galaxy:malpedia=\"Seduploader\""],"jhuhugit":["misp-galaxy:malpedia=\"Seduploader\""],"jkeyskw":["misp-galaxy:malpedia=\"Seduploader\""],"SendSafe":["misp-galaxy:malpedia=\"SendSafe\""],"Serpico":["misp-galaxy:malpedia=\"Serpico\"","misp-galaxy:ransomware=\"Serpico\""],"ShadowPad":["misp-galaxy:malpedia=\"ShadowPad\"","misp-galaxy:tool=\"ShadowPad\""],"XShellGhost":["misp-galaxy:malpedia=\"ShadowPad\""],"Shakti":["misp-galaxy:malpedia=\"Shakti\""],"ShellBind":["misp-galaxy:malpedia=\"ShellBind\""],"ShellLocker":["misp-galaxy:malpedia=\"ShellLocker\""],"Shifu":["misp-galaxy:malpedia=\"Shifu\"","misp-galaxy:tool=\"Shifu\""],"Shim RAT":["misp-galaxy:malpedia=\"Shim RAT\""],"Shishiga":["misp-galaxy:malpedia=\"Shishiga\""],"Shujin":["misp-galaxy:malpedia=\"Shujin\"","misp-galaxy:ransomware=\"Shujin\""],"Shurl0ckr":["misp-galaxy:malpedia=\"Shurl0ckr\""],"Shylock":["misp-galaxy:malpedia=\"Shylock\""],"Caphaw":["misp-galaxy:malpedia=\"Shylock\""],"SideWinder":["misp-galaxy:malpedia=\"SideWinder\""],"Sierra(Alfa,Bravo, ...)":["misp-galaxy:malpedia=\"Sierra(Alfa,Bravo, ...)\""],"Destover":["misp-galaxy:malpedia=\"Sierra(Alfa,Bravo, ...)\""],"Siggen6":["misp-galaxy:malpedia=\"Siggen6\""],"Silence DDoS":["misp-galaxy:malpedia=\"Silence DDoS\""],"Silence":["misp-galaxy:malpedia=\"Silence\"","misp-galaxy:threat-actor=\"Silence group\"","misp-galaxy:tool=\"Silence\""],"TrueBot":["misp-galaxy:malpedia=\"Silence\""],"Silon":["misp-galaxy:malpedia=\"Silon\""],"Siluhdur":["misp-galaxy:malpedia=\"Siluhdur\""],"iBank":["misp-galaxy:malpedia=\"Simda\""],"Mebroot":["misp-galaxy:malpedia=\"Sinowal\""],"Quarian":["misp-galaxy:malpedia=\"Sinowal\""],"Theola":["misp-galaxy:malpedia=\"Sinowal\""],"Sisfader":["misp-galaxy:malpedia=\"Sisfader\"","misp-galaxy:rat=\"Sisfader\""],"Skarab Ransom":["misp-galaxy:malpedia=\"Skarab Ransom\""],"Skyplex":["misp-galaxy:malpedia=\"Skyplex\""],"Slave":["misp-galaxy:malpedia=\"Slave\""],"Slempo":["misp-galaxy:malpedia=\"Slempo\"","misp-galaxy:tool=\"Slempo\""],"Slingshot":["misp-galaxy:malpedia=\"Slingshot\"","misp-galaxy:threat-actor=\"Slingshot\""],"Slocker":["misp-galaxy:malpedia=\"Slocker\""],"SmokeLoader":["misp-galaxy:malpedia=\"SmokeLoader\"","misp-galaxy:tool=\"Smoke Loader\""],"Dofoil":["misp-galaxy:malpedia=\"SmokeLoader\"","misp-galaxy:mitre-enterprise-attack-malware=\"Smoke Loader - S0226\"","misp-galaxy:mitre-malware=\"Smoke Loader - S0226\""],"Smrss32 Ransomware":["misp-galaxy:malpedia=\"Smrss32 Ransomware\""],"SnatchLoader":["misp-galaxy:malpedia=\"SnatchLoader\""],"Snojan":["misp-galaxy:malpedia=\"Snojan\""],"Sobaken":["misp-galaxy:malpedia=\"Sobaken\""],"Socks5 Systemz":["misp-galaxy:malpedia=\"Socks5 Systemz\""],"SocksBot":["misp-galaxy:malpedia=\"SocksBot\""],"BIRDDOG":["misp-galaxy:malpedia=\"SocksBot\""],"Nadrac":["misp-galaxy:malpedia=\"SocksBot\""],"Solarbot":["misp-galaxy:malpedia=\"Solarbot\""],"Napolar":["misp-galaxy:malpedia=\"Solarbot\""],"Sorgu":["misp-galaxy:malpedia=\"Sorgu\""],"Spamtorte":["misp-galaxy:malpedia=\"Spamtorte\""],"SpeakUp":["misp-galaxy:malpedia=\"SpeakUp\"","misp-galaxy:mitre-malware=\"SpeakUp - S0374\""],"Spedear":["misp-galaxy:malpedia=\"Spedear\""],"Spora":["misp-galaxy:malpedia=\"Spora\""],"SpyBot":["misp-galaxy:malpedia=\"SpyBot\""],"SpyNote":["misp-galaxy:malpedia=\"SpyNote\"","misp-galaxy:rat=\"SpyNote\""],"SquirtDanger":["misp-galaxy:malpedia=\"SquirtDanger\""],"SslMM":["misp-galaxy:malpedia=\"SslMM\"","misp-galaxy:mitre-enterprise-attack-malware=\"SslMM - S0058\"","misp-galaxy:mitre-malware=\"SslMM - S0058\""],"Stabuniq":["misp-galaxy:malpedia=\"Stabuniq\""],"Stampedo":["misp-galaxy:malpedia=\"Stampedo\""],"Stantinko":["misp-galaxy:malpedia=\"Stantinko\""],"StarCruft":["misp-galaxy:malpedia=\"StarCruft\"","misp-galaxy:threat-actor=\"APT37\""],"StarLoader":["misp-galaxy:malpedia=\"StarLoader\""],"StarsyPound":["misp-galaxy:malpedia=\"StarsyPound\""],"StartPage":["misp-galaxy:malpedia=\"StartPage\""],"Easy Television Access Now":["misp-galaxy:malpedia=\"StartPage\""],"Stealth Mango":["misp-galaxy:malpedia=\"Stealth Mango\"","misp-galaxy:mitre-malware=\"Stealth Mango - S0328\""],"StealthAgent":["misp-galaxy:malpedia=\"StealthAgent\""],"StealthWorker Go":["misp-galaxy:malpedia=\"StealthWorker Go\""],"StegoLoader":["misp-galaxy:malpedia=\"StegoLoader\""],"Stinger":["misp-galaxy:malpedia=\"Stinger\""],"Stration":["misp-galaxy:malpedia=\"Stration\""],"Stresspaint":["misp-galaxy:malpedia=\"Stresspaint\""],"StrongPity":["misp-galaxy:malpedia=\"StrongPity\"","misp-galaxy:threat-actor=\"PROMETHIUM\""],"Stuxnet":["misp-galaxy:malpedia=\"Stuxnet\"","misp-galaxy:tool=\"Stuxnet\""],"SunOrcal":["misp-galaxy:malpedia=\"SunOrcal\"","misp-galaxy:tool=\"SunOrcal\""],"Sunless":["misp-galaxy:malpedia=\"Sunless\""],"SuppoBox":["misp-galaxy:malpedia=\"SuppoBox\""],"Bayrob":["misp-galaxy:malpedia=\"SuppoBox\""],"Nivdort":["misp-galaxy:malpedia=\"SuppoBox\""],"SupremeBot":["misp-galaxy:malpedia=\"SupremeBot\""],"BlazeBot":["misp-galaxy:malpedia=\"SupremeBot\""],"Swift?":["misp-galaxy:malpedia=\"Swift?\""],"Sword":["misp-galaxy:malpedia=\"Sword\""],"SynAck":["misp-galaxy:malpedia=\"SynAck\"","misp-galaxy:mitre-malware=\"SynAck - S0242\"","misp-galaxy:ransomware=\"SynAck\""],"SynFlooder":["misp-galaxy:malpedia=\"SynFlooder\""],"SyncCrypt":["misp-galaxy:malpedia=\"SyncCrypt\"","misp-galaxy:ransomware=\"SyncCrypt\""],"Synth Loader":["misp-galaxy:malpedia=\"Synth Loader\""],"Sys10":["misp-galaxy:malpedia=\"Sys10\"","misp-galaxy:mitre-enterprise-attack-malware=\"Sys10 - S0060\"","misp-galaxy:mitre-malware=\"Sys10 - S0060\""],"SysGet":["misp-galaxy:malpedia=\"SysGet\""],"SysScan":["misp-galaxy:malpedia=\"SysScan\""],"Syscon":["misp-galaxy:malpedia=\"Syscon\""],"Sysraw Stealer":["misp-galaxy:malpedia=\"Sysraw Stealer\""],"Clipsa":["misp-galaxy:malpedia=\"Sysraw Stealer\""],"Szribi":["misp-galaxy:malpedia=\"Szribi\""],"TDTESS":["misp-galaxy:malpedia=\"TDTESS\"","misp-galaxy:mitre-enterprise-attack-malware=\"TDTESS - S0164\"","misp-galaxy:mitre-malware=\"TDTESS - S0164\""],"TURNEDUP":["misp-galaxy:malpedia=\"TURNEDUP\"","misp-galaxy:mitre-enterprise-attack-malware=\"TURNEDUP - S0199\"","misp-galaxy:mitre-malware=\"TURNEDUP - S0199\""],"TabMsgSQL":["misp-galaxy:malpedia=\"TabMsgSQL\""],"TalentRAT":["misp-galaxy:malpedia=\"TalentRAT\""],"Assassin RAT":["misp-galaxy:malpedia=\"TalentRAT\""],"Taleret":["misp-galaxy:malpedia=\"Taleret\""],"Tandfuy":["misp-galaxy:malpedia=\"Tandfuy\""],"Tapaoux":["misp-galaxy:malpedia=\"Tapaoux\"","misp-galaxy:threat-actor=\"DarkHotel\""],"Tarsip":["misp-galaxy:malpedia=\"Tarsip\""],"Tater PrivEsc":["misp-galaxy:malpedia=\"Tater PrivEsc\""],"TeamBot":["misp-galaxy:malpedia=\"TeamBot\""],"FINTEAM":["misp-galaxy:malpedia=\"TeamBot\""],"TefoSteal":["misp-galaxy:malpedia=\"TefoSteal\""],"TeleBot":["misp-galaxy:malpedia=\"TeleBot\""],"TeleDoor":["misp-galaxy:malpedia=\"TeleDoor\""],"TeleRAT":["misp-galaxy:malpedia=\"TeleRAT\""],"Tempedreve":["misp-galaxy:malpedia=\"Tempedreve\""],"TemptingCedar Spyware":["misp-galaxy:malpedia=\"TemptingCedar Spyware\""],"Terminator RAT":["misp-galaxy:malpedia=\"Terminator RAT\""],"Fakem RAT":["misp-galaxy:malpedia=\"Terminator RAT\"","misp-galaxy:tool=\"Fakem RAT\""],"Termite":["misp-galaxy:malpedia=\"Termite\""],"TeslaCrypt":["misp-galaxy:malpedia=\"TeslaCrypt\""],"cryptesla":["misp-galaxy:malpedia=\"TeslaCrypt\""],"Thanatos Ransomware":["misp-galaxy:malpedia=\"Thanatos Ransomware\""],"Thanatos":["misp-galaxy:malpedia=\"Thanatos\"","misp-galaxy:ransomware=\"Thanatos\""],"Alphabot":["misp-galaxy:malpedia=\"Thanatos\""],"ThreeByte":["misp-galaxy:malpedia=\"ThreeByte\""],"ThumbThief":["misp-galaxy:malpedia=\"ThumbThief\""],"ThunderShell":["misp-galaxy:malpedia=\"ThunderShell\""],"Thunker":["misp-galaxy:malpedia=\"Thunker\""],"Tidepool":["misp-galaxy:malpedia=\"Tidepool\""],"Illi":["misp-galaxy:malpedia=\"Tinba\""],"TinyLoader":["misp-galaxy:malpedia=\"TinyLoader\""],"TinyMet":["misp-galaxy:malpedia=\"TinyMet\""],"TiniMet":["misp-galaxy:malpedia=\"TinyMet\""],"TinyTyphon":["misp-galaxy:malpedia=\"TinyTyphon\"","misp-galaxy:tool=\"TinyTyphon\""],"TinyZ":["misp-galaxy:malpedia=\"TinyZ\""],"Catelites Android Bot":["misp-galaxy:malpedia=\"TinyZ\""],"MarsElite Android Bot":["misp-galaxy:malpedia=\"TinyZ\""],"TinyZbot":["misp-galaxy:malpedia=\"TinyZbot\""],"Tiop":["misp-galaxy:malpedia=\"Tiop\""],"Titan":["misp-galaxy:malpedia=\"Titan\""],"TorrentLocker":["misp-galaxy:malpedia=\"TorrentLocker\"","misp-galaxy:ransomware=\"TorrentLocker\""],"TreasureHunter":["misp-galaxy:malpedia=\"TreasureHunter\""],"huntpos":["misp-galaxy:malpedia=\"TreasureHunter\""],"Triada":["misp-galaxy:malpedia=\"Triada\""],"TrickBot":["misp-galaxy:malpedia=\"TrickBot\"","misp-galaxy:mitre-malware=\"TrickBot - S0266\"","misp-galaxy:tool=\"Trick Bot\""],"TheTrick":["misp-galaxy:malpedia=\"TrickBot\""],"TrickLoader":["misp-galaxy:malpedia=\"TrickBot\"","misp-galaxy:tool=\"Trick Bot\""],"Triton":["misp-galaxy:malpedia=\"Triton\""],"HatMan":["misp-galaxy:malpedia=\"Triton\""],"Trisis":["misp-galaxy:malpedia=\"Triton\""],"Trochilus RAT":["misp-galaxy:malpedia=\"Trochilus RAT\""],"Troldesh":["misp-galaxy:malpedia=\"Troldesh\""],"Shade":["misp-galaxy:malpedia=\"Troldesh\""],"Trump Bot":["misp-galaxy:malpedia=\"Trump Bot\""],"Trump Ransom":["misp-galaxy:malpedia=\"Trump Ransom\""],"Tsifiri":["misp-galaxy:malpedia=\"Tsifiri\""],"Tsunami (ELF)":["misp-galaxy:malpedia=\"Tsunami (ELF)\""],"Amnesia":["misp-galaxy:malpedia=\"Tsunami (ELF)\"","misp-galaxy:malpedia=\"Tsunami\""],"Radiation":["misp-galaxy:malpedia=\"Tsunami (ELF)\"","misp-galaxy:malpedia=\"Tsunami\""],"Tsunami (OS X)":["misp-galaxy:malpedia=\"Tsunami (OS X)\""],"Tsunami":["misp-galaxy:malpedia=\"Tsunami\""],"Turla RAT":["misp-galaxy:malpedia=\"Turla RAT\""],"TwoFace":["misp-galaxy:malpedia=\"TwoFace\"","misp-galaxy:tool=\"TwoFace\""],"HyperShell":["misp-galaxy:malpedia=\"TwoFace\""],"Tyupkin":["misp-galaxy:malpedia=\"Tyupkin\""],"UACMe":["misp-galaxy:malpedia=\"UACMe\"","misp-galaxy:mitre-enterprise-attack-tool=\"UACMe - S0116\"","misp-galaxy:mitre-tool=\"UACMe - S0116\""],"Akagi":["misp-galaxy:malpedia=\"UACMe\""],"UDPoS":["misp-galaxy:malpedia=\"UDPoS\""],"UFR Stealer":["misp-galaxy:malpedia=\"UFR Stealer\""],"Usteal":["misp-galaxy:malpedia=\"UFR Stealer\""],"UPAS":["misp-galaxy:malpedia=\"UPAS\""],"Rombrast":["misp-galaxy:malpedia=\"UPAS\""],"Uiwix":["misp-galaxy:malpedia=\"Uiwix\""],"Umbreon":["misp-galaxy:malpedia=\"Umbreon\"","misp-galaxy:mitre-enterprise-attack-malware=\"Umbreon - S0221\"","misp-galaxy:mitre-malware=\"Umbreon - S0221\"","misp-galaxy:tool=\"Umbreon\""],"Espeon":["misp-galaxy:malpedia=\"Umbreon\""],"Unidentified 001":["misp-galaxy:malpedia=\"Unidentified 001\""],"Unidentified 003":["misp-galaxy:malpedia=\"Unidentified 003\""],"Unidentified 006":["misp-galaxy:malpedia=\"Unidentified 006\""],"Unidentified 013 (Korean)":["misp-galaxy:malpedia=\"Unidentified 013 (Korean)\""],"Unidentified 020 (Vault7)":["misp-galaxy:malpedia=\"Unidentified 020 (Vault7)\""],"Unidentified 022 (Ransom)":["misp-galaxy:malpedia=\"Unidentified 022 (Ransom)\""],"Unidentified 023":["misp-galaxy:malpedia=\"Unidentified 023\""],"Unidentified 024 (Ransomware)":["misp-galaxy:malpedia=\"Unidentified 024 (Ransomware)\""],"Unidentified 025 (Clickfraud)":["misp-galaxy:malpedia=\"Unidentified 025 (Clickfraud)\""],"Unidentified 028":["misp-galaxy:malpedia=\"Unidentified 028\""],"Unidentified 029":["misp-galaxy:malpedia=\"Unidentified 029\""],"Unidentified 031":["misp-galaxy:malpedia=\"Unidentified 031\""],"Unidentified 032":["misp-galaxy:malpedia=\"Unidentified 032\""],"Unidentified 033":["misp-galaxy:malpedia=\"Unidentified 033\""],"Unidentified 035":["misp-galaxy:malpedia=\"Unidentified 035\""],"Unidentified 037":["misp-galaxy:malpedia=\"Unidentified 037\""],"Unidentified 038":["misp-galaxy:malpedia=\"Unidentified 038\""],"Unidentified 039":["misp-galaxy:malpedia=\"Unidentified 039\""],"Unidentified 041":["misp-galaxy:malpedia=\"Unidentified 041\""],"Unidentified 042":["misp-galaxy:malpedia=\"Unidentified 042\""],"Unidentified 044":["misp-galaxy:malpedia=\"Unidentified 044\""],"Unidentified 045":["misp-galaxy:malpedia=\"Unidentified 045\""],"Unidentified 046":["misp-galaxy:malpedia=\"Unidentified 046\""],"Unidentified 047":["misp-galaxy:malpedia=\"Unidentified 047\""],"Unidentified 048 (Lazarus?)":["misp-galaxy:malpedia=\"Unidentified 048 (Lazarus?)\""],"Unidentified 049 (Lazarus\/RAT)":["misp-galaxy:malpedia=\"Unidentified 049 (Lazarus\/RAT)\""],"Unidentified 050 (APT32 Profiler)":["misp-galaxy:malpedia=\"Unidentified 050 (APT32 Profiler)\""],"Unidentified 051":["misp-galaxy:malpedia=\"Unidentified 051\""],"Unidentified 052":["misp-galaxy:malpedia=\"Unidentified 052\""],"Unidentified 053 (Wonknu?)":["misp-galaxy:malpedia=\"Unidentified 053 (Wonknu?)\""],"Unidentified 055":["misp-galaxy:malpedia=\"Unidentified 055\""],"Unidentified 057":["misp-galaxy:malpedia=\"Unidentified 057\""],"Unidentified 058":["misp-galaxy:malpedia=\"Unidentified 058\""],"Unidentified APK 001":["misp-galaxy:malpedia=\"Unidentified APK 001\""],"Unidentified APK 002":["misp-galaxy:malpedia=\"Unidentified APK 002\""],"Unidentified ASP 001 (Webshell)":["misp-galaxy:malpedia=\"Unidentified ASP 001 (Webshell)\""],"Unlock92":["misp-galaxy:malpedia=\"Unlock92\""],"Upatre":["misp-galaxy:malpedia=\"Upatre\"","misp-galaxy:tool=\"Upatre\""],"Urausy":["misp-galaxy:malpedia=\"Urausy\""],"UrlZone":["misp-galaxy:malpedia=\"UrlZone\""],"Uroburos (OS X)":["misp-galaxy:malpedia=\"Uroburos (OS X)\""],"Uroburos (Windows)":["misp-galaxy:malpedia=\"Uroburos (Windows)\""],"Snake":["misp-galaxy:malpedia=\"Uroburos (Windows)\"","misp-galaxy:mitre-intrusion-set=\"Turla - G0010\"","misp-galaxy:threat-actor=\"Turla Group\"","misp-galaxy:tool=\"Turla\""],"VMzeus":["misp-galaxy:malpedia=\"VM Zeus\""],"Zberp":["misp-galaxy:malpedia=\"VM Zeus\""],"ZeusVM":["misp-galaxy:malpedia=\"VM Zeus\""],"Catch":["misp-galaxy:malpedia=\"Vawtrak\""],"NeverQuest":["misp-galaxy:malpedia=\"Vawtrak\""],"grabnew":["misp-galaxy:malpedia=\"Vawtrak\""],"VegaLocker":["misp-galaxy:malpedia=\"VegaLocker\""],"Vega":["misp-galaxy:malpedia=\"VegaLocker\""],"Velso Ransomware":["misp-galaxy:malpedia=\"Velso Ransomware\""],"Venus Locker":["misp-galaxy:malpedia=\"Venus Locker\""],"Vermin":["misp-galaxy:malpedia=\"Vermin\""],"Vflooder":["misp-galaxy:malpedia=\"Vflooder\""],"Viper RAT":["misp-galaxy:malpedia=\"Viper RAT\""],"Vobfus":["misp-galaxy:malpedia=\"Vobfus\""],"Volgmer":["misp-galaxy:malpedia=\"Volgmer\"","misp-galaxy:mitre-enterprise-attack-malware=\"Volgmer - S0180\"","misp-galaxy:mitre-malware=\"Volgmer - S0180\"","misp-galaxy:tool=\"Volgmer\""],"FALLCHILL":["misp-galaxy:malpedia=\"Volgmer\"","misp-galaxy:mitre-enterprise-attack-malware=\"FALLCHILL - S0181\"","misp-galaxy:mitre-malware=\"FALLCHILL - S0181\"","misp-galaxy:rat=\"FALLCHILL\""],"Manuscrypt":["misp-galaxy:malpedia=\"Volgmer\""],"Vreikstadi":["misp-galaxy:malpedia=\"Vreikstadi\""],"WMI Ghost":["misp-galaxy:malpedia=\"WMI Ghost\""],"Syndicasec":["misp-galaxy:malpedia=\"WMI Ghost\""],"Wimmie":["misp-galaxy:malpedia=\"WMI Ghost\""],"WMImplant":["misp-galaxy:malpedia=\"WMImplant\""],"WSCSPL":["misp-galaxy:malpedia=\"WSCSPL\""],"WSO":["misp-galaxy:malpedia=\"WSO\""],"Webshell by Orb":["misp-galaxy:malpedia=\"WSO\""],"WallyShack":["misp-galaxy:malpedia=\"WallyShack\""],"WannaCryptor":["misp-galaxy:malpedia=\"WannaCryptor\""],"Wana Decrypt0r":["misp-galaxy:malpedia=\"WannaCryptor\""],"WannaCry":["misp-galaxy:malpedia=\"WannaCryptor\"","misp-galaxy:mitre-malware=\"WannaCry - S0366\"","misp-galaxy:ransomware=\"WannaCry\"","misp-galaxy:ransomware=\"WannaCry\""],"Wcry":["misp-galaxy:malpedia=\"WannaCryptor\""],"WaterMiner":["misp-galaxy:malpedia=\"WaterMiner\""],"WaterSpout":["misp-galaxy:malpedia=\"WaterSpout\""],"WebC2-AdSpace":["misp-galaxy:malpedia=\"WebC2-AdSpace\""],"WebC2-Ausov":["misp-galaxy:malpedia=\"WebC2-Ausov\""],"WebC2-Bolid":["misp-galaxy:malpedia=\"WebC2-Bolid\""],"WebC2-Cson":["misp-galaxy:malpedia=\"WebC2-Cson\""],"WebC2-DIV":["misp-galaxy:malpedia=\"WebC2-DIV\""],"WebC2-GreenCat":["misp-galaxy:malpedia=\"WebC2-GreenCat\""],"WebC2-Head":["misp-galaxy:malpedia=\"WebC2-Head\""],"WebC2-Kt3":["misp-galaxy:malpedia=\"WebC2-Kt3\""],"WebC2-Qbp":["misp-galaxy:malpedia=\"WebC2-Qbp\""],"WebC2-Rave":["misp-galaxy:malpedia=\"WebC2-Rave\""],"WebC2-Table":["misp-galaxy:malpedia=\"WebC2-Table\""],"WebC2-UGX":["misp-galaxy:malpedia=\"WebC2-UGX\""],"WebC2-Yahoo":["misp-galaxy:malpedia=\"WebC2-Yahoo\""],"WebMonitor RAT":["misp-galaxy:malpedia=\"WebMonitor RAT\""],"WildFire":["misp-galaxy:malpedia=\"WildFire\""],"WinMM":["misp-galaxy:malpedia=\"WinMM\"","misp-galaxy:mitre-enterprise-attack-malware=\"WinMM - S0059\"","misp-galaxy:mitre-malware=\"WinMM - S0059\""],"WinPot":["misp-galaxy:malpedia=\"WinPot\""],"ATMPot":["misp-galaxy:malpedia=\"WinPot\""],"WindTail":["misp-galaxy:malpedia=\"WindTail\""],"Winnti (OS X)":["misp-galaxy:malpedia=\"Winnti (OS X)\""],"Winnti (Windows)":["misp-galaxy:malpedia=\"Winnti (Windows)\""],"Winsloader":["misp-galaxy:malpedia=\"Winsloader\""],"Wipbot":["misp-galaxy:malpedia=\"Wipbot\"","misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\"","misp-galaxy:tool=\"Wipbot\""],"WireLurker (OS X)":["misp-galaxy:malpedia=\"WireLurker (OS X)\""],"WireLurker (iOS)":["misp-galaxy:malpedia=\"WireLurker (iOS)\""],"WireX":["misp-galaxy:malpedia=\"WireX\""],"Wirenet (ELF)":["misp-galaxy:malpedia=\"Wirenet (ELF)\""],"Wirenet (OS X)":["misp-galaxy:malpedia=\"Wirenet (OS X)\""],"WndTest":["misp-galaxy:malpedia=\"WndTest\""],"Wonknu":["misp-galaxy:malpedia=\"Wonknu\""],"Woolger":["misp-galaxy:malpedia=\"Woolger\""],"WoolenLogger":["misp-galaxy:malpedia=\"Woolger\""],"X-Agent (Android)":["misp-galaxy:malpedia=\"X-Agent (Android)\""],"Popr-d30":["misp-galaxy:malpedia=\"X-Agent (Android)\""],"X-Agent (ELF)":["misp-galaxy:malpedia=\"X-Agent (ELF)\""],"chopstick":["misp-galaxy:malpedia=\"X-Agent (ELF)\"","misp-galaxy:malpedia=\"X-Agent (Windows)\""],"fysbis":["misp-galaxy:malpedia=\"X-Agent (ELF)\""],"splm":["misp-galaxy:malpedia=\"X-Agent (ELF)\"","misp-galaxy:malpedia=\"X-Agent (Windows)\""],"X-Agent (OS X)":["misp-galaxy:malpedia=\"X-Agent (OS X)\""],"X-Agent (Windows)":["misp-galaxy:malpedia=\"X-Agent (Windows)\""],"X-Tunnel (.NET)":["misp-galaxy:malpedia=\"X-Tunnel (.NET)\""],"X-Tunnel":["misp-galaxy:malpedia=\"X-Tunnel\"","misp-galaxy:mitre-enterprise-attack-malware=\"XTunnel - S0117\"","misp-galaxy:mitre-malware=\"XTunnel - S0117\"","misp-galaxy:tool=\"X-Tunnel\""],"xaps":["misp-galaxy:malpedia=\"X-Tunnel\""],"XBTL":["misp-galaxy:malpedia=\"XBTL\""],"XBot POS":["misp-galaxy:malpedia=\"XBot POS\""],"XLoader":["misp-galaxy:malpedia=\"XLoader\"","misp-galaxy:mitre-malware=\"XLoader - S0318\""],"XOR DDoS":["misp-galaxy:malpedia=\"XOR DDoS\""],"XP PrivEsc (CVE-2014-4076)":["misp-galaxy:malpedia=\"XP PrivEsc (CVE-2014-4076)\""],"XPCTRA":["misp-galaxy:malpedia=\"XPCTRA\""],"Expectra":["misp-galaxy:malpedia=\"XPCTRA\""],"XRat":["misp-galaxy:malpedia=\"XRat\""],"XSLCmd":["misp-galaxy:malpedia=\"XSLCmd\""],"Xaynnalc":["misp-galaxy:malpedia=\"Xaynnalc\""],"Xbash":["misp-galaxy:malpedia=\"Xbash\"","misp-galaxy:mitre-malware=\"Xbash - S0341\"","misp-galaxy:tool=\"Xbash\""],"Xpan":["misp-galaxy:malpedia=\"Xpan\""],"Xtreme RAT":["misp-galaxy:malpedia=\"Xtreme RAT\""],"ExtRat":["misp-galaxy:malpedia=\"Xtreme RAT\""],"Xwo":["misp-galaxy:malpedia=\"Xwo\""],"Yahoyah":["misp-galaxy:malpedia=\"Yahoyah\"","misp-galaxy:tool=\"Yahoyah\""],"YellYouth":["misp-galaxy:malpedia=\"YellYouth\""],"Yort":["misp-galaxy:malpedia=\"Yort\""],"YoungLotus":["misp-galaxy:malpedia=\"YoungLotus\""],"DarkShare":["misp-galaxy:malpedia=\"YoungLotus\""],"ZXShell":["misp-galaxy:malpedia=\"ZXShell\"","misp-galaxy:tool=\"ZXShell\""],"Sensocode":["misp-galaxy:malpedia=\"ZXShell\""],"Zebrocy (AutoIT)":["misp-galaxy:malpedia=\"Zebrocy (AutoIT)\""],"Zebrocy":["misp-galaxy:malpedia=\"Zebrocy\"","misp-galaxy:mitre-malware=\"Zebrocy - S0251\"","misp-galaxy:tool=\"Zebrocy\""],"Zekapab":["misp-galaxy:malpedia=\"Zebrocy\"","misp-galaxy:tool=\"Zebrocy\""],"Zedhou":["misp-galaxy:malpedia=\"Zedhou\""],"Zen":["misp-galaxy:malpedia=\"Zen\""],"ZeroAccess":["misp-galaxy:malpedia=\"ZeroAccess\""],"Max++":["misp-galaxy:malpedia=\"ZeroAccess\""],"Sirefef":["misp-galaxy:malpedia=\"ZeroAccess\"","misp-galaxy:tool=\"Sirefef\""],"Smiscer":["misp-galaxy:malpedia=\"ZeroAccess\""],"ZeroEvil":["misp-galaxy:malpedia=\"ZeroEvil\""],"ZeroT":["misp-galaxy:malpedia=\"ZeroT\"","misp-galaxy:mitre-enterprise-attack-malware=\"ZeroT - S0230\"","misp-galaxy:mitre-malware=\"ZeroT - S0230\"","misp-galaxy:tool=\"ZeroT\""],"Zeus MailSniffer":["misp-galaxy:malpedia=\"Zeus MailSniffer\""],"Zeus OpenSSL":["misp-galaxy:malpedia=\"Zeus OpenSSL\""],"XSphinx":["misp-galaxy:malpedia=\"Zeus OpenSSL\""],"Zezin":["misp-galaxy:malpedia=\"Zezin\""],"ZhCat":["misp-galaxy:malpedia=\"ZhCat\""],"ZhMimikatz":["misp-galaxy:malpedia=\"ZhMimikatz\""],"Zloader":["misp-galaxy:malpedia=\"Zloader\""],"DELoader":["misp-galaxy:malpedia=\"Zloader\""],"Terdot":["misp-galaxy:malpedia=\"Zloader\""],"Zollard":["misp-galaxy:malpedia=\"Zollard\""],"darlloz":["misp-galaxy:malpedia=\"Zollard\""],"ZooPark":["misp-galaxy:malpedia=\"ZooPark\"","misp-galaxy:threat-actor=\"ZooPark\""],"ZoxPNG":["misp-galaxy:malpedia=\"ZoxPNG\""],"gresim":["misp-galaxy:malpedia=\"ZoxPNG\""],"Ztorg":["misp-galaxy:malpedia=\"Ztorg\""],"Qysly":["misp-galaxy:malpedia=\"Ztorg\""],"Zyklon":["misp-galaxy:malpedia=\"Zyklon\"","misp-galaxy:ransomware=\"Zyklon\""],"abantes":["misp-galaxy:malpedia=\"abantes\""],"backspace":["misp-galaxy:malpedia=\"backspace\""],"badflick":["misp-galaxy:malpedia=\"badflick\""],"bangat":["misp-galaxy:malpedia=\"bangat\""],"beendoor":["misp-galaxy:malpedia=\"beendoor\""],"c0d0so0":["misp-galaxy:malpedia=\"c0d0so0\""],"concealment_troy":["misp-galaxy:malpedia=\"concealment_troy\""],"elf.vpnfilter":["misp-galaxy:malpedia=\"elf.vpnfilter\""],"elf.wellmess":["misp-galaxy:malpedia=\"elf.wellmess\""],"ext4":["misp-galaxy:malpedia=\"ext4\""],"gamapos":["misp-galaxy:malpedia=\"gamapos\""],"pios":["misp-galaxy:malpedia=\"gamapos\""],"gcman":["misp-galaxy:malpedia=\"gcman\""],"gsecdump":["misp-galaxy:malpedia=\"gsecdump\"","misp-galaxy:mitre-enterprise-attack-tool=\"gsecdump - S0008\"","misp-galaxy:mitre-tool=\"gsecdump - S0008\""],"himan":["misp-galaxy:malpedia=\"himan\""],"homefry":["misp-galaxy:malpedia=\"homefry\""],"htpRAT":["misp-galaxy:malpedia=\"htpRAT\"","misp-galaxy:rat=\"htpRAT\""],"http_troy":["misp-galaxy:malpedia=\"http_troy\""],"httpdropper":["misp-galaxy:malpedia=\"httpdropper\""],"httpdr0pper":["misp-galaxy:malpedia=\"httpdropper\""],"iMuler":["misp-galaxy:malpedia=\"iMuler\""],"Revir":["misp-galaxy:malpedia=\"iMuler\""],"iSpy Keylogger":["misp-galaxy:malpedia=\"iSpy Keylogger\""],"jRAT":["misp-galaxy:malpedia=\"jRAT\"","misp-galaxy:mitre-malware=\"jRAT - S0283\"","misp-galaxy:rat=\"jRAT\""],"Jacksbot":["misp-galaxy:malpedia=\"jRAT\""],"jSpy":["misp-galaxy:malpedia=\"jSpy\"","misp-galaxy:rat=\"jSpy\""],"magecart":["misp-galaxy:malpedia=\"magecart\""],"mozart":["misp-galaxy:malpedia=\"mozart\""],"murkytop":["misp-galaxy:malpedia=\"murkytop\""],"nRansom":["misp-galaxy:malpedia=\"nRansom\""],"nitlove":["misp-galaxy:malpedia=\"nitlove\""],"owaauth":["misp-galaxy:malpedia=\"owaauth\""],"luckyowa":["misp-galaxy:malpedia=\"owaauth\""],"paladin":["misp-galaxy:malpedia=\"paladin\""],"parasite_http":["misp-galaxy:malpedia=\"parasite_http\""],"pgift":["misp-galaxy:malpedia=\"pgift\""],"ReRol":["misp-galaxy:malpedia=\"pgift\""],"pipcreat":["misp-galaxy:malpedia=\"pipcreat\""],"pirpi":["misp-galaxy:malpedia=\"pirpi\""],"playwork":["misp-galaxy:malpedia=\"playwork\""],"ployx":["misp-galaxy:malpedia=\"ployx\""],"pngdowner":["misp-galaxy:malpedia=\"pngdowner\"","misp-galaxy:mitre-enterprise-attack-malware=\"pngdowner - S0067\"","misp-galaxy:mitre-malware=\"pngdowner - S0067\""],"portless":["misp-galaxy:malpedia=\"portless\""],"poscardstealer":["misp-galaxy:malpedia=\"poscardstealer\""],"powerkatz":["misp-galaxy:malpedia=\"powerkatz\""],"prb_backdoor":["misp-galaxy:malpedia=\"prb_backdoor\""],"pupy (ELF)":["misp-galaxy:malpedia=\"pupy (ELF)\""],"pupy (Python)":["misp-galaxy:malpedia=\"pupy (Python)\""],"pupy (Windows)":["misp-galaxy:malpedia=\"pupy (Windows)\""],"pupy":["misp-galaxy:malpedia=\"pupy\""],"pwnpos":["misp-galaxy:malpedia=\"pwnpos\""],"r2r2":["misp-galaxy:malpedia=\"r2r2\""],"r980":["misp-galaxy:malpedia=\"r980\""],"rarstar":["misp-galaxy:malpedia=\"rarstar\""],"rdasrv":["misp-galaxy:malpedia=\"rdasrv\""],"reGeorg":["misp-galaxy:malpedia=\"reGeorg\"","misp-galaxy:tool=\"reGeorg\""],"rock":["misp-galaxy:malpedia=\"rock\""],"yellowalbatross":["misp-galaxy:malpedia=\"rock\""],"rtpos":["misp-galaxy:malpedia=\"rtpos\""],"running_rat":["misp-galaxy:malpedia=\"running_rat\""],"sLoad":["misp-galaxy:malpedia=\"sLoad\""],"scanbox":["misp-galaxy:malpedia=\"scanbox\""],"shadowhammer":["misp-galaxy:malpedia=\"shadowhammer\""],"shareip":["misp-galaxy:malpedia=\"shareip\""],"remotecmd":["misp-galaxy:malpedia=\"shareip\""],"smac":["misp-galaxy:malpedia=\"smac\""],"speccom":["misp-galaxy:malpedia=\"smac\""],"soraya":["misp-galaxy:malpedia=\"soraya\""],"sykipot":["misp-galaxy:malpedia=\"sykipot\""],"getkys":["misp-galaxy:malpedia=\"sykipot\""],"systemd":["misp-galaxy:malpedia=\"systemd\""],"tDiscoverer":["misp-galaxy:malpedia=\"tDiscoverer\""],"tRat":["misp-galaxy:malpedia=\"tRat\""],"taidoor":["misp-galaxy:malpedia=\"taidoor\""],"simbot":["misp-galaxy:malpedia=\"taidoor\""],"vSkimmer":["misp-galaxy:malpedia=\"vSkimmer\""],"vidar":["misp-galaxy:malpedia=\"vidar\""],"virdetdoor":["misp-galaxy:malpedia=\"virdetdoor\""],"w32times":["misp-galaxy:malpedia=\"w32times\""],"win.spynet_rat":["misp-galaxy:malpedia=\"win.spynet_rat\""],"win.unidentified_005":["misp-galaxy:malpedia=\"win.unidentified_005\""],"witchcoven":["misp-galaxy:malpedia=\"witchcoven\""],"woody":["misp-galaxy:malpedia=\"woody\""],"xsPlus":["misp-galaxy:malpedia=\"xsPlus\""],"nokian":["misp-galaxy:malpedia=\"xsPlus\""],"xxmm":["misp-galaxy:malpedia=\"xxmm\""],"ShadowWalker":["misp-galaxy:malpedia=\"xxmm\""],"yayih":["misp-galaxy:malpedia=\"yayih\""],"aumlib":["misp-galaxy:malpedia=\"yayih\""],"bbsinfo":["misp-galaxy:malpedia=\"yayih\""],"yty":["misp-galaxy:malpedia=\"yty\"","misp-galaxy:mitre-malware=\"yty - S0248\""],"BARIUM":["misp-galaxy:microsoft-activity-group=\"BARIUM\""],"DUBNIUM":["misp-galaxy:microsoft-activity-group=\"DUBNIUM\"","misp-galaxy:threat-actor=\"DarkHotel\""],"darkhotel":["misp-galaxy:microsoft-activity-group=\"DUBNIUM\""],"LEAD":["misp-galaxy:microsoft-activity-group=\"LEAD\""],"NEODYMIUM":["misp-galaxy:microsoft-activity-group=\"NEODYMIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"NEODYMIUM - G0055\"","misp-galaxy:mitre-intrusion-set=\"NEODYMIUM - G0055\"","misp-galaxy:threat-actor=\"NEODYMIUM\""],"PLATINUM":["misp-galaxy:microsoft-activity-group=\"PLATINUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PLATINUM - G0068\"","misp-galaxy:mitre-intrusion-set=\"PLATINUM - G0068\"","misp-galaxy:threat-actor=\"PLATINUM\""],"PROMETHIUM":["misp-galaxy:microsoft-activity-group=\"PROMETHIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PROMETHIUM - G0056\"","misp-galaxy:mitre-intrusion-set=\"PROMETHIUM - G0056\"","misp-galaxy:threat-actor=\"PROMETHIUM\""],"STRONTIUM":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"APT 28":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:threat-actor=\"Sofacy\""],"APT28":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Pawn Storm":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Fancy Bear":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Sednit":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\"","misp-galaxy:tool=\"GAMEFISH\""],"TsarTeam":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:threat-actor=\"Sofacy\""],"TG-4127":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Group-4127":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\"","misp-galaxy:threat-actor=\"Sofacy\""],"Grey-Cloud":["misp-galaxy:microsoft-activity-group=\"STRONTIUM\""],"TERBIUM":["misp-galaxy:microsoft-activity-group=\"TERBIUM\"","misp-galaxy:threat-actor=\"TERBIUM\""],"ZIRCONIUM":["misp-galaxy:microsoft-activity-group=\"ZIRCONIUM\"","misp-galaxy:threat-actor=\"APT31\""],"https:\/\/www.cfr.org\/interactive\/cyber-operations\/mythic-leopard":["misp-galaxy:microsoft-activity-group=\"https:\/\/www.cfr.org\/interactive\/cyber-operations\/mythic-leopard\""],"C-Major":["misp-galaxy:microsoft-activity-group=\"https:\/\/www.cfr.org\/interactive\/cyber-operations\/mythic-leopard\"","misp-galaxy:threat-actor=\"Operation C-Major\""],"Transparent Tribe":["misp-galaxy:microsoft-activity-group=\"https:\/\/www.cfr.org\/interactive\/cyber-operations\/mythic-leopard\"","misp-galaxy:threat-actor=\"Operation C-Major\""],".bash_profile and .bashrc - T1156":["misp-galaxy:mitre-attack-pattern=\".bash_profile and .bashrc - T1156\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\".bash_profile and .bashrc - T1156\""],"Abuse Accessibility Features - T1453":["misp-galaxy:mitre-attack-pattern=\"Abuse Accessibility Features - T1453\""],"Abuse Device Administrator Access to Prevent Removal - T1401":["misp-galaxy:mitre-attack-pattern=\"Abuse Device Administrator Access to Prevent Removal - T1401\""],"Abuse of iOS Enterprise App Signing Key - T1445":["misp-galaxy:mitre-attack-pattern=\"Abuse of iOS Enterprise App Signing Key - T1445\""],"Access Calendar Entries - T1435":["misp-galaxy:mitre-attack-pattern=\"Access Calendar Entries - T1435\""],"Access Call Log - T1433":["misp-galaxy:mitre-attack-pattern=\"Access Call Log - T1433\""],"Access Contact List - T1432":["misp-galaxy:mitre-attack-pattern=\"Access Contact List - T1432\""],"Access Sensitive Data in Device Logs - T1413":["misp-galaxy:mitre-attack-pattern=\"Access Sensitive Data in Device Logs - T1413\""],"Access Sensitive Data or Credentials in Files - T1409":["misp-galaxy:mitre-attack-pattern=\"Access Sensitive Data or Credentials in Files - T1409\""],"Access Token Manipulation - T1134":["misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Access Token Manipulation - T1134\""],"Accessibility Features - T1015":["misp-galaxy:mitre-attack-pattern=\"Accessibility Features - T1015\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Accessibility Features - T1015\""],"Account Discovery - T1087":["misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Discovery - T1087\""],"Account Manipulation - T1098":["misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Manipulation - T1098\""],"Acquire OSINT data sets and information - T1247":["misp-galaxy:mitre-attack-pattern=\"Acquire OSINT data sets and information - T1247\""],"Acquire OSINT data sets and information - T1266":["misp-galaxy:mitre-attack-pattern=\"Acquire OSINT data sets and information - T1266\""],"Acquire OSINT data sets and information - T1277":["misp-galaxy:mitre-attack-pattern=\"Acquire OSINT data sets and information - T1277\""],"Acquire and\/or use 3rd party infrastructure services - T1307":["misp-galaxy:mitre-attack-pattern=\"Acquire and\/or use 3rd party infrastructure services - T1307\""],"Acquire and\/or use 3rd party infrastructure services - T1329":["misp-galaxy:mitre-attack-pattern=\"Acquire and\/or use 3rd party infrastructure services - T1329\""],"Acquire and\/or use 3rd party software services - T1308":["misp-galaxy:mitre-attack-pattern=\"Acquire and\/or use 3rd party software services - T1308\""],"Acquire and\/or use 3rd party software services - T1330":["misp-galaxy:mitre-attack-pattern=\"Acquire and\/or use 3rd party software services - T1330\""],"Acquire or compromise 3rd party signing certificates - T1310":["misp-galaxy:mitre-attack-pattern=\"Acquire or compromise 3rd party signing certificates - T1310\""],"Acquire or compromise 3rd party signing certificates - T1332":["misp-galaxy:mitre-attack-pattern=\"Acquire or compromise 3rd party signing certificates - T1332\""],"Aggregate individual's digital footprint - T1275":["misp-galaxy:mitre-attack-pattern=\"Aggregate individual's digital footprint - T1275\""],"Alternate Network Mediums - T1438":["misp-galaxy:mitre-attack-pattern=\"Alternate Network Mediums - T1438\""],"Analyze application security posture - T1293":["misp-galaxy:mitre-attack-pattern=\"Analyze application security posture - T1293\""],"Analyze architecture and configuration posture - T1288":["misp-galaxy:mitre-attack-pattern=\"Analyze architecture and configuration posture - T1288\""],"Analyze business processes - T1301":["misp-galaxy:mitre-attack-pattern=\"Analyze business processes - T1301\""],"Analyze data collected - T1287":["misp-galaxy:mitre-attack-pattern=\"Analyze data collected - T1287\""],"Analyze hardware\/software security defensive capabilities - T1294":["misp-galaxy:mitre-attack-pattern=\"Analyze hardware\/software security defensive capabilities - T1294\""],"Analyze organizational skillsets and deficiencies - T1289":["misp-galaxy:mitre-attack-pattern=\"Analyze organizational skillsets and deficiencies - T1289\""],"Analyze organizational skillsets and deficiencies - T1297":["misp-galaxy:mitre-attack-pattern=\"Analyze organizational skillsets and deficiencies - T1297\""],"Analyze organizational skillsets and deficiencies - T1300":["misp-galaxy:mitre-attack-pattern=\"Analyze organizational skillsets and deficiencies - T1300\""],"Analyze presence of outsourced capabilities - T1303":["misp-galaxy:mitre-attack-pattern=\"Analyze presence of outsourced capabilities - T1303\""],"Analyze social and business relationships, interests, and affiliations - T1295":["misp-galaxy:mitre-attack-pattern=\"Analyze social and business relationships, interests, and affiliations - T1295\""],"Android Intent Hijacking - T1416":["misp-galaxy:mitre-attack-pattern=\"Android Intent Hijacking - T1416\""],"Anonymity services - T1306":["misp-galaxy:mitre-attack-pattern=\"Anonymity services - T1306\""],"App Auto-Start at Device Boot - T1402":["misp-galaxy:mitre-attack-pattern=\"App Auto-Start at Device Boot - T1402\""],"App Delivered via Email Attachment - T1434":["misp-galaxy:mitre-attack-pattern=\"App Delivered via Email Attachment - T1434\""],"App Delivered via Web Download - T1431":["misp-galaxy:mitre-attack-pattern=\"App Delivered via Web Download - T1431\""],"AppCert DLLs - T1182":["misp-galaxy:mitre-attack-pattern=\"AppCert DLLs - T1182\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"AppCert DLLs - T1182\""],"AppInit DLLs - T1103":["misp-galaxy:mitre-attack-pattern=\"AppInit DLLs - T1103\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"AppInit DLLs - T1103\""],"AppleScript - T1155":["misp-galaxy:mitre-attack-pattern=\"AppleScript - T1155\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"AppleScript - T1155\""],"Application Deployment Software - T1017":["misp-galaxy:mitre-attack-pattern=\"Application Deployment Software - T1017\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Application Deployment Software - T1017\""],"Application Discovery - T1418":["misp-galaxy:mitre-attack-pattern=\"Application Discovery - T1418\""],"Application Shimming - T1138":["misp-galaxy:mitre-attack-pattern=\"Application Shimming - T1138\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Application Shimming - T1138\""],"Application Window Discovery - T1010":["misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Application Window Discovery - T1010\""],"Assess KITs\/KIQs benefits - T1229":["misp-galaxy:mitre-attack-pattern=\"Assess KITs\/KIQs benefits - T1229\""],"Assess current holdings, needs, and wants - T1236":["misp-galaxy:mitre-attack-pattern=\"Assess current holdings, needs, and wants - T1236\""],"Assess leadership areas of interest - T1224":["misp-galaxy:mitre-attack-pattern=\"Assess leadership areas of interest - T1224\""],"Assess opportunities created by business deals - T1299":["misp-galaxy:mitre-attack-pattern=\"Assess opportunities created by business deals - T1299\""],"Assess security posture of physical locations - T1302":["misp-galaxy:mitre-attack-pattern=\"Assess security posture of physical locations - T1302\""],"Assess targeting options - T1296":["misp-galaxy:mitre-attack-pattern=\"Assess targeting options - T1296\""],"Assess vulnerability of 3rd party vendors - T1298":["misp-galaxy:mitre-attack-pattern=\"Assess vulnerability of 3rd party vendors - T1298\""],"Assign KITs, KIQs, and\/or intelligence requirements - T1238":["misp-galaxy:mitre-attack-pattern=\"Assign KITs, KIQs, and\/or intelligence requirements - T1238\""],"Assign KITs\/KIQs into categories - T1228":["misp-galaxy:mitre-attack-pattern=\"Assign KITs\/KIQs into categories - T1228\""],"Attack PC via USB Connection - T1427":["misp-galaxy:mitre-attack-pattern=\"Attack PC via USB Connection - T1427\""],"Audio Capture - T1123":["misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Audio Capture - T1123\""],"Authentication Package - T1131":["misp-galaxy:mitre-attack-pattern=\"Authentication Package - T1131\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Authentication Package - T1131\""],"Authentication attempt - T1381":["misp-galaxy:mitre-attack-pattern=\"Authentication attempt - T1381\""],"Authorized user performs requested cyber action - T1386":["misp-galaxy:mitre-attack-pattern=\"Authorized user performs requested cyber action - T1386\""],"Automated Collection - T1119":["misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Collection - T1119\""],"Automated Exfiltration - T1020":["misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Exfiltration - T1020\""],"Automated system performs requested action - T1384":["misp-galaxy:mitre-attack-pattern=\"Automated system performs requested action - T1384\""],"BITS Jobs - T1197":["misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\""],"Bash History - T1139":["misp-galaxy:mitre-attack-pattern=\"Bash History - T1139\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Bash History - T1139\""],"Binary Padding - T1009":["misp-galaxy:mitre-attack-pattern=\"Binary Padding - T1009\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Binary Padding - T1009\""],"Biometric Spoofing - T1460":["misp-galaxy:mitre-attack-pattern=\"Biometric Spoofing - T1460\""],"Bootkit - T1067":["misp-galaxy:mitre-attack-pattern=\"Bootkit - T1067\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Bootkit - T1067\""],"Browser Bookmark Discovery - T1217":["misp-galaxy:mitre-attack-pattern=\"Browser Bookmark Discovery - T1217\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Browser Bookmark Discovery - T1217\""],"Browser Extensions - T1176":["misp-galaxy:mitre-attack-pattern=\"Browser Extensions - T1176\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Browser Extensions - T1176\""],"Brute Force - T1110":["misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Brute Force - T1110\""],"Build and configure delivery systems - T1347":["misp-galaxy:mitre-attack-pattern=\"Build and configure delivery systems - T1347\""],"Build or acquire exploits - T1349":["misp-galaxy:mitre-attack-pattern=\"Build or acquire exploits - T1349\""],"Build social network persona - T1341":["misp-galaxy:mitre-attack-pattern=\"Build social network persona - T1341\""],"Buy domain name - T1328":["misp-galaxy:mitre-attack-pattern=\"Buy domain name - T1328\""],"Bypass User Account Control - T1088":["misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Bypass User Account Control - T1088\""],"C2 protocol development - T1352":["misp-galaxy:mitre-attack-pattern=\"C2 protocol development - T1352\""],"CMSTP - T1191":["misp-galaxy:mitre-attack-pattern=\"CMSTP - T1191\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"CMSTP - T1191\""],"Capture Clipboard Data - T1414":["misp-galaxy:mitre-attack-pattern=\"Capture Clipboard Data - T1414\""],"Capture SMS Messages - T1412":["misp-galaxy:mitre-attack-pattern=\"Capture SMS Messages - T1412\""],"Change Default File Association - T1042":["misp-galaxy:mitre-attack-pattern=\"Change Default File Association - T1042\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Change Default File Association - T1042\""],"Choose pre-compromised mobile app developer account credentials or signing keys - T1391":["misp-galaxy:mitre-attack-pattern=\"Choose pre-compromised mobile app developer account credentials or signing keys - T1391\""],"Choose pre-compromised persona and affiliated accounts - T1343":["misp-galaxy:mitre-attack-pattern=\"Choose pre-compromised persona and affiliated accounts - T1343\""],"Clear Command History - T1146":["misp-galaxy:mitre-attack-pattern=\"Clear Command History - T1146\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Clear Command History - T1146\""],"Clipboard Data - T1115":["misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Clipboard Data - T1115\""],"Code Signing - T1116":["misp-galaxy:mitre-attack-pattern=\"Code Signing - T1116\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Code Signing - T1116\""],"Command-Line Interface - T1059":["misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Command-Line Interface - T1059\""],"Common, high volume protocols and software - T1321":["misp-galaxy:mitre-attack-pattern=\"Common, high volume protocols and software - T1321\""],"Commonly Used Port - T1043":["misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Commonly Used Port - T1043\""],"Commonly Used Port - T1436":["misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1436\""],"Communication Through Removable Media - T1092":["misp-galaxy:mitre-attack-pattern=\"Communication Through Removable Media - T1092\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Communication Through Removable Media - T1092\""],"Compile After Delivery - T1500":["misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1500\""],"Compiled HTML File - T1223":["misp-galaxy:mitre-attack-pattern=\"Compiled HTML File - T1223\""],"Component Firmware - T1109":["misp-galaxy:mitre-attack-pattern=\"Component Firmware - T1109\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Firmware - T1109\""],"Component Object Model Hijacking - T1122":["misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking - T1122\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Object Model Hijacking - T1122\""],"Compromise 3rd party infrastructure to support delivery - T1312":["misp-galaxy:mitre-attack-pattern=\"Compromise 3rd party infrastructure to support delivery - T1312\""],"Compromise 3rd party infrastructure to support delivery - T1334":["misp-galaxy:mitre-attack-pattern=\"Compromise 3rd party infrastructure to support delivery - T1334\""],"Compromise 3rd party or closed-source vulnerability\/exploit information - T1354":["misp-galaxy:mitre-attack-pattern=\"Compromise 3rd party or closed-source vulnerability\/exploit information - T1354\""],"Compromise of externally facing system - T1388":["misp-galaxy:mitre-attack-pattern=\"Compromise of externally facing system - T1388\""],"Conduct active scanning - T1254":["misp-galaxy:mitre-attack-pattern=\"Conduct active scanning - T1254\""],"Conduct cost\/benefit analysis - T1226":["misp-galaxy:mitre-attack-pattern=\"Conduct cost\/benefit analysis - T1226\""],"Conduct passive scanning - T1253":["misp-galaxy:mitre-attack-pattern=\"Conduct passive scanning - T1253\""],"Conduct social engineering - T1249":["misp-galaxy:mitre-attack-pattern=\"Conduct social engineering - T1249\""],"Conduct social engineering - T1268":["misp-galaxy:mitre-attack-pattern=\"Conduct social engineering - T1268\""],"Conduct social engineering - T1279":["misp-galaxy:mitre-attack-pattern=\"Conduct social engineering - T1279\""],"Conduct social engineering or HUMINT operation - T1376":["misp-galaxy:mitre-attack-pattern=\"Conduct social engineering or HUMINT operation - T1376\""],"Confirmation of launched compromise achieved - T1383":["misp-galaxy:mitre-attack-pattern=\"Confirmation of launched compromise achieved - T1383\""],"Connection Proxy - T1090":["misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Connection Proxy - T1090\""],"Control Panel Items - T1196":["misp-galaxy:mitre-attack-pattern=\"Control Panel Items - T1196\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Control Panel Items - T1196\""],"Create Account - T1136":["misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Create Account - T1136\""],"Create backup infrastructure - T1339":["misp-galaxy:mitre-attack-pattern=\"Create backup infrastructure - T1339\""],"Create custom payloads - T1345":["misp-galaxy:mitre-attack-pattern=\"Create custom payloads - T1345\""],"Create implementation plan - T1232":["misp-galaxy:mitre-attack-pattern=\"Create implementation plan - T1232\""],"Create infected removable media - T1355":["misp-galaxy:mitre-attack-pattern=\"Create infected removable media - T1355\""],"Create strategic plan - T1231":["misp-galaxy:mitre-attack-pattern=\"Create strategic plan - T1231\""],"Credential Dumping - T1003":["misp-galaxy:mitre-attack-pattern=\"Credential Dumping - T1003\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Credential Dumping - T1003\""],"Credential pharming - T1374":["misp-galaxy:mitre-attack-pattern=\"Credential pharming - T1374\""],"Credentials in Files - T1081":["misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Credentials in Files - T1081\""],"Credentials in Registry - T1214":["misp-galaxy:mitre-attack-pattern=\"Credentials in Registry - T1214\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Credentials in Registry - T1214\""],"Custom Command and Control Protocol - T1094":["misp-galaxy:mitre-attack-pattern=\"Custom Command and Control Protocol - T1094\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Custom Command and Control Protocol - T1094\""],"Custom Cryptographic Protocol - T1024":["misp-galaxy:mitre-attack-pattern=\"Custom Cryptographic Protocol - T1024\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Custom Cryptographic Protocol - T1024\""],"DCShadow - T1207":["misp-galaxy:mitre-attack-pattern=\"DCShadow - T1207\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DCShadow - T1207\""],"DLL Search Order Hijacking - T1038":["misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1038\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Search Order Hijacking - T1038\""],"DLL Side-Loading - T1073":["misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"DLL Side-Loading - T1073\""],"DNS poisoning - T1382":["misp-galaxy:mitre-attack-pattern=\"DNS poisoning - T1382\""],"DNSCalc - T1324":["misp-galaxy:mitre-attack-pattern=\"DNSCalc - T1324\""],"Data Compressed - T1002":["misp-galaxy:mitre-attack-pattern=\"Data Compressed - T1002\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Compressed - T1002\""],"Data Destruction - T1485":["misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\""],"Data Encoding - T1132":["misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encoding - T1132\""],"Data Encrypted - T1022":["misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encrypted - T1022\""],"Data Encrypted for Impact - T1486":["misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\""],"Data Hiding - T1320":["misp-galaxy:mitre-attack-pattern=\"Data Hiding - T1320\""],"Data Obfuscation - T1001":["misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Obfuscation - T1001\""],"Data Staged - T1074":["misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Staged - T1074\""],"Data Transfer Size Limits - T1030":["misp-galaxy:mitre-attack-pattern=\"Data Transfer Size Limits - T1030\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Transfer Size Limits - T1030\""],"Data from Information Repositories - T1213":["misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Information Repositories - T1213\""],"Data from Local System - T1005":["misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\""],"Data from Network Shared Drive - T1039":["misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Network Shared Drive - T1039\""],"Data from Removable Media - T1025":["misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Removable Media - T1025\""],"Defacement - T1491":["misp-galaxy:mitre-attack-pattern=\"Defacement - T1491\""],"Deliver Malicious App via Authorized App Store - T1475":["misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Authorized App Store - T1475\""],"Deliver Malicious App via Other Means - T1476":["misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Other Means - T1476\""],"Deobfuscate\/Decode Files or Information - T1140":["misp-galaxy:mitre-attack-pattern=\"Deobfuscate\/Decode Files or Information - T1140\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Deobfuscate\/Decode Files or Information - T1140\""],"Deploy exploit using advertising - T1380":["misp-galaxy:mitre-attack-pattern=\"Deploy exploit using advertising - T1380\""],"Derive intelligence requirements - T1230":["misp-galaxy:mitre-attack-pattern=\"Derive intelligence requirements - T1230\""],"Detect App Analysis Environment - T1440":["misp-galaxy:mitre-attack-pattern=\"Detect App Analysis Environment - T1440\""],"Determine 3rd party infrastructure services - T1260":["misp-galaxy:mitre-attack-pattern=\"Determine 3rd party infrastructure services - T1260\""],"Determine 3rd party infrastructure services - T1284":["misp-galaxy:mitre-attack-pattern=\"Determine 3rd party infrastructure services - T1284\""],"Determine approach\/attack vector - T1245":["misp-galaxy:mitre-attack-pattern=\"Determine approach\/attack vector - T1245\""],"Determine centralization of IT management - T1285":["misp-galaxy:mitre-attack-pattern=\"Determine centralization of IT management - T1285\""],"Determine domain and IP address space - T1250":["misp-galaxy:mitre-attack-pattern=\"Determine domain and IP address space - T1250\""],"Determine external network trust dependencies - T1259":["misp-galaxy:mitre-attack-pattern=\"Determine external network trust dependencies - T1259\""],"Determine firmware version - T1258":["misp-galaxy:mitre-attack-pattern=\"Determine firmware version - T1258\""],"Determine highest level tactical element - T1243":["misp-galaxy:mitre-attack-pattern=\"Determine highest level tactical element - T1243\""],"Determine operational element - T1242":["misp-galaxy:mitre-attack-pattern=\"Determine operational element - T1242\""],"Determine physical locations - T1282":["misp-galaxy:mitre-attack-pattern=\"Determine physical locations - T1282\""],"Determine secondary level tactical element - T1244":["misp-galaxy:mitre-attack-pattern=\"Determine secondary level tactical element - T1244\""],"Determine strategic target - T1241":["misp-galaxy:mitre-attack-pattern=\"Determine strategic target - T1241\""],"Develop KITs\/KIQs - T1227":["misp-galaxy:mitre-attack-pattern=\"Develop KITs\/KIQs - T1227\""],"Develop social network persona digital footprint - T1342":["misp-galaxy:mitre-attack-pattern=\"Develop social network persona digital footprint - T1342\""],"Device Type Discovery - T1419":["misp-galaxy:mitre-attack-pattern=\"Device Type Discovery - T1419\""],"Device Unlock Code Guessing or Brute Force - T1459":["misp-galaxy:mitre-attack-pattern=\"Device Unlock Code Guessing or Brute Force - T1459\""],"Disabling Security Tools - T1089":["misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Disabling Security Tools - T1089\""],"Discover new exploits and monitor exploit-provider forums - T1350":["misp-galaxy:mitre-attack-pattern=\"Discover new exploits and monitor exploit-provider forums - T1350\""],"Discover target logon\/email address format - T1255":["misp-galaxy:mitre-attack-pattern=\"Discover target logon\/email address format - T1255\""],"Disguise Root\/Jailbreak Indicators - T1408":["misp-galaxy:mitre-attack-pattern=\"Disguise Root\/Jailbreak Indicators - T1408\""],"Disk Content Wipe - T1488":["misp-galaxy:mitre-attack-pattern=\"Disk Content Wipe - T1488\""],"Disk Structure Wipe - T1487":["misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1487\""],"Disseminate removable media - T1379":["misp-galaxy:mitre-attack-pattern=\"Disseminate removable media - T1379\""],"Distribute malicious software development tools - T1394":["misp-galaxy:mitre-attack-pattern=\"Distribute malicious software development tools - T1394\""],"Distributed Component Object Model - T1175":["misp-galaxy:mitre-attack-pattern=\"Distributed Component Object Model - T1175\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Distributed Component Object Model - T1175\""],"Domain Fronting - T1172":["misp-galaxy:mitre-attack-pattern=\"Domain Fronting - T1172\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Domain Fronting - T1172\""],"Domain Generation Algorithms (DGA) - T1323":["misp-galaxy:mitre-attack-pattern=\"Domain Generation Algorithms (DGA) - T1323\""],"Domain Generation Algorithms - T1483":["misp-galaxy:mitre-attack-pattern=\"Domain Generation Algorithms - T1483\""],"Domain Trust Discovery - T1482":["misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\""],"Domain registration hijacking - T1326":["misp-galaxy:mitre-attack-pattern=\"Domain registration hijacking - T1326\""],"Downgrade to Insecure Protocols - T1466":["misp-galaxy:mitre-attack-pattern=\"Downgrade to Insecure Protocols - T1466\""],"Download New Code at Runtime - T1407":["misp-galaxy:mitre-attack-pattern=\"Download New Code at Runtime - T1407\""],"Drive-by Compromise - T1189":["misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Drive-by Compromise - T1189\""],"Drive-by Compromise - T1456":["misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1456\""],"Dumpster dive - T1286":["misp-galaxy:mitre-attack-pattern=\"Dumpster dive - T1286\""],"Dylib Hijacking - T1157":["misp-galaxy:mitre-attack-pattern=\"Dylib Hijacking - T1157\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Dylib Hijacking - T1157\""],"Dynamic DNS - T1311":["misp-galaxy:mitre-attack-pattern=\"Dynamic DNS - T1311\""],"Dynamic DNS - T1333":["misp-galaxy:mitre-attack-pattern=\"Dynamic DNS - T1333\""],"Dynamic Data Exchange - T1173":["misp-galaxy:mitre-attack-pattern=\"Dynamic Data Exchange - T1173\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Dynamic Data Exchange - T1173\""],"Eavesdrop on Insecure Network Communication - T1439":["misp-galaxy:mitre-attack-pattern=\"Eavesdrop on Insecure Network Communication - T1439\""],"Email Collection - T1114":["misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\""],"Encrypt Files - T1471":["misp-galaxy:mitre-attack-pattern=\"Encrypt Files - T1471\""],"Encrypt Files for Ransom - T1471":["misp-galaxy:mitre-attack-pattern=\"Encrypt Files for Ransom - T1471\""],"Endpoint Denial of Service - T1499":["misp-galaxy:mitre-attack-pattern=\"Endpoint Denial of Service - T1499\""],"Enumerate client configurations - T1262":["misp-galaxy:mitre-attack-pattern=\"Enumerate client configurations - T1262\""],"Enumerate externally facing software applications technologies, languages, and dependencies - T1261":["misp-galaxy:mitre-attack-pattern=\"Enumerate externally facing software applications technologies, languages, and dependencies - T1261\""],"Execution Guardrails - T1480":["misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\""],"Execution through API - T1106":["misp-galaxy:mitre-attack-pattern=\"Execution through API - T1106\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Execution through API - T1106\""],"Execution through Module Load - T1129":["misp-galaxy:mitre-attack-pattern=\"Execution through Module Load - T1129\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Execution through Module Load - T1129\""],"Exfiltration Over Alternative Protocol - T1048":["misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\""],"Exfiltration Over Command and Control Channel - T1041":["misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""],"Exfiltration Over Other Network Medium - T1011":["misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Other Network Medium - T1011\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Other Network Medium - T1011\""],"Exfiltration Over Physical Medium - T1052":["misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Physical Medium - T1052\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Physical Medium - T1052\""],"Exploit Baseband Vulnerability - T1455":["misp-galaxy:mitre-attack-pattern=\"Exploit Baseband Vulnerability - T1455\""],"Exploit Enterprise Resources - T1428":["misp-galaxy:mitre-attack-pattern=\"Exploit Enterprise Resources - T1428\""],"Exploit OS Vulnerability - T1404":["misp-galaxy:mitre-attack-pattern=\"Exploit OS Vulnerability - T1404\""],"Exploit Public-Facing Application - T1190":["misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploit Public-Facing Application - T1190\""],"Exploit SS7 to Redirect Phone Calls\/SMS - T1449":["misp-galaxy:mitre-attack-pattern=\"Exploit SS7 to Redirect Phone Calls\/SMS - T1449\""],"Exploit SS7 to Track Device Location - T1450":["misp-galaxy:mitre-attack-pattern=\"Exploit SS7 to Track Device Location - T1450\""],"Exploit TEE Vulnerability - T1405":["misp-galaxy:mitre-attack-pattern=\"Exploit TEE Vulnerability - T1405\""],"Exploit public-facing application - T1377":["misp-galaxy:mitre-attack-pattern=\"Exploit public-facing application - T1377\""],"Exploit via Charging Station or PC - T1458":["misp-galaxy:mitre-attack-pattern=\"Exploit via Charging Station or PC - T1458\""],"Exploit via Radio Interfaces - T1477":["misp-galaxy:mitre-attack-pattern=\"Exploit via Radio Interfaces - T1477\""],"Exploitation for Client Execution - T1203":["misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation for Client Execution - T1203\""],"Exploitation for Credential Access - T1212":["misp-galaxy:mitre-attack-pattern=\"Exploitation for Credential Access - T1212\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation for Credential Access - T1212\""],"Exploitation for Defense Evasion - T1211":["misp-galaxy:mitre-attack-pattern=\"Exploitation for Defense Evasion - T1211\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation for Defense Evasion - T1211\""],"Exploitation for Privilege Escalation - T1068":["misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation for Privilege Escalation - T1068\""],"Exploitation of Remote Services - T1210":["misp-galaxy:mitre-attack-pattern=\"Exploitation of Remote Services - T1210\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploitation of Remote Services - T1210\""],"External Remote Services - T1133":["misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"External Remote Services - T1133\""],"Extra Window Memory Injection - T1181":["misp-galaxy:mitre-attack-pattern=\"Extra Window Memory Injection - T1181\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Extra Window Memory Injection - T1181\""],"Fake Developer Accounts - T1442":["misp-galaxy:mitre-attack-pattern=\"Fake Developer Accounts - T1442\""],"Fallback Channels - T1008":["misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Fallback Channels - T1008\""],"Fast Flux DNS - T1325":["misp-galaxy:mitre-attack-pattern=\"Fast Flux DNS - T1325\""],"File Deletion - T1107":["misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"File Deletion - T1107\""],"File Permissions Modification - T1222":["misp-galaxy:mitre-attack-pattern=\"File Permissions Modification - T1222\""],"File System Logical Offsets - T1006":["misp-galaxy:mitre-attack-pattern=\"File System Logical Offsets - T1006\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"File System Logical Offsets - T1006\""],"File System Permissions Weakness - T1044":["misp-galaxy:mitre-attack-pattern=\"File System Permissions Weakness - T1044\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"File System Permissions Weakness - T1044\""],"File and Directory Discovery - T1083":["misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"File and Directory Discovery - T1083\""],"File and Directory Discovery - T1420":["misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1420\""],"Firmware Corruption - T1495":["misp-galaxy:mitre-attack-pattern=\"Firmware Corruption - T1495\""],"Forced Authentication - T1187":["misp-galaxy:mitre-attack-pattern=\"Forced Authentication - T1187\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Forced Authentication - T1187\""],"Friend\/Follow\/Connect to targets of interest - T1344":["misp-galaxy:mitre-attack-pattern=\"Friend\/Follow\/Connect to targets of interest - T1344\""],"Friend\/Follow\/Connect to targets of interest - T1364":["misp-galaxy:mitre-attack-pattern=\"Friend\/Follow\/Connect to targets of interest - T1364\""],"Gatekeeper Bypass - T1144":["misp-galaxy:mitre-attack-pattern=\"Gatekeeper Bypass - T1144\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Gatekeeper Bypass - T1144\""],"Generate Fraudulent Advertising Revenue - T1472":["misp-galaxy:mitre-attack-pattern=\"Generate Fraudulent Advertising Revenue - T1472\""],"Generate analyst intelligence requirements - T1234":["misp-galaxy:mitre-attack-pattern=\"Generate analyst intelligence requirements - T1234\""],"Graphical User Interface - T1061":["misp-galaxy:mitre-attack-pattern=\"Graphical User Interface - T1061\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Graphical User Interface - T1061\""],"Group Policy Modification - T1484":["misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484\""],"HISTCONTROL - T1148":["misp-galaxy:mitre-attack-pattern=\"HISTCONTROL - T1148\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"HISTCONTROL - T1148\""],"Hardware Additions - T1200":["misp-galaxy:mitre-attack-pattern=\"Hardware Additions - T1200\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hardware Additions - T1200\""],"Hardware or software supply chain implant - T1365":["misp-galaxy:mitre-attack-pattern=\"Hardware or software supply chain implant - T1365\""],"Hidden Files and Directories - T1158":["misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1158\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hidden Files and Directories - T1158\""],"Hidden Users - T1147":["misp-galaxy:mitre-attack-pattern=\"Hidden Users - T1147\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hidden Users - T1147\""],"Hidden Window - T1143":["misp-galaxy:mitre-attack-pattern=\"Hidden Window - T1143\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hidden Window - T1143\""],"Hooking - T1179":["misp-galaxy:mitre-attack-pattern=\"Hooking - T1179\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hooking - T1179\""],"Host-based hiding techniques - T1314":["misp-galaxy:mitre-attack-pattern=\"Host-based hiding techniques - T1314\""],"Human performs requested action of physical nature - T1385":["misp-galaxy:mitre-attack-pattern=\"Human performs requested action of physical nature - T1385\""],"Hypervisor - T1062":["misp-galaxy:mitre-attack-pattern=\"Hypervisor - T1062\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Hypervisor - T1062\""],"Identify analyst level gaps - T1233":["misp-galaxy:mitre-attack-pattern=\"Identify analyst level gaps - T1233\""],"Identify business processes\/tempo - T1280":["misp-galaxy:mitre-attack-pattern=\"Identify business processes\/tempo - T1280\""],"Identify business relationships - T1272":["misp-galaxy:mitre-attack-pattern=\"Identify business relationships - T1272\""],"Identify business relationships - T1283":["misp-galaxy:mitre-attack-pattern=\"Identify business relationships - T1283\""],"Identify gap areas - T1225":["misp-galaxy:mitre-attack-pattern=\"Identify gap areas - T1225\""],"Identify groups\/roles - T1270":["misp-galaxy:mitre-attack-pattern=\"Identify groups\/roles - T1270\""],"Identify job postings and needs\/gaps - T1248":["misp-galaxy:mitre-attack-pattern=\"Identify job postings and needs\/gaps - T1248\""],"Identify job postings and needs\/gaps - T1267":["misp-galaxy:mitre-attack-pattern=\"Identify job postings and needs\/gaps - T1267\""],"Identify job postings and needs\/gaps - T1278":["misp-galaxy:mitre-attack-pattern=\"Identify job postings and needs\/gaps - T1278\""],"Identify people of interest - T1269":["misp-galaxy:mitre-attack-pattern=\"Identify people of interest - T1269\""],"Identify personnel with an authority\/privilege - T1271":["misp-galaxy:mitre-attack-pattern=\"Identify personnel with an authority\/privilege - T1271\""],"Identify resources required to build capabilities - T1348":["misp-galaxy:mitre-attack-pattern=\"Identify resources required to build capabilities - T1348\""],"Identify security defensive capabilities - T1263":["misp-galaxy:mitre-attack-pattern=\"Identify security defensive capabilities - T1263\""],"Identify sensitive personnel information - T1274":["misp-galaxy:mitre-attack-pattern=\"Identify sensitive personnel information - T1274\""],"Identify supply chains - T1246":["misp-galaxy:mitre-attack-pattern=\"Identify supply chains - T1246\""],"Identify supply chains - T1265":["misp-galaxy:mitre-attack-pattern=\"Identify supply chains - T1265\""],"Identify supply chains - T1276":["misp-galaxy:mitre-attack-pattern=\"Identify supply chains - T1276\""],"Identify technology usage patterns - T1264":["misp-galaxy:mitre-attack-pattern=\"Identify technology usage patterns - T1264\""],"Identify vulnerabilities in third-party software libraries - T1389":["misp-galaxy:mitre-attack-pattern=\"Identify vulnerabilities in third-party software libraries - T1389\""],"Identify web defensive services - T1256":["misp-galaxy:mitre-attack-pattern=\"Identify web defensive services - T1256\""],"Image File Execution Options Injection - T1183":["misp-galaxy:mitre-attack-pattern=\"Image File Execution Options Injection - T1183\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Image File Execution Options Injection - T1183\""],"Indicator Blocking - T1054":["misp-galaxy:mitre-attack-pattern=\"Indicator Blocking - T1054\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Indicator Blocking - T1054\""],"Indicator Removal from Tools - T1066":["misp-galaxy:mitre-attack-pattern=\"Indicator Removal from Tools - T1066\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Indicator Removal from Tools - T1066\""],"Indicator Removal on Host - T1070":["misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Indicator Removal on Host - T1070\""],"Indirect Command Execution - T1202":["misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Indirect Command Execution - T1202\""],"Inhibit System Recovery - T1490":["misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\""],"Input Capture - T1056":["misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Input Capture - T1056\""],"Input Prompt - T1141":["misp-galaxy:mitre-attack-pattern=\"Input Prompt - T1141\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Input Prompt - T1141\""],"Insecure Third-Party Libraries - T1425":["misp-galaxy:mitre-attack-pattern=\"Insecure Third-Party Libraries - T1425\""],"Install Insecure or Malicious Configuration - T1478":["misp-galaxy:mitre-attack-pattern=\"Install Insecure or Malicious Configuration - T1478\""],"Install Root Certificate - T1130":["misp-galaxy:mitre-attack-pattern=\"Install Root Certificate - T1130\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Install Root Certificate - T1130\""],"Install and configure hardware, network, and systems - T1336":["misp-galaxy:mitre-attack-pattern=\"Install and configure hardware, network, and systems - T1336\""],"InstallUtil - T1118":["misp-galaxy:mitre-attack-pattern=\"InstallUtil - T1118\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"InstallUtil - T1118\""],"Jamming or Denial of Service - T1464":["misp-galaxy:mitre-attack-pattern=\"Jamming or Denial of Service - T1464\""],"Kerberoasting - T1208":["misp-galaxy:mitre-attack-pattern=\"Kerberoasting - T1208\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Kerberoasting - T1208\""],"Kernel Modules and Extensions - T1215":["misp-galaxy:mitre-attack-pattern=\"Kernel Modules and Extensions - T1215\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Kernel Modules and Extensions - T1215\""],"Keychain - T1142":["misp-galaxy:mitre-attack-pattern=\"Keychain - T1142\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Keychain - T1142\""],"LC_LOAD_DYLIB Addition - T1161":["misp-galaxy:mitre-attack-pattern=\"LC_LOAD_DYLIB Addition - T1161\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"LC_LOAD_DYLIB Addition - T1161\""],"LC_MAIN Hijacking - T1149":["misp-galaxy:mitre-attack-pattern=\"LC_MAIN Hijacking - T1149\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"LC_MAIN Hijacking - T1149\""],"LLMNR\/NBT-NS Poisoning - T1171":["misp-galaxy:mitre-attack-pattern=\"LLMNR\/NBT-NS Poisoning - T1171\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"LLMNR\/NBT-NS Poisoning - T1171\""],"LLMNR\/NBT-NS Poisoning and Relay - T1171":["misp-galaxy:mitre-attack-pattern=\"LLMNR\/NBT-NS Poisoning and Relay - T1171\""],"LSASS Driver - T1177":["misp-galaxy:mitre-attack-pattern=\"LSASS Driver - T1177\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"LSASS Driver - T1177\""],"Launch Agent - T1159":["misp-galaxy:mitre-attack-pattern=\"Launch Agent - T1159\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Launch Agent - T1159\""],"Launch Daemon - T1160":["misp-galaxy:mitre-attack-pattern=\"Launch Daemon - T1160\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Launch Daemon - T1160\""],"Launchctl - T1152":["misp-galaxy:mitre-attack-pattern=\"Launchctl - T1152\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Launchctl - T1152\""],"Leverage compromised 3rd party resources - T1375":["misp-galaxy:mitre-attack-pattern=\"Leverage compromised 3rd party resources - T1375\""],"Local Job Scheduling - T1168":["misp-galaxy:mitre-attack-pattern=\"Local Job Scheduling - T1168\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Local Job Scheduling - T1168\""],"Local Network Configuration Discovery - T1422":["misp-galaxy:mitre-attack-pattern=\"Local Network Configuration Discovery - T1422\""],"Local Network Connections Discovery - T1421":["misp-galaxy:mitre-attack-pattern=\"Local Network Connections Discovery - T1421\""],"Location Tracking - T1430":["misp-galaxy:mitre-attack-pattern=\"Location Tracking - T1430\""],"Lock User Out of Device - T1446":["misp-galaxy:mitre-attack-pattern=\"Lock User Out of Device - T1446\""],"Lockscreen Bypass - T1461":["misp-galaxy:mitre-attack-pattern=\"Lockscreen Bypass - T1461\""],"Login Item - T1162":["misp-galaxy:mitre-attack-pattern=\"Login Item - T1162\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Login Item - T1162\""],"Logon Scripts - T1037":["misp-galaxy:mitre-attack-pattern=\"Logon Scripts - T1037\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Logon Scripts - T1037\""],"Malicious Media Content - T1457":["misp-galaxy:mitre-attack-pattern=\"Malicious Media Content - T1457\""],"Malicious SMS Message - T1454":["misp-galaxy:mitre-attack-pattern=\"Malicious SMS Message - T1454\""],"Malicious Software Development Tools - T1462":["misp-galaxy:mitre-attack-pattern=\"Malicious Software Development Tools - T1462\""],"Malicious Third Party Keyboard App - T1417":["misp-galaxy:mitre-attack-pattern=\"Malicious Third Party Keyboard App - T1417\""],"Malicious or Vulnerable Built-in Device Functionality - T1473":["misp-galaxy:mitre-attack-pattern=\"Malicious or Vulnerable Built-in Device Functionality - T1473\""],"Man in the Browser - T1185":["misp-galaxy:mitre-attack-pattern=\"Man in the Browser - T1185\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Man in the Browser - T1185\""],"Manipulate App Store Rankings or Ratings - T1452":["misp-galaxy:mitre-attack-pattern=\"Manipulate App Store Rankings or Ratings - T1452\""],"Manipulate Device Communication - T1463":["misp-galaxy:mitre-attack-pattern=\"Manipulate Device Communication - T1463\""],"Map network topology - T1252":["misp-galaxy:mitre-attack-pattern=\"Map network topology - T1252\""],"Masquerading - T1036":["misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Masquerading - T1036\""],"Microphone or Camera Recordings - T1429":["misp-galaxy:mitre-attack-pattern=\"Microphone or Camera Recordings - T1429\""],"Mine social media - T1273":["misp-galaxy:mitre-attack-pattern=\"Mine social media - T1273\""],"Mine technical blogs\/forums - T1257":["misp-galaxy:mitre-attack-pattern=\"Mine technical blogs\/forums - T1257\""],"Misattributable credentials - T1322":["misp-galaxy:mitre-attack-pattern=\"Misattributable credentials - T1322\""],"Modify Existing Service - T1031":["misp-galaxy:mitre-attack-pattern=\"Modify Existing Service - T1031\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Modify Existing Service - T1031\""],"Modify OS Kernel or Boot Partition - T1398":["misp-galaxy:mitre-attack-pattern=\"Modify OS Kernel or Boot Partition - T1398\""],"Modify Registry - T1112":["misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Modify Registry - T1112\""],"Modify System Partition - T1400":["misp-galaxy:mitre-attack-pattern=\"Modify System Partition - T1400\""],"Modify Trusted Execution Environment - T1399":["misp-galaxy:mitre-attack-pattern=\"Modify Trusted Execution Environment - T1399\""],"Modify cached executable code - T1403":["misp-galaxy:mitre-attack-pattern=\"Modify cached executable code - T1403\""],"Mshta - T1170":["misp-galaxy:mitre-attack-pattern=\"Mshta - T1170\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Mshta - T1170\""],"Multi-Stage Channels - T1104":["misp-galaxy:mitre-attack-pattern=\"Multi-Stage Channels - T1104\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Multi-Stage Channels - T1104\""],"Multi-hop Proxy - T1188":["misp-galaxy:mitre-attack-pattern=\"Multi-hop Proxy - T1188\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Multi-hop Proxy - T1188\""],"Multiband Communication - T1026":["misp-galaxy:mitre-attack-pattern=\"Multiband Communication - T1026\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Multiband Communication - T1026\""],"Multilayer Encryption - T1079":["misp-galaxy:mitre-attack-pattern=\"Multilayer Encryption - T1079\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Multilayer Encryption - T1079\""],"NTFS File Attributes - T1096":["misp-galaxy:mitre-attack-pattern=\"NTFS File Attributes - T1096\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"NTFS File Attributes - T1096\""],"Netsh Helper DLL - T1128":["misp-galaxy:mitre-attack-pattern=\"Netsh Helper DLL - T1128\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Netsh Helper DLL - T1128\""],"Network Denial of Service - T1498":["misp-galaxy:mitre-attack-pattern=\"Network Denial of Service - T1498\""],"Network Service Scanning - T1046":["misp-galaxy:mitre-attack-pattern=\"Network Service Scanning - T1046\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Network Service Scanning - T1046\""],"Network Service Scanning - T1423":["misp-galaxy:mitre-attack-pattern=\"Network Service Scanning - T1423\""],"Network Share Connection Removal - T1126":["misp-galaxy:mitre-attack-pattern=\"Network Share Connection Removal - T1126\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Network Share Connection Removal - T1126\""],"Network Share Discovery - T1135":["misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Network Share Discovery - T1135\""],"Network Sniffing - T1040":["misp-galaxy:mitre-attack-pattern=\"Network Sniffing - T1040\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Network Sniffing - T1040\""],"Network Traffic Capture or Redirection - T1410":["misp-galaxy:mitre-attack-pattern=\"Network Traffic Capture or Redirection - T1410\""],"Network-based hiding techniques - T1315":["misp-galaxy:mitre-attack-pattern=\"Network-based hiding techniques - T1315\""],"New Service - T1050":["misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"New Service - T1050\""],"Non-traditional or less attributable payment options - T1316":["misp-galaxy:mitre-attack-pattern=\"Non-traditional or less attributable payment options - T1316\""],"OS-vendor provided communication channels - T1390":["misp-galaxy:mitre-attack-pattern=\"OS-vendor provided communication channels - T1390\""],"Obfuscate infrastructure - T1309":["misp-galaxy:mitre-attack-pattern=\"Obfuscate infrastructure - T1309\""],"Obfuscate infrastructure - T1331":["misp-galaxy:mitre-attack-pattern=\"Obfuscate infrastructure - T1331\""],"Obfuscate operational infrastructure - T1318":["misp-galaxy:mitre-attack-pattern=\"Obfuscate operational infrastructure - T1318\""],"Obfuscate or encrypt code - T1319":["misp-galaxy:mitre-attack-pattern=\"Obfuscate or encrypt code - T1319\""],"Obfuscated Files or Information - T1027":["misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\""],"Obfuscated Files or Information - T1406":["misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\""],"Obfuscated or Encrypted Payload - T1406":["misp-galaxy:mitre-attack-pattern=\"Obfuscated or Encrypted Payload - T1406\""],"Obfuscation or cryptography - T1313":["misp-galaxy:mitre-attack-pattern=\"Obfuscation or cryptography - T1313\""],"Obtain Apple iOS enterprise distribution key pair and certificate - T1392":["misp-galaxy:mitre-attack-pattern=\"Obtain Apple iOS enterprise distribution key pair and certificate - T1392\""],"Obtain Device Cloud Backups - T1470":["misp-galaxy:mitre-attack-pattern=\"Obtain Device Cloud Backups - T1470\""],"Obtain booter\/stressor subscription - T1396":["misp-galaxy:mitre-attack-pattern=\"Obtain booter\/stressor subscription - T1396\""],"Obtain domain\/IP registration information - T1251":["misp-galaxy:mitre-attack-pattern=\"Obtain domain\/IP registration information - T1251\""],"Obtain templates\/branding materials - T1281":["misp-galaxy:mitre-attack-pattern=\"Obtain templates\/branding materials - T1281\""],"Obtain\/re-use payloads - T1346":["misp-galaxy:mitre-attack-pattern=\"Obtain\/re-use payloads - T1346\""],"Office Application Startup - T1137":["misp-galaxy:mitre-attack-pattern=\"Office Application Startup - T1137\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Office Application Startup - T1137\""],"Pass the Hash - T1075":["misp-galaxy:mitre-attack-pattern=\"Pass the Hash - T1075\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Pass the Hash - T1075\""],"Pass the Ticket - T1097":["misp-galaxy:mitre-attack-pattern=\"Pass the Ticket - T1097\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Pass the Ticket - T1097\""],"Password Filter DLL - T1174":["misp-galaxy:mitre-attack-pattern=\"Password Filter DLL - T1174\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Password Filter DLL - T1174\""],"Password Policy Discovery - T1201":["misp-galaxy:mitre-attack-pattern=\"Password Policy Discovery - T1201\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Password Policy Discovery - T1201\""],"Path Interception - T1034":["misp-galaxy:mitre-attack-pattern=\"Path Interception - T1034\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Path Interception - T1034\""],"Peripheral Device Discovery - T1120":["misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Peripheral Device Discovery - T1120\""],"Permission Groups Discovery - T1069":["misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Permission Groups Discovery - T1069\""],"Plist Modification - T1150":["misp-galaxy:mitre-attack-pattern=\"Plist Modification - T1150\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Plist Modification - T1150\""],"Port Knocking - T1205":["misp-galaxy:mitre-attack-pattern=\"Port Knocking - T1205\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Port Knocking - T1205\""],"Port Monitors - T1013":["misp-galaxy:mitre-attack-pattern=\"Port Monitors - T1013\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Port Monitors - T1013\""],"Port redirector - T1363":["misp-galaxy:mitre-attack-pattern=\"Port redirector - T1363\""],"Post compromise tool development - T1353":["misp-galaxy:mitre-attack-pattern=\"Post compromise tool development - T1353\""],"PowerShell - T1086":["misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\""],"Premium SMS Toll Fraud - T1448":["misp-galaxy:mitre-attack-pattern=\"Premium SMS Toll Fraud - T1448\""],"Private Keys - T1145":["misp-galaxy:mitre-attack-pattern=\"Private Keys - T1145\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Private Keys - T1145\""],"Private whois services - T1305":["misp-galaxy:mitre-attack-pattern=\"Private whois services - T1305\""],"Process Discovery - T1057":["misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Process Discovery - T1057\""],"Process Discovery - T1424":["misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1424\""],"Process Doppelg\u00e4nging - T1186":["misp-galaxy:mitre-attack-pattern=\"Process Doppelg\u00e4nging - T1186\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Process Doppelg\u00e4nging - T1186\""],"Process Hollowing - T1093":["misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1093\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Process Hollowing - T1093\""],"Process Injection - T1055":["misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Process Injection - T1055\""],"Procure required equipment and software - T1335":["misp-galaxy:mitre-attack-pattern=\"Procure required equipment and software - T1335\""],"Proxy\/protocol relays - T1304":["misp-galaxy:mitre-attack-pattern=\"Proxy\/protocol relays - T1304\""],"Push-notification client-side exploit - T1373":["misp-galaxy:mitre-attack-pattern=\"Push-notification client-side exploit - T1373\""],"Query Registry - T1012":["misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Query Registry - T1012\""],"Rc.common - T1163":["misp-galaxy:mitre-attack-pattern=\"Rc.common - T1163\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Rc.common - T1163\""],"Re-opened Applications - T1164":["misp-galaxy:mitre-attack-pattern=\"Re-opened Applications - T1164\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Re-opened Applications - T1164\""],"Receive KITs\/KIQs and determine requirements - T1239":["misp-galaxy:mitre-attack-pattern=\"Receive KITs\/KIQs and determine requirements - T1239\""],"Receive operator KITs\/KIQs tasking - T1235":["misp-galaxy:mitre-attack-pattern=\"Receive operator KITs\/KIQs tasking - T1235\""],"Redundant Access - T1108":["misp-galaxy:mitre-attack-pattern=\"Redundant Access - T1108\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Redundant Access - T1108\""],"Registry Run Keys \/ Startup Folder - T1060":["misp-galaxy:mitre-attack-pattern=\"Registry Run Keys \/ Startup Folder - T1060\""],"Regsvcs\/Regasm - T1121":["misp-galaxy:mitre-attack-pattern=\"Regsvcs\/Regasm - T1121\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvcs\/Regasm - T1121\""],"Regsvr32 - T1117":["misp-galaxy:mitre-attack-pattern=\"Regsvr32 - T1117\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\""],"Remote Access Tools - T1219":["misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote Access Tools - T1219\""],"Remote Desktop Protocol - T1076":["misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote Desktop Protocol - T1076\""],"Remote File Copy - T1105":["misp-galaxy:mitre-attack-pattern=\"Remote File Copy - T1105\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote File Copy - T1105\""],"Remote Services - T1021":["misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote Services - T1021\""],"Remote System Discovery - T1018":["misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Remote System Discovery - T1018\""],"Remote access tool development - T1351":["misp-galaxy:mitre-attack-pattern=\"Remote access tool development - T1351\""],"Remotely Install Application - T1443":["misp-galaxy:mitre-attack-pattern=\"Remotely Install Application - T1443\""],"Remotely Track Device Without Authorization - T1468":["misp-galaxy:mitre-attack-pattern=\"Remotely Track Device Without Authorization - T1468\""],"Remotely Wipe Data Without Authorization - T1469":["misp-galaxy:mitre-attack-pattern=\"Remotely Wipe Data Without Authorization - T1469\""],"Repackaged Application - T1444":["misp-galaxy:mitre-attack-pattern=\"Repackaged Application - T1444\""],"Replace legitimate binary with malware - T1378":["misp-galaxy:mitre-attack-pattern=\"Replace legitimate binary with malware - T1378\""],"Replication Through Removable Media - T1091":["misp-galaxy:mitre-attack-pattern=\"Replication Through Removable Media - T1091\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Replication Through Removable Media - T1091\""],"Research relevant vulnerabilities\/CVEs - T1291":["misp-galaxy:mitre-attack-pattern=\"Research relevant vulnerabilities\/CVEs - T1291\""],"Research visibility gap of security vendors - T1290":["misp-galaxy:mitre-attack-pattern=\"Research visibility gap of security vendors - T1290\""],"Resource Hijacking - T1496":["misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\""],"Review logs and residual traces - T1358":["misp-galaxy:mitre-attack-pattern=\"Review logs and residual traces - T1358\""],"Rogue Cellular Base Station - T1467":["misp-galaxy:mitre-attack-pattern=\"Rogue Cellular Base Station - T1467\""],"Rogue Wi-Fi Access Points - T1465":["misp-galaxy:mitre-attack-pattern=\"Rogue Wi-Fi Access Points - T1465\""],"Rootkit - T1014":["misp-galaxy:mitre-attack-pattern=\"Rootkit - T1014\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Rootkit - T1014\""],"Rundll32 - T1085":["misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Rundll32 - T1085\""],"Runtime Data Manipulation - T1494":["misp-galaxy:mitre-attack-pattern=\"Runtime Data Manipulation - T1494\""],"Runtime code download and execution - T1395":["misp-galaxy:mitre-attack-pattern=\"Runtime code download and execution - T1395\""],"SID-History Injection - T1178":["misp-galaxy:mitre-attack-pattern=\"SID-History Injection - T1178\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"SID-History Injection - T1178\""],"SIM Card Swap - T1451":["misp-galaxy:mitre-attack-pattern=\"SIM Card Swap - T1451\""],"SIP and Trust Provider Hijacking - T1198":["misp-galaxy:mitre-attack-pattern=\"SIP and Trust Provider Hijacking - T1198\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"SIP and Trust Provider Hijacking - T1198\""],"SSH Hijacking - T1184":["misp-galaxy:mitre-attack-pattern=\"SSH Hijacking - T1184\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"SSH Hijacking - T1184\""],"SSL certificate acquisition for domain - T1337":["misp-galaxy:mitre-attack-pattern=\"SSL certificate acquisition for domain - T1337\""],"SSL certificate acquisition for trust breaking - T1338":["misp-galaxy:mitre-attack-pattern=\"SSL certificate acquisition for trust breaking - T1338\""],"Scheduled Task - T1053":["misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Task - T1053\""],"Scheduled Transfer - T1029":["misp-galaxy:mitre-attack-pattern=\"Scheduled Transfer - T1029\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Transfer - T1029\""],"Screen Capture - T1113":["misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Screen Capture - T1113\""],"Screensaver - T1180":["misp-galaxy:mitre-attack-pattern=\"Screensaver - T1180\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Screensaver - T1180\""],"Scripting - T1064":["misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\""],"Secure and protect infrastructure - T1317":["misp-galaxy:mitre-attack-pattern=\"Secure and protect infrastructure - T1317\""],"Security Software Discovery - T1063":["misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1063\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Security Software Discovery - T1063\""],"Security Support Provider - T1101":["misp-galaxy:mitre-attack-pattern=\"Security Support Provider - T1101\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Security Support Provider - T1101\""],"Securityd Memory - T1167":["misp-galaxy:mitre-attack-pattern=\"Securityd Memory - T1167\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Securityd Memory - T1167\""],"Service Execution - T1035":["misp-galaxy:mitre-attack-pattern=\"Service Execution - T1035\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Service Execution - T1035\""],"Service Registry Permissions Weakness - T1058":["misp-galaxy:mitre-attack-pattern=\"Service Registry Permissions Weakness - T1058\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Service Registry Permissions Weakness - T1058\""],"Service Stop - T1489":["misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\""],"Setuid and Setgid - T1166":["misp-galaxy:mitre-attack-pattern=\"Setuid and Setgid - T1166\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Setuid and Setgid - T1166\""],"Shadow DNS - T1340":["misp-galaxy:mitre-attack-pattern=\"Shadow DNS - T1340\""],"Shared Webroot - T1051":["misp-galaxy:mitre-attack-pattern=\"Shared Webroot - T1051\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Shared Webroot - T1051\""],"Shortcut Modification - T1023":["misp-galaxy:mitre-attack-pattern=\"Shortcut Modification - T1023\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Shortcut Modification - T1023\""],"Signed Binary Proxy Execution - T1218":["misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Signed Binary Proxy Execution - T1218\""],"Signed Script Proxy Execution - T1216":["misp-galaxy:mitre-attack-pattern=\"Signed Script Proxy Execution - T1216\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Signed Script Proxy Execution - T1216\""],"Software Packing - T1045":["misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Software Packing - T1045\""],"Source - T1153":["misp-galaxy:mitre-attack-pattern=\"Source - T1153\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Source - T1153\""],"Space after Filename - T1151":["misp-galaxy:mitre-attack-pattern=\"Space after Filename - T1151\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Space after Filename - T1151\""],"Spear phishing messages with malicious attachments - T1367":["misp-galaxy:mitre-attack-pattern=\"Spear phishing messages with malicious attachments - T1367\""],"Spear phishing messages with malicious links - T1369":["misp-galaxy:mitre-attack-pattern=\"Spear phishing messages with malicious links - T1369\""],"Spear phishing messages with text only - T1368":["misp-galaxy:mitre-attack-pattern=\"Spear phishing messages with text only - T1368\""],"Spearphishing Attachment - T1193":["misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\""],"Spearphishing Link - T1192":["misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\""],"Spearphishing for Information - T1397":["misp-galaxy:mitre-attack-pattern=\"Spearphishing for Information - T1397\""],"Spearphishing via Service - T1194":["misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1194\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing via Service - T1194\""],"Standard Application Layer Protocol - T1071":["misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Application Layer Protocol - T1071\""],"Standard Application Layer Protocol - T1437":["misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1437\""],"Standard Cryptographic Protocol - T1032":["misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Cryptographic Protocol - T1032\""],"Standard Non-Application Layer Protocol - T1095":["misp-galaxy:mitre-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Non-Application Layer Protocol - T1095\""],"Startup Items - T1165":["misp-galaxy:mitre-attack-pattern=\"Startup Items - T1165\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Startup Items - T1165\""],"Stolen Developer Credentials or Signing Keys - T1441":["misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\""],"Stored Data Manipulation - T1492":["misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1492\""],"Submit KITs, KIQs, and intelligence requirements - T1237":["misp-galaxy:mitre-attack-pattern=\"Submit KITs, KIQs, and intelligence requirements - T1237\""],"Sudo - T1169":["misp-galaxy:mitre-attack-pattern=\"Sudo - T1169\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Sudo - T1169\""],"Sudo Caching - T1206":["misp-galaxy:mitre-attack-pattern=\"Sudo Caching - T1206\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Sudo Caching - T1206\""],"Supply Chain Compromise - T1195":["misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Supply Chain Compromise - T1195\""],"Supply Chain Compromise - T1474":["misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1474\""],"System Firmware - T1019":["misp-galaxy:mitre-attack-pattern=\"System Firmware - T1019\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Firmware - T1019\""],"System Information Discovery - T1082":["misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Information Discovery - T1082\""],"System Information Discovery - T1426":["misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\""],"System Network Configuration Discovery - T1016":["misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Network Configuration Discovery - T1016\""],"System Network Configuration Discovery - T1422":["misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1422\""],"System Network Connections Discovery - T1049":["misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Network Connections Discovery - T1049\""],"System Network Connections Discovery - T1421":["misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1421\""],"System Owner\/User Discovery - T1033":["misp-galaxy:mitre-attack-pattern=\"System Owner\/User Discovery - T1033\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Owner\/User Discovery - T1033\""],"System Service Discovery - T1007":["misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Service Discovery - T1007\""],"System Time Discovery - T1124":["misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Time Discovery - T1124\""],"Systemd Service - T1501":["misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1501\""],"Taint Shared Content - T1080":["misp-galaxy:mitre-attack-pattern=\"Taint Shared Content - T1080\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Taint Shared Content - T1080\""],"Targeted client-side exploitation - T1371":["misp-galaxy:mitre-attack-pattern=\"Targeted client-side exploitation - T1371\""],"Targeted social media phishing - T1366":["misp-galaxy:mitre-attack-pattern=\"Targeted social media phishing - T1366\""],"Task requirements - T1240":["misp-galaxy:mitre-attack-pattern=\"Task requirements - T1240\""],"Template Injection - T1221":["misp-galaxy:mitre-attack-pattern=\"Template Injection - T1221\""],"Test ability to evade automated mobile application security analysis performed by app stores - T1393":["misp-galaxy:mitre-attack-pattern=\"Test ability to evade automated mobile application security analysis performed by app stores - T1393\""],"Test callback functionality - T1356":["misp-galaxy:mitre-attack-pattern=\"Test callback functionality - T1356\""],"Test malware in various execution environments - T1357":["misp-galaxy:mitre-attack-pattern=\"Test malware in various execution environments - T1357\""],"Test malware to evade detection - T1359":["misp-galaxy:mitre-attack-pattern=\"Test malware to evade detection - T1359\""],"Test physical access - T1360":["misp-galaxy:mitre-attack-pattern=\"Test physical access - T1360\""],"Test signature detection - T1292":["misp-galaxy:mitre-attack-pattern=\"Test signature detection - T1292\""],"Test signature detection for file upload\/email filters - T1361":["misp-galaxy:mitre-attack-pattern=\"Test signature detection for file upload\/email filters - T1361\""],"Third-party Software - T1072":["misp-galaxy:mitre-attack-pattern=\"Third-party Software - T1072\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Third-party Software - T1072\""],"Time Providers - T1209":["misp-galaxy:mitre-attack-pattern=\"Time Providers - T1209\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Time Providers - T1209\""],"Timestomp - T1099":["misp-galaxy:mitre-attack-pattern=\"Timestomp - T1099\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Timestomp - T1099\""],"Transmitted Data Manipulation - T1493":["misp-galaxy:mitre-attack-pattern=\"Transmitted Data Manipulation - T1493\""],"Trap - T1154":["misp-galaxy:mitre-attack-pattern=\"Trap - T1154\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trap - T1154\""],"Trusted Developer Utilities - T1127":["misp-galaxy:mitre-attack-pattern=\"Trusted Developer Utilities - T1127\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trusted Developer Utilities - T1127\""],"Trusted Relationship - T1199":["misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trusted Relationship - T1199\""],"Two-Factor Authentication Interception - T1111":["misp-galaxy:mitre-attack-pattern=\"Two-Factor Authentication Interception - T1111\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Two-Factor Authentication Interception - T1111\""],"URL Scheme Hijacking - T1415":["misp-galaxy:mitre-attack-pattern=\"URL Scheme Hijacking - T1415\""],"Unauthorized user introduces compromise delivery mechanism - T1387":["misp-galaxy:mitre-attack-pattern=\"Unauthorized user introduces compromise delivery mechanism - T1387\""],"Uncommonly Used Port - T1065":["misp-galaxy:mitre-attack-pattern=\"Uncommonly Used Port - T1065\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Uncommonly Used Port - T1065\""],"Unconditional client-side exploitation\/Injected Website\/Driveby - T1372":["misp-galaxy:mitre-attack-pattern=\"Unconditional client-side exploitation\/Injected Website\/Driveby - T1372\""],"Untargeted client-side exploitation - T1370":["misp-galaxy:mitre-attack-pattern=\"Untargeted client-side exploitation - T1370\""],"Upload, install, and configure software\/tools - T1362":["misp-galaxy:mitre-attack-pattern=\"Upload, install, and configure software\/tools - T1362\""],"Use multiple DNS infrastructures - T1327":["misp-galaxy:mitre-attack-pattern=\"Use multiple DNS infrastructures - T1327\""],"User Execution - T1204":["misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\""],"User Interface Spoofing - T1411":["misp-galaxy:mitre-attack-pattern=\"User Interface Spoofing - T1411\""],"Valid Accounts - T1078":["misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Valid Accounts - T1078\""],"Video Capture - T1125":["misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Video Capture - T1125\""],"Virtualization\/Sandbox Evasion - T1497":["misp-galaxy:mitre-attack-pattern=\"Virtualization\/Sandbox Evasion - T1497\""],"Web Service - T1102":["misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Web Service - T1102\""],"Web Service - T1481":["misp-galaxy:mitre-attack-pattern=\"Web Service - T1481\""],"Web Shell - T1100":["misp-galaxy:mitre-attack-pattern=\"Web Shell - T1100\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Web Shell - T1100\""],"Windows Admin Shares - T1077":["misp-galaxy:mitre-attack-pattern=\"Windows Admin Shares - T1077\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Admin Shares - T1077\""],"Windows Management Instrumentation - T1047":["misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation - T1047\""],"Windows Management Instrumentation Event Subscription - T1084":["misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation Event Subscription - T1084\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation Event Subscription - T1084\""],"Windows Remote Management - T1028":["misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1028\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Remote Management - T1028\""],"Winlogon Helper DLL - T1004":["misp-galaxy:mitre-attack-pattern=\"Winlogon Helper DLL - T1004\"","misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Winlogon Helper DLL - T1004\""],"Wipe Device Data - T1447":["misp-galaxy:mitre-attack-pattern=\"Wipe Device Data - T1447\""],"XSL Script Processing - T1220":["misp-galaxy:mitre-attack-pattern=\"XSL Script Processing - T1220\""],".bash_profile and .bashrc Mitigation - T1156":["misp-galaxy:mitre-course-of-action=\".bash_profile and .bashrc Mitigation - T1156\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\".bash_profile and .bashrc Mitigation - T1156\""],"Access Token Manipulation Mitigation - T1134":["misp-galaxy:mitre-course-of-action=\"Access Token Manipulation Mitigation - T1134\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Access Token Manipulation Mitigation - T1134\""],"Accessibility Features Mitigation - T1015":["misp-galaxy:mitre-course-of-action=\"Accessibility Features Mitigation - T1015\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Accessibility Features Mitigation - T1015\""],"Account Discovery Mitigation - T1087":["misp-galaxy:mitre-course-of-action=\"Account Discovery Mitigation - T1087\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Account Discovery Mitigation - T1087\""],"Account Manipulation Mitigation - T1098":["misp-galaxy:mitre-course-of-action=\"Account Manipulation Mitigation - T1098\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Account Manipulation Mitigation - T1098\""],"AppCert DLLs Mitigation - T1182":["misp-galaxy:mitre-course-of-action=\"AppCert DLLs Mitigation - T1182\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"AppCert DLLs Mitigation - T1182\""],"AppInit DLLs Mitigation - T1103":["misp-galaxy:mitre-course-of-action=\"AppInit DLLs Mitigation - T1103\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"AppInit DLLs Mitigation - T1103\""],"AppleScript Mitigation - T1155":["misp-galaxy:mitre-course-of-action=\"AppleScript Mitigation - T1155\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"AppleScript Mitigation - T1155\""],"Application Deployment Software Mitigation - T1017":["misp-galaxy:mitre-course-of-action=\"Application Deployment Software Mitigation - T1017\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Application Deployment Software Mitigation - T1017\""],"Application Developer Guidance - M1013":["misp-galaxy:mitre-course-of-action=\"Application Developer Guidance - M1013\""],"Application Shimming Mitigation - T1138":["misp-galaxy:mitre-course-of-action=\"Application Shimming Mitigation - T1138\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Application Shimming Mitigation - T1138\""],"Application Vetting - M1005":["misp-galaxy:mitre-course-of-action=\"Application Vetting - M1005\""],"Application Window Discovery Mitigation - T1010":["misp-galaxy:mitre-course-of-action=\"Application Window Discovery Mitigation - T1010\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Application Window Discovery Mitigation - T1010\""],"Attestation - M1002":["misp-galaxy:mitre-course-of-action=\"Attestation - M1002\""],"Audio Capture Mitigation - T1123":["misp-galaxy:mitre-course-of-action=\"Audio Capture Mitigation - T1123\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Audio Capture Mitigation - T1123\""],"Authentication Package Mitigation - T1131":["misp-galaxy:mitre-course-of-action=\"Authentication Package Mitigation - T1131\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Authentication Package Mitigation - T1131\""],"Automated Collection Mitigation - T1119":["misp-galaxy:mitre-course-of-action=\"Automated Collection Mitigation - T1119\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Automated Collection Mitigation - T1119\""],"Automated Exfiltration Mitigation - T1020":["misp-galaxy:mitre-course-of-action=\"Automated Exfiltration Mitigation - T1020\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Automated Exfiltration Mitigation - T1020\""],"BITS Jobs Mitigation - T1197":["misp-galaxy:mitre-course-of-action=\"BITS Jobs Mitigation - T1197\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"BITS Jobs Mitigation - T1197\""],"Bash History Mitigation - T1139":["misp-galaxy:mitre-course-of-action=\"Bash History Mitigation - T1139\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Bash History Mitigation - T1139\""],"Binary Padding Mitigation - T1009":["misp-galaxy:mitre-course-of-action=\"Binary Padding Mitigation - T1009\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Binary Padding Mitigation - T1009\""],"Bootkit Mitigation - T1067":["misp-galaxy:mitre-course-of-action=\"Bootkit Mitigation - T1067\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Bootkit Mitigation - T1067\""],"Browser Bookmark Discovery Mitigation - T1217":["misp-galaxy:mitre-course-of-action=\"Browser Bookmark Discovery Mitigation - T1217\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Browser Bookmark Discovery Mitigation - T1217\""],"Browser Extensions Mitigation - T1176":["misp-galaxy:mitre-course-of-action=\"Browser Extensions Mitigation - T1176\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Browser Extensions Mitigation - T1176\""],"Brute Force Mitigation - T1110":["misp-galaxy:mitre-course-of-action=\"Brute Force Mitigation - T1110\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Brute Force Mitigation - T1110\""],"Bypass User Account Control Mitigation - T1088":["misp-galaxy:mitre-course-of-action=\"Bypass User Account Control Mitigation - T1088\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Bypass User Account Control Mitigation - T1088\""],"CMSTP Mitigation - T1191":["misp-galaxy:mitre-course-of-action=\"CMSTP Mitigation - T1191\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"CMSTP Mitigation - T1191\""],"Caution with Device Administrator Access - M1007":["misp-galaxy:mitre-course-of-action=\"Caution with Device Administrator Access - M1007\""],"Change Default File Association Mitigation - T1042":["misp-galaxy:mitre-course-of-action=\"Change Default File Association Mitigation - T1042\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Change Default File Association Mitigation - T1042\""],"Clear Command History Mitigation - T1146":["misp-galaxy:mitre-course-of-action=\"Clear Command History Mitigation - T1146\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Clear Command History Mitigation - T1146\""],"Clipboard Data Mitigation - T1115":["misp-galaxy:mitre-course-of-action=\"Clipboard Data Mitigation - T1115\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Clipboard Data Mitigation - T1115\""],"Code Signing Mitigation - T1116":["misp-galaxy:mitre-course-of-action=\"Code Signing Mitigation - T1116\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Code Signing Mitigation - T1116\""],"Command-Line Interface Mitigation - T1059":["misp-galaxy:mitre-course-of-action=\"Command-Line Interface Mitigation - T1059\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Command-Line Interface Mitigation - T1059\""],"Commonly Used Port Mitigation - T1043":["misp-galaxy:mitre-course-of-action=\"Commonly Used Port Mitigation - T1043\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Commonly Used Port Mitigation - T1043\""],"Communication Through Removable Media Mitigation - T1092":["misp-galaxy:mitre-course-of-action=\"Communication Through Removable Media Mitigation - T1092\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Communication Through Removable Media Mitigation - T1092\""],"Compile After Delivery Mitigation - T1502":["misp-galaxy:mitre-course-of-action=\"Compile After Delivery Mitigation - T1502\""],"Compiled HTML File Mitigation - T1223":["misp-galaxy:mitre-course-of-action=\"Compiled HTML File Mitigation - T1223\""],"Component Firmware Mitigation - T1109":["misp-galaxy:mitre-course-of-action=\"Component Firmware Mitigation - T1109\""],"Component Object Model Hijacking Mitigation - T1122":["misp-galaxy:mitre-course-of-action=\"Component Object Model Hijacking Mitigation - T1122\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Component Object Model Hijacking Mitigation - T1122\""],"Connection Proxy Mitigation - T1090":["misp-galaxy:mitre-course-of-action=\"Connection Proxy Mitigation - T1090\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Connection Proxy Mitigation - T1090\""],"Control Panel Items Mitigation - T1196":["misp-galaxy:mitre-course-of-action=\"Control Panel Items Mitigation - T1196\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Control Panel Items Mitigation - T1196\""],"Create Account Mitigation - T1136":["misp-galaxy:mitre-course-of-action=\"Create Account Mitigation - T1136\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Create Account Mitigation - T1136\""],"Credential Dumping Mitigation - T1003":["misp-galaxy:mitre-course-of-action=\"Credential Dumping Mitigation - T1003\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Credential Dumping Mitigation - T1003\""],"Credentials in Files Mitigation - T1081":["misp-galaxy:mitre-course-of-action=\"Credentials in Files Mitigation - T1081\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Credentials in Files Mitigation - T1081\""],"Credentials in Registry Mitigation - T1214":["misp-galaxy:mitre-course-of-action=\"Credentials in Registry Mitigation - T1214\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Credentials in Registry Mitigation - T1214\""],"Custom Command and Control Protocol Mitigation - T1094":["misp-galaxy:mitre-course-of-action=\"Custom Command and Control Protocol Mitigation - T1094\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Custom Command and Control Protocol Mitigation - T1094\""],"Custom Cryptographic Protocol Mitigation - T1024":["misp-galaxy:mitre-course-of-action=\"Custom Cryptographic Protocol Mitigation - T1024\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Custom Cryptographic Protocol Mitigation - T1024\""],"DCShadow Mitigation - T1207":["misp-galaxy:mitre-course-of-action=\"DCShadow Mitigation - T1207\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"DCShadow Mitigation - T1207\""],"DLL Search Order Hijacking Mitigation - T1038":["misp-galaxy:mitre-course-of-action=\"DLL Search Order Hijacking Mitigation - T1038\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"DLL Search Order Hijacking Mitigation - T1038\""],"DLL Side-Loading Mitigation - T1073":["misp-galaxy:mitre-course-of-action=\"DLL Side-Loading Mitigation - T1073\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"DLL Side-Loading Mitigation - T1073\""],"Data Compressed Mitigation - T1002":["misp-galaxy:mitre-course-of-action=\"Data Compressed Mitigation - T1002\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Compressed Mitigation - T1002\""],"Data Destruction Mitigation - T1488":["misp-galaxy:mitre-course-of-action=\"Data Destruction Mitigation - T1488\""],"Data Encoding Mitigation - T1132":["misp-galaxy:mitre-course-of-action=\"Data Encoding Mitigation - T1132\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Encoding Mitigation - T1132\""],"Data Encrypted Mitigation - T1022":["misp-galaxy:mitre-course-of-action=\"Data Encrypted Mitigation - T1022\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Encrypted Mitigation - T1022\""],"Data Encrypted for Impact Mitigation - T1486":["misp-galaxy:mitre-course-of-action=\"Data Encrypted for Impact Mitigation - T1486\""],"Data Obfuscation Mitigation - T1001":["misp-galaxy:mitre-course-of-action=\"Data Obfuscation Mitigation - T1001\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Obfuscation Mitigation - T1001\""],"Data Staged Mitigation - T1074":["misp-galaxy:mitre-course-of-action=\"Data Staged Mitigation - T1074\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Staged Mitigation - T1074\""],"Data Transfer Size Limits Mitigation - T1030":["misp-galaxy:mitre-course-of-action=\"Data Transfer Size Limits Mitigation - T1030\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data Transfer Size Limits Mitigation - T1030\""],"Data from Information Repositories Mitigation - T1213":["misp-galaxy:mitre-course-of-action=\"Data from Information Repositories Mitigation - T1213\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data from Information Repositories Mitigation - T1213\""],"Data from Local System Mitigation - T1005":["misp-galaxy:mitre-course-of-action=\"Data from Local System Mitigation - T1005\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data from Local System Mitigation - T1005\""],"Data from Network Shared Drive Mitigation - T1039":["misp-galaxy:mitre-course-of-action=\"Data from Network Shared Drive Mitigation - T1039\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data from Network Shared Drive Mitigation - T1039\""],"Data from Removable Media Mitigation - T1025":["misp-galaxy:mitre-course-of-action=\"Data from Removable Media Mitigation - T1025\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Data from Removable Media Mitigation - T1025\""],"Defacement Mitigation - T1491":["misp-galaxy:mitre-course-of-action=\"Defacement Mitigation - T1491\""],"Deobfuscate\/Decode Files or Information Mitigation - T1140":["misp-galaxy:mitre-course-of-action=\"Deobfuscate\/Decode Files or Information Mitigation - T1140\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Deobfuscate\/Decode Files or Information Mitigation - T1140\""],"Deploy Compromised Device Detection Method - M1010":["misp-galaxy:mitre-course-of-action=\"Deploy Compromised Device Detection Method - M1010\""],"Disabling Security Tools Mitigation - T1089":["misp-galaxy:mitre-course-of-action=\"Disabling Security Tools Mitigation - T1089\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Disabling Security Tools Mitigation - T1089\""],"Distributed Component Object Model Mitigation - T1175":["misp-galaxy:mitre-course-of-action=\"Distributed Component Object Model Mitigation - T1175\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Distributed Component Object Model Mitigation - T1175\""],"Domain Fronting Mitigation - T1172":["misp-galaxy:mitre-course-of-action=\"Domain Fronting Mitigation - T1172\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Domain Fronting Mitigation - T1172\""],"Domain Generation Algorithms Mitigation - T1483":["misp-galaxy:mitre-course-of-action=\"Domain Generation Algorithms Mitigation - T1483\""],"Domain Trust Discovery Mitigation - T1482":["misp-galaxy:mitre-course-of-action=\"Domain Trust Discovery Mitigation - T1482\""],"Drive-by Compromise Mitigation - T1189":["misp-galaxy:mitre-course-of-action=\"Drive-by Compromise Mitigation - T1189\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Drive-by Compromise Mitigation - T1189\""],"Dylib Hijacking Mitigation - T1157":["misp-galaxy:mitre-course-of-action=\"Dylib Hijacking Mitigation - T1157\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Dylib Hijacking Mitigation - T1157\""],"Dynamic Data Exchange Mitigation - T1173":["misp-galaxy:mitre-course-of-action=\"Dynamic Data Exchange Mitigation - T1173\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Dynamic Data Exchange Mitigation - T1173\""],"Email Collection Mitigation - T1114":["misp-galaxy:mitre-course-of-action=\"Email Collection Mitigation - T1114\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Email Collection Mitigation - T1114\""],"Encrypt Network Traffic - M1009":["misp-galaxy:mitre-course-of-action=\"Encrypt Network Traffic - M1009\""],"Endpoint Denial of Service Mitigation - T1499":["misp-galaxy:mitre-course-of-action=\"Endpoint Denial of Service Mitigation - T1499\""],"Enterprise Policy - M1012":["misp-galaxy:mitre-course-of-action=\"Enterprise Policy - M1012\""],"Environmental Keying Mitigation - T1480":["misp-galaxy:mitre-course-of-action=\"Environmental Keying Mitigation - T1480\""],"Execution through API Mitigation - T1106":["misp-galaxy:mitre-course-of-action=\"Execution through API Mitigation - T1106\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Execution through API Mitigation - T1106\""],"Execution through Module Load Mitigation - T1129":["misp-galaxy:mitre-course-of-action=\"Execution through Module Load Mitigation - T1129\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Execution through Module Load Mitigation - T1129\""],"Exfiltration Over Alternative Protocol Mitigation - T1048":["misp-galaxy:mitre-course-of-action=\"Exfiltration Over Alternative Protocol Mitigation - T1048\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exfiltration Over Alternative Protocol Mitigation - T1048\""],"Exfiltration Over Command and Control Channel Mitigation - T1041":["misp-galaxy:mitre-course-of-action=\"Exfiltration Over Command and Control Channel Mitigation - T1041\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exfiltration Over Command and Control Channel Mitigation - T1041\""],"Exfiltration Over Other Network Medium Mitigation - T1011":["misp-galaxy:mitre-course-of-action=\"Exfiltration Over Other Network Medium Mitigation - T1011\""],"Exfiltration Over Physical Medium Mitigation - T1052":["misp-galaxy:mitre-course-of-action=\"Exfiltration Over Physical Medium Mitigation - T1052\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exfiltration Over Physical Medium Mitigation - T1052\""],"Exploit Public-Facing Application Mitigation - T1190":["misp-galaxy:mitre-course-of-action=\"Exploit Public-Facing Application Mitigation - T1190\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploit Public-Facing Application Mitigation - T1190\""],"Exploitation for Client Execution Mitigation - T1203":["misp-galaxy:mitre-course-of-action=\"Exploitation for Client Execution Mitigation - T1203\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploitation for Client Execution Mitigation - T1203\""],"Exploitation for Credential Access Mitigation - T1212":["misp-galaxy:mitre-course-of-action=\"Exploitation for Credential Access Mitigation - T1212\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploitation for Credential Access Mitigation - T1212\""],"Exploitation for Defense Evasion Mitigation - T1211":["misp-galaxy:mitre-course-of-action=\"Exploitation for Defense Evasion Mitigation - T1211\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploitation for Defense Evasion Mitigation - T1211\""],"Exploitation for Privilege Escalation Mitigation - T1068":["misp-galaxy:mitre-course-of-action=\"Exploitation for Privilege Escalation Mitigation - T1068\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploitation for Privilege Escalation Mitigation - T1068\""],"Exploitation of Remote Services Mitigation - T1210":["misp-galaxy:mitre-course-of-action=\"Exploitation of Remote Services Mitigation - T1210\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Exploitation of Remote Services Mitigation - T1210\""],"External Remote Services Mitigation - T1133":["misp-galaxy:mitre-course-of-action=\"External Remote Services Mitigation - T1133\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"External Remote Services Mitigation - T1133\""],"Extra Window Memory Injection Mitigation - T1181":["misp-galaxy:mitre-course-of-action=\"Extra Window Memory Injection Mitigation - T1181\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Extra Window Memory Injection Mitigation - T1181\""],"Fallback Channels Mitigation - T1008":["misp-galaxy:mitre-course-of-action=\"Fallback Channels Mitigation - T1008\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Fallback Channels Mitigation - T1008\""],"File Deletion Mitigation - T1107":["misp-galaxy:mitre-course-of-action=\"File Deletion Mitigation - T1107\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"File Deletion Mitigation - T1107\""],"File Permissions Modification Mitigation - T1222":["misp-galaxy:mitre-course-of-action=\"File Permissions Modification Mitigation - T1222\""],"File System Logical Offsets Mitigation - T1006":["misp-galaxy:mitre-course-of-action=\"File System Logical Offsets Mitigation - T1006\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"File System Logical Offsets Mitigation - T1006\""],"File System Permissions Weakness Mitigation - T1044":["misp-galaxy:mitre-course-of-action=\"File System Permissions Weakness Mitigation - T1044\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"File System Permissions Weakness Mitigation - T1044\""],"File and Directory Discovery Mitigation - T1083":["misp-galaxy:mitre-course-of-action=\"File and Directory Discovery Mitigation - T1083\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"File and Directory Discovery Mitigation - T1083\""],"Firmware Corruption Mitigation - T1495":["misp-galaxy:mitre-course-of-action=\"Firmware Corruption Mitigation - T1495\""],"Forced Authentication Mitigation - T1187":["misp-galaxy:mitre-course-of-action=\"Forced Authentication Mitigation - T1187\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Forced Authentication Mitigation - T1187\""],"Gatekeeper Bypass Mitigation - T1144":["misp-galaxy:mitre-course-of-action=\"Gatekeeper Bypass Mitigation - T1144\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Gatekeeper Bypass Mitigation - T1144\""],"Graphical User Interface Mitigation - T1061":["misp-galaxy:mitre-course-of-action=\"Graphical User Interface Mitigation - T1061\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Graphical User Interface Mitigation - T1061\""],"Group Policy Modification Mitigation - T1484":["misp-galaxy:mitre-course-of-action=\"Group Policy Modification Mitigation - T1484\""],"HISTCONTROL Mitigation - T1148":["misp-galaxy:mitre-course-of-action=\"HISTCONTROL Mitigation - T1148\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"HISTCONTROL Mitigation - T1148\""],"Hardware Additions Mitigation - T1200":["misp-galaxy:mitre-course-of-action=\"Hardware Additions Mitigation - T1200\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hardware Additions Mitigation - T1200\""],"Hidden Files and Directories Mitigation - T1158":["misp-galaxy:mitre-course-of-action=\"Hidden Files and Directories Mitigation - T1158\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hidden Files and Directories Mitigation - T1158\""],"Hidden Users Mitigation - T1147":["misp-galaxy:mitre-course-of-action=\"Hidden Users Mitigation - T1147\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hidden Users Mitigation - T1147\""],"Hidden Window Mitigation - T1143":["misp-galaxy:mitre-course-of-action=\"Hidden Window Mitigation - T1143\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hidden Window Mitigation - T1143\""],"Hooking Mitigation - T1179":["misp-galaxy:mitre-course-of-action=\"Hooking Mitigation - T1179\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hooking Mitigation - T1179\""],"Hypervisor Mitigation - T1062":["misp-galaxy:mitre-course-of-action=\"Hypervisor Mitigation - T1062\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Hypervisor Mitigation - T1062\""],"Image File Execution Options Injection Mitigation - T1183":["misp-galaxy:mitre-course-of-action=\"Image File Execution Options Injection Mitigation - T1183\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Image File Execution Options Injection Mitigation - T1183\""],"Indicator Blocking Mitigation - T1054":["misp-galaxy:mitre-course-of-action=\"Indicator Blocking Mitigation - T1054\""],"Indicator Removal from Tools Mitigation - T1066":["misp-galaxy:mitre-course-of-action=\"Indicator Removal from Tools Mitigation - T1066\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Indicator Removal from Tools Mitigation - T1066\""],"Indicator Removal on Host Mitigation - T1070":["misp-galaxy:mitre-course-of-action=\"Indicator Removal on Host Mitigation - T1070\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Indicator Removal on Host Mitigation - T1070\""],"Indirect Command Execution Mitigation - T1202":["misp-galaxy:mitre-course-of-action=\"Indirect Command Execution Mitigation - T1202\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Indirect Command Execution Mitigation - T1202\""],"Inhibit System Recovery Mitigation - T1490":["misp-galaxy:mitre-course-of-action=\"Inhibit System Recovery Mitigation - T1490\""],"Input Capture Mitigation - T1056":["misp-galaxy:mitre-course-of-action=\"Input Capture Mitigation - T1056\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Input Capture Mitigation - T1056\""],"Input Prompt Mitigation - T1141":["misp-galaxy:mitre-course-of-action=\"Input Prompt Mitigation - T1141\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Input Prompt Mitigation - T1141\""],"Install Root Certificate Mitigation - T1130":["misp-galaxy:mitre-course-of-action=\"Install Root Certificate Mitigation - T1130\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Install Root Certificate Mitigation - T1130\""],"InstallUtil Mitigation - T1118":["misp-galaxy:mitre-course-of-action=\"InstallUtil Mitigation - T1118\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"InstallUtil Mitigation - T1118\""],"Interconnection Filtering - M1014":["misp-galaxy:mitre-course-of-action=\"Interconnection Filtering - M1014\""],"Kerberoasting Mitigation - T1208":["misp-galaxy:mitre-course-of-action=\"Kerberoasting Mitigation - T1208\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Kerberoasting Mitigation - T1208\""],"Kernel Modules and Extensions Mitigation - T1215":["misp-galaxy:mitre-course-of-action=\"Kernel Modules and Extensions Mitigation - T1215\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Kernel Modules and Extensions Mitigation - T1215\""],"Keychain Mitigation - T1142":["misp-galaxy:mitre-course-of-action=\"Keychain Mitigation - T1142\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Keychain Mitigation - T1142\""],"LC_LOAD_DYLIB Addition Mitigation - T1161":["misp-galaxy:mitre-course-of-action=\"LC_LOAD_DYLIB Addition Mitigation - T1161\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"LC_LOAD_DYLIB Addition Mitigation - T1161\""],"LC_MAIN Hijacking Mitigation - T1149":["misp-galaxy:mitre-course-of-action=\"LC_MAIN Hijacking Mitigation - T1149\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"LC_MAIN Hijacking Mitigation - T1149\""],"LLMNR\/NBT-NS Poisoning Mitigation - T1171":["misp-galaxy:mitre-course-of-action=\"LLMNR\/NBT-NS Poisoning Mitigation - T1171\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"LLMNR\/NBT-NS Poisoning Mitigation - T1171\""],"LSASS Driver Mitigation - T1177":["misp-galaxy:mitre-course-of-action=\"LSASS Driver Mitigation - T1177\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"LSASS Driver Mitigation - T1177\""],"Launch Agent Mitigation - T1159":["misp-galaxy:mitre-course-of-action=\"Launch Agent Mitigation - T1159\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Launch Agent Mitigation - T1159\""],"Launch Daemon Mitigation - T1160":["misp-galaxy:mitre-course-of-action=\"Launch Daemon Mitigation - T1160\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Launch Daemon Mitigation - T1160\""],"Launchctl Mitigation - T1152":["misp-galaxy:mitre-course-of-action=\"Launchctl Mitigation - T1152\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Launchctl Mitigation - T1152\""],"Local Job Scheduling Mitigation - T1168":["misp-galaxy:mitre-course-of-action=\"Local Job Scheduling Mitigation - T1168\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Local Job Scheduling Mitigation - T1168\""],"Lock Bootloader - M1003":["misp-galaxy:mitre-course-of-action=\"Lock Bootloader - M1003\""],"Login Item Mitigation - T1162":["misp-galaxy:mitre-course-of-action=\"Login Item Mitigation - T1162\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Login Item Mitigation - T1162\""],"Logon Scripts Mitigation - T1037":["misp-galaxy:mitre-course-of-action=\"Logon Scripts Mitigation - T1037\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Logon Scripts Mitigation - T1037\""],"Man in the Browser Mitigation - T1185":["misp-galaxy:mitre-course-of-action=\"Man in the Browser Mitigation - T1185\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Man in the Browser Mitigation - T1185\""],"Masquerading Mitigation - T1036":["misp-galaxy:mitre-course-of-action=\"Masquerading Mitigation - T1036\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Masquerading Mitigation - T1036\""],"Modify Existing Service Mitigation - T1031":["misp-galaxy:mitre-course-of-action=\"Modify Existing Service Mitigation - T1031\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Modify Existing Service Mitigation - T1031\""],"Modify Registry Mitigation - T1112":["misp-galaxy:mitre-course-of-action=\"Modify Registry Mitigation - T1112\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Modify Registry Mitigation - T1112\""],"Mshta Mitigation - T1170":["misp-galaxy:mitre-course-of-action=\"Mshta Mitigation - T1170\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Mshta Mitigation - T1170\""],"Multi-Stage Channels Mitigation - T1104":["misp-galaxy:mitre-course-of-action=\"Multi-Stage Channels Mitigation - T1104\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Multi-Stage Channels Mitigation - T1104\""],"Multi-hop Proxy Mitigation - T1188":["misp-galaxy:mitre-course-of-action=\"Multi-hop Proxy Mitigation - T1188\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Multi-hop Proxy Mitigation - T1188\""],"Multiband Communication Mitigation - T1026":["misp-galaxy:mitre-course-of-action=\"Multiband Communication Mitigation - T1026\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Multiband Communication Mitigation - T1026\""],"Multilayer Encryption Mitigation - T1079":["misp-galaxy:mitre-course-of-action=\"Multilayer Encryption Mitigation - T1079\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Multilayer Encryption Mitigation - T1079\""],"NTFS File Attributes Mitigation - T1096":["misp-galaxy:mitre-course-of-action=\"NTFS File Attributes Mitigation - T1096\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"NTFS File Attributes Mitigation - T1096\""],"Netsh Helper DLL Mitigation - T1128":["misp-galaxy:mitre-course-of-action=\"Netsh Helper DLL Mitigation - T1128\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Netsh Helper DLL Mitigation - T1128\""],"Network Denial of Service Mitigation - T1498":["misp-galaxy:mitre-course-of-action=\"Network Denial of Service Mitigation - T1498\""],"Network Service Scanning Mitigation - T1046":["misp-galaxy:mitre-course-of-action=\"Network Service Scanning Mitigation - T1046\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Network Service Scanning Mitigation - T1046\""],"Network Share Connection Removal Mitigation - T1126":["misp-galaxy:mitre-course-of-action=\"Network Share Connection Removal Mitigation - T1126\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Network Share Connection Removal Mitigation - T1126\""],"Network Share Discovery Mitigation - T1135":["misp-galaxy:mitre-course-of-action=\"Network Share Discovery Mitigation - T1135\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Network Share Discovery Mitigation - T1135\""],"Network Sniffing Mitigation - T1040":["misp-galaxy:mitre-course-of-action=\"Network Sniffing Mitigation - T1040\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Network Sniffing Mitigation - T1040\""],"New Service Mitigation - T1050":["misp-galaxy:mitre-course-of-action=\"New Service Mitigation - T1050\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"New Service Mitigation - T1050\""],"Obfuscated Files or Information Mitigation - T1027":["misp-galaxy:mitre-course-of-action=\"Obfuscated Files or Information Mitigation - T1027\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Obfuscated Files or Information Mitigation - T1027\""],"Office Application Startup Mitigation - T1137":["misp-galaxy:mitre-course-of-action=\"Office Application Startup Mitigation - T1137\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Office Application Startup Mitigation - T1137\""],"Pass the Hash Mitigation - T1075":["misp-galaxy:mitre-course-of-action=\"Pass the Hash Mitigation - T1075\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Pass the Hash Mitigation - T1075\""],"Pass the Ticket Mitigation - T1097":["misp-galaxy:mitre-course-of-action=\"Pass the Ticket Mitigation - T1097\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Pass the Ticket Mitigation - T1097\""],"Password Filter DLL Mitigation - T1174":["misp-galaxy:mitre-course-of-action=\"Password Filter DLL Mitigation - T1174\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Password Filter DLL Mitigation - T1174\""],"Password Policy Discovery Mitigation - T1201":["misp-galaxy:mitre-course-of-action=\"Password Policy Discovery Mitigation - T1201\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Password Policy Discovery Mitigation - T1201\""],"Path Interception Mitigation - T1034":["misp-galaxy:mitre-course-of-action=\"Path Interception Mitigation - T1034\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Path Interception Mitigation - T1034\""],"Peripheral Device Discovery Mitigation - T1120":["misp-galaxy:mitre-course-of-action=\"Peripheral Device Discovery Mitigation - T1120\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Peripheral Device Discovery Mitigation - T1120\""],"Permission Groups Discovery Mitigation - T1069":["misp-galaxy:mitre-course-of-action=\"Permission Groups Discovery Mitigation - T1069\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Permission Groups Discovery Mitigation - T1069\""],"Plist Modification Mitigation - T1150":["misp-galaxy:mitre-course-of-action=\"Plist Modification Mitigation - T1150\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Plist Modification Mitigation - T1150\""],"Port Knocking Mitigation - T1205":["misp-galaxy:mitre-course-of-action=\"Port Knocking Mitigation - T1205\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Port Knocking Mitigation - T1205\""],"Port Monitors Mitigation - T1013":["misp-galaxy:mitre-course-of-action=\"Port Monitors Mitigation - T1013\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Port Monitors Mitigation - T1013\""],"PowerShell Mitigation - T1086":["misp-galaxy:mitre-course-of-action=\"PowerShell Mitigation - T1086\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"PowerShell Mitigation - T1086\""],"Private Keys Mitigation - T1145":["misp-galaxy:mitre-course-of-action=\"Private Keys Mitigation - T1145\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Private Keys Mitigation - T1145\""],"Process Discovery Mitigation - T1057":["misp-galaxy:mitre-course-of-action=\"Process Discovery Mitigation - T1057\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Process Discovery Mitigation - T1057\""],"Process Doppelg\u00e4nging Mitigation - T1186":["misp-galaxy:mitre-course-of-action=\"Process Doppelg\u00e4nging Mitigation - T1186\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Process Doppelg\u00e4nging Mitigation - T1186\""],"Process Hollowing Mitigation - T1093":["misp-galaxy:mitre-course-of-action=\"Process Hollowing Mitigation - T1093\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Process Hollowing Mitigation - T1093\""],"Process Injection Mitigation - T1055":["misp-galaxy:mitre-course-of-action=\"Process Injection Mitigation - T1055\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Process Injection Mitigation - T1055\""],"Query Registry Mitigation - T1012":["misp-galaxy:mitre-course-of-action=\"Query Registry Mitigation - T1012\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Query Registry Mitigation - T1012\""],"Rc.common Mitigation - T1163":["misp-galaxy:mitre-course-of-action=\"Rc.common Mitigation - T1163\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Rc.common Mitigation - T1163\""],"Re-opened Applications Mitigation - T1164":["misp-galaxy:mitre-course-of-action=\"Re-opened Applications Mitigation - T1164\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Re-opened Applications Mitigation - T1164\""],"Redundant Access Mitigation - T1108":["misp-galaxy:mitre-course-of-action=\"Redundant Access Mitigation - T1108\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Redundant Access Mitigation - T1108\""],"Registry Run Keys \/ Startup Folder Mitigation - T1060":["misp-galaxy:mitre-course-of-action=\"Registry Run Keys \/ Startup Folder Mitigation - T1060\""],"Regsvcs\/Regasm Mitigation - T1121":["misp-galaxy:mitre-course-of-action=\"Regsvcs\/Regasm Mitigation - T1121\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Regsvcs\/Regasm Mitigation - T1121\""],"Regsvr32 Mitigation - T1117":["misp-galaxy:mitre-course-of-action=\"Regsvr32 Mitigation - T1117\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Regsvr32 Mitigation - T1117\""],"Remote Access Tools Mitigation - T1219":["misp-galaxy:mitre-course-of-action=\"Remote Access Tools Mitigation - T1219\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Remote Access Tools Mitigation - T1219\""],"Remote Desktop Protocol Mitigation - T1076":["misp-galaxy:mitre-course-of-action=\"Remote Desktop Protocol Mitigation - T1076\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Remote Desktop Protocol Mitigation - T1076\""],"Remote File Copy Mitigation - T1105":["misp-galaxy:mitre-course-of-action=\"Remote File Copy Mitigation - T1105\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Remote File Copy Mitigation - T1105\""],"Remote Services Mitigation - T1021":["misp-galaxy:mitre-course-of-action=\"Remote Services Mitigation - T1021\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Remote Services Mitigation - T1021\""],"Remote System Discovery Mitigation - T1018":["misp-galaxy:mitre-course-of-action=\"Remote System Discovery Mitigation - T1018\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Remote System Discovery Mitigation - T1018\""],"Replication Through Removable Media Mitigation - T1091":["misp-galaxy:mitre-course-of-action=\"Replication Through Removable Media Mitigation - T1091\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Replication Through Removable Media Mitigation - T1091\""],"Resource Hijacking Mitigation - T1496":["misp-galaxy:mitre-course-of-action=\"Resource Hijacking Mitigation - T1496\""],"Rootkit Mitigation - T1014":["misp-galaxy:mitre-course-of-action=\"Rootkit Mitigation - T1014\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Rootkit Mitigation - T1014\""],"Rundll32 Mitigation - T1085":["misp-galaxy:mitre-course-of-action=\"Rundll32 Mitigation - T1085\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Rundll32 Mitigation - T1085\""],"Runtime Data Manipulation Mitigation - T1494":["misp-galaxy:mitre-course-of-action=\"Runtime Data Manipulation Mitigation - T1494\""],"SID-History Injection Mitigation - T1178":["misp-galaxy:mitre-course-of-action=\"SID-History Injection Mitigation - T1178\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"SID-History Injection Mitigation - T1178\""],"SIP and Trust Provider Hijacking Mitigation - T1198":["misp-galaxy:mitre-course-of-action=\"SIP and Trust Provider Hijacking Mitigation - T1198\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"SIP and Trust Provider Hijacking Mitigation - T1198\""],"SSH Hijacking Mitigation - T1184":["misp-galaxy:mitre-course-of-action=\"SSH Hijacking Mitigation - T1184\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"SSH Hijacking Mitigation - T1184\""],"Scheduled Task Mitigation - T1053":["misp-galaxy:mitre-course-of-action=\"Scheduled Task Mitigation - T1053\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Scheduled Task Mitigation - T1053\""],"Scheduled Transfer Mitigation - T1029":["misp-galaxy:mitre-course-of-action=\"Scheduled Transfer Mitigation - T1029\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Scheduled Transfer Mitigation - T1029\""],"Screen Capture Mitigation - T1113":["misp-galaxy:mitre-course-of-action=\"Screen Capture Mitigation - T1113\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Screen Capture Mitigation - T1113\""],"Screensaver Mitigation - T1180":["misp-galaxy:mitre-course-of-action=\"Screensaver Mitigation - T1180\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Screensaver Mitigation - T1180\""],"Scripting Mitigation - T1064":["misp-galaxy:mitre-course-of-action=\"Scripting Mitigation - T1064\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Scripting Mitigation - T1064\""],"Security Software Discovery Mitigation - T1063":["misp-galaxy:mitre-course-of-action=\"Security Software Discovery Mitigation - T1063\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Security Software Discovery Mitigation - T1063\""],"Security Support Provider Mitigation - T1101":["misp-galaxy:mitre-course-of-action=\"Security Support Provider Mitigation - T1101\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Security Support Provider Mitigation - T1101\""],"Security Updates - M1001":["misp-galaxy:mitre-course-of-action=\"Security Updates - M1001\""],"Service Execution Mitigation - T1035":["misp-galaxy:mitre-course-of-action=\"Service Execution Mitigation - T1035\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Service Execution Mitigation - T1035\""],"Service Registry Permissions Weakness Mitigation - T1058":["misp-galaxy:mitre-course-of-action=\"Service Registry Permissions Weakness Mitigation - T1058\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Service Registry Permissions Weakness Mitigation - T1058\""],"Service Stop Mitigation - T1489":["misp-galaxy:mitre-course-of-action=\"Service Stop Mitigation - T1489\""],"Setuid and Setgid Mitigation - T1166":["misp-galaxy:mitre-course-of-action=\"Setuid and Setgid Mitigation - T1166\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Setuid and Setgid Mitigation - T1166\""],"Shared Webroot Mitigation - T1051":["misp-galaxy:mitre-course-of-action=\"Shared Webroot Mitigation - T1051\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Shared Webroot Mitigation - T1051\""],"Shortcut Modification Mitigation - T1023":["misp-galaxy:mitre-course-of-action=\"Shortcut Modification Mitigation - T1023\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Shortcut Modification Mitigation - T1023\""],"Signed Binary Proxy Execution Mitigation - T1218":["misp-galaxy:mitre-course-of-action=\"Signed Binary Proxy Execution Mitigation - T1218\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Signed Binary Proxy Execution Mitigation - T1218\""],"Signed Script Proxy Execution Mitigation - T1216":["misp-galaxy:mitre-course-of-action=\"Signed Script Proxy Execution Mitigation - T1216\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Signed Script Proxy Execution Mitigation - T1216\""],"Software Packing Mitigation - T1045":["misp-galaxy:mitre-course-of-action=\"Software Packing Mitigation - T1045\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Software Packing Mitigation - T1045\""],"Source Mitigation - T1153":["misp-galaxy:mitre-course-of-action=\"Source Mitigation - T1153\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Source Mitigation - T1153\""],"Space after Filename Mitigation - T1151":["misp-galaxy:mitre-course-of-action=\"Space after Filename Mitigation - T1151\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Space after Filename Mitigation - T1151\""],"Spearphishing Attachment Mitigation - T1193":["misp-galaxy:mitre-course-of-action=\"Spearphishing Attachment Mitigation - T1193\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Spearphishing Attachment Mitigation - T1193\""],"Spearphishing Link Mitigation - T1192":["misp-galaxy:mitre-course-of-action=\"Spearphishing Link Mitigation - T1192\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Spearphishing Link Mitigation - T1192\""],"Spearphishing via Service Mitigation - T1194":["misp-galaxy:mitre-course-of-action=\"Spearphishing via Service Mitigation - T1194\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Spearphishing via Service Mitigation - T1194\""],"Standard Application Layer Protocol Mitigation - T1071":["misp-galaxy:mitre-course-of-action=\"Standard Application Layer Protocol Mitigation - T1071\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Standard Application Layer Protocol Mitigation - T1071\""],"Standard Cryptographic Protocol Mitigation - T1032":["misp-galaxy:mitre-course-of-action=\"Standard Cryptographic Protocol Mitigation - T1032\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Standard Cryptographic Protocol Mitigation - T1032\""],"Standard Non-Application Layer Protocol Mitigation - T1095":["misp-galaxy:mitre-course-of-action=\"Standard Non-Application Layer Protocol Mitigation - T1095\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Standard Non-Application Layer Protocol Mitigation - T1095\""],"Startup Items Mitigation - T1165":["misp-galaxy:mitre-course-of-action=\"Startup Items Mitigation - T1165\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Startup Items Mitigation - T1165\""],"Stored Data Manipulation Mitigation - T1492":["misp-galaxy:mitre-course-of-action=\"Stored Data Manipulation Mitigation - T1492\""],"Sudo Caching Mitigation - T1206":["misp-galaxy:mitre-course-of-action=\"Sudo Caching Mitigation - T1206\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Sudo Caching Mitigation - T1206\""],"Sudo Mitigation - T1169":["misp-galaxy:mitre-course-of-action=\"Sudo Mitigation - T1169\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Sudo Mitigation - T1169\""],"Supply Chain Compromise Mitigation - T1195":["misp-galaxy:mitre-course-of-action=\"Supply Chain Compromise Mitigation - T1195\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Supply Chain Compromise Mitigation - T1195\""],"System Firmware Mitigation - T1019":["misp-galaxy:mitre-course-of-action=\"System Firmware Mitigation - T1019\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Firmware Mitigation - T1019\""],"System Information Discovery Mitigation - T1082":["misp-galaxy:mitre-course-of-action=\"System Information Discovery Mitigation - T1082\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Information Discovery Mitigation - T1082\""],"System Network Configuration Discovery Mitigation - T1016":["misp-galaxy:mitre-course-of-action=\"System Network Configuration Discovery Mitigation - T1016\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Network Configuration Discovery Mitigation - T1016\""],"System Network Connections Discovery Mitigation - T1049":["misp-galaxy:mitre-course-of-action=\"System Network Connections Discovery Mitigation - T1049\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Network Connections Discovery Mitigation - T1049\""],"System Owner\/User Discovery Mitigation - T1033":["misp-galaxy:mitre-course-of-action=\"System Owner\/User Discovery Mitigation - T1033\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Owner\/User Discovery Mitigation - T1033\""],"System Owner\/User Discovery Mitigation - T1482":["misp-galaxy:mitre-course-of-action=\"System Owner\/User Discovery Mitigation - T1482\""],"System Partition Integrity - M1004":["misp-galaxy:mitre-course-of-action=\"System Partition Integrity - M1004\""],"System Service Discovery Mitigation - T1007":["misp-galaxy:mitre-course-of-action=\"System Service Discovery Mitigation - T1007\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Service Discovery Mitigation - T1007\""],"System Time Discovery Mitigation - T1124":["misp-galaxy:mitre-course-of-action=\"System Time Discovery Mitigation - T1124\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"System Time Discovery Mitigation - T1124\""],"Systemd Service Mitigation - T1501":["misp-galaxy:mitre-course-of-action=\"Systemd Service Mitigation - T1501\""],"Taint Shared Content Mitigation - T1080":["misp-galaxy:mitre-course-of-action=\"Taint Shared Content Mitigation - T1080\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Taint Shared Content Mitigation - T1080\""],"Template Injection Mitigation - T1221":["misp-galaxy:mitre-course-of-action=\"Template Injection Mitigation - T1221\""],"Third-party Software Mitigation - T1072":["misp-galaxy:mitre-course-of-action=\"Third-party Software Mitigation - T1072\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Third-party Software Mitigation - T1072\""],"Time Providers Mitigation - T1209":["misp-galaxy:mitre-course-of-action=\"Time Providers Mitigation - T1209\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Time Providers Mitigation - T1209\""],"Timestomp Mitigation - T1099":["misp-galaxy:mitre-course-of-action=\"Timestomp Mitigation - T1099\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Timestomp Mitigation - T1099\""],"Transmitted Data Manipulation Mitigation - T1493":["misp-galaxy:mitre-course-of-action=\"Transmitted Data Manipulation Mitigation - T1493\""],"Trap Mitigation - T1154":["misp-galaxy:mitre-course-of-action=\"Trap Mitigation - T1154\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Trap Mitigation - T1154\""],"Trusted Developer Utilities Mitigation - T1127":["misp-galaxy:mitre-course-of-action=\"Trusted Developer Utilities Mitigation - T1127\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Trusted Developer Utilities Mitigation - T1127\""],"Trusted Relationship Mitigation - T1199":["misp-galaxy:mitre-course-of-action=\"Trusted Relationship Mitigation - T1199\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Trusted Relationship Mitigation - T1199\""],"Two-Factor Authentication Interception Mitigation - T1111":["misp-galaxy:mitre-course-of-action=\"Two-Factor Authentication Interception Mitigation - T1111\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Two-Factor Authentication Interception Mitigation - T1111\""],"Uncommonly Used Port Mitigation - T1065":["misp-galaxy:mitre-course-of-action=\"Uncommonly Used Port Mitigation - T1065\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Uncommonly Used Port Mitigation - T1065\""],"Use Device-Provided Credential Storage - M1008":["misp-galaxy:mitre-course-of-action=\"Use Device-Provided Credential Storage - M1008\""],"Use Recent OS Version - M1006":["misp-galaxy:mitre-course-of-action=\"Use Recent OS Version - M1006\""],"User Execution Mitigation - T1204":["misp-galaxy:mitre-course-of-action=\"User Execution Mitigation - T1204\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"User Execution Mitigation - T1204\""],"User Guidance - M1011":["misp-galaxy:mitre-course-of-action=\"User Guidance - M1011\""],"Valid Accounts Mitigation - T1078":["misp-galaxy:mitre-course-of-action=\"Valid Accounts Mitigation - T1078\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Valid Accounts Mitigation - T1078\""],"Video Capture Mitigation - T1125":["misp-galaxy:mitre-course-of-action=\"Video Capture Mitigation - T1125\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Video Capture Mitigation - T1125\""],"Virtualization\/Sandbox Evasion Mitigation - T1497":["misp-galaxy:mitre-course-of-action=\"Virtualization\/Sandbox Evasion Mitigation - T1497\""],"Web Service Mitigation - T1102":["misp-galaxy:mitre-course-of-action=\"Web Service Mitigation - T1102\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Web Service Mitigation - T1102\""],"Web Shell Mitigation - T1100":["misp-galaxy:mitre-course-of-action=\"Web Shell Mitigation - T1100\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Web Shell Mitigation - T1100\""],"Windows Admin Shares Mitigation - T1077":["misp-galaxy:mitre-course-of-action=\"Windows Admin Shares Mitigation - T1077\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Windows Admin Shares Mitigation - T1077\""],"Windows Management Instrumentation Event Subscription Mitigation - T1084":["misp-galaxy:mitre-course-of-action=\"Windows Management Instrumentation Event Subscription Mitigation - T1084\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Windows Management Instrumentation Event Subscription Mitigation - T1084\""],"Windows Management Instrumentation Mitigation - T1047":["misp-galaxy:mitre-course-of-action=\"Windows Management Instrumentation Mitigation - T1047\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Windows Management Instrumentation Mitigation - T1047\""],"Windows Remote Management Mitigation - T1028":["misp-galaxy:mitre-course-of-action=\"Windows Remote Management Mitigation - T1028\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Windows Remote Management Mitigation - T1028\""],"Winlogon Helper DLL Mitigation - T1004":["misp-galaxy:mitre-course-of-action=\"Winlogon Helper DLL Mitigation - T1004\"","misp-galaxy:mitre-enterprise-attack-course-of-action=\"Winlogon Helper DLL Mitigation - T1004\""],"XSL Script Processing Mitigation - T1220":["misp-galaxy:mitre-course-of-action=\"XSL Script Processing Mitigation - T1220\""],"Registry Run Keys \/ Start Folder - T1060":["misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Registry Run Keys \/ Start Folder - T1060\""],"Registry Run Keys \/ Start Folder Mitigation - T1060":["misp-galaxy:mitre-enterprise-attack-course-of-action=\"Registry Run Keys \/ Start Folder Mitigation - T1060\""],"APT1 - G0006":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT1 - G0006\""],"APT1":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:threat-actor=\"Comment Crew\""],"Comment Crew":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:threat-actor=\"Comment Crew\""],"Comment Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:threat-actor=\"Comment Crew\""],"Comment Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT1 - G0006\"","misp-galaxy:threat-actor=\"Comment Crew\""],"APT12 - G0005":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\""],"APT12":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:threat-actor=\"IXESHE\""],"IXESHE":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:threat-actor=\"IXESHE\""],"DynCalc":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:threat-actor=\"IXESHE\""],"Numbered Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:threat-actor=\"IXESHE\""],"DNSCALC":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT12 - G0005\""],"APT16 - G0023":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT16 - G0023\"","misp-galaxy:mitre-intrusion-set=\"APT16 - G0023\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT16 - G0023\""],"APT16":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT16 - G0023\"","misp-galaxy:mitre-intrusion-set=\"APT16 - G0023\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT16 - G0023\"","misp-galaxy:threat-actor=\"APT 16\""],"APT17 - G0025":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT17 - G0025\""],"APT17":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT17 - G0025\"","misp-galaxy:threat-actor=\"Aurora Panda\"","misp-galaxy:threat-actor=\"Axiom\""],"Deputy Dog":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-intrusion-set=\"APT17 - G0025\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT17 - G0025\"","misp-galaxy:threat-actor=\"Aurora Panda\"","misp-galaxy:threat-actor=\"Axiom\""],"APT18 - G0026":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT18 - G0026\"","misp-galaxy:mitre-intrusion-set=\"APT18 - G0026\""],"APT18":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT18 - G0026\"","misp-galaxy:mitre-intrusion-set=\"APT18 - G0026\"","misp-galaxy:threat-actor=\"Wekby\""],"Threat Group-0416":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT18 - G0026\"","misp-galaxy:mitre-intrusion-set=\"APT18 - G0026\""],"TG-0416":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT18 - G0026\"","misp-galaxy:mitre-intrusion-set=\"APT18 - G0026\"","misp-galaxy:threat-actor=\"Wekby\""],"Dynamite Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT18 - G0026\"","misp-galaxy:mitre-intrusion-set=\"APT18 - G0026\"","misp-galaxy:threat-actor=\"Wekby\""],"APT28 - G0007":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\""],"Tsar Team":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Threat Group-4127":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28 - G0007\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"APT28 - G0007\""],"APT29 - G0016":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\""],"APT29":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"","misp-galaxy:threat-actor=\"APT 29\""],"The Dukes":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"","misp-galaxy:threat-actor=\"APT 29\""],"Cozy Bear":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"","misp-galaxy:threat-actor=\"APT 29\""],"CozyDuke":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\"","misp-galaxy:threat-actor=\"APT 29\""],"APT3 - G0022":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\""],"APT3":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:threat-actor=\"UPS\""],"Gothic Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:threat-actor=\"UPS\""],"Pirpi":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-enterprise-attack-malware=\"SHOTPUT - S0063\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-malware=\"SHOTPUT - S0063\"","misp-galaxy:tool=\"Pirpi\""],"UPS Team":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:threat-actor=\"UPS\""],"Buckeye":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:threat-actor=\"UPS\""],"Threat Group-0110":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\""],"TG-0110":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT3 - G0022\"","misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"","misp-galaxy:threat-actor=\"UPS\""],"APT30 - G0013":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT30 - G0013\"","misp-galaxy:mitre-intrusion-set=\"APT30 - G0013\""],"APT30":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT30 - G0013\"","misp-galaxy:mitre-intrusion-set=\"APT30 - G0013\"","misp-galaxy:threat-actor=\"APT 30\"","misp-galaxy:threat-actor=\"Naikon\""],"APT32 - G0050":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT32 - G0050\"","misp-galaxy:mitre-intrusion-set=\"APT32 - G0050\""],"APT32":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT32 - G0050\"","misp-galaxy:mitre-intrusion-set=\"APT32 - G0050\"","misp-galaxy:threat-actor=\"APT32\""],"OceanLotus Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT32 - G0050\"","misp-galaxy:threat-actor=\"APT32\""],"APT33 - G0064":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT33 - G0064\"","misp-galaxy:mitre-intrusion-set=\"APT33 - G0064\""],"APT33":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT33 - G0064\"","misp-galaxy:mitre-intrusion-set=\"APT33 - G0064\"","misp-galaxy:threat-actor=\"APT33\"","misp-galaxy:threat-actor=\"MAGNALLIUM\""],"APT34 - G0057":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT34 - G0057\"","misp-galaxy:mitre-intrusion-set=\"APT34 - G0057\""],"APT34":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT34 - G0057\"","misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\"","misp-galaxy:threat-actor=\"APT34\"","misp-galaxy:threat-actor=\"OilRig\""],"APT37 - G0067":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\""],"APT37":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\"","misp-galaxy:threat-actor=\"APT37\""],"ScarCruft":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\"","misp-galaxy:threat-actor=\"ScarCruft\""],"Group123":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\"","misp-galaxy:threat-actor=\"APT37\""],"TEMP.Reaper":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT37 - G0067\"","misp-galaxy:mitre-intrusion-set=\"APT37 - G0067\""],"Axiom - G0001":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Axiom - G0001\"","misp-galaxy:mitre-intrusion-set=\"Axiom - G0001\""],"Axiom":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Axiom - G0001\"","misp-galaxy:mitre-intrusion-set=\"Axiom - G0001\"","misp-galaxy:threat-actor=\"Axiom\""],"Group 72":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Axiom - G0001\"","misp-galaxy:mitre-intrusion-set=\"Axiom - G0001\"","misp-galaxy:threat-actor=\"Axiom\""],"BRONZE BUTLER - G0060":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BRONZE BUTLER - G0060\"","misp-galaxy:mitre-intrusion-set=\"BRONZE BUTLER - G0060\""],"BRONZE BUTLER":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BRONZE BUTLER - G0060\"","misp-galaxy:mitre-intrusion-set=\"BRONZE BUTLER - G0060\""],"REDBALDKNIGHT":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BRONZE BUTLER - G0060\"","misp-galaxy:mitre-intrusion-set=\"BRONZE BUTLER - G0060\""],"Tick":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BRONZE BUTLER - G0060\"","misp-galaxy:mitre-intrusion-set=\"BRONZE BUTLER - G0060\"","misp-galaxy:threat-actor=\"Tick\""],"BlackOasis - G0063":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BlackOasis - G0063\"","misp-galaxy:mitre-intrusion-set=\"BlackOasis - G0063\""],"BlackOasis":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"BlackOasis - G0063\"","misp-galaxy:mitre-intrusion-set=\"BlackOasis - G0063\"","misp-galaxy:threat-actor=\"BlackOasis\"","misp-galaxy:tool=\"FINSPY\""],"Carbanak - G0008":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\""],"Carbon Spider":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"","misp-galaxy:threat-actor=\"Anunak\""],"Charming Kitten - G0058":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Charming Kitten - G0058\"","misp-galaxy:mitre-intrusion-set=\"Charming Kitten - G0058\""],"Charming Kitten":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Charming Kitten - G0058\"","misp-galaxy:mitre-intrusion-set=\"Charming Kitten - G0058\"","misp-galaxy:threat-actor=\"Charming Kitten\""],"Cleaver - G0003":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Cleaver - G0003\""],"Cleaver":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:threat-actor=\"Cleaver\""],"TG-2889":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"Cutting Kitten\""],"Threat Group 2889":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Cleaver - G0003\"","misp-galaxy:threat-actor=\"Cutting Kitten\""],"CopyKittens - G0052":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"CopyKittens - G0052\"","misp-galaxy:mitre-intrusion-set=\"CopyKittens - G0052\""],"CopyKittens":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"CopyKittens - G0052\"","misp-galaxy:mitre-intrusion-set=\"CopyKittens - G0052\"","misp-galaxy:threat-actor=\"CopyKittens\""],"Darkhotel - G0012":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Darkhotel - G0012\"","misp-galaxy:mitre-intrusion-set=\"Darkhotel - G0012\""],"Darkhotel":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Darkhotel - G0012\"","misp-galaxy:mitre-intrusion-set=\"Darkhotel - G0012\""],"Deep Panda - G0009":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\""],"Deep Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Shell Crew\""],"Shell Crew":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Shell Crew\""],"WebMasters":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Shell Crew\""],"KungFu Kittens":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Shell Crew\""],"PinkPanther":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Shell Crew\""],"Black Vine":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:mitre-intrusion-set=\"Deep Panda - G0009\"","misp-galaxy:threat-actor=\"Hurricane Panda\"","misp-galaxy:threat-actor=\"Shell Crew\""],"DragonOK - G0017":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\"","misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\""],"DragonOK":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"DragonOK - G0017\"","misp-galaxy:mitre-intrusion-set=\"DragonOK - G0017\"","misp-galaxy:threat-actor=\"DragonOK\""],"Dragonfly - G0035":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Dragonfly - G0035\"","misp-galaxy:mitre-intrusion-set=\"Dragonfly - G0035\""],"Dragonfly":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Dragonfly - G0035\"","misp-galaxy:mitre-intrusion-set=\"Dragonfly - G0035\"","misp-galaxy:threat-actor=\"Energetic Bear\""],"Energetic Bear":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Dragonfly - G0035\"","misp-galaxy:mitre-intrusion-set=\"Dragonfly - G0035\"","misp-galaxy:threat-actor=\"Energetic Bear\""],"Dust Storm - G0031":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Dust Storm - G0031\"","misp-galaxy:mitre-intrusion-set=\"Dust Storm - G0031\""],"Dust Storm":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Dust Storm - G0031\"","misp-galaxy:mitre-intrusion-set=\"Dust Storm - G0031\"","misp-galaxy:threat-actor=\"Dust Storm\""],"Elderwood - G0066":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:mitre-intrusion-set=\"Elderwood - G0066\""],"Elderwood":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:mitre-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:threat-actor=\"Beijing Group\""],"Elderwood Gang":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:mitre-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:threat-actor=\"Beijing Group\""],"Beijing Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:mitre-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:threat-actor=\"Beijing Group\""],"Sneaky Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:mitre-intrusion-set=\"Elderwood - G0066\"","misp-galaxy:threat-actor=\"Beijing Group\""],"Equation - G0020":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Equation - G0020\"","misp-galaxy:mitre-intrusion-set=\"Equation - G0020\""],"Equation":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Equation - G0020\"","misp-galaxy:mitre-intrusion-set=\"Equation - G0020\""],"FIN10 - G0051":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN10 - G0051\"","misp-galaxy:mitre-intrusion-set=\"FIN10 - G0051\""],"FIN10":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN10 - G0051\"","misp-galaxy:mitre-intrusion-set=\"FIN10 - G0051\"","misp-galaxy:threat-actor=\"FIN10\""],"FIN5 - G0053":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN5 - G0053\"","misp-galaxy:mitre-intrusion-set=\"FIN5 - G0053\""],"FIN5":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN5 - G0053\"","misp-galaxy:mitre-intrusion-set=\"FIN5 - G0053\"","misp-galaxy:threat-actor=\"FIN5\""],"FIN6 - G0037":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN6 - G0037\"","misp-galaxy:mitre-intrusion-set=\"FIN6 - G0037\""],"FIN6":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN6 - G0037\"","misp-galaxy:mitre-intrusion-set=\"FIN6 - G0037\"","misp-galaxy:threat-actor=\"FIN6\""],"FIN7 - G0046":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"","misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\""],"FIN7":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"","misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"","misp-galaxy:threat-actor=\"Anunak\""],"FIN8 - G0061":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN8 - G0061\"","misp-galaxy:mitre-intrusion-set=\"FIN8 - G0061\""],"FIN8":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN8 - G0061\"","misp-galaxy:mitre-intrusion-set=\"FIN8 - G0061\"","misp-galaxy:threat-actor=\"FIN8\""],"GCMAN - G0036":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"GCMAN - G0036\"","misp-galaxy:mitre-intrusion-set=\"GCMAN - G0036\""],"GCMAN":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"GCMAN - G0036\"","misp-galaxy:mitre-intrusion-set=\"GCMAN - G0036\"","misp-galaxy:threat-actor=\"GCMAN\""],"Gamaredon Group - G0047":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Gamaredon Group - G0047\"","misp-galaxy:mitre-intrusion-set=\"Gamaredon Group - G0047\""],"Gamaredon Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Gamaredon Group - G0047\"","misp-galaxy:mitre-intrusion-set=\"Gamaredon Group - G0047\"","misp-galaxy:threat-actor=\"Gamaredon Group\""],"Group5 - G0043":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Group5 - G0043\"","misp-galaxy:mitre-intrusion-set=\"Group5 - G0043\""],"Group5":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Group5 - G0043\"","misp-galaxy:mitre-intrusion-set=\"Group5 - G0043\"","misp-galaxy:threat-actor=\"Group5\""],"Ke3chang - G0004":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\""],"Ke3chang":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\""],"Lazarus Group - G0032":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\""],"Lazarus Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:threat-actor=\"Lazarus Group\""],"HIDDEN COBRA":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\""],"Guardians of Peace":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\""],"ZINC":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\""],"NICKEL ACADEMY":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"","misp-galaxy:mitre-intrusion-set=\"Lazarus Group - G0032\""],"Leviathan - G0065":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:mitre-intrusion-set=\"Leviathan - G0065\""],"Leviathan":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:mitre-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:threat-actor=\"Leviathan\""],"TEMP.Periscope":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:mitre-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:threat-actor=\"Leviathan\""],"Lotus Blossom - G0030":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:mitre-intrusion-set=\"Lotus Blossom - G0030\""],"Lotus Blossom":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:mitre-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:threat-actor=\"Lotus Blossom\""],"Spring Dragon":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:mitre-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:threat-actor=\"Lotus Blossom\""],"MONSOON - G0042":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"MONSOON - G0042\"","misp-galaxy:mitre-intrusion-set=\"MONSOON - G0042\""],"Magic Hound - G0059":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\""],"Magic Hound":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Cleaver\""],"Rocket Kitten":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Rocket Kitten\""],"Operation Saffron Rose":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\""],"Ajax Security Team":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Flying Kitten\""],"Operation Woolen-Goldfish":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Rocket Kitten\""],"Newscaster":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Charming Kitten\""],"Cobalt Gypsy":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"OilRig\""],"Moafee - G0002":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Moafee - G0002\"","misp-galaxy:mitre-intrusion-set=\"Moafee - G0002\""],"Moafee":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Moafee - G0002\"","misp-galaxy:mitre-intrusion-set=\"Moafee - G0002\"","misp-galaxy:threat-actor=\"DragonOK\""],"Molerats - G0021":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Molerats - G0021\"","misp-galaxy:mitre-intrusion-set=\"Molerats - G0021\""],"Molerats":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Molerats - G0021\"","misp-galaxy:mitre-intrusion-set=\"Molerats - G0021\"","misp-galaxy:threat-actor=\"Molerats\""],"Operation Molerats":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Molerats - G0021\"","misp-galaxy:mitre-intrusion-set=\"Molerats - G0021\"","misp-galaxy:threat-actor=\"Molerats\""],"Gaza Cybergang":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Molerats - G0021\"","misp-galaxy:mitre-intrusion-set=\"Molerats - G0021\"","misp-galaxy:threat-actor=\"Molerats\""],"MuddyWater - G0069":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:mitre-intrusion-set=\"MuddyWater - G0069\""],"MuddyWater":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:mitre-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:threat-actor=\"MuddyWater\""],"TEMP.Zagros":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:mitre-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:threat-actor=\"MuddyWater\""],"NEODYMIUM - G0055":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"NEODYMIUM - G0055\"","misp-galaxy:mitre-intrusion-set=\"NEODYMIUM - G0055\""],"Naikon - G0019":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Naikon - G0019\"","misp-galaxy:mitre-intrusion-set=\"Naikon - G0019\""],"Night Dragon - G0014":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:mitre-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Night Dragon - G0014\""],"Night Dragon":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:mitre-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:threat-actor=\"Night Dragon\""],"Musical Chairs":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Night Dragon - G0014\"","misp-galaxy:mitre-pre-attack-intrusion-set=\"Night Dragon - G0014\""],"OilRig - G0049":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"","misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\""],"PLATINUM - G0068":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PLATINUM - G0068\"","misp-galaxy:mitre-intrusion-set=\"PLATINUM - G0068\""],"PROMETHIUM - G0056":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PROMETHIUM - G0056\"","misp-galaxy:mitre-intrusion-set=\"PROMETHIUM - G0056\""],"Patchwork - G0040":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\""],"Patchwork":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:threat-actor=\"Dropping Elephant\""],"Dropping Elephant":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:threat-actor=\"Dropping Elephant\""],"Chinastrats":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:threat-actor=\"Dropping Elephant\""],"MONSOON":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\""],"Operation Hangover":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"","misp-galaxy:mitre-intrusion-set=\"Patchwork - G0040\""],"PittyTiger - G0011":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PittyTiger - G0011\"","misp-galaxy:mitre-intrusion-set=\"PittyTiger - G0011\""],"PittyTiger":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"PittyTiger - G0011\"","misp-galaxy:mitre-intrusion-set=\"PittyTiger - G0011\"","misp-galaxy:threat-actor=\"Pitty Panda\""],"Poseidon Group - G0033":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Poseidon Group - G0033\"","misp-galaxy:mitre-intrusion-set=\"Poseidon Group - G0033\""],"Poseidon Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Poseidon Group - G0033\"","misp-galaxy:mitre-intrusion-set=\"Poseidon Group - G0033\"","misp-galaxy:threat-actor=\"Poseidon Group\""],"Putter Panda - G0024":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:mitre-intrusion-set=\"Putter Panda - G0024\""],"Putter Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:mitre-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:threat-actor=\"Putter Panda\""],"APT2":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:mitre-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:threat-actor=\"Putter Panda\""],"MSUpdater":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:mitre-intrusion-set=\"Putter Panda - G0024\"","misp-galaxy:threat-actor=\"Putter Panda\"","misp-galaxy:tool=\"MSUpdater\""],"RTM - G0048":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"RTM - G0048\"","misp-galaxy:mitre-intrusion-set=\"RTM - G0048\""],"Sandworm Team - G0034":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Sandworm Team - G0034\"","misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\""],"Sandworm Team":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Sandworm Team - G0034\"","misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\"","misp-galaxy:threat-actor=\"Sandworm\""],"Quedagh":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Sandworm Team - G0034\"","misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\"","misp-galaxy:threat-actor=\"Sandworm\""],"Scarlet Mimic - G0029":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Scarlet Mimic - G0029\"","misp-galaxy:mitre-intrusion-set=\"Scarlet Mimic - G0029\""],"Scarlet Mimic":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Scarlet Mimic - G0029\"","misp-galaxy:mitre-intrusion-set=\"Scarlet Mimic - G0029\"","misp-galaxy:threat-actor=\"Scarlet Mimic\""],"Sowbug - G0054":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Sowbug - G0054\"","misp-galaxy:mitre-intrusion-set=\"Sowbug - G0054\""],"Sowbug":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Sowbug - G0054\"","misp-galaxy:mitre-intrusion-set=\"Sowbug - G0054\"","misp-galaxy:threat-actor=\"Sowbug\""],"Stealth Falcon - G0038":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"","misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\""],"Stealth Falcon":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"","misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"","misp-galaxy:threat-actor=\"Stealth Falcon\""],"Strider - G0041":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Strider - G0041\"","misp-galaxy:mitre-intrusion-set=\"Strider - G0041\""],"Strider":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Strider - G0041\"","misp-galaxy:mitre-intrusion-set=\"Strider - G0041\"","misp-galaxy:threat-actor=\"ProjectSauron\""],"ProjectSauron":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Strider - G0041\"","misp-galaxy:mitre-enterprise-attack-malware=\"Remsec - S0125\"","misp-galaxy:mitre-intrusion-set=\"Strider - G0041\"","misp-galaxy:mitre-malware=\"Remsec - S0125\"","misp-galaxy:threat-actor=\"ProjectSauron\""],"Suckfly - G0039":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Suckfly - G0039\"","misp-galaxy:mitre-intrusion-set=\"Suckfly - G0039\""],"Suckfly":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Suckfly - G0039\"","misp-galaxy:mitre-intrusion-set=\"Suckfly - G0039\"","misp-galaxy:threat-actor=\"Suckfly\""],"TA459 - G0062":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"TA459 - G0062\"","misp-galaxy:mitre-intrusion-set=\"TA459 - G0062\""],"TA459":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"TA459 - G0062\"","misp-galaxy:mitre-intrusion-set=\"TA459 - G0062\"","misp-galaxy:threat-actor=\"TA459\""],"Taidoor - G0015":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Taidoor - G0015\"","misp-galaxy:mitre-intrusion-set=\"Taidoor - G0015\""],"Taidoor":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Taidoor - G0015\"","misp-galaxy:mitre-enterprise-attack-malware=\"Taidoor - S0011\"","misp-galaxy:mitre-intrusion-set=\"Taidoor - G0015\"","misp-galaxy:mitre-malware=\"Taidoor - S0011\"","misp-galaxy:threat-actor=\"Taidoor\"","misp-galaxy:tool=\"Taidoor\""],"Threat Group-1314 - G0028":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-1314 - G0028\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-1314 - G0028\""],"Threat Group-1314":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-1314 - G0028\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-1314 - G0028\""],"TG-1314":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-1314 - G0028\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-1314 - G0028\""],"Threat Group-3390 - G0027":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\""],"Threat Group-3390":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"Threat Group-3390\""],"TG-3390":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\"","misp-galaxy:threat-actor=\"Threat Group-3390\""],"Emissary Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\"","misp-galaxy:threat-actor=\"Threat Group-3390\""],"BRONZE UNION":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"Emissary Panda\""],"Turla - G0010":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"","misp-galaxy:mitre-intrusion-set=\"Turla - G0010\""],"Turla":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"","misp-galaxy:mitre-intrusion-set=\"Turla - G0010\"","misp-galaxy:threat-actor=\"Turla Group\"","misp-galaxy:tool=\"Turla\""],"Waterbug":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"","misp-galaxy:mitre-intrusion-set=\"Turla - G0010\"","misp-galaxy:threat-actor=\"Turla Group\""],"Winnti Group - G0044":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"","misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\""],"Winnti Group":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"","misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\"","misp-galaxy:threat-actor=\"Axiom\""],"Blackfly":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Winnti Group - G0044\"","misp-galaxy:mitre-intrusion-set=\"Winnti Group - G0044\"","misp-galaxy:threat-actor=\"Axiom\""],"admin@338 - G0018":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"admin@338 - G0018\"","misp-galaxy:mitre-intrusion-set=\"admin@338 - G0018\""],"admin@338":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"admin@338 - G0018\"","misp-galaxy:mitre-intrusion-set=\"admin@338 - G0018\"","misp-galaxy:threat-actor=\"Temper Panda\""],"menuPass - G0045":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\""],"menuPass":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"Stone Panda":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"APT10":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"Red Apollo":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"CVNX":["misp-galaxy:mitre-enterprise-attack-intrusion-set=\"menuPass - G0045\"","misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"3PARA RAT - S0066":["misp-galaxy:mitre-enterprise-attack-malware=\"3PARA RAT - S0066\"","misp-galaxy:mitre-malware=\"3PARA RAT - S0066\""],"3PARA RAT":["misp-galaxy:mitre-enterprise-attack-malware=\"3PARA RAT - S0066\"","misp-galaxy:mitre-malware=\"3PARA RAT - S0066\"","misp-galaxy:rat=\"3PARA RAT\""],"4H RAT - S0065":["misp-galaxy:mitre-enterprise-attack-malware=\"4H RAT - S0065\"","misp-galaxy:mitre-malware=\"4H RAT - S0065\""],"4H RAT":["misp-galaxy:mitre-enterprise-attack-malware=\"4H RAT - S0065\"","misp-galaxy:mitre-malware=\"4H RAT - S0065\"","misp-galaxy:rat=\"4H RAT\""],"ADVSTORESHELL - S0045":["misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\""],"ADVSTORESHELL":["misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:tool=\"EVILTOSS\""],"NETUI":["misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:tool=\"EVILTOSS\""],"EVILTOSS":["misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:tool=\"EVILTOSS\""],"AZZY":["misp-galaxy:mitre-enterprise-attack-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"","misp-galaxy:tool=\"EVILTOSS\""],"ASPXSpy - S0073":["misp-galaxy:mitre-enterprise-attack-malware=\"ASPXSpy - S0073\"","misp-galaxy:mitre-malware=\"ASPXSpy - S0073\""],"ASPXSpy":["misp-galaxy:mitre-enterprise-attack-malware=\"ASPXSpy - S0073\"","misp-galaxy:mitre-malware=\"ASPXSpy - S0073\""],"ASPXTool":["misp-galaxy:mitre-enterprise-attack-malware=\"ASPXSpy - S0073\"","misp-galaxy:mitre-malware=\"ASPXSpy - S0073\""],"Agent.btz - S0092":["misp-galaxy:mitre-enterprise-attack-malware=\"Agent.btz - S0092\"","misp-galaxy:mitre-malware=\"Agent.btz - S0092\""],"Agent.btz":["misp-galaxy:mitre-enterprise-attack-malware=\"Agent.btz - S0092\"","misp-galaxy:mitre-malware=\"Agent.btz - S0092\""],"AutoIt backdoor - S0129":["misp-galaxy:mitre-enterprise-attack-malware=\"AutoIt backdoor - S0129\"","misp-galaxy:mitre-malware=\"AutoIt backdoor - S0129\""],"AutoIt backdoor":["misp-galaxy:mitre-enterprise-attack-malware=\"AutoIt backdoor - S0129\"","misp-galaxy:mitre-malware=\"AutoIt backdoor - S0129\""],"BACKSPACE - S0031":["misp-galaxy:mitre-enterprise-attack-malware=\"BACKSPACE - S0031\"","misp-galaxy:mitre-malware=\"BACKSPACE - S0031\""],"BACKSPACE":["misp-galaxy:mitre-enterprise-attack-malware=\"BACKSPACE - S0031\"","misp-galaxy:mitre-malware=\"BACKSPACE - S0031\""],"Lecna":["misp-galaxy:mitre-enterprise-attack-malware=\"BACKSPACE - S0031\"","misp-galaxy:mitre-malware=\"BACKSPACE - S0031\"","misp-galaxy:tool=\"Backspace\""],"BADNEWS - S0128":["misp-galaxy:mitre-enterprise-attack-malware=\"BADNEWS - S0128\"","misp-galaxy:mitre-malware=\"BADNEWS - S0128\""],"BADNEWS":["misp-galaxy:mitre-enterprise-attack-malware=\"BADNEWS - S0128\"","misp-galaxy:mitre-malware=\"BADNEWS - S0128\""],"BBSRAT - S0127":["misp-galaxy:mitre-enterprise-attack-malware=\"BBSRAT - S0127\"","misp-galaxy:mitre-malware=\"BBSRAT - S0127\""],"BISCUIT - S0017":["misp-galaxy:mitre-enterprise-attack-malware=\"BISCUIT - S0017\"","misp-galaxy:mitre-malware=\"BISCUIT - S0017\""],"BISCUIT":["misp-galaxy:mitre-enterprise-attack-malware=\"BISCUIT - S0017\"","misp-galaxy:mitre-malware=\"BISCUIT - S0017\"","misp-galaxy:tool=\"BISCUIT\""],"BLACKCOFFEE - S0069":["misp-galaxy:mitre-enterprise-attack-malware=\"BLACKCOFFEE - S0069\"","misp-galaxy:mitre-malware=\"BLACKCOFFEE - S0069\""],"BOOTRASH - S0114":["misp-galaxy:mitre-enterprise-attack-malware=\"BOOTRASH - S0114\"","misp-galaxy:mitre-malware=\"BOOTRASH - S0114\""],"BOOTRASH":["misp-galaxy:mitre-enterprise-attack-malware=\"BOOTRASH - S0114\"","misp-galaxy:mitre-malware=\"BOOTRASH - S0114\""],"BS2005 - S0014":["misp-galaxy:mitre-enterprise-attack-malware=\"BS2005 - S0014\"","misp-galaxy:mitre-malware=\"BS2005 - S0014\""],"BUBBLEWRAP - S0043":["misp-galaxy:mitre-enterprise-attack-malware=\"BUBBLEWRAP - S0043\"","misp-galaxy:mitre-malware=\"BUBBLEWRAP - S0043\""],"Backdoor.APT.FakeWinHTTPHelper":["misp-galaxy:mitre-enterprise-attack-malware=\"BUBBLEWRAP - S0043\"","misp-galaxy:mitre-malware=\"BUBBLEWRAP - S0043\""],"Backdoor.Oldrea - S0093":["misp-galaxy:mitre-enterprise-attack-malware=\"Backdoor.Oldrea - S0093\"","misp-galaxy:mitre-malware=\"Backdoor.Oldrea - S0093\""],"Backdoor.Oldrea":["misp-galaxy:mitre-enterprise-attack-malware=\"Backdoor.Oldrea - S0093\"","misp-galaxy:mitre-malware=\"Backdoor.Oldrea - S0093\""],"Havex":["misp-galaxy:mitre-enterprise-attack-malware=\"Backdoor.Oldrea - S0093\"","misp-galaxy:mitre-malware=\"Backdoor.Oldrea - S0093\"","misp-galaxy:threat-actor=\"Energetic Bear\"","misp-galaxy:tool=\"Havex RAT\""],"BlackEnergy - S0089":["misp-galaxy:mitre-enterprise-attack-malware=\"BlackEnergy - S0089\"","misp-galaxy:mitre-malware=\"BlackEnergy - S0089\""],"Black Energy":["misp-galaxy:mitre-enterprise-attack-malware=\"BlackEnergy - S0089\"","misp-galaxy:mitre-malware=\"BlackEnergy - S0089\"","misp-galaxy:threat-actor=\"Sandworm\""],"Briba - S0204":["misp-galaxy:mitre-enterprise-attack-malware=\"Briba - S0204\"","misp-galaxy:mitre-malware=\"Briba - S0204\""],"Briba":["misp-galaxy:mitre-enterprise-attack-malware=\"Briba - S0204\"","misp-galaxy:mitre-malware=\"Briba - S0204\""],"CALENDAR - S0025":["misp-galaxy:mitre-enterprise-attack-malware=\"CALENDAR - S0025\"","misp-galaxy:mitre-malware=\"CALENDAR - S0025\""],"CALENDAR":["misp-galaxy:mitre-enterprise-attack-malware=\"CALENDAR - S0025\"","misp-galaxy:mitre-malware=\"CALENDAR - S0025\"","misp-galaxy:tool=\"CALENDAR\""],"CCBkdr - S0222":["misp-galaxy:mitre-enterprise-attack-malware=\"CCBkdr - S0222\"","misp-galaxy:mitre-malware=\"CCBkdr - S0222\""],"CCBkdr":["misp-galaxy:mitre-enterprise-attack-malware=\"CCBkdr - S0222\"","misp-galaxy:mitre-malware=\"CCBkdr - S0222\""],"CHOPSTICK - S0023":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\""],"CHOPSTICK":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\"","misp-galaxy:tool=\"CHOPSTICK\""],"SPLM":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\"","misp-galaxy:tool=\"CHOPSTICK\""],"Xagent":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\""],"X-Agent":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-mobile-attack-malware=\"X-Agent - MOB-S0030\"","misp-galaxy:tool=\"X-Agent\""],"webhp":["misp-galaxy:mitre-enterprise-attack-malware=\"CHOPSTICK - S0023\"","misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\"","misp-galaxy:tool=\"CHOPSTICK\""],"CORALDECK - S0212":["misp-galaxy:mitre-enterprise-attack-malware=\"CORALDECK - S0212\"","misp-galaxy:mitre-malware=\"CORALDECK - S0212\""],"CORALDECK":["misp-galaxy:mitre-enterprise-attack-malware=\"CORALDECK - S0212\"","misp-galaxy:mitre-malware=\"CORALDECK - S0212\"","misp-galaxy:tool=\"CORALDECK\""],"CORESHELL - S0137":["misp-galaxy:mitre-enterprise-attack-malware=\"CORESHELL - S0137\"","misp-galaxy:mitre-malware=\"CORESHELL - S0137\""],"CORESHELL":["misp-galaxy:mitre-enterprise-attack-malware=\"CORESHELL - S0137\"","misp-galaxy:mitre-malware=\"CORESHELL - S0137\"","misp-galaxy:tool=\"CORESHELL\""],"SOURFACE":["misp-galaxy:mitre-enterprise-attack-malware=\"CORESHELL - S0137\"","misp-galaxy:mitre-malware=\"CORESHELL - S0137\"","misp-galaxy:tool=\"SOURFACE\""],"CallMe - S0077":["misp-galaxy:mitre-enterprise-attack-malware=\"CallMe - S0077\"","misp-galaxy:mitre-malware=\"CallMe - S0077\""],"CallMe":["misp-galaxy:mitre-enterprise-attack-malware=\"CallMe - S0077\"","misp-galaxy:mitre-malware=\"CallMe - S0077\""],"Carbanak - S0030":["misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"","misp-galaxy:mitre-malware=\"Carbanak - S0030\""],"ChChes - S0144":["misp-galaxy:mitre-enterprise-attack-malware=\"ChChes - S0144\"","misp-galaxy:mitre-malware=\"ChChes - S0144\""],"Scorpion":["misp-galaxy:mitre-enterprise-attack-malware=\"ChChes - S0144\"","misp-galaxy:mitre-malware=\"ChChes - S0144\""],"HAYMAKER":["misp-galaxy:mitre-enterprise-attack-malware=\"ChChes - S0144\"","misp-galaxy:mitre-malware=\"ChChes - S0144\"","misp-galaxy:tool=\"HAYMAKER\""],"Chaos - S0220":["misp-galaxy:mitre-enterprise-attack-malware=\"Chaos - S0220\"","misp-galaxy:mitre-malware=\"Chaos - S0220\""],"Chaos":["misp-galaxy:mitre-enterprise-attack-malware=\"Chaos - S0220\"","misp-galaxy:mitre-malware=\"Chaos - S0220\""],"Cherry Picker - S0107":["misp-galaxy:mitre-enterprise-attack-malware=\"Cherry Picker - S0107\"","misp-galaxy:mitre-malware=\"Cherry Picker - S0107\""],"Cherry Picker":["misp-galaxy:mitre-enterprise-attack-malware=\"Cherry Picker - S0107\"","misp-galaxy:mitre-malware=\"Cherry Picker - S0107\""],"China Chopper - S0020":["misp-galaxy:mitre-enterprise-attack-malware=\"China Chopper - S0020\"","misp-galaxy:mitre-malware=\"China Chopper - S0020\""],"China Chopper":["misp-galaxy:mitre-enterprise-attack-malware=\"China Chopper - S0020\"","misp-galaxy:mitre-malware=\"China Chopper - S0020\"","misp-galaxy:tool=\"China Chopper\""],"CloudDuke - S0054":["misp-galaxy:mitre-enterprise-attack-malware=\"CloudDuke - S0054\"","misp-galaxy:mitre-malware=\"CloudDuke - S0054\""],"CloudDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"CloudDuke - S0054\"","misp-galaxy:mitre-malware=\"CloudDuke - S0054\""],"MiniDionis":["misp-galaxy:mitre-enterprise-attack-malware=\"CloudDuke - S0054\"","misp-galaxy:mitre-malware=\"CloudDuke - S0054\""],"CloudLook":["misp-galaxy:mitre-enterprise-attack-malware=\"CloudDuke - S0054\"","misp-galaxy:mitre-malware=\"CloudDuke - S0054\""],"ComRAT - S0126":["misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT - S0126\"","misp-galaxy:mitre-malware=\"ComRAT - S0126\""],"CosmicDuke - S0050":["misp-galaxy:mitre-enterprise-attack-malware=\"CosmicDuke - S0050\"","misp-galaxy:mitre-malware=\"CosmicDuke - S0050\""],"CosmicDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"CosmicDuke - S0050\"","misp-galaxy:mitre-malware=\"CosmicDuke - S0050\""],"TinyBaron":["misp-galaxy:mitre-enterprise-attack-malware=\"CosmicDuke - S0050\"","misp-galaxy:mitre-malware=\"CosmicDuke - S0050\""],"BotgenStudios":["misp-galaxy:mitre-enterprise-attack-malware=\"CosmicDuke - S0050\"","misp-galaxy:mitre-malware=\"CosmicDuke - S0050\""],"NemesisGemina":["misp-galaxy:mitre-enterprise-attack-malware=\"CosmicDuke - S0050\"","misp-galaxy:mitre-malware=\"CosmicDuke - S0050\""],"CozyCar - S0046":["misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\""],"CozyCar":["misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\"","misp-galaxy:threat-actor=\"APT 29\""],"CozyBear":["misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\"","misp-galaxy:threat-actor=\"APT 29\""],"Cozer":["misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\"","misp-galaxy:threat-actor=\"APT 29\""],"EuroAPT":["misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar - S0046\"","misp-galaxy:mitre-malware=\"CozyCar - S0046\"","misp-galaxy:threat-actor=\"APT 29\""],"Crimson - S0115":["misp-galaxy:mitre-enterprise-attack-malware=\"Crimson - S0115\"","misp-galaxy:mitre-malware=\"Crimson - S0115\""],"MSIL\/Crimson":["misp-galaxy:mitre-enterprise-attack-malware=\"Crimson - S0115\"","misp-galaxy:mitre-malware=\"Crimson - S0115\""],"DOGCALL - S0213":["misp-galaxy:mitre-enterprise-attack-malware=\"DOGCALL - S0213\"","misp-galaxy:mitre-malware=\"DOGCALL - S0213\""],"DOGCALL":["misp-galaxy:mitre-enterprise-attack-malware=\"DOGCALL - S0213\"","misp-galaxy:mitre-malware=\"DOGCALL - S0213\"","misp-galaxy:tool=\"DOGCALL\""],"Darkmoon - S0209":["misp-galaxy:mitre-enterprise-attack-malware=\"Darkmoon - S0209\"","misp-galaxy:mitre-malware=\"Darkmoon - S0209\""],"Daserf - S0187":["misp-galaxy:mitre-enterprise-attack-malware=\"Daserf - S0187\"","misp-galaxy:mitre-malware=\"Daserf - S0187\""],"Derusbi - S0021":["misp-galaxy:mitre-enterprise-attack-malware=\"Derusbi - S0021\"","misp-galaxy:mitre-malware=\"Derusbi - S0021\""],"Dipsind - S0200":["misp-galaxy:mitre-enterprise-attack-malware=\"Dipsind - S0200\"","misp-galaxy:mitre-malware=\"Dipsind - S0200\""],"Dipsind":["misp-galaxy:mitre-enterprise-attack-malware=\"Dipsind - S0200\"","misp-galaxy:mitre-malware=\"Dipsind - S0200\""],"DownPaper - S0186":["misp-galaxy:mitre-enterprise-attack-malware=\"DownPaper - S0186\"","misp-galaxy:mitre-malware=\"DownPaper - S0186\""],"Downdelph - S0134":["misp-galaxy:mitre-enterprise-attack-malware=\"Downdelph - S0134\"","misp-galaxy:mitre-malware=\"Downdelph - S0134\""],"Delphacy":["misp-galaxy:mitre-enterprise-attack-malware=\"Downdelph - S0134\"","misp-galaxy:mitre-malware=\"Downdelph - S0134\""],"Duqu - S0038":["misp-galaxy:mitre-enterprise-attack-malware=\"Duqu - S0038\"","misp-galaxy:mitre-malware=\"Duqu - S0038\""],"Duqu":["misp-galaxy:mitre-enterprise-attack-malware=\"Duqu - S0038\"","misp-galaxy:mitre-malware=\"Duqu - S0038\"","misp-galaxy:tool=\"Duqu\""],"DustySky - S0062":["misp-galaxy:mitre-enterprise-attack-malware=\"DustySky - S0062\"","misp-galaxy:mitre-malware=\"DustySky - S0062\""],"DustySky":["misp-galaxy:mitre-enterprise-attack-malware=\"DustySky - S0062\"","misp-galaxy:mitre-malware=\"DustySky - S0062\""],"NeD Worm":["misp-galaxy:mitre-enterprise-attack-malware=\"DustySky - S0062\"","misp-galaxy:mitre-malware=\"DustySky - S0062\"","misp-galaxy:tool=\"NeD Worm\""],"Dyre - S0024":["misp-galaxy:mitre-enterprise-attack-malware=\"Dyre - S0024\"","misp-galaxy:mitre-malware=\"Dyre - S0024\""],"ELMER - S0064":["misp-galaxy:mitre-enterprise-attack-malware=\"ELMER - S0064\"","misp-galaxy:mitre-malware=\"ELMER - S0064\""],"Elise - S0081":["misp-galaxy:mitre-enterprise-attack-malware=\"Elise - S0081\"","misp-galaxy:mitre-malware=\"Elise - S0081\""],"BKDR_ESILE":["misp-galaxy:mitre-enterprise-attack-malware=\"Elise - S0081\"","misp-galaxy:mitre-malware=\"Elise - S0081\""],"Page":["misp-galaxy:mitre-enterprise-attack-malware=\"Elise - S0081\"","misp-galaxy:mitre-malware=\"Elise - S0081\""],"Emissary - S0082":["misp-galaxy:mitre-enterprise-attack-malware=\"Emissary - S0082\"","misp-galaxy:mitre-malware=\"Emissary - S0082\""],"Emissary":["misp-galaxy:mitre-enterprise-attack-malware=\"Emissary - S0082\"","misp-galaxy:mitre-malware=\"Emissary - S0082\""],"Epic - S0091":["misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\""],"Epic":["misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\""],"Tavdig":["misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\"","misp-galaxy:tool=\"Wipbot\""],"WorldCupSec":["misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\"","misp-galaxy:tool=\"Wipbot\""],"TadjMakhal":["misp-galaxy:mitre-enterprise-attack-malware=\"Epic - S0091\"","misp-galaxy:mitre-malware=\"Epic - S0091\"","misp-galaxy:tool=\"Wipbot\""],"EvilGrab - S0152":["misp-galaxy:mitre-enterprise-attack-malware=\"EvilGrab - S0152\"","misp-galaxy:mitre-malware=\"EvilGrab - S0152\""],"FALLCHILL - S0181":["misp-galaxy:mitre-enterprise-attack-malware=\"FALLCHILL - S0181\"","misp-galaxy:mitre-malware=\"FALLCHILL - S0181\""],"FLASHFLOOD - S0036":["misp-galaxy:mitre-enterprise-attack-malware=\"FLASHFLOOD - S0036\"","misp-galaxy:mitre-malware=\"FLASHFLOOD - S0036\""],"FLIPSIDE - S0173":["misp-galaxy:mitre-enterprise-attack-malware=\"FLIPSIDE - S0173\"","misp-galaxy:mitre-malware=\"FLIPSIDE - S0173\""],"FLIPSIDE":["misp-galaxy:mitre-enterprise-attack-malware=\"FLIPSIDE - S0173\"","misp-galaxy:mitre-malware=\"FLIPSIDE - S0173\""],"FakeM - S0076":["misp-galaxy:mitre-enterprise-attack-malware=\"FakeM - S0076\"","misp-galaxy:mitre-malware=\"FakeM - S0076\""],"FakeM":["misp-galaxy:mitre-enterprise-attack-malware=\"FakeM - S0076\"","misp-galaxy:mitre-malware=\"FakeM - S0076\""],"Felismus - S0171":["misp-galaxy:mitre-enterprise-attack-malware=\"Felismus - S0171\"","misp-galaxy:mitre-malware=\"Felismus - S0171\""],"FinFisher - S0182":["misp-galaxy:mitre-enterprise-attack-malware=\"FinFisher - S0182\"","misp-galaxy:mitre-malware=\"FinFisher - S0182\""],"FinFisher":["misp-galaxy:mitre-enterprise-attack-malware=\"FinFisher - S0182\"","misp-galaxy:mitre-malware=\"FinFisher - S0182\""],"Flame - S0143":["misp-galaxy:mitre-enterprise-attack-malware=\"Flame - S0143\"","misp-galaxy:mitre-malware=\"Flame - S0143\""],"Flamer":["misp-galaxy:mitre-enterprise-attack-malware=\"Flame - S0143\"","misp-galaxy:mitre-malware=\"Flame - S0143\""],"sKyWIper":["misp-galaxy:mitre-enterprise-attack-malware=\"Flame - S0143\"","misp-galaxy:mitre-malware=\"Flame - S0143\""],"GLOOXMAIL - S0026":["misp-galaxy:mitre-enterprise-attack-malware=\"GLOOXMAIL - S0026\"","misp-galaxy:mitre-malware=\"GLOOXMAIL - S0026\""],"GLOOXMAIL":["misp-galaxy:mitre-enterprise-attack-malware=\"GLOOXMAIL - S0026\"","misp-galaxy:mitre-malware=\"GLOOXMAIL - S0026\"","misp-galaxy:tool=\"GLOOXMAIL\""],"Trojan.GTALK":["misp-galaxy:mitre-enterprise-attack-malware=\"GLOOXMAIL - S0026\"","misp-galaxy:mitre-malware=\"GLOOXMAIL - S0026\""],"Gazer - S0168":["misp-galaxy:mitre-enterprise-attack-malware=\"Gazer - S0168\"","misp-galaxy:mitre-malware=\"Gazer - S0168\""],"GeminiDuke - S0049":["misp-galaxy:mitre-enterprise-attack-malware=\"GeminiDuke - S0049\"","misp-galaxy:mitre-malware=\"GeminiDuke - S0049\""],"GeminiDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"GeminiDuke - S0049\"","misp-galaxy:mitre-malware=\"GeminiDuke - S0049\"","misp-galaxy:tool=\"GeminiDuke\""],"H1N1 - S0132":["misp-galaxy:mitre-enterprise-attack-malware=\"H1N1 - S0132\"","misp-galaxy:mitre-malware=\"H1N1 - S0132\""],"H1N1":["misp-galaxy:mitre-enterprise-attack-malware=\"H1N1 - S0132\"","misp-galaxy:mitre-malware=\"H1N1 - S0132\""],"HALFBAKED - S0151":["misp-galaxy:mitre-enterprise-attack-malware=\"HALFBAKED - S0151\"","misp-galaxy:mitre-malware=\"HALFBAKED - S0151\""],"HAMMERTOSS - S0037":["misp-galaxy:mitre-enterprise-attack-malware=\"HAMMERTOSS - S0037\"","misp-galaxy:mitre-malware=\"HAMMERTOSS - S0037\""],"HAMMERTOSS":["misp-galaxy:mitre-enterprise-attack-malware=\"HAMMERTOSS - S0037\"","misp-galaxy:mitre-malware=\"HAMMERTOSS - S0037\""],"HammerDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"HAMMERTOSS - S0037\"","misp-galaxy:mitre-malware=\"HAMMERTOSS - S0037\""],"NetDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"HAMMERTOSS - S0037\"","misp-galaxy:mitre-malware=\"HAMMERTOSS - S0037\""],"HAPPYWORK - S0214":["misp-galaxy:mitre-enterprise-attack-malware=\"HAPPYWORK - S0214\"","misp-galaxy:mitre-malware=\"HAPPYWORK - S0214\""],"HAPPYWORK":["misp-galaxy:mitre-enterprise-attack-malware=\"HAPPYWORK - S0214\"","misp-galaxy:mitre-malware=\"HAPPYWORK - S0214\"","misp-galaxy:tool=\"HAPPYWORK\""],"HDoor - S0061":["misp-galaxy:mitre-enterprise-attack-malware=\"HDoor - S0061\"","misp-galaxy:mitre-malware=\"HDoor - S0061\""],"HDoor":["misp-galaxy:mitre-enterprise-attack-malware=\"HDoor - S0061\"","misp-galaxy:mitre-malware=\"HDoor - S0061\""],"Custom HDoor":["misp-galaxy:mitre-enterprise-attack-malware=\"HDoor - S0061\"","misp-galaxy:mitre-malware=\"HDoor - S0061\""],"HIDEDRV - S0135":["misp-galaxy:mitre-enterprise-attack-malware=\"HIDEDRV - S0135\"","misp-galaxy:mitre-malware=\"HIDEDRV - S0135\""],"HIDEDRV":["misp-galaxy:mitre-enterprise-attack-malware=\"HIDEDRV - S0135\"","misp-galaxy:mitre-malware=\"HIDEDRV - S0135\""],"HOMEFRY - S0232":["misp-galaxy:mitre-enterprise-attack-malware=\"HOMEFRY - S0232\"","misp-galaxy:mitre-malware=\"HOMEFRY - S0232\""],"HOMEFRY":["misp-galaxy:mitre-enterprise-attack-malware=\"HOMEFRY - S0232\"","misp-galaxy:mitre-malware=\"HOMEFRY - S0232\""],"HTTPBrowser - S0070":["misp-galaxy:mitre-enterprise-attack-malware=\"HTTPBrowser - S0070\"","misp-galaxy:mitre-malware=\"HTTPBrowser - S0070\""],"HTTPBrowser":["misp-galaxy:mitre-enterprise-attack-malware=\"HTTPBrowser - S0070\"","misp-galaxy:mitre-malware=\"HTTPBrowser - S0070\"","misp-galaxy:tool=\"HTTPBrowser\""],"Token Control":["misp-galaxy:mitre-enterprise-attack-malware=\"HTTPBrowser - S0070\"","misp-galaxy:mitre-malware=\"HTTPBrowser - S0070\""],"HttpDump":["misp-galaxy:mitre-enterprise-attack-malware=\"HTTPBrowser - S0070\"","misp-galaxy:mitre-malware=\"HTTPBrowser - S0070\""],"Hacking Team UEFI Rootkit - S0047":["misp-galaxy:mitre-enterprise-attack-malware=\"Hacking Team UEFI Rootkit - S0047\"","misp-galaxy:mitre-malware=\"Hacking Team UEFI Rootkit - S0047\""],"Hacking Team UEFI Rootkit":["misp-galaxy:mitre-enterprise-attack-malware=\"Hacking Team UEFI Rootkit - S0047\"","misp-galaxy:mitre-malware=\"Hacking Team UEFI Rootkit - S0047\""],"Helminth - S0170":["misp-galaxy:mitre-enterprise-attack-malware=\"Helminth - S0170\"","misp-galaxy:mitre-malware=\"Helminth - S0170\""],"Hi-Zor - S0087":["misp-galaxy:mitre-enterprise-attack-malware=\"Hi-Zor - S0087\"","misp-galaxy:mitre-malware=\"Hi-Zor - S0087\""],"Hi-Zor":["misp-galaxy:mitre-enterprise-attack-malware=\"Hi-Zor - S0087\"","misp-galaxy:mitre-malware=\"Hi-Zor - S0087\"","misp-galaxy:rat=\"Hi-Zor\""],"Hikit - S0009":["misp-galaxy:mitre-enterprise-attack-malware=\"Hikit - S0009\"","misp-galaxy:mitre-malware=\"Hikit - S0009\""],"Hikit":["misp-galaxy:mitre-enterprise-attack-malware=\"Hikit - S0009\"","misp-galaxy:mitre-malware=\"Hikit - S0009\"","misp-galaxy:tool=\"Hikit\""],"Hydraq - S0203":["misp-galaxy:mitre-enterprise-attack-malware=\"Hydraq - S0203\"","misp-galaxy:mitre-malware=\"Hydraq - S0203\""],"ISMInjector - S0189":["misp-galaxy:mitre-enterprise-attack-malware=\"ISMInjector - S0189\"","misp-galaxy:mitre-malware=\"ISMInjector - S0189\""],"ISMInjector":["misp-galaxy:mitre-enterprise-attack-malware=\"ISMInjector - S0189\"","misp-galaxy:mitre-malware=\"ISMInjector - S0189\""],"Ixeshe - S0015":["misp-galaxy:mitre-enterprise-attack-malware=\"Ixeshe - S0015\"","misp-galaxy:mitre-malware=\"Ixeshe - S0015\""],"Ixeshe":["misp-galaxy:mitre-enterprise-attack-malware=\"Ixeshe - S0015\"","misp-galaxy:mitre-malware=\"Ixeshe - S0015\""],"JHUHUGIT - S0044":["misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\""],"GAMEFISH":["misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\"","misp-galaxy:tool=\"GAMEFISH\""],"SofacyCarberp":["misp-galaxy:mitre-enterprise-attack-malware=\"JHUHUGIT - S0044\"","misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\""],"JPIN - S0201":["misp-galaxy:mitre-enterprise-attack-malware=\"JPIN - S0201\"","misp-galaxy:mitre-malware=\"JPIN - S0201\""],"JPIN":["misp-galaxy:mitre-enterprise-attack-malware=\"JPIN - S0201\"","misp-galaxy:mitre-malware=\"JPIN - S0201\""],"Janicab - S0163":["misp-galaxy:mitre-enterprise-attack-malware=\"Janicab - S0163\"","misp-galaxy:mitre-malware=\"Janicab - S0163\""],"Janicab":["misp-galaxy:mitre-enterprise-attack-malware=\"Janicab - S0163\"","misp-galaxy:mitre-malware=\"Janicab - S0163\"","misp-galaxy:tool=\"Janicab\""],"KARAE - S0215":["misp-galaxy:mitre-enterprise-attack-malware=\"KARAE - S0215\"","misp-galaxy:mitre-malware=\"KARAE - S0215\""],"KARAE":["misp-galaxy:mitre-enterprise-attack-malware=\"KARAE - S0215\"","misp-galaxy:mitre-malware=\"KARAE - S0215\"","misp-galaxy:tool=\"KARAE\""],"KOMPROGO - S0156":["misp-galaxy:mitre-enterprise-attack-malware=\"KOMPROGO - S0156\"","misp-galaxy:mitre-malware=\"KOMPROGO - S0156\""],"Kasidet - S0088":["misp-galaxy:mitre-enterprise-attack-malware=\"Kasidet - S0088\"","misp-galaxy:mitre-malware=\"Kasidet - S0088\""],"Komplex - S0162":["misp-galaxy:mitre-enterprise-attack-malware=\"Komplex - S0162\"","misp-galaxy:mitre-malware=\"Komplex - S0162\""],"LOWBALL - S0042":["misp-galaxy:mitre-enterprise-attack-malware=\"LOWBALL - S0042\"","misp-galaxy:mitre-malware=\"LOWBALL - S0042\""],"Linfo - S0211":["misp-galaxy:mitre-enterprise-attack-malware=\"Linfo - S0211\"","misp-galaxy:mitre-malware=\"Linfo - S0211\""],"Linfo":["misp-galaxy:mitre-enterprise-attack-malware=\"Linfo - S0211\"","misp-galaxy:mitre-malware=\"Linfo - S0211\""],"Lurid - S0010":["misp-galaxy:mitre-enterprise-attack-malware=\"Lurid - S0010\"","misp-galaxy:mitre-malware=\"Lurid - S0010\""],"MURKYTOP - S0233":["misp-galaxy:mitre-enterprise-attack-malware=\"MURKYTOP - S0233\"","misp-galaxy:mitre-malware=\"MURKYTOP - S0233\""],"MURKYTOP":["misp-galaxy:mitre-enterprise-attack-malware=\"MURKYTOP - S0233\"","misp-galaxy:mitre-malware=\"MURKYTOP - S0233\""],"Matroyshka - S0167":["misp-galaxy:mitre-enterprise-attack-malware=\"Matroyshka - S0167\"","misp-galaxy:mitre-malware=\"Matroyshka - S0167\""],"Matroyshka":["misp-galaxy:mitre-enterprise-attack-malware=\"Matroyshka - S0167\"","misp-galaxy:mitre-malware=\"Matroyshka - S0167\""],"Miner-C - S0133":["misp-galaxy:mitre-enterprise-attack-malware=\"Miner-C - S0133\"","misp-galaxy:mitre-malware=\"Miner-C - S0133\""],"Miner-C":["misp-galaxy:mitre-enterprise-attack-malware=\"Miner-C - S0133\"","misp-galaxy:mitre-malware=\"Miner-C - S0133\""],"Mal\/Miner-C":["misp-galaxy:mitre-enterprise-attack-malware=\"Miner-C - S0133\"","misp-galaxy:mitre-malware=\"Miner-C - S0133\""],"PhotoMiner":["misp-galaxy:mitre-enterprise-attack-malware=\"Miner-C - S0133\"","misp-galaxy:mitre-malware=\"Miner-C - S0133\""],"MiniDuke - S0051":["misp-galaxy:mitre-enterprise-attack-malware=\"MiniDuke - S0051\"","misp-galaxy:mitre-malware=\"MiniDuke - S0051\""],"MiniDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"MiniDuke - S0051\"","misp-galaxy:mitre-malware=\"MiniDuke - S0051\""],"Mis-Type - S0084":["misp-galaxy:mitre-enterprise-attack-malware=\"Mis-Type - S0084\"","misp-galaxy:mitre-malware=\"Mis-Type - S0084\""],"Mis-Type":["misp-galaxy:mitre-enterprise-attack-malware=\"Mis-Type - S0084\"","misp-galaxy:mitre-malware=\"Mis-Type - S0084\""],"Misdat - S0083":["misp-galaxy:mitre-enterprise-attack-malware=\"Misdat - S0083\"","misp-galaxy:mitre-malware=\"Misdat - S0083\""],"Mivast - S0080":["misp-galaxy:mitre-enterprise-attack-malware=\"Mivast - S0080\"","misp-galaxy:mitre-malware=\"Mivast - S0080\""],"Mivast":["misp-galaxy:mitre-enterprise-attack-malware=\"Mivast - S0080\"","misp-galaxy:mitre-malware=\"Mivast - S0080\""],"MobileOrder - S0079":["misp-galaxy:mitre-enterprise-attack-malware=\"MobileOrder - S0079\"","misp-galaxy:mitre-malware=\"MobileOrder - S0079\""],"MobileOrder":["misp-galaxy:mitre-enterprise-attack-malware=\"MobileOrder - S0079\"","misp-galaxy:mitre-malware=\"MobileOrder - S0079\""],"MoonWind - S0149":["misp-galaxy:mitre-enterprise-attack-malware=\"MoonWind - S0149\"","misp-galaxy:mitre-malware=\"MoonWind - S0149\""],"NETEAGLE - S0034":["misp-galaxy:mitre-enterprise-attack-malware=\"NETEAGLE - S0034\"","misp-galaxy:mitre-malware=\"NETEAGLE - S0034\""],"NETWIRE - S0198":["misp-galaxy:mitre-enterprise-attack-malware=\"NETWIRE - S0198\"","misp-galaxy:mitre-malware=\"NETWIRE - S0198\""],"NETWIRE":["misp-galaxy:mitre-enterprise-attack-malware=\"NETWIRE - S0198\"","misp-galaxy:mitre-malware=\"NETWIRE - S0198\""],"Naid - S0205":["misp-galaxy:mitre-enterprise-attack-malware=\"Naid - S0205\"","misp-galaxy:mitre-malware=\"Naid - S0205\""],"Naid":["misp-galaxy:mitre-enterprise-attack-malware=\"Naid - S0205\"","misp-galaxy:mitre-malware=\"Naid - S0205\"","misp-galaxy:tool=\"Trojan.Naid\""],"NanHaiShu - S0228":["misp-galaxy:mitre-enterprise-attack-malware=\"NanHaiShu - S0228\"","misp-galaxy:mitre-malware=\"NanHaiShu - S0228\""],"Nerex - S0210":["misp-galaxy:mitre-enterprise-attack-malware=\"Nerex - S0210\"","misp-galaxy:mitre-malware=\"Nerex - S0210\""],"Nerex":["misp-galaxy:mitre-enterprise-attack-malware=\"Nerex - S0210\"","misp-galaxy:mitre-malware=\"Nerex - S0210\""],"Net Crawler - S0056":["misp-galaxy:mitre-enterprise-attack-malware=\"Net Crawler - S0056\"","misp-galaxy:mitre-malware=\"Net Crawler - S0056\""],"Net Crawler":["misp-galaxy:mitre-enterprise-attack-malware=\"Net Crawler - S0056\"","misp-galaxy:mitre-malware=\"Net Crawler - S0056\""],"NetTraveler - S0033":["misp-galaxy:mitre-enterprise-attack-malware=\"NetTraveler - S0033\"","misp-galaxy:mitre-malware=\"NetTraveler - S0033\""],"Nidiran - S0118":["misp-galaxy:mitre-enterprise-attack-malware=\"Nidiran - S0118\"","misp-galaxy:mitre-malware=\"Nidiran - S0118\""],"Nidiran":["misp-galaxy:mitre-enterprise-attack-malware=\"Nidiran - S0118\"","misp-galaxy:mitre-malware=\"Nidiran - S0118\""],"Backdoor.Nidiran":["misp-galaxy:mitre-enterprise-attack-malware=\"Nidiran - S0118\"","misp-galaxy:mitre-malware=\"Nidiran - S0118\""],"OLDBAIT - S0138":["misp-galaxy:mitre-enterprise-attack-malware=\"OLDBAIT - S0138\"","misp-galaxy:mitre-malware=\"OLDBAIT - S0138\""],"OSInfo - S0165":["misp-galaxy:mitre-enterprise-attack-malware=\"OSInfo - S0165\"","misp-galaxy:mitre-malware=\"OSInfo - S0165\""],"OSInfo":["misp-galaxy:mitre-enterprise-attack-malware=\"OSInfo - S0165\"","misp-galaxy:mitre-malware=\"OSInfo - S0165\""],"OnionDuke - S0052":["misp-galaxy:mitre-enterprise-attack-malware=\"OnionDuke - S0052\"","misp-galaxy:mitre-malware=\"OnionDuke - S0052\""],"Orz - S0229":["misp-galaxy:mitre-enterprise-attack-malware=\"Orz - S0229\"","misp-galaxy:mitre-malware=\"Orz - S0229\""],"OwaAuth - S0072":["misp-galaxy:mitre-enterprise-attack-malware=\"OwaAuth - S0072\"","misp-galaxy:mitre-malware=\"OwaAuth - S0072\""],"OwaAuth":["misp-galaxy:mitre-enterprise-attack-malware=\"OwaAuth - S0072\"","misp-galaxy:mitre-malware=\"OwaAuth - S0072\""],"P2P ZeuS - S0016":["misp-galaxy:mitre-enterprise-attack-malware=\"P2P ZeuS - S0016\"","misp-galaxy:mitre-malware=\"P2P ZeuS - S0016\""],"P2P ZeuS":["misp-galaxy:mitre-enterprise-attack-malware=\"P2P ZeuS - S0016\"","misp-galaxy:mitre-malware=\"P2P ZeuS - S0016\""],"Peer-to-Peer ZeuS":["misp-galaxy:mitre-enterprise-attack-malware=\"P2P ZeuS - S0016\"","misp-galaxy:mitre-malware=\"P2P ZeuS - S0016\""],"Gameover ZeuS":["misp-galaxy:mitre-enterprise-attack-malware=\"P2P ZeuS - S0016\"","misp-galaxy:mitre-malware=\"P2P ZeuS - S0016\""],"PHOREAL - S0158":["misp-galaxy:mitre-enterprise-attack-malware=\"PHOREAL - S0158\"","misp-galaxy:mitre-malware=\"PHOREAL - S0158\""],"POORAIM - S0216":["misp-galaxy:mitre-enterprise-attack-malware=\"POORAIM - S0216\"","misp-galaxy:mitre-malware=\"POORAIM - S0216\""],"POORAIM":["misp-galaxy:mitre-enterprise-attack-malware=\"POORAIM - S0216\"","misp-galaxy:mitre-malware=\"POORAIM - S0216\"","misp-galaxy:tool=\"POORAIM\""],"POSHSPY - S0150":["misp-galaxy:mitre-enterprise-attack-malware=\"POSHSPY - S0150\"","misp-galaxy:mitre-malware=\"POSHSPY - S0150\""],"POWERSOURCE - S0145":["misp-galaxy:mitre-enterprise-attack-malware=\"POWERSOURCE - S0145\"","misp-galaxy:mitre-malware=\"POWERSOURCE - S0145\""],"POWERSTATS - S0223":["misp-galaxy:mitre-enterprise-attack-malware=\"POWERSTATS - S0223\"","misp-galaxy:mitre-malware=\"POWERSTATS - S0223\""],"POWRUNER - S0184":["misp-galaxy:mitre-enterprise-attack-malware=\"POWRUNER - S0184\"","misp-galaxy:mitre-malware=\"POWRUNER - S0184\""],"PUNCHBUGGY - S0196":["misp-galaxy:mitre-enterprise-attack-malware=\"PUNCHBUGGY - S0196\"","misp-galaxy:mitre-malware=\"PUNCHBUGGY - S0196\""],"PUNCHBUGGY":["misp-galaxy:mitre-enterprise-attack-malware=\"PUNCHBUGGY - S0196\"","misp-galaxy:mitre-malware=\"PUNCHBUGGY - S0196\""],"PUNCHTRACK - S0197":["misp-galaxy:mitre-enterprise-attack-malware=\"PUNCHTRACK - S0197\"","misp-galaxy:mitre-malware=\"PUNCHTRACK - S0197\""],"PUNCHTRACK":["misp-galaxy:mitre-enterprise-attack-malware=\"PUNCHTRACK - S0197\"","misp-galaxy:mitre-malware=\"PUNCHTRACK - S0197\""],"PSVC":["misp-galaxy:mitre-enterprise-attack-malware=\"PUNCHTRACK - S0197\"","misp-galaxy:mitre-malware=\"PUNCHTRACK - S0197\""],"Pasam - S0208":["misp-galaxy:mitre-enterprise-attack-malware=\"Pasam - S0208\"","misp-galaxy:mitre-malware=\"Pasam - S0208\""],"Pasam":["misp-galaxy:mitre-enterprise-attack-malware=\"Pasam - S0208\"","misp-galaxy:mitre-malware=\"Pasam - S0208\""],"PinchDuke - S0048":["misp-galaxy:mitre-enterprise-attack-malware=\"PinchDuke - S0048\"","misp-galaxy:mitre-malware=\"PinchDuke - S0048\""],"PinchDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"PinchDuke - S0048\"","misp-galaxy:mitre-malware=\"PinchDuke - S0048\""],"Pisloader - S0124":["misp-galaxy:mitre-enterprise-attack-malware=\"Pisloader - S0124\"","misp-galaxy:mitre-malware=\"Pisloader - S0124\""],"Pisloader":["misp-galaxy:mitre-enterprise-attack-malware=\"Pisloader - S0124\"","misp-galaxy:mitre-malware=\"Pisloader - S0124\""],"PlugX - S0013":["misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"","misp-galaxy:mitre-malware=\"PlugX - S0013\""],"Sogu":["misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"","misp-galaxy:mitre-malware=\"PlugX - S0013\""],"Kaba":["misp-galaxy:mitre-enterprise-attack-malware=\"PlugX - S0013\"","misp-galaxy:mitre-malware=\"PlugX - S0013\""],"PoisonIvy - S0012":["misp-galaxy:mitre-enterprise-attack-malware=\"PoisonIvy - S0012\"","misp-galaxy:mitre-malware=\"PoisonIvy - S0012\""],"PoisonIvy":["misp-galaxy:mitre-enterprise-attack-malware=\"PoisonIvy - S0012\"","misp-galaxy:mitre-malware=\"PoisonIvy - S0012\"","misp-galaxy:rat=\"PoisonIvy\""],"Power Loader - S0177":["misp-galaxy:mitre-enterprise-attack-malware=\"Power Loader - S0177\"","misp-galaxy:mitre-malware=\"Power Loader - S0177\""],"Power Loader":["misp-galaxy:mitre-enterprise-attack-malware=\"Power Loader - S0177\"","misp-galaxy:mitre-malware=\"Power Loader - S0177\""],"Win32\/Agent.UAW":["misp-galaxy:mitre-enterprise-attack-malware=\"Power Loader - S0177\"","misp-galaxy:mitre-malware=\"Power Loader - S0177\""],"PowerDuke - S0139":["misp-galaxy:mitre-enterprise-attack-malware=\"PowerDuke - S0139\"","misp-galaxy:mitre-malware=\"PowerDuke - S0139\""],"Prikormka - S0113":["misp-galaxy:mitre-enterprise-attack-malware=\"Prikormka - S0113\"","misp-galaxy:mitre-malware=\"Prikormka - S0113\""],"Prikormka":["misp-galaxy:mitre-enterprise-attack-malware=\"Prikormka - S0113\"","misp-galaxy:mitre-malware=\"Prikormka - S0113\"","misp-galaxy:tool=\"Prikormka\""],"Psylo - S0078":["misp-galaxy:mitre-enterprise-attack-malware=\"Psylo - S0078\"","misp-galaxy:mitre-malware=\"Psylo - S0078\""],"Psylo":["misp-galaxy:mitre-enterprise-attack-malware=\"Psylo - S0078\"","misp-galaxy:mitre-malware=\"Psylo - S0078\""],"Pteranodon - S0147":["misp-galaxy:mitre-enterprise-attack-malware=\"Pteranodon - S0147\"","misp-galaxy:mitre-malware=\"Pteranodon - S0147\""],"RARSTONE - S0055":["misp-galaxy:mitre-enterprise-attack-malware=\"RARSTONE - S0055\"","misp-galaxy:mitre-malware=\"RARSTONE - S0055\""],"RARSTONE":["misp-galaxy:mitre-enterprise-attack-malware=\"RARSTONE - S0055\"","misp-galaxy:mitre-malware=\"RARSTONE - S0055\"","misp-galaxy:tool=\"RARSTONE\""],"RIPTIDE - S0003":["misp-galaxy:mitre-enterprise-attack-malware=\"RIPTIDE - S0003\"","misp-galaxy:mitre-malware=\"RIPTIDE - S0003\""],"RIPTIDE":["misp-galaxy:mitre-enterprise-attack-malware=\"RIPTIDE - S0003\"","misp-galaxy:mitre-malware=\"RIPTIDE - S0003\"","misp-galaxy:tool=\"Etumbot\""],"ROCKBOOT - S0112":["misp-galaxy:mitre-enterprise-attack-malware=\"ROCKBOOT - S0112\"","misp-galaxy:mitre-malware=\"ROCKBOOT - S0112\""],"ROCKBOOT":["misp-galaxy:mitre-enterprise-attack-malware=\"ROCKBOOT - S0112\"","misp-galaxy:mitre-malware=\"ROCKBOOT - S0112\""],"RTM - S0148":["misp-galaxy:mitre-enterprise-attack-malware=\"RTM - S0148\"","misp-galaxy:mitre-malware=\"RTM - S0148\""],"RawPOS - S0169":["misp-galaxy:mitre-enterprise-attack-malware=\"RawPOS - S0169\"","misp-galaxy:mitre-malware=\"RawPOS - S0169\""],"FIENDCRY":["misp-galaxy:mitre-enterprise-attack-malware=\"RawPOS - S0169\"","misp-galaxy:mitre-malware=\"RawPOS - S0169\""],"DUEBREW":["misp-galaxy:mitre-enterprise-attack-malware=\"RawPOS - S0169\"","misp-galaxy:mitre-malware=\"RawPOS - S0169\""],"DRIFTWOOD":["misp-galaxy:mitre-enterprise-attack-malware=\"RawPOS - S0169\"","misp-galaxy:mitre-malware=\"RawPOS - S0169\""],"Reaver - S0172":["misp-galaxy:mitre-enterprise-attack-malware=\"Reaver - S0172\"","misp-galaxy:mitre-malware=\"Reaver - S0172\""],"RedLeaves - S0153":["misp-galaxy:mitre-enterprise-attack-malware=\"RedLeaves - S0153\"","misp-galaxy:mitre-malware=\"RedLeaves - S0153\""],"BUGJUICE":["misp-galaxy:mitre-enterprise-attack-malware=\"RedLeaves - S0153\"","misp-galaxy:mitre-malware=\"RedLeaves - S0153\"","misp-galaxy:tool=\"BUGJUICE\""],"Regin - S0019":["misp-galaxy:mitre-enterprise-attack-malware=\"Regin - S0019\"","misp-galaxy:mitre-malware=\"Regin - S0019\""],"RemoteCMD - S0166":["misp-galaxy:mitre-enterprise-attack-malware=\"RemoteCMD - S0166\"","misp-galaxy:mitre-malware=\"RemoteCMD - S0166\""],"RemoteCMD":["misp-galaxy:mitre-enterprise-attack-malware=\"RemoteCMD - S0166\"","misp-galaxy:mitre-malware=\"RemoteCMD - S0166\""],"Remsec - S0125":["misp-galaxy:mitre-enterprise-attack-malware=\"Remsec - S0125\"","misp-galaxy:mitre-malware=\"Remsec - S0125\""],"Backdoor.Remsec":["misp-galaxy:mitre-enterprise-attack-malware=\"Remsec - S0125\"","misp-galaxy:mitre-malware=\"Remsec - S0125\""],"Rover - S0090":["misp-galaxy:mitre-enterprise-attack-malware=\"Rover - S0090\"","misp-galaxy:mitre-malware=\"Rover - S0090\""],"S-Type - S0085":["misp-galaxy:mitre-enterprise-attack-malware=\"S-Type - S0085\"","misp-galaxy:mitre-malware=\"S-Type - S0085\""],"S-Type":["misp-galaxy:mitre-enterprise-attack-malware=\"S-Type - S0085\"","misp-galaxy:mitre-malware=\"S-Type - S0085\""],"SEASHARPEE - S0185":["misp-galaxy:mitre-enterprise-attack-malware=\"SEASHARPEE - S0185\"","misp-galaxy:mitre-malware=\"SEASHARPEE - S0185\""],"SEASHARPEE":["misp-galaxy:mitre-enterprise-attack-malware=\"SEASHARPEE - S0185\"","misp-galaxy:mitre-malware=\"SEASHARPEE - S0185\""],"SHIPSHAPE - S0028":["misp-galaxy:mitre-enterprise-attack-malware=\"SHIPSHAPE - S0028\"","misp-galaxy:mitre-malware=\"SHIPSHAPE - S0028\""],"SHOTPUT - S0063":["misp-galaxy:mitre-enterprise-attack-malware=\"SHOTPUT - S0063\"","misp-galaxy:mitre-malware=\"SHOTPUT - S0063\""],"SHOTPUT":["misp-galaxy:mitre-enterprise-attack-malware=\"SHOTPUT - S0063\"","misp-galaxy:mitre-malware=\"SHOTPUT - S0063\""],"Backdoor.APT.CookieCutter":["misp-galaxy:mitre-enterprise-attack-malware=\"SHOTPUT - S0063\"","misp-galaxy:mitre-malware=\"SHOTPUT - S0063\""],"SHUTTERSPEED - S0217":["misp-galaxy:mitre-enterprise-attack-malware=\"SHUTTERSPEED - S0217\"","misp-galaxy:mitre-malware=\"SHUTTERSPEED - S0217\""],"SHUTTERSPEED":["misp-galaxy:mitre-enterprise-attack-malware=\"SHUTTERSPEED - S0217\"","misp-galaxy:mitre-malware=\"SHUTTERSPEED - S0217\"","misp-galaxy:tool=\"SHUTTERSPEED\""],"SLOWDRIFT - S0218":["misp-galaxy:mitre-enterprise-attack-malware=\"SLOWDRIFT - S0218\"","misp-galaxy:mitre-malware=\"SLOWDRIFT - S0218\""],"SLOWDRIFT":["misp-galaxy:mitre-enterprise-attack-malware=\"SLOWDRIFT - S0218\"","misp-galaxy:mitre-malware=\"SLOWDRIFT - S0218\"","misp-galaxy:tool=\"SLOWDRIFT\""],"SNUGRIDE - S0159":["misp-galaxy:mitre-enterprise-attack-malware=\"SNUGRIDE - S0159\"","misp-galaxy:mitre-malware=\"SNUGRIDE - S0159\""],"SNUGRIDE":["misp-galaxy:mitre-enterprise-attack-malware=\"SNUGRIDE - S0159\"","misp-galaxy:mitre-malware=\"SNUGRIDE - S0159\"","misp-galaxy:tool=\"SNUGRIDE\""],"SOUNDBITE - S0157":["misp-galaxy:mitre-enterprise-attack-malware=\"SOUNDBITE - S0157\"","misp-galaxy:mitre-malware=\"SOUNDBITE - S0157\""],"SPACESHIP - S0035":["misp-galaxy:mitre-enterprise-attack-malware=\"SPACESHIP - S0035\"","misp-galaxy:mitre-malware=\"SPACESHIP - S0035\""],"Sakula - S0074":["misp-galaxy:mitre-enterprise-attack-malware=\"Sakula - S0074\"","misp-galaxy:mitre-malware=\"Sakula - S0074\""],"Sakula":["misp-galaxy:mitre-enterprise-attack-malware=\"Sakula - S0074\"","misp-galaxy:mitre-malware=\"Sakula - S0074\"","misp-galaxy:rat=\"Sakula\"","misp-galaxy:tool=\"Sakula\""],"VIPER":["misp-galaxy:mitre-enterprise-attack-malware=\"Sakula - S0074\"","misp-galaxy:mitre-malware=\"Sakula - S0074\"","misp-galaxy:rat=\"Sakula\""],"SeaDuke - S0053":["misp-galaxy:mitre-enterprise-attack-malware=\"SeaDuke - S0053\"","misp-galaxy:mitre-malware=\"SeaDuke - S0053\""],"SeaDuke":["misp-galaxy:mitre-enterprise-attack-malware=\"SeaDuke - S0053\"","misp-galaxy:mitre-malware=\"SeaDuke - S0053\"","misp-galaxy:threat-actor=\"APT 29\""],"SeaDesk":["misp-galaxy:mitre-enterprise-attack-malware=\"SeaDuke - S0053\"","misp-galaxy:mitre-malware=\"SeaDuke - S0053\""],"Shamoon - S0140":["misp-galaxy:mitre-enterprise-attack-malware=\"Shamoon - S0140\"","misp-galaxy:mitre-malware=\"Shamoon - S0140\""],"Shamoon":["misp-galaxy:mitre-enterprise-attack-malware=\"Shamoon - S0140\"","misp-galaxy:mitre-malware=\"Shamoon - S0140\"","misp-galaxy:tool=\"Shamoon\""],"Disttrack":["misp-galaxy:mitre-enterprise-attack-malware=\"Shamoon - S0140\"","misp-galaxy:mitre-malware=\"Shamoon - S0140\""],"Skeleton Key - S0007":["misp-galaxy:mitre-enterprise-attack-malware=\"Skeleton Key - S0007\"","misp-galaxy:mitre-malware=\"Skeleton Key - S0007\""],"Skeleton Key":["misp-galaxy:mitre-enterprise-attack-malware=\"Skeleton Key - S0007\"","misp-galaxy:mitre-malware=\"Skeleton Key - S0007\""],"Smoke Loader - S0226":["misp-galaxy:mitre-enterprise-attack-malware=\"Smoke Loader - S0226\"","misp-galaxy:mitre-malware=\"Smoke Loader - S0226\""],"Smoke Loader":["misp-galaxy:mitre-enterprise-attack-malware=\"Smoke Loader - S0226\"","misp-galaxy:mitre-malware=\"Smoke Loader - S0226\"","misp-galaxy:tool=\"Smoke Loader\""],"SslMM - S0058":["misp-galaxy:mitre-enterprise-attack-malware=\"SslMM - S0058\"","misp-galaxy:mitre-malware=\"SslMM - S0058\""],"Starloader - S0188":["misp-galaxy:mitre-enterprise-attack-malware=\"Starloader - S0188\"","misp-galaxy:mitre-malware=\"Starloader - S0188\""],"Starloader":["misp-galaxy:mitre-enterprise-attack-malware=\"Starloader - S0188\"","misp-galaxy:mitre-malware=\"Starloader - S0188\""],"StreamEx - S0142":["misp-galaxy:mitre-enterprise-attack-malware=\"StreamEx - S0142\"","misp-galaxy:mitre-malware=\"StreamEx - S0142\""],"StreamEx":["misp-galaxy:mitre-enterprise-attack-malware=\"StreamEx - S0142\"","misp-galaxy:mitre-malware=\"StreamEx - S0142\"","misp-galaxy:tool=\"StreamEx\""],"Sykipot - S0018":["misp-galaxy:mitre-enterprise-attack-malware=\"Sykipot - S0018\"","misp-galaxy:mitre-malware=\"Sykipot - S0018\""],"Sykipot":["misp-galaxy:mitre-enterprise-attack-malware=\"Sykipot - S0018\"","misp-galaxy:mitre-malware=\"Sykipot - S0018\"","misp-galaxy:threat-actor=\"Maverick Panda\""],"Sys10 - S0060":["misp-galaxy:mitre-enterprise-attack-malware=\"Sys10 - S0060\"","misp-galaxy:mitre-malware=\"Sys10 - S0060\""],"T9000 - S0098":["misp-galaxy:mitre-enterprise-attack-malware=\"T9000 - S0098\"","misp-galaxy:mitre-malware=\"T9000 - S0098\""],"T9000":["misp-galaxy:mitre-enterprise-attack-malware=\"T9000 - S0098\"","misp-galaxy:mitre-malware=\"T9000 - S0098\"","misp-galaxy:tool=\"T9000\""],"TDTESS - S0164":["misp-galaxy:mitre-enterprise-attack-malware=\"TDTESS - S0164\"","misp-galaxy:mitre-malware=\"TDTESS - S0164\""],"TEXTMATE - S0146":["misp-galaxy:mitre-enterprise-attack-malware=\"TEXTMATE - S0146\"","misp-galaxy:mitre-malware=\"TEXTMATE - S0146\""],"TINYTYPHON - S0131":["misp-galaxy:mitre-enterprise-attack-malware=\"TINYTYPHON - S0131\"","misp-galaxy:mitre-malware=\"TINYTYPHON - S0131\""],"TINYTYPHON":["misp-galaxy:mitre-enterprise-attack-malware=\"TINYTYPHON - S0131\"","misp-galaxy:mitre-malware=\"TINYTYPHON - S0131\""],"TURNEDUP - S0199":["misp-galaxy:mitre-enterprise-attack-malware=\"TURNEDUP - S0199\"","misp-galaxy:mitre-malware=\"TURNEDUP - S0199\""],"Taidoor - S0011":["misp-galaxy:mitre-enterprise-attack-malware=\"Taidoor - S0011\"","misp-galaxy:mitre-malware=\"Taidoor - S0011\""],"TinyZBot - S0004":["misp-galaxy:mitre-enterprise-attack-malware=\"TinyZBot - S0004\"","misp-galaxy:mitre-malware=\"TinyZBot - S0004\""],"TinyZBot":["misp-galaxy:mitre-enterprise-attack-malware=\"TinyZBot - S0004\"","misp-galaxy:mitre-malware=\"TinyZBot - S0004\"","misp-galaxy:tool=\"TinyZBot\""],"Trojan.Karagany - S0094":["misp-galaxy:mitre-enterprise-attack-malware=\"Trojan.Karagany - S0094\"","misp-galaxy:mitre-malware=\"Trojan.Karagany - S0094\""],"Trojan.Karagany":["misp-galaxy:mitre-enterprise-attack-malware=\"Trojan.Karagany - S0094\"","misp-galaxy:mitre-malware=\"Trojan.Karagany - S0094\""],"Trojan.Mebromi - S0001":["misp-galaxy:mitre-enterprise-attack-malware=\"Trojan.Mebromi - S0001\"","misp-galaxy:mitre-malware=\"Trojan.Mebromi - S0001\""],"Trojan.Mebromi":["misp-galaxy:mitre-enterprise-attack-malware=\"Trojan.Mebromi - S0001\"","misp-galaxy:mitre-malware=\"Trojan.Mebromi - S0001\""],"Truvasys - S0178":["misp-galaxy:mitre-enterprise-attack-malware=\"Truvasys - S0178\"","misp-galaxy:mitre-malware=\"Truvasys - S0178\""],"Truvasys":["misp-galaxy:mitre-enterprise-attack-malware=\"Truvasys - S0178\"","misp-galaxy:mitre-malware=\"Truvasys - S0178\""],"USBStealer - S0136":["misp-galaxy:mitre-enterprise-attack-malware=\"USBStealer - S0136\"","misp-galaxy:mitre-malware=\"USBStealer - S0136\""],"USBStealer":["misp-galaxy:mitre-enterprise-attack-malware=\"USBStealer - S0136\"","misp-galaxy:mitre-malware=\"USBStealer - S0136\"","misp-galaxy:tool=\"USBStealer\""],"USB Stealer":["misp-galaxy:mitre-enterprise-attack-malware=\"USBStealer - S0136\"","misp-galaxy:mitre-malware=\"USBStealer - S0136\""],"Win32\/USBStealer":["misp-galaxy:mitre-enterprise-attack-malware=\"USBStealer - S0136\"","misp-galaxy:mitre-malware=\"USBStealer - S0136\""],"Umbreon - S0221":["misp-galaxy:mitre-enterprise-attack-malware=\"Umbreon - S0221\"","misp-galaxy:mitre-malware=\"Umbreon - S0221\""],"Unknown Logger - S0130":["misp-galaxy:mitre-enterprise-attack-malware=\"Unknown Logger - S0130\"","misp-galaxy:mitre-malware=\"Unknown Logger - S0130\""],"Unknown Logger":["misp-galaxy:mitre-enterprise-attack-malware=\"Unknown Logger - S0130\"","misp-galaxy:mitre-malware=\"Unknown Logger - S0130\""],"Uroburos - S0022":["misp-galaxy:mitre-enterprise-attack-malware=\"Uroburos - S0022\"","misp-galaxy:mitre-malware=\"Uroburos - S0022\""],"Uroburos":["misp-galaxy:mitre-enterprise-attack-malware=\"Uroburos - S0022\"","misp-galaxy:mitre-malware=\"Uroburos - S0022\"","misp-galaxy:threat-actor=\"Turla Group\"","misp-galaxy:tool=\"Turla\""],"Vasport - S0207":["misp-galaxy:mitre-enterprise-attack-malware=\"Vasport - S0207\"","misp-galaxy:mitre-malware=\"Vasport - S0207\""],"Vasport":["misp-galaxy:mitre-enterprise-attack-malware=\"Vasport - S0207\"","misp-galaxy:mitre-malware=\"Vasport - S0207\""],"Volgmer - S0180":["misp-galaxy:mitre-enterprise-attack-malware=\"Volgmer - S0180\"","misp-galaxy:mitre-malware=\"Volgmer - S0180\""],"WEBC2 - S0109":["misp-galaxy:mitre-enterprise-attack-malware=\"WEBC2 - S0109\"","misp-galaxy:mitre-malware=\"WEBC2 - S0109\""],"WEBC2":["misp-galaxy:mitre-enterprise-attack-malware=\"WEBC2 - S0109\"","misp-galaxy:mitre-malware=\"WEBC2 - S0109\"","misp-galaxy:tool=\"WEBC2\""],"WINDSHIELD - S0155":["misp-galaxy:mitre-enterprise-attack-malware=\"WINDSHIELD - S0155\"","misp-galaxy:mitre-malware=\"WINDSHIELD - S0155\""],"WINDSHIELD":["misp-galaxy:mitre-enterprise-attack-malware=\"WINDSHIELD - S0155\"","misp-galaxy:mitre-malware=\"WINDSHIELD - S0155\""],"WINERACK - S0219":["misp-galaxy:mitre-enterprise-attack-malware=\"WINERACK - S0219\"","misp-galaxy:mitre-malware=\"WINERACK - S0219\""],"WINERACK":["misp-galaxy:mitre-enterprise-attack-malware=\"WINERACK - S0219\"","misp-galaxy:mitre-malware=\"WINERACK - S0219\"","misp-galaxy:tool=\"WINERACK\""],"Wiarp - S0206":["misp-galaxy:mitre-enterprise-attack-malware=\"Wiarp - S0206\"","misp-galaxy:mitre-malware=\"Wiarp - S0206\""],"Wiarp":["misp-galaxy:mitre-enterprise-attack-malware=\"Wiarp - S0206\"","misp-galaxy:mitre-malware=\"Wiarp - S0206\""],"WinMM - S0059":["misp-galaxy:mitre-enterprise-attack-malware=\"WinMM - S0059\"","misp-galaxy:mitre-malware=\"WinMM - S0059\""],"Wingbird - S0176":["misp-galaxy:mitre-enterprise-attack-malware=\"Wingbird - S0176\"","misp-galaxy:mitre-malware=\"Wingbird - S0176\""],"Wingbird":["misp-galaxy:mitre-enterprise-attack-malware=\"Wingbird - S0176\"","misp-galaxy:mitre-malware=\"Wingbird - S0176\""],"Winnti - S0141":["misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\"","misp-galaxy:mitre-malware=\"Winnti - S0141\""],"Winnti":["misp-galaxy:mitre-enterprise-attack-malware=\"Winnti - S0141\"","misp-galaxy:mitre-malware=\"Winnti - S0141\"","misp-galaxy:tool=\"Winnti\""],"Wiper - S0041":["misp-galaxy:mitre-enterprise-attack-malware=\"Wiper - S0041\"","misp-galaxy:mitre-malware=\"Wiper - S0041\""],"Wiper":["misp-galaxy:mitre-enterprise-attack-malware=\"Wiper - S0041\"","misp-galaxy:mitre-malware=\"Wiper - S0041\""],"XAgentOSX - S0161":["misp-galaxy:mitre-enterprise-attack-malware=\"XAgentOSX - S0161\"","misp-galaxy:mitre-malware=\"XAgentOSX - S0161\""],"XAgentOSX":["misp-galaxy:mitre-enterprise-attack-malware=\"XAgentOSX - S0161\"","misp-galaxy:mitre-malware=\"XAgentOSX - S0161\""],"XTunnel - S0117":["misp-galaxy:mitre-enterprise-attack-malware=\"XTunnel - S0117\"","misp-galaxy:mitre-malware=\"XTunnel - S0117\""],"XTunnel":["misp-galaxy:mitre-enterprise-attack-malware=\"XTunnel - S0117\"","misp-galaxy:mitre-malware=\"XTunnel - S0117\"","misp-galaxy:tool=\"X-Tunnel\""],"XAPS":["misp-galaxy:mitre-enterprise-attack-malware=\"XTunnel - S0117\"","misp-galaxy:mitre-malware=\"XTunnel - S0117\""],"ZLib - S0086":["misp-galaxy:mitre-enterprise-attack-malware=\"ZLib - S0086\"","misp-galaxy:mitre-malware=\"ZLib - S0086\""],"ZLib":["misp-galaxy:mitre-enterprise-attack-malware=\"ZLib - S0086\"","misp-galaxy:mitre-malware=\"ZLib - S0086\""],"ZeroT - S0230":["misp-galaxy:mitre-enterprise-attack-malware=\"ZeroT - S0230\"","misp-galaxy:mitre-malware=\"ZeroT - S0230\""],"Zeroaccess - S0027":["misp-galaxy:mitre-enterprise-attack-malware=\"Zeroaccess - S0027\"","misp-galaxy:mitre-malware=\"Zeroaccess - S0027\""],"Zeroaccess":["misp-galaxy:mitre-enterprise-attack-malware=\"Zeroaccess - S0027\"","misp-galaxy:mitre-malware=\"Zeroaccess - S0027\""],"Trojan.Zeroaccess":["misp-galaxy:mitre-enterprise-attack-malware=\"Zeroaccess - S0027\"","misp-galaxy:mitre-malware=\"Zeroaccess - S0027\""],"adbupd - S0202":["misp-galaxy:mitre-enterprise-attack-malware=\"adbupd - S0202\"","misp-galaxy:mitre-malware=\"adbupd - S0202\""],"adbupd":["misp-galaxy:mitre-enterprise-attack-malware=\"adbupd - S0202\"","misp-galaxy:mitre-malware=\"adbupd - S0202\""],"gh0st - S0032":["misp-galaxy:mitre-enterprise-attack-malware=\"gh0st - S0032\"","misp-galaxy:mitre-malware=\"gh0st - S0032\""],"gh0st":["misp-galaxy:mitre-enterprise-attack-malware=\"gh0st - S0032\"","misp-galaxy:mitre-malware=\"gh0st - S0032\"","misp-galaxy:tool=\"gh0st\""],"hcdLoader - S0071":["misp-galaxy:mitre-enterprise-attack-malware=\"hcdLoader - S0071\"","misp-galaxy:mitre-malware=\"hcdLoader - S0071\""],"hcdLoader":["misp-galaxy:mitre-enterprise-attack-malware=\"hcdLoader - S0071\"","misp-galaxy:mitre-malware=\"hcdLoader - S0071\"","misp-galaxy:rat=\"hcdLoader\""],"httpclient - S0068":["misp-galaxy:mitre-enterprise-attack-malware=\"httpclient - S0068\"","misp-galaxy:mitre-malware=\"httpclient - S0068\""],"httpclient":["misp-galaxy:mitre-enterprise-attack-malware=\"httpclient - S0068\"","misp-galaxy:mitre-malware=\"httpclient - S0068\""],"pngdowner - S0067":["misp-galaxy:mitre-enterprise-attack-malware=\"pngdowner - S0067\"","misp-galaxy:mitre-malware=\"pngdowner - S0067\""],"Arp - S0099":["misp-galaxy:mitre-enterprise-attack-tool=\"Arp - S0099\"","misp-galaxy:mitre-tool=\"Arp - S0099\""],"Arp":["misp-galaxy:mitre-enterprise-attack-tool=\"Arp - S0099\"","misp-galaxy:mitre-tool=\"Arp - S0099\""],"arp.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"Arp - S0099\"","misp-galaxy:mitre-tool=\"Arp - S0099\""],"BITSAdmin - S0190":["misp-galaxy:mitre-enterprise-attack-tool=\"BITSAdmin - S0190\"","misp-galaxy:mitre-tool=\"BITSAdmin - S0190\""],"BITSAdmin":["misp-galaxy:mitre-enterprise-attack-tool=\"BITSAdmin - S0190\"","misp-galaxy:mitre-tool=\"BITSAdmin - S0190\""],"Cachedump - S0119":["misp-galaxy:mitre-enterprise-attack-tool=\"Cachedump - S0119\"","misp-galaxy:mitre-tool=\"Cachedump - S0119\""],"Cachedump":["misp-galaxy:mitre-enterprise-attack-tool=\"Cachedump - S0119\"","misp-galaxy:mitre-tool=\"Cachedump - S0119\""],"Cobalt Strike - S0154":["misp-galaxy:mitre-enterprise-attack-tool=\"Cobalt Strike - S0154\"","misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\""],"FTP - S0095":["misp-galaxy:mitre-enterprise-attack-tool=\"FTP - S0095\"","misp-galaxy:mitre-tool=\"FTP - S0095\""],"FTP":["misp-galaxy:mitre-enterprise-attack-tool=\"FTP - S0095\"","misp-galaxy:mitre-tool=\"FTP - S0095\""],"ftp.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"FTP - S0095\"","misp-galaxy:mitre-tool=\"FTP - S0095\""],"Fgdump - S0120":["misp-galaxy:mitre-enterprise-attack-tool=\"Fgdump - S0120\"","misp-galaxy:mitre-tool=\"Fgdump - S0120\""],"Fgdump":["misp-galaxy:mitre-enterprise-attack-tool=\"Fgdump - S0120\"","misp-galaxy:mitre-tool=\"Fgdump - S0120\""],"Forfiles - S0193":["misp-galaxy:mitre-enterprise-attack-tool=\"Forfiles - S0193\"","misp-galaxy:mitre-tool=\"Forfiles - S0193\""],"Forfiles":["misp-galaxy:mitre-enterprise-attack-tool=\"Forfiles - S0193\"","misp-galaxy:mitre-tool=\"Forfiles - S0193\""],"HTRAN - S0040":["misp-galaxy:mitre-enterprise-attack-tool=\"HTRAN - S0040\"","misp-galaxy:mitre-tool=\"HTRAN - S0040\""],"HTRAN":["misp-galaxy:mitre-enterprise-attack-tool=\"HTRAN - S0040\"","misp-galaxy:mitre-tool=\"HTRAN - S0040\""],"Havij - S0224":["misp-galaxy:mitre-enterprise-attack-tool=\"Havij - S0224\"","misp-galaxy:mitre-tool=\"Havij - S0224\""],"Havij":["misp-galaxy:mitre-enterprise-attack-tool=\"Havij - S0224\"","misp-galaxy:mitre-tool=\"Havij - S0224\""],"Invoke-PSImage - S0231":["misp-galaxy:mitre-enterprise-attack-tool=\"Invoke-PSImage - S0231\"","misp-galaxy:mitre-tool=\"Invoke-PSImage - S0231\""],"Invoke-PSImage":["misp-galaxy:mitre-enterprise-attack-tool=\"Invoke-PSImage - S0231\"","misp-galaxy:mitre-tool=\"Invoke-PSImage - S0231\""],"Lslsass - S0121":["misp-galaxy:mitre-enterprise-attack-tool=\"Lslsass - S0121\"","misp-galaxy:mitre-tool=\"Lslsass - S0121\""],"Lslsass":["misp-galaxy:mitre-enterprise-attack-tool=\"Lslsass - S0121\"","misp-galaxy:mitre-tool=\"Lslsass - S0121\""],"MimiPenguin - S0179":["misp-galaxy:mitre-enterprise-attack-tool=\"MimiPenguin - S0179\"","misp-galaxy:mitre-tool=\"MimiPenguin - S0179\""],"MimiPenguin":["misp-galaxy:mitre-enterprise-attack-tool=\"MimiPenguin - S0179\"","misp-galaxy:mitre-tool=\"MimiPenguin - S0179\""],"Mimikatz - S0002":["misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"","misp-galaxy:mitre-tool=\"Mimikatz - S0002\""],"Mimikatz":["misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"","misp-galaxy:mitre-tool=\"Mimikatz - S0002\"","misp-galaxy:tool=\"Mimikatz\""],"Net - S0039":["misp-galaxy:mitre-enterprise-attack-tool=\"Net - S0039\"","misp-galaxy:mitre-tool=\"Net - S0039\""],"Net":["misp-galaxy:mitre-enterprise-attack-tool=\"Net - S0039\"","misp-galaxy:mitre-tool=\"Net - S0039\""],"net.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"Net - S0039\"","misp-galaxy:mitre-tool=\"Net - S0039\""],"Pass-The-Hash Toolkit - S0122":["misp-galaxy:mitre-enterprise-attack-tool=\"Pass-The-Hash Toolkit - S0122\"","misp-galaxy:mitre-tool=\"Pass-The-Hash Toolkit - S0122\""],"Pass-The-Hash Toolkit":["misp-galaxy:mitre-enterprise-attack-tool=\"Pass-The-Hash Toolkit - S0122\"","misp-galaxy:mitre-tool=\"Pass-The-Hash Toolkit - S0122\""],"Ping - S0097":["misp-galaxy:mitre-enterprise-attack-tool=\"Ping - S0097\"","misp-galaxy:mitre-tool=\"Ping - S0097\""],"Ping":["misp-galaxy:mitre-enterprise-attack-tool=\"Ping - S0097\"","misp-galaxy:mitre-tool=\"Ping - S0097\""],"ping.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"Ping - S0097\"","misp-galaxy:mitre-tool=\"Ping - S0097\""],"PowerSploit - S0194":["misp-galaxy:mitre-enterprise-attack-tool=\"PowerSploit - S0194\"","misp-galaxy:mitre-tool=\"PowerSploit - S0194\""],"PowerSploit":["misp-galaxy:mitre-enterprise-attack-tool=\"PowerSploit - S0194\"","misp-galaxy:mitre-tool=\"PowerSploit - S0194\""],"PsExec - S0029":["misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\"","misp-galaxy:mitre-tool=\"PsExec - S0029\""],"PsExec":["misp-galaxy:mitre-enterprise-attack-tool=\"PsExec - S0029\"","misp-galaxy:mitre-tool=\"PsExec - S0029\"","misp-galaxy:tool=\"PsExec\""],"Pupy - S0192":["misp-galaxy:mitre-enterprise-attack-tool=\"Pupy - S0192\"","misp-galaxy:mitre-tool=\"Pupy - S0192\""],"Pupy":["misp-galaxy:mitre-enterprise-attack-tool=\"Pupy - S0192\"","misp-galaxy:mitre-tool=\"Pupy - S0192\"","misp-galaxy:rat=\"Pupy\""],"Reg - S0075":["misp-galaxy:mitre-enterprise-attack-tool=\"Reg - S0075\"","misp-galaxy:mitre-tool=\"Reg - S0075\""],"Reg":["misp-galaxy:mitre-enterprise-attack-tool=\"Reg - S0075\"","misp-galaxy:mitre-tool=\"Reg - S0075\""],"reg.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"Reg - S0075\"","misp-galaxy:mitre-tool=\"Reg - S0075\""],"Responder - S0174":["misp-galaxy:mitre-enterprise-attack-tool=\"Responder - S0174\"","misp-galaxy:mitre-tool=\"Responder - S0174\""],"Responder":["misp-galaxy:mitre-enterprise-attack-tool=\"Responder - S0174\"","misp-galaxy:mitre-tool=\"Responder - S0174\""],"SDelete - S0195":["misp-galaxy:mitre-enterprise-attack-tool=\"SDelete - S0195\"","misp-galaxy:mitre-tool=\"SDelete - S0195\""],"SDelete":["misp-galaxy:mitre-enterprise-attack-tool=\"SDelete - S0195\"","misp-galaxy:mitre-tool=\"SDelete - S0195\""],"Systeminfo - S0096":["misp-galaxy:mitre-enterprise-attack-tool=\"Systeminfo - S0096\"","misp-galaxy:mitre-tool=\"Systeminfo - S0096\""],"Systeminfo":["misp-galaxy:mitre-enterprise-attack-tool=\"Systeminfo - S0096\"","misp-galaxy:mitre-tool=\"Systeminfo - S0096\""],"systeminfo.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"Systeminfo - S0096\"","misp-galaxy:mitre-tool=\"Systeminfo - S0096\""],"Tasklist - S0057":["misp-galaxy:mitre-enterprise-attack-tool=\"Tasklist - S0057\"","misp-galaxy:mitre-tool=\"Tasklist - S0057\""],"Tasklist":["misp-galaxy:mitre-enterprise-attack-tool=\"Tasklist - S0057\"","misp-galaxy:mitre-tool=\"Tasklist - S0057\""],"Tor - S0183":["misp-galaxy:mitre-enterprise-attack-tool=\"Tor - S0183\"","misp-galaxy:mitre-tool=\"Tor - S0183\""],"Tor":["misp-galaxy:mitre-enterprise-attack-tool=\"Tor - S0183\"","misp-galaxy:mitre-tool=\"Tor - S0183\""],"UACMe - S0116":["misp-galaxy:mitre-enterprise-attack-tool=\"UACMe - S0116\"","misp-galaxy:mitre-tool=\"UACMe - S0116\""],"Windows Credential Editor - S0005":["misp-galaxy:mitre-enterprise-attack-tool=\"Windows Credential Editor - S0005\"","misp-galaxy:mitre-tool=\"Windows Credential Editor - S0005\""],"Windows Credential Editor":["misp-galaxy:mitre-enterprise-attack-tool=\"Windows Credential Editor - S0005\"","misp-galaxy:mitre-tool=\"Windows Credential Editor - S0005\""],"WCE":["misp-galaxy:mitre-enterprise-attack-tool=\"Windows Credential Editor - S0005\"","misp-galaxy:mitre-tool=\"Windows Credential Editor - S0005\""],"Winexe - S0191":["misp-galaxy:mitre-enterprise-attack-tool=\"Winexe - S0191\"","misp-galaxy:mitre-tool=\"Winexe - S0191\""],"Winexe":["misp-galaxy:mitre-enterprise-attack-tool=\"Winexe - S0191\"","misp-galaxy:mitre-tool=\"Winexe - S0191\"","misp-galaxy:tool=\"Winexe\""],"at - S0110":["misp-galaxy:mitre-enterprise-attack-tool=\"at - S0110\"","misp-galaxy:mitre-tool=\"at - S0110\""],"at":["misp-galaxy:mitre-enterprise-attack-tool=\"at - S0110\"","misp-galaxy:mitre-tool=\"at - S0110\""],"at.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"at - S0110\"","misp-galaxy:mitre-tool=\"at - S0110\""],"certutil - S0160":["misp-galaxy:mitre-enterprise-attack-tool=\"certutil - S0160\"","misp-galaxy:mitre-tool=\"certutil - S0160\""],"certutil":["misp-galaxy:mitre-enterprise-attack-tool=\"certutil - S0160\"","misp-galaxy:mitre-tool=\"certutil - S0160\""],"certutil.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"certutil - S0160\"","misp-galaxy:mitre-tool=\"certutil - S0160\""],"cmd - S0106":["misp-galaxy:mitre-enterprise-attack-tool=\"cmd - S0106\"","misp-galaxy:mitre-tool=\"cmd - S0106\""],"cmd":["misp-galaxy:mitre-enterprise-attack-tool=\"cmd - S0106\"","misp-galaxy:mitre-tool=\"cmd - S0106\""],"cmd.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"cmd - S0106\"","misp-galaxy:mitre-tool=\"cmd - S0106\""],"dsquery - S0105":["misp-galaxy:mitre-enterprise-attack-tool=\"dsquery - S0105\"","misp-galaxy:mitre-tool=\"dsquery - S0105\""],"dsquery":["misp-galaxy:mitre-enterprise-attack-tool=\"dsquery - S0105\"","misp-galaxy:mitre-tool=\"dsquery - S0105\""],"dsquery.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"dsquery - S0105\"","misp-galaxy:mitre-tool=\"dsquery - S0105\""],"gsecdump - S0008":["misp-galaxy:mitre-enterprise-attack-tool=\"gsecdump - S0008\"","misp-galaxy:mitre-tool=\"gsecdump - S0008\""],"ifconfig - S0101":["misp-galaxy:mitre-enterprise-attack-tool=\"ifconfig - S0101\"","misp-galaxy:mitre-tool=\"ifconfig - S0101\""],"ifconfig":["misp-galaxy:mitre-enterprise-attack-tool=\"ifconfig - S0101\"","misp-galaxy:mitre-tool=\"ifconfig - S0101\""],"ipconfig - S0100":["misp-galaxy:mitre-enterprise-attack-tool=\"ipconfig - S0100\"","misp-galaxy:mitre-tool=\"ipconfig - S0100\""],"ipconfig":["misp-galaxy:mitre-enterprise-attack-tool=\"ipconfig - S0100\"","misp-galaxy:mitre-tool=\"ipconfig - S0100\""],"ipconfig.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"ipconfig - S0100\"","misp-galaxy:mitre-tool=\"ipconfig - S0100\""],"meek - S0175":["misp-galaxy:mitre-enterprise-attack-tool=\"meek - S0175\"","misp-galaxy:mitre-tool=\"meek - S0175\""],"meek":["misp-galaxy:mitre-enterprise-attack-tool=\"meek - S0175\"","misp-galaxy:mitre-tool=\"meek - S0175\""],"nbtstat - S0102":["misp-galaxy:mitre-enterprise-attack-tool=\"nbtstat - S0102\"","misp-galaxy:mitre-tool=\"nbtstat - S0102\""],"nbtstat":["misp-galaxy:mitre-enterprise-attack-tool=\"nbtstat - S0102\"","misp-galaxy:mitre-tool=\"nbtstat - S0102\""],"nbtstat.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"nbtstat - S0102\"","misp-galaxy:mitre-tool=\"nbtstat - S0102\""],"netsh - S0108":["misp-galaxy:mitre-enterprise-attack-tool=\"netsh - S0108\"","misp-galaxy:mitre-tool=\"netsh - S0108\""],"netsh":["misp-galaxy:mitre-enterprise-attack-tool=\"netsh - S0108\"","misp-galaxy:mitre-tool=\"netsh - S0108\""],"netsh.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"netsh - S0108\"","misp-galaxy:mitre-tool=\"netsh - S0108\""],"netstat - S0104":["misp-galaxy:mitre-enterprise-attack-tool=\"netstat - S0104\"","misp-galaxy:mitre-tool=\"netstat - S0104\""],"netstat":["misp-galaxy:mitre-enterprise-attack-tool=\"netstat - S0104\"","misp-galaxy:mitre-tool=\"netstat - S0104\""],"netstat.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"netstat - S0104\"","misp-galaxy:mitre-tool=\"netstat - S0104\""],"pwdump - S0006":["misp-galaxy:mitre-enterprise-attack-tool=\"pwdump - S0006\"","misp-galaxy:mitre-tool=\"pwdump - S0006\""],"pwdump":["misp-galaxy:mitre-enterprise-attack-tool=\"pwdump - S0006\"","misp-galaxy:mitre-tool=\"pwdump - S0006\""],"route - S0103":["misp-galaxy:mitre-enterprise-attack-tool=\"route - S0103\"","misp-galaxy:mitre-tool=\"route - S0103\""],"route":["misp-galaxy:mitre-enterprise-attack-tool=\"route - S0103\"","misp-galaxy:mitre-tool=\"route - S0103\""],"route.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"route - S0103\"","misp-galaxy:mitre-tool=\"route - S0103\""],"schtasks - S0111":["misp-galaxy:mitre-enterprise-attack-tool=\"schtasks - S0111\"","misp-galaxy:mitre-tool=\"schtasks - S0111\""],"schtasks":["misp-galaxy:mitre-enterprise-attack-tool=\"schtasks - S0111\"","misp-galaxy:mitre-tool=\"schtasks - S0111\""],"schtasks.exe":["misp-galaxy:mitre-enterprise-attack-tool=\"schtasks - S0111\"","misp-galaxy:mitre-tool=\"schtasks - S0111\""],"spwebmember - S0227":["misp-galaxy:mitre-enterprise-attack-tool=\"spwebmember - S0227\"","misp-galaxy:mitre-tool=\"spwebmember - S0227\""],"spwebmember":["misp-galaxy:mitre-enterprise-attack-tool=\"spwebmember - S0227\"","misp-galaxy:mitre-tool=\"spwebmember - S0227\""],"sqlmap - S0225":["misp-galaxy:mitre-enterprise-attack-tool=\"sqlmap - S0225\"","misp-galaxy:mitre-tool=\"sqlmap - S0225\""],"sqlmap":["misp-galaxy:mitre-enterprise-attack-tool=\"sqlmap - S0225\"","misp-galaxy:mitre-tool=\"sqlmap - S0225\""],"xCmd - S0123":["misp-galaxy:mitre-enterprise-attack-tool=\"xCmd - S0123\"","misp-galaxy:mitre-tool=\"xCmd - S0123\""],"xCmd":["misp-galaxy:mitre-enterprise-attack-tool=\"xCmd - S0123\"","misp-galaxy:mitre-tool=\"xCmd - S0123\""],"APT19 - G0073":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\""],"APT19":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\"","misp-galaxy:threat-actor=\"Codoso\""],"Codoso":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\"","misp-galaxy:threat-actor=\"Codoso\""],"C0d0so0":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\""],"Codoso Team":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\""],"Sunshop Group":["misp-galaxy:mitre-intrusion-set=\"APT19 - G0073\"","misp-galaxy:threat-actor=\"Codoso\""],"SNAKEMACKEREL":["misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Swallowtail":["misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"Group 74":["misp-galaxy:mitre-intrusion-set=\"APT28 - G0007\"","misp-galaxy:threat-actor=\"Sofacy\""],"YTTRIUM":["misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"","misp-galaxy:threat-actor=\"APT 29\""],"SeaLotus":["misp-galaxy:mitre-intrusion-set=\"APT32 - G0050\"","misp-galaxy:threat-actor=\"APT32\""],"APT-C-00":["misp-galaxy:mitre-intrusion-set=\"APT32 - G0050\"","misp-galaxy:threat-actor=\"APT32\""],"Elfin":["misp-galaxy:mitre-intrusion-set=\"APT33 - G0064\"","misp-galaxy:threat-actor=\"APT33\""],"APT38 - G0082":["misp-galaxy:mitre-intrusion-set=\"APT38 - G0082\""],"APT38":["misp-galaxy:mitre-intrusion-set=\"APT38 - G0082\"","misp-galaxy:threat-actor=\"Lazarus Group\""],"APT39 - G0087":["misp-galaxy:mitre-intrusion-set=\"APT39 - G0087\""],"APT39":["misp-galaxy:mitre-intrusion-set=\"APT39 - G0087\"","misp-galaxy:threat-actor=\"APT39\""],"Chafer":["misp-galaxy:mitre-intrusion-set=\"APT39 - G0087\"","misp-galaxy:threat-actor=\"APT39\"","misp-galaxy:threat-actor=\"Chafer\""],"Cobalt Group - G0080":["misp-galaxy:mitre-intrusion-set=\"Cobalt Group - G0080\""],"Cobalt Group":["misp-galaxy:mitre-intrusion-set=\"Cobalt Group - G0080\"","misp-galaxy:threat-actor=\"Cobalt\""],"Cobalt Gang":["misp-galaxy:mitre-intrusion-set=\"Cobalt Group - G0080\"","misp-galaxy:threat-actor=\"Cobalt\""],"Cobalt Spider":["misp-galaxy:mitre-intrusion-set=\"Cobalt Group - G0080\"","misp-galaxy:threat-actor=\"Cobalt\""],"Dark Caracal - G0070":["misp-galaxy:mitre-intrusion-set=\"Dark Caracal - G0070\""],"Dark Caracal":["misp-galaxy:mitre-intrusion-set=\"Dark Caracal - G0070\"","misp-galaxy:threat-actor=\"Dark Caracal\""],"DarkHydrus - G0079":["misp-galaxy:mitre-intrusion-set=\"DarkHydrus - G0079\""],"DarkHydrus":["misp-galaxy:mitre-intrusion-set=\"DarkHydrus - G0079\"","misp-galaxy:threat-actor=\"DarkHydrus\""],"Dragonfly 2.0 - G0074":["misp-galaxy:mitre-intrusion-set=\"Dragonfly 2.0 - G0074\""],"Dragonfly 2.0":["misp-galaxy:mitre-intrusion-set=\"Dragonfly 2.0 - G0074\"","misp-galaxy:threat-actor=\"DYMALLOY\""],"Berserk Bear":["misp-galaxy:mitre-intrusion-set=\"Dragonfly 2.0 - G0074\"","misp-galaxy:threat-actor=\"Berserk Bear\"","misp-galaxy:threat-actor=\"TeamSpy Crew\""],"FIN4 - G0085":["misp-galaxy:mitre-intrusion-set=\"FIN4 - G0085\""],"FIN4":["misp-galaxy:mitre-intrusion-set=\"FIN4 - G0085\"","misp-galaxy:threat-actor=\"Wolf Spider\""],"Gallmaker - G0084":["misp-galaxy:mitre-intrusion-set=\"Gallmaker - G0084\""],"Gallmaker":["misp-galaxy:mitre-intrusion-set=\"Gallmaker - G0084\"","misp-galaxy:threat-actor=\"Gallmaker\""],"Gorgon Group - G0078":["misp-galaxy:mitre-intrusion-set=\"Gorgon Group - G0078\""],"Gorgon Group":["misp-galaxy:mitre-intrusion-set=\"Gorgon Group - G0078\"","misp-galaxy:threat-actor=\"The Gorgon Group\""],"Honeybee - G0072":["misp-galaxy:mitre-intrusion-set=\"Honeybee - G0072\""],"Honeybee":["misp-galaxy:mitre-intrusion-set=\"Honeybee - G0072\"","misp-galaxy:threat-actor=\"Honeybee\""],"APT15":["misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:threat-actor=\"Mirage\""],"Vixen Panda":["misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:threat-actor=\"Mirage\""],"GREF":["misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:threat-actor=\"Mirage\""],"Playful Dragon":["misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\"","misp-galaxy:threat-actor=\"Mirage\""],"RoyalAPT":["misp-galaxy:mitre-intrusion-set=\"Ke3chang - G0004\""],"Leafminer - G0077":["misp-galaxy:mitre-intrusion-set=\"Leafminer - G0077\""],"Leafminer":["misp-galaxy:mitre-intrusion-set=\"Leafminer - G0077\""],"Raspite":["misp-galaxy:mitre-intrusion-set=\"Leafminer - G0077\"","misp-galaxy:threat-actor=\"RASPITE\""],"TEMP.Jumper":["misp-galaxy:mitre-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:threat-actor=\"Leviathan\""],"APT40":["misp-galaxy:mitre-intrusion-set=\"Leviathan - G0065\"","misp-galaxy:threat-actor=\"Leviathan\""],"DRAGONFISH":["misp-galaxy:mitre-intrusion-set=\"Lotus Blossom - G0030\"","misp-galaxy:threat-actor=\"Lotus Blossom\""],"APT35":["misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"","misp-galaxy:threat-actor=\"APT35\"","misp-galaxy:threat-actor=\"Cleaver\""],"Seedworm":["misp-galaxy:mitre-intrusion-set=\"MuddyWater - G0069\"","misp-galaxy:threat-actor=\"MuddyWater\""],"IRN2":["misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\"","misp-galaxy:threat-actor=\"OilRig\""],"HELIX KITTEN":["misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\""],"Orangeworm - G0071":["misp-galaxy:mitre-intrusion-set=\"Orangeworm - G0071\""],"Orangeworm":["misp-galaxy:mitre-intrusion-set=\"Orangeworm - G0071\"","misp-galaxy:threat-actor=\"Orangeworm\""],"Rancor - G0075":["misp-galaxy:mitre-intrusion-set=\"Rancor - G0075\""],"Rancor":["misp-galaxy:mitre-intrusion-set=\"Rancor - G0075\"","misp-galaxy:threat-actor=\"RANCOR\""],"VOODOO BEAR":["misp-galaxy:mitre-intrusion-set=\"Sandworm Team - G0034\""],"SilverTerrier - G0083":["misp-galaxy:mitre-intrusion-set=\"SilverTerrier - G0083\""],"SilverTerrier":["misp-galaxy:mitre-intrusion-set=\"SilverTerrier - G0083\"","misp-galaxy:threat-actor=\"SilverTerrier\""],"Stolen Pencil - G0086":["misp-galaxy:mitre-intrusion-set=\"Stolen Pencil - G0086\""],"Stolen Pencil":["misp-galaxy:mitre-intrusion-set=\"Stolen Pencil - G0086\""],"TEMP.Veles - G0088":["misp-galaxy:mitre-intrusion-set=\"TEMP.Veles - G0088\""],"TEMP.Veles":["misp-galaxy:mitre-intrusion-set=\"TEMP.Veles - G0088\"","misp-galaxy:threat-actor=\"TEMP.Veles\""],"XENOTIME":["misp-galaxy:mitre-intrusion-set=\"TEMP.Veles - G0088\"","misp-galaxy:threat-actor=\"XENOTIME\""],"APT27":["misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"Iron Tiger":["misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"LuckyMouse":["misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"Thrip - G0076":["misp-galaxy:mitre-intrusion-set=\"Thrip - G0076\""],"Thrip":["misp-galaxy:mitre-intrusion-set=\"Thrip - G0076\"","misp-galaxy:threat-actor=\"Thrip\""],"Tropic Trooper - G0081":["misp-galaxy:mitre-intrusion-set=\"Tropic Trooper - G0081\""],"Tropic Trooper":["misp-galaxy:mitre-intrusion-set=\"Tropic Trooper - G0081\"","misp-galaxy:threat-actor=\"Tropic Trooper\""],"VENOMOUS BEAR":["misp-galaxy:mitre-intrusion-set=\"Turla - G0010\""],"Krypton":["misp-galaxy:mitre-intrusion-set=\"Turla - G0010\""],"HOGFISH":["misp-galaxy:mitre-intrusion-set=\"menuPass - G0045\"","misp-galaxy:threat-actor=\"Stone Panda\""],"ANDROIDOS_ANSERVER.A - S0310":["misp-galaxy:mitre-malware=\"ANDROIDOS_ANSERVER.A - S0310\""],"ANDROIDOS_ANSERVER.A":["misp-galaxy:mitre-malware=\"ANDROIDOS_ANSERVER.A - S0310\"","misp-galaxy:mitre-mobile-attack-malware=\"ANDROIDOS_ANSERVER.A - MOB-S0026\""],"Adups - S0309":["misp-galaxy:mitre-malware=\"Adups - S0309\""],"Adups":["misp-galaxy:mitre-malware=\"Adups - S0309\"","misp-galaxy:mitre-mobile-attack-malware=\"Adups - MOB-S0025\""],"Agent Tesla - S0331":["misp-galaxy:mitre-malware=\"Agent Tesla - S0331\""],"Allwinner - S0319":["misp-galaxy:mitre-malware=\"Allwinner - S0319\""],"Allwinner":["misp-galaxy:mitre-malware=\"Allwinner - S0319\""],"AndroRAT - S0292":["misp-galaxy:mitre-malware=\"AndroRAT - S0292\""],"Android Overlay Malware - S0296":["misp-galaxy:mitre-malware=\"Android Overlay Malware - S0296\""],"Android Overlay Malware":["misp-galaxy:mitre-malware=\"Android Overlay Malware - S0296\""],"Android\/Chuli.A - S0304":["misp-galaxy:mitre-malware=\"Android\/Chuli.A - S0304\""],"Android\/Chuli.A":["misp-galaxy:mitre-malware=\"Android\/Chuli.A - S0304\"","misp-galaxy:mitre-mobile-attack-malware=\"Android\/Chuli.A - MOB-S0020\""],"Astaroth - S0373":["misp-galaxy:mitre-malware=\"Astaroth - S0373\""],"Astaroth":["misp-galaxy:mitre-malware=\"Astaroth - S0373\""],"AuditCred - S0347":["misp-galaxy:mitre-malware=\"AuditCred - S0347\""],"AuditCred":["misp-galaxy:mitre-malware=\"AuditCred - S0347\""],"Roptimizer":["misp-galaxy:mitre-malware=\"AuditCred - S0347\""],"Azorult - S0344":["misp-galaxy:mitre-malware=\"Azorult - S0344\""],"BADCALL - S0245":["misp-galaxy:mitre-malware=\"BADCALL - S0245\""],"BADCALL":["misp-galaxy:mitre-malware=\"BADCALL - S0245\""],"BONDUPDATER - S0360":["misp-galaxy:mitre-malware=\"BONDUPDATER - S0360\""],"BadPatch - S0337":["misp-galaxy:mitre-malware=\"BadPatch - S0337\""],"BadPatch":["misp-galaxy:mitre-malware=\"BadPatch - S0337\""],"Bandook - S0234":["misp-galaxy:mitre-malware=\"Bandook - S0234\""],"Bandook":["misp-galaxy:mitre-malware=\"Bandook - S0234\""],"Bankshot - S0239":["misp-galaxy:mitre-malware=\"Bankshot - S0239\""],"Trojan Manuscript":["misp-galaxy:mitre-malware=\"Bankshot - S0239\""],"Bisonal - S0268":["misp-galaxy:mitre-malware=\"Bisonal - S0268\""],"BrainTest - S0293":["misp-galaxy:mitre-malware=\"BrainTest - S0293\""],"BrainTest":["misp-galaxy:mitre-malware=\"BrainTest - S0293\"","misp-galaxy:mitre-mobile-attack-malware=\"BrainTest - MOB-S0009\""],"Brave Prince - S0252":["misp-galaxy:mitre-malware=\"Brave Prince - S0252\""],"Brave Prince":["misp-galaxy:mitre-malware=\"Brave Prince - S0252\""],"Backdoor.SofacyX":["misp-galaxy:mitre-malware=\"CHOPSTICK - S0023\""],"Calisto - S0274":["misp-galaxy:mitre-malware=\"Calisto - S0274\""],"Cannon - S0351":["misp-galaxy:mitre-malware=\"Cannon - S0351\""],"Carbon - S0335":["misp-galaxy:mitre-malware=\"Carbon - S0335\""],"Cardinal RAT - S0348":["misp-galaxy:mitre-malware=\"Cardinal RAT - S0348\""],"Catchamas - S0261":["misp-galaxy:mitre-malware=\"Catchamas - S0261\""],"Charger - S0323":["misp-galaxy:mitre-malware=\"Charger - S0323\""],"Cobian RAT - S0338":["misp-galaxy:mitre-malware=\"Cobian RAT - S0338\""],"CoinTicker - S0369":["misp-galaxy:mitre-malware=\"CoinTicker - S0369\""],"CoinTicker":["misp-galaxy:mitre-malware=\"CoinTicker - S0369\""],"Comnie - S0244":["misp-galaxy:mitre-malware=\"Comnie - S0244\""],"Comnie":["misp-galaxy:mitre-malware=\"Comnie - S0244\"","misp-galaxy:rat=\"Comnie\"","misp-galaxy:threat-actor=\"Blackgear\""],"CrossRAT - S0235":["misp-galaxy:mitre-malware=\"CrossRAT - S0235\""],"DDKONG - S0255":["misp-galaxy:mitre-malware=\"DDKONG - S0255\""],"DarkComet - S0334":["misp-galaxy:mitre-malware=\"DarkComet - S0334\""],"DarkKomet":["misp-galaxy:mitre-malware=\"DarkComet - S0334\""],"Krademok":["misp-galaxy:mitre-malware=\"DarkComet - S0334\""],"FYNLOS":["misp-galaxy:mitre-malware=\"DarkComet - S0334\""],"DealersChoice - S0243":["misp-galaxy:mitre-malware=\"DealersChoice - S0243\""],"Dendroid - S0301":["misp-galaxy:mitre-malware=\"Dendroid - S0301\""],"Dendroid":["misp-galaxy:mitre-malware=\"Dendroid - S0301\"","misp-galaxy:mitre-mobile-attack-malware=\"Dendroid - MOB-S0017\"","misp-galaxy:rat=\"Dendroid\""],"Denis - S0354":["misp-galaxy:mitre-malware=\"Denis - S0354\""],"Denis":["misp-galaxy:mitre-malware=\"Denis - S0354\""],"Dok - S0281":["misp-galaxy:mitre-malware=\"Dok - S0281\""],"DressCode - S0300":["misp-galaxy:mitre-malware=\"DressCode - S0300\""],"DressCode":["misp-galaxy:mitre-malware=\"DressCode - S0300\"","misp-galaxy:mitre-mobile-attack-malware=\"DressCode - MOB-S0016\""],"DroidJack - S0320":["misp-galaxy:mitre-malware=\"DroidJack - S0320\""],"DroidJack":["misp-galaxy:mitre-malware=\"DroidJack - S0320\"","misp-galaxy:rat=\"DroidJack\""],"DualToy - S0315":["misp-galaxy:mitre-malware=\"DualToy - S0315\""],"DualToy":["misp-galaxy:mitre-malware=\"DualToy - S0315\"","misp-galaxy:mitre-mobile-attack-malware=\"DualToy - MOB-S0031\""],"Ebury - S0377":["misp-galaxy:mitre-malware=\"Ebury - S0377\""],"Emotet - S0367":["misp-galaxy:mitre-malware=\"Emotet - S0367\""],"Exaramel - S0343":["misp-galaxy:mitre-malware=\"Exaramel - S0343\""],"Exaramel":["misp-galaxy:mitre-malware=\"Exaramel - S0343\""],"FELIXROOT - S0267":["misp-galaxy:mitre-malware=\"FELIXROOT - S0267\""],"FELIXROOT":["misp-galaxy:mitre-malware=\"FELIXROOT - S0267\""],"GreyEnergy mini":["misp-galaxy:mitre-malware=\"FELIXROOT - S0267\""],"Final1stspy - S0355":["misp-galaxy:mitre-malware=\"Final1stspy - S0355\""],"Final1stspy":["misp-galaxy:mitre-malware=\"Final1stspy - S0355\""],"FruitFly - S0277":["misp-galaxy:mitre-malware=\"FruitFly - S0277\""],"Gold Dragon - S0249":["misp-galaxy:mitre-malware=\"Gold Dragon - S0249\""],"Gold Dragon":["misp-galaxy:mitre-malware=\"Gold Dragon - S0249\""],"Gooligan - S0290":["misp-galaxy:mitre-malware=\"Gooligan - S0290\""],"Gooligan":["misp-galaxy:mitre-malware=\"Gooligan - S0290\"","misp-galaxy:mitre-mobile-attack-malware=\"Gooligan - MOB-S0006\""],"GravityRAT - S0237":["misp-galaxy:mitre-malware=\"GravityRAT - S0237\""],"GravityRAT":["misp-galaxy:mitre-malware=\"GravityRAT - S0237\"","misp-galaxy:rat=\"GravityRAT\""],"GreyEnergy - S0342":["misp-galaxy:mitre-malware=\"GreyEnergy - S0342\""],"HARDRAIN - S0246":["misp-galaxy:mitre-malware=\"HARDRAIN - S0246\""],"HARDRAIN":["misp-galaxy:mitre-malware=\"HARDRAIN - S0246\""],"HOPLIGHT - S0376":["misp-galaxy:mitre-malware=\"HOPLIGHT - S0376\""],"HummingBad - S0322":["misp-galaxy:mitre-malware=\"HummingBad - S0322\""],"HummingWhale - S0321":["misp-galaxy:mitre-malware=\"HummingWhale - S0321\""],"HummingWhale":["misp-galaxy:mitre-malware=\"HummingWhale - S0321\"","misp-galaxy:mitre-mobile-attack-malware=\"HummingWhale - MOB-S0037\""],"InnaputRAT - S0259":["misp-galaxy:mitre-malware=\"InnaputRAT - S0259\""],"InvisiMole - S0260":["misp-galaxy:mitre-malware=\"InvisiMole - S0260\""],"Trojan.Sofacy":["misp-galaxy:mitre-malware=\"JHUHUGIT - S0044\""],"Judy - S0325":["misp-galaxy:mitre-malware=\"Judy - S0325\""],"KEYMARBLE - S0271":["misp-galaxy:mitre-malware=\"KEYMARBLE - S0271\""],"KONNI - S0356":["misp-galaxy:mitre-malware=\"KONNI - S0356\""],"KONNI":["misp-galaxy:mitre-malware=\"KONNI - S0356\"","misp-galaxy:rat=\"Konni\"","misp-galaxy:tool=\"KONNI\""],"Kazuar - S0265":["misp-galaxy:mitre-malware=\"Kazuar - S0265\""],"KeyRaider - S0288":["misp-galaxy:mitre-malware=\"KeyRaider - S0288\""],"KeyRaider":["misp-galaxy:mitre-malware=\"KeyRaider - S0288\"","misp-galaxy:mitre-mobile-attack-malware=\"KeyRaider - MOB-S0004\""],"Keydnap - S0276":["misp-galaxy:mitre-malware=\"Keydnap - S0276\""],"OSX\/Keydnap":["misp-galaxy:mitre-malware=\"Keydnap - S0276\""],"Kwampirs - S0236":["misp-galaxy:mitre-malware=\"Kwampirs - S0236\""],"Linux Rabbit - S0362":["misp-galaxy:mitre-malware=\"Linux Rabbit - S0362\""],"Linux Rabbit":["misp-galaxy:mitre-malware=\"Linux Rabbit - S0362\""],"LockerGoga - S0372":["misp-galaxy:mitre-malware=\"LockerGoga - S0372\""],"LockerGoga ":["misp-galaxy:mitre-malware=\"LockerGoga - S0372\""],"MacSpy - S0282":["misp-galaxy:mitre-malware=\"MacSpy - S0282\""],"Marcher - S0317":["misp-galaxy:mitre-malware=\"Marcher - S0317\""],"MazarBOT - S0303":["misp-galaxy:mitre-malware=\"MazarBOT - S0303\""],"MazarBOT":["misp-galaxy:mitre-malware=\"MazarBOT - S0303\"","misp-galaxy:mitre-mobile-attack-malware=\"MazarBOT - MOB-S0019\""],"Micropsia - S0339":["misp-galaxy:mitre-malware=\"Micropsia - S0339\""],"MirageFox - S0280":["misp-galaxy:mitre-malware=\"MirageFox - S0280\""],"More_eggs - S0284":["misp-galaxy:mitre-malware=\"More_eggs - S0284\""],"Mosquito - S0256":["misp-galaxy:mitre-malware=\"Mosquito - S0256\""],"NDiskMonitor - S0272":["misp-galaxy:mitre-malware=\"NDiskMonitor - S0272\""],"NDiskMonitor":["misp-galaxy:mitre-malware=\"NDiskMonitor - S0272\""],"NOKKI - S0353":["misp-galaxy:mitre-malware=\"NOKKI - S0353\""],"NOKKI":["misp-galaxy:mitre-malware=\"NOKKI - S0353\"","misp-galaxy:tool=\"NOKKI\""],"NanoCore - S0336":["misp-galaxy:mitre-malware=\"NanoCore - S0336\""],"NanoCore":["misp-galaxy:mitre-malware=\"NanoCore - S0336\"","misp-galaxy:rat=\"NanoCore\"","misp-galaxy:tool=\"NanoCoreRAT\""],"NavRAT - S0247":["misp-galaxy:mitre-malware=\"NavRAT - S0247\""],"NotCompatible - S0299":["misp-galaxy:mitre-malware=\"NotCompatible - S0299\""],"NotCompatible":["misp-galaxy:mitre-malware=\"NotCompatible - S0299\"","misp-galaxy:mitre-mobile-attack-malware=\"NotCompatible - MOB-S0015\""],"NotPetya - S0368":["misp-galaxy:mitre-malware=\"NotPetya - S0368\""],"Petrwrap":["misp-galaxy:mitre-malware=\"NotPetya - S0368\""],"OBAD - S0286":["misp-galaxy:mitre-malware=\"OBAD - S0286\""],"OBAD":["misp-galaxy:mitre-malware=\"OBAD - S0286\"","misp-galaxy:mitre-mobile-attack-malware=\"OBAD - MOB-S0002\""],"OSX_OCEANLOTUS.D - S0352":["misp-galaxy:mitre-malware=\"OSX_OCEANLOTUS.D - S0352\""],"OSX_OCEANLOTUS.D":["misp-galaxy:mitre-malware=\"OSX_OCEANLOTUS.D - S0352\""],"OceanSalt - S0346":["misp-galaxy:mitre-malware=\"OceanSalt - S0346\""],"OceanSalt":["misp-galaxy:mitre-malware=\"OceanSalt - S0346\""],"Octopus - S0340":["misp-galaxy:mitre-malware=\"Octopus - S0340\""],"OldBoot - S0285":["misp-galaxy:mitre-malware=\"OldBoot - S0285\""],"OldBoot":["misp-galaxy:mitre-malware=\"OldBoot - S0285\"","misp-galaxy:mitre-mobile-attack-malware=\"OldBoot - MOB-S0001\""],"Olympic Destroyer - S0365":["misp-galaxy:mitre-malware=\"Olympic Destroyer - S0365\""],"OopsIE - S0264":["misp-galaxy:mitre-malware=\"OopsIE - S0264\""],"PJApps - S0291":["misp-galaxy:mitre-malware=\"PJApps - S0291\""],"PJApps":["misp-galaxy:mitre-malware=\"PJApps - S0291\"","misp-galaxy:mitre-mobile-attack-malware=\"PJApps - MOB-S0007\""],"PLAINTEE - S0254":["misp-galaxy:mitre-malware=\"PLAINTEE - S0254\""],"Powermud":["misp-galaxy:mitre-malware=\"POWERSTATS - S0223\""],"POWERTON - S0371":["misp-galaxy:mitre-malware=\"POWERTON - S0371\""],"POWERTON":["misp-galaxy:mitre-malware=\"POWERTON - S0371\""],"Pegasus for Android - S0316":["misp-galaxy:mitre-malware=\"Pegasus for Android - S0316\""],"Pegasus for Android":["misp-galaxy:mitre-malware=\"Pegasus for Android - S0316\"","misp-galaxy:mitre-mobile-attack-malware=\"Pegasus for Android - MOB-S0032\""],"Pegasus for iOS - S0289":["misp-galaxy:mitre-malware=\"Pegasus for iOS - S0289\""],"Pegasus for iOS":["misp-galaxy:mitre-malware=\"Pegasus for iOS - S0289\""],"DestroyRAT":["misp-galaxy:mitre-malware=\"PlugX - S0013\""],"Proton - S0279":["misp-galaxy:mitre-malware=\"Proton - S0279\""],"Proton":["misp-galaxy:mitre-malware=\"Proton - S0279\"","misp-galaxy:tool=\"Proton\""],"Proxysvc - S0238":["misp-galaxy:mitre-malware=\"Proxysvc - S0238\""],"Proxysvc":["misp-galaxy:mitre-malware=\"Proxysvc - S0238\"","misp-galaxy:tool=\"Proxysvc\""],"QUADAGENT - S0269":["misp-galaxy:mitre-malware=\"QUADAGENT - S0269\""],"RATANKBA - S0241":["misp-galaxy:mitre-malware=\"RATANKBA - S0241\""],"RATANKBA":["misp-galaxy:mitre-malware=\"RATANKBA - S0241\""],"RCSAndroid - S0295":["misp-galaxy:mitre-malware=\"RCSAndroid - S0295\""],"RCSAndroid":["misp-galaxy:mitre-malware=\"RCSAndroid - S0295\"","misp-galaxy:mitre-mobile-attack-malware=\"RCSAndroid - MOB-S0011\""],"RGDoor - S0258":["misp-galaxy:mitre-malware=\"RGDoor - S0258\""],"ROKRAT - S0240":["misp-galaxy:mitre-malware=\"ROKRAT - S0240\""],"ROKRAT":["misp-galaxy:mitre-malware=\"ROKRAT - S0240\"","misp-galaxy:rat=\"rokrat\""],"RedDrop - S0326":["misp-galaxy:mitre-malware=\"RedDrop - S0326\""],"Remexi - S0375":["misp-galaxy:mitre-malware=\"Remexi - S0375\""],"RogueRobin - S0270":["misp-galaxy:mitre-malware=\"RogueRobin - S0270\""],"RuMMS - S0313":["misp-galaxy:mitre-malware=\"RuMMS - S0313\""],"RuMMS":["misp-galaxy:mitre-malware=\"RuMMS - S0313\"","misp-galaxy:mitre-mobile-attack-malware=\"RuMMS - MOB-S0029\""],"RunningRAT - S0253":["misp-galaxy:mitre-malware=\"RunningRAT - S0253\""],"RunningRAT":["misp-galaxy:mitre-malware=\"RunningRAT - S0253\""],"SamSam - S0370":["misp-galaxy:mitre-malware=\"SamSam - S0370\""],"Samas":["misp-galaxy:mitre-malware=\"SamSam - S0370\""],"Seasalt - S0345":["misp-galaxy:mitre-malware=\"Seasalt - S0345\""],"Seasalt":["misp-galaxy:mitre-malware=\"Seasalt - S0345\""],"ShiftyBug - S0294":["misp-galaxy:mitre-malware=\"ShiftyBug - S0294\""],"ShiftyBug":["misp-galaxy:mitre-malware=\"ShiftyBug - S0294\"","misp-galaxy:mitre-mobile-attack-malware=\"Shedun - MOB-S0010\""],"Skygofree - S0327":["misp-galaxy:mitre-malware=\"Skygofree - S0327\""],"Socksbot - S0273":["misp-galaxy:mitre-malware=\"Socksbot - S0273\""],"Socksbot":["misp-galaxy:mitre-malware=\"Socksbot - S0273\""],"SpeakUp - S0374":["misp-galaxy:mitre-malware=\"SpeakUp - S0374\""],"SpyDealer - S0324":["misp-galaxy:mitre-malware=\"SpyDealer - S0324\""],"SpyDealer":["misp-galaxy:mitre-malware=\"SpyDealer - S0324\"","misp-galaxy:tool=\"SpyDealer\""],"SpyNote RAT - S0305":["misp-galaxy:mitre-malware=\"SpyNote RAT - S0305\""],"SpyNote RAT":["misp-galaxy:mitre-malware=\"SpyNote RAT - S0305\"","misp-galaxy:mitre-mobile-attack-malware=\"SpyNote RAT - MOB-S0021\""],"Stealth Mango - S0328":["misp-galaxy:mitre-malware=\"Stealth Mango - S0328\""],"SynAck - S0242":["misp-galaxy:mitre-malware=\"SynAck - S0242\""],"TYPEFRAME - S0263":["misp-galaxy:mitre-malware=\"TYPEFRAME - S0263\""],"TYPEFRAME":["misp-galaxy:mitre-malware=\"TYPEFRAME - S0263\"","misp-galaxy:tool=\"TYPEFRAME\""],"Tangelo - S0329":["misp-galaxy:mitre-malware=\"Tangelo - S0329\""],"Tangelo":["misp-galaxy:mitre-malware=\"Tangelo - S0329\""],"TrickBot - S0266":["misp-galaxy:mitre-malware=\"TrickBot - S0266\""],"Totbrick":["misp-galaxy:mitre-malware=\"TrickBot - S0266\""],"TSPY_TRICKLOAD":["misp-galaxy:mitre-malware=\"TrickBot - S0266\""],"Trojan-SMS.AndroidOS.Agent.ao - S0307":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.Agent.ao - S0307\""],"Trojan-SMS.AndroidOS.Agent.ao":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.Agent.ao - S0307\"","misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023\""],"Trojan-SMS.AndroidOS.FakeInst.a - S0306":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.FakeInst.a - S0306\""],"Trojan-SMS.AndroidOS.FakeInst.a":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.FakeInst.a - S0306\"","misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022\""],"Trojan-SMS.AndroidOS.OpFake.a - S0308":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.OpFake.a - S0308\""],"Trojan-SMS.AndroidOS.OpFake.a":["misp-galaxy:mitre-malware=\"Trojan-SMS.AndroidOS.OpFake.a - S0308\"","misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024\""],"Twitoor - S0302":["misp-galaxy:mitre-malware=\"Twitoor - S0302\""],"Twitoor":["misp-galaxy:mitre-malware=\"Twitoor - S0302\"","misp-galaxy:mitre-mobile-attack-malware=\"Twitoor - MOB-S0018\""],"UBoatRAT - S0333":["misp-galaxy:mitre-malware=\"UBoatRAT - S0333\""],"UBoatRAT":["misp-galaxy:mitre-malware=\"UBoatRAT - S0333\"","misp-galaxy:rat=\"UBoatRAT\""],"UPPERCUT - S0275":["misp-galaxy:mitre-malware=\"UPPERCUT - S0275\""],"UPPERCUT":["misp-galaxy:mitre-malware=\"UPPERCUT - S0275\"","misp-galaxy:tool=\"ANEL\""],"ANEL":["misp-galaxy:mitre-malware=\"UPPERCUT - S0275\"","misp-galaxy:tool=\"ANEL\""],"VERMIN - S0257":["misp-galaxy:mitre-malware=\"VERMIN - S0257\""],"VERMIN":["misp-galaxy:mitre-malware=\"VERMIN - S0257\""],"WannaCry - S0366":["misp-galaxy:mitre-malware=\"WannaCry - S0366\""],"WanaCry":["misp-galaxy:mitre-malware=\"WannaCry - S0366\""],"WanaCrypt":["misp-galaxy:mitre-malware=\"WannaCry - S0366\""],"WanaCrypt0r":["misp-galaxy:mitre-malware=\"WannaCry - S0366\"","misp-galaxy:ransomware=\"WannaCry\""],"WCry":["misp-galaxy:mitre-malware=\"WannaCry - S0366\""],"WireLurker - S0312":["misp-galaxy:mitre-malware=\"WireLurker - S0312\""],"WireLurker":["misp-galaxy:mitre-malware=\"WireLurker - S0312\"","misp-galaxy:mitre-mobile-attack-malware=\"WireLurker - MOB-S0028\""],"X-Agent for Android - S0314":["misp-galaxy:mitre-malware=\"X-Agent for Android - S0314\""],"X-Agent for Android":["misp-galaxy:mitre-malware=\"X-Agent for Android - S0314\""],"OSX.Sofacy":["misp-galaxy:mitre-malware=\"XAgentOSX - S0161\""],"XLoader - S0318":["misp-galaxy:mitre-malware=\"XLoader - S0318\""],"Trojan.Shunnael":["misp-galaxy:mitre-malware=\"XTunnel - S0117\""],"Xbash - S0341":["misp-galaxy:mitre-malware=\"Xbash - S0341\""],"XcodeGhost - S0297":["misp-galaxy:mitre-malware=\"XcodeGhost - S0297\""],"XcodeGhost":["misp-galaxy:mitre-malware=\"XcodeGhost - S0297\"","misp-galaxy:mitre-mobile-attack-malware=\"XcodeGhost - MOB-S0013\""],"YiSpecter - S0311":["misp-galaxy:mitre-malware=\"YiSpecter - S0311\""],"YiSpecter":["misp-galaxy:mitre-malware=\"YiSpecter - S0311\"","misp-galaxy:mitre-mobile-attack-malware=\"YiSpecter - MOB-S0027\""],"Zebrocy - S0251":["misp-galaxy:mitre-malware=\"Zebrocy - S0251\""],"ZergHelper - S0287":["misp-galaxy:mitre-malware=\"ZergHelper - S0287\""],"ZergHelper":["misp-galaxy:mitre-malware=\"ZergHelper - S0287\"","misp-galaxy:mitre-mobile-attack-malware=\"ZergHelper - MOB-S0003\""],"Zeus Panda - S0330":["misp-galaxy:mitre-malware=\"Zeus Panda - S0330\""],"gh0st RAT - S0032":["misp-galaxy:mitre-malware=\"gh0st RAT - S0032\""],"gh0st RAT":["misp-galaxy:mitre-malware=\"gh0st RAT - S0032\""],"iKitten - S0278":["misp-galaxy:mitre-malware=\"iKitten - S0278\""],"iKitten":["misp-galaxy:mitre-malware=\"iKitten - S0278\"","misp-galaxy:tool=\"MacDownloader\""],"OSX\/MacDownloader":["misp-galaxy:mitre-malware=\"iKitten - S0278\""],"jRAT - S0283":["misp-galaxy:mitre-malware=\"jRAT - S0283\""],"jFrutas":["misp-galaxy:mitre-malware=\"jRAT - S0283\""],"jBiFrost":["misp-galaxy:mitre-malware=\"jRAT - S0283\""],"Trojan.Maljava":["misp-galaxy:mitre-malware=\"jRAT - S0283\""],"yty - S0248":["misp-galaxy:mitre-malware=\"yty - S0248\""],"zwShell - S0350":["misp-galaxy:mitre-malware=\"zwShell - S0350\""],"zwShell":["misp-galaxy:mitre-malware=\"zwShell - S0350\""],"Abuse Accessibility Features - MOB-T1056":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Abuse Accessibility Features - MOB-T1056\""],"Abuse Device Administrator Access to Prevent Removal - MOB-T1004":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Abuse Device Administrator Access to Prevent Removal - MOB-T1004\""],"Abuse of iOS Enterprise App Signing Key - MOB-T1048":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Abuse of iOS Enterprise App Signing Key - MOB-T1048\""],"Access Calendar Entries - MOB-T1038":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Access Calendar Entries - MOB-T1038\""],"Access Call Log - MOB-T1036":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Access Call Log - MOB-T1036\""],"Access Contact List - MOB-T1035":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Access Contact List - MOB-T1035\""],"Access Sensitive Data in Device Logs - MOB-T1016":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Access Sensitive Data in Device Logs - MOB-T1016\""],"Access Sensitive Data or Credentials in Files - MOB-T1012":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Access Sensitive Data or Credentials in Files - MOB-T1012\""],"Alternate Network Mediums - MOB-T1041":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Alternate Network Mediums - MOB-T1041\""],"Android Intent Hijacking - MOB-T1019":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Android Intent Hijacking - MOB-T1019\""],"App Auto-Start at Device Boot - MOB-T1005":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"App Auto-Start at Device Boot - MOB-T1005\""],"App Delivered via Email Attachment - MOB-T1037":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"App Delivered via Email Attachment - MOB-T1037\""],"App Delivered via Web Download - MOB-T1034":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"App Delivered via Web Download - MOB-T1034\""],"Application Discovery - MOB-T1021":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Application Discovery - MOB-T1021\""],"Attack PC via USB Connection - MOB-T1030":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Attack PC via USB Connection - MOB-T1030\""],"Biometric Spoofing - MOB-T1063":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Biometric Spoofing - MOB-T1063\""],"Capture Clipboard Data - MOB-T1017":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Capture Clipboard Data - MOB-T1017\""],"Capture SMS Messages - MOB-T1015":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Capture SMS Messages - MOB-T1015\""],"Commonly Used Port - MOB-T1039":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Commonly Used Port - MOB-T1039\""],"Detect App Analysis Environment - MOB-T1043":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Detect App Analysis Environment - MOB-T1043\""],"Device Type Discovery - MOB-T1022":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Device Type Discovery - MOB-T1022\""],"Device Unlock Code Guessing or Brute Force - MOB-T1062":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Device Unlock Code Guessing or Brute Force - MOB-T1062\""],"Disguise Root\/Jailbreak Indicators - MOB-T1011":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Disguise Root\/Jailbreak Indicators - MOB-T1011\""],"Downgrade to Insecure Protocols - MOB-T1069":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Downgrade to Insecure Protocols - MOB-T1069\""],"Download New Code at Runtime - MOB-T1010":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Download New Code at Runtime - MOB-T1010\""],"Eavesdrop on Insecure Network Communication - MOB-T1042":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Eavesdrop on Insecure Network Communication - MOB-T1042\""],"Encrypt Files for Ransom - MOB-T1074":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Encrypt Files for Ransom - MOB-T1074\""],"Exploit Baseband Vulnerability - MOB-T1058":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit Baseband Vulnerability - MOB-T1058\""],"Exploit Enterprise Resources - MOB-T1031":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit Enterprise Resources - MOB-T1031\""],"Exploit OS Vulnerability - MOB-T1007":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit OS Vulnerability - MOB-T1007\""],"Exploit SS7 to Redirect Phone Calls\/SMS - MOB-T1052":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit SS7 to Redirect Phone Calls\/SMS - MOB-T1052\""],"Exploit SS7 to Track Device Location - MOB-T1053":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit SS7 to Track Device Location - MOB-T1053\""],"Exploit TEE Vulnerability - MOB-T1008":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit TEE Vulnerability - MOB-T1008\""],"Exploit via Charging Station or PC - MOB-T1061":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Exploit via Charging Station or PC - MOB-T1061\""],"Fake Developer Accounts - MOB-T1045":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Fake Developer Accounts - MOB-T1045\""],"File and Directory Discovery - MOB-T1023":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"File and Directory Discovery - MOB-T1023\""],"Generate Fraudulent Advertising Revenue - MOB-T1075":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Generate Fraudulent Advertising Revenue - MOB-T1075\""],"Insecure Third-Party Libraries - MOB-T1028":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Insecure Third-Party Libraries - MOB-T1028\""],"Jamming or Denial of Service - MOB-T1067":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Jamming or Denial of Service - MOB-T1067\""],"Local Network Configuration Discovery - MOB-T1025":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Local Network Configuration Discovery - MOB-T1025\""],"Local Network Connections Discovery - MOB-T1024":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Local Network Connections Discovery - MOB-T1024\""],"Location Tracking - MOB-T1033":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Location Tracking - MOB-T1033\""],"Lock User Out of Device - MOB-T1049":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Lock User Out of Device - MOB-T1049\""],"Lockscreen Bypass - MOB-T1064":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Lockscreen Bypass - MOB-T1064\""],"Malicious Media Content - MOB-T1060":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious Media Content - MOB-T1060\""],"Malicious SMS Message - MOB-T1057":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious SMS Message - MOB-T1057\""],"Malicious Software Development Tools - MOB-T1065":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious Software Development Tools - MOB-T1065\""],"Malicious Third Party Keyboard App - MOB-T1020":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious Third Party Keyboard App - MOB-T1020\""],"Malicious Web Content - MOB-T1059":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious Web Content - MOB-T1059\""],"Malicious or Vulnerable Built-in Device Functionality - MOB-T1076":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Malicious or Vulnerable Built-in Device Functionality - MOB-T1076\""],"Manipulate App Store Rankings or Ratings - MOB-T1055":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Manipulate App Store Rankings or Ratings - MOB-T1055\""],"Manipulate Device Communication - MOB-T1066":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Manipulate Device Communication - MOB-T1066\""],"Microphone or Camera Recordings - MOB-T1032":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Microphone or Camera Recordings - MOB-T1032\""],"Modify OS Kernel or Boot Partition - MOB-T1001":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Modify OS Kernel or Boot Partition - MOB-T1001\""],"Modify System Partition - MOB-T1003":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Modify System Partition - MOB-T1003\""],"Modify Trusted Execution Environment - MOB-T1002":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Modify Trusted Execution Environment - MOB-T1002\""],"Modify cached executable code - MOB-T1006":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Modify cached executable code - MOB-T1006\""],"Network Service Scanning - MOB-T1026":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Network Service Scanning - MOB-T1026\""],"Network Traffic Capture or Redirection - MOB-T1013":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Network Traffic Capture or Redirection - MOB-T1013\""],"Obfuscated or Encrypted Payload - MOB-T1009":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Obfuscated or Encrypted Payload - MOB-T1009\""],"Obtain Device Cloud Backups - MOB-T1073":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Obtain Device Cloud Backups - MOB-T1073\""],"Premium SMS Toll Fraud - MOB-T1051":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Premium SMS Toll Fraud - MOB-T1051\""],"Process Discovery - MOB-T1027":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Process Discovery - MOB-T1027\""],"Remotely Install Application - MOB-T1046":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Remotely Install Application - MOB-T1046\""],"Remotely Track Device Without Authorization - MOB-T1071":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Remotely Track Device Without Authorization - MOB-T1071\""],"Remotely Wipe Data Without Authorization - MOB-T1072":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Remotely Wipe Data Without Authorization - MOB-T1072\""],"Repackaged Application - MOB-T1047":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Repackaged Application - MOB-T1047\""],"Rogue Cellular Base Station - MOB-T1070":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Rogue Cellular Base Station - MOB-T1070\""],"Rogue Wi-Fi Access Points - MOB-T1068":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Rogue Wi-Fi Access Points - MOB-T1068\""],"SIM Card Swap - MOB-T1054":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"SIM Card Swap - MOB-T1054\""],"Standard Application Layer Protocol - MOB-T1040":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Standard Application Layer Protocol - MOB-T1040\""],"Stolen Developer Credentials or Signing Keys - MOB-T1044":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Stolen Developer Credentials or Signing Keys - MOB-T1044\""],"System Information Discovery - MOB-T1029":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"System Information Discovery - MOB-T1029\""],"URL Scheme Hijacking - MOB-T1018":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"URL Scheme Hijacking - MOB-T1018\""],"User Interface Spoofing - MOB-T1014":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"User Interface Spoofing - MOB-T1014\""],"Wipe Device Data - MOB-T1050":["misp-galaxy:mitre-mobile-attack-attack-pattern=\"Wipe Device Data - MOB-T1050\""],"Application Developer Guidance - MOB-M1013":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Application Developer Guidance - MOB-M1013\""],"Application Vetting - MOB-M1005":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Application Vetting - MOB-M1005\""],"Attestation - MOB-M1002":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Attestation - MOB-M1002\""],"Caution with Device Administrator Access - MOB-M1007":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Caution with Device Administrator Access - MOB-M1007\""],"Deploy Compromised Device Detection Method - MOB-M1010":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Deploy Compromised Device Detection Method - MOB-M1010\""],"Encrypt Network Traffic - MOB-M1009":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Encrypt Network Traffic - MOB-M1009\""],"Enterprise Policy - MOB-M1012":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Enterprise Policy - MOB-M1012\""],"Interconnection Filtering - MOB-M1014":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Interconnection Filtering - MOB-M1014\""],"Lock Bootloader - MOB-M1003":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Lock Bootloader - MOB-M1003\""],"Security Updates - MOB-M1001":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Security Updates - MOB-M1001\""],"System Partition Integrity - MOB-M1004":["misp-galaxy:mitre-mobile-attack-course-of-action=\"System Partition Integrity - MOB-M1004\""],"Use Device-Provided Credential Storage - MOB-M1008":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Use Device-Provided Credential Storage - MOB-M1008\""],"Use Recent OS Version - MOB-M1006":["misp-galaxy:mitre-mobile-attack-course-of-action=\"Use Recent OS Version - MOB-M1006\""],"User Guidance - MOB-M1011":["misp-galaxy:mitre-mobile-attack-course-of-action=\"User Guidance - MOB-M1011\""],"ANDROIDOS_ANSERVER.A - MOB-S0026":["misp-galaxy:mitre-mobile-attack-malware=\"ANDROIDOS_ANSERVER.A - MOB-S0026\""],"Adups - MOB-S0025":["misp-galaxy:mitre-mobile-attack-malware=\"Adups - MOB-S0025\""],"AndroRAT - MOB-S0008":["misp-galaxy:mitre-mobile-attack-malware=\"AndroRAT - MOB-S0008\""],"Android\/Chuli.A - MOB-S0020":["misp-galaxy:mitre-mobile-attack-malware=\"Android\/Chuli.A - MOB-S0020\""],"AndroidOverlayMalware - MOB-S0012":["misp-galaxy:mitre-mobile-attack-malware=\"AndroidOverlayMalware - MOB-S0012\""],"AndroidOverlayMalware":["misp-galaxy:mitre-mobile-attack-malware=\"AndroidOverlayMalware - MOB-S0012\""],"BrainTest - MOB-S0009":["misp-galaxy:mitre-mobile-attack-malware=\"BrainTest - MOB-S0009\""],"Charger - MOB-S0039":["misp-galaxy:mitre-mobile-attack-malware=\"Charger - MOB-S0039\""],"Dendroid - MOB-S0017":["misp-galaxy:mitre-mobile-attack-malware=\"Dendroid - MOB-S0017\""],"DressCode - MOB-S0016":["misp-galaxy:mitre-mobile-attack-malware=\"DressCode - MOB-S0016\""],"DroidJack RAT - MOB-S0036":["misp-galaxy:mitre-mobile-attack-malware=\"DroidJack RAT - MOB-S0036\""],"DroidJack RAT":["misp-galaxy:mitre-mobile-attack-malware=\"DroidJack RAT - MOB-S0036\""],"DualToy - MOB-S0031":["misp-galaxy:mitre-mobile-attack-malware=\"DualToy - MOB-S0031\""],"Gooligan - MOB-S0006":["misp-galaxy:mitre-mobile-attack-malware=\"Gooligan - MOB-S0006\""],"HummingBad - MOB-S0038":["misp-galaxy:mitre-mobile-attack-malware=\"HummingBad - MOB-S0038\""],"HummingWhale - MOB-S0037":["misp-galaxy:mitre-mobile-attack-malware=\"HummingWhale - MOB-S0037\""],"KeyRaider - MOB-S0004":["misp-galaxy:mitre-mobile-attack-malware=\"KeyRaider - MOB-S0004\""],"MazarBOT - MOB-S0019":["misp-galaxy:mitre-mobile-attack-malware=\"MazarBOT - MOB-S0019\""],"NotCompatible - MOB-S0015":["misp-galaxy:mitre-mobile-attack-malware=\"NotCompatible - MOB-S0015\""],"OBAD - MOB-S0002":["misp-galaxy:mitre-mobile-attack-malware=\"OBAD - MOB-S0002\""],"OldBoot - MOB-S0001":["misp-galaxy:mitre-mobile-attack-malware=\"OldBoot - MOB-S0001\""],"PJApps - MOB-S0007":["misp-galaxy:mitre-mobile-attack-malware=\"PJApps - MOB-S0007\""],"Pegasus - MOB-S0005":["misp-galaxy:mitre-mobile-attack-malware=\"Pegasus - MOB-S0005\""],"Pegasus for Android - MOB-S0032":["misp-galaxy:mitre-mobile-attack-malware=\"Pegasus for Android - MOB-S0032\""],"RCSAndroid - MOB-S0011":["misp-galaxy:mitre-mobile-attack-malware=\"RCSAndroid - MOB-S0011\""],"RuMMS - MOB-S0029":["misp-galaxy:mitre-mobile-attack-malware=\"RuMMS - MOB-S0029\""],"Shedun - MOB-S0010":["misp-galaxy:mitre-mobile-attack-malware=\"Shedun - MOB-S0010\""],"Shedun":["misp-galaxy:mitre-mobile-attack-malware=\"Shedun - MOB-S0010\""],"Shuanet":["misp-galaxy:mitre-mobile-attack-malware=\"Shedun - MOB-S0010\""],"SpyNote RAT - MOB-S0021":["misp-galaxy:mitre-mobile-attack-malware=\"SpyNote RAT - MOB-S0021\""],"Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023":["misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023\""],"Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022":["misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022\""],"Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024":["misp-galaxy:mitre-mobile-attack-malware=\"Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024\""],"Twitoor - MOB-S0018":["misp-galaxy:mitre-mobile-attack-malware=\"Twitoor - MOB-S0018\""],"WireLurker - MOB-S0028":["misp-galaxy:mitre-mobile-attack-malware=\"WireLurker - MOB-S0028\""],"X-Agent - MOB-S0030":["misp-galaxy:mitre-mobile-attack-malware=\"X-Agent - MOB-S0030\""],"XcodeGhost - MOB-S0013":["misp-galaxy:mitre-mobile-attack-malware=\"XcodeGhost - MOB-S0013\""],"YiSpecter - MOB-S0027":["misp-galaxy:mitre-mobile-attack-malware=\"YiSpecter - MOB-S0027\""],"ZergHelper - MOB-S0003":["misp-galaxy:mitre-mobile-attack-malware=\"ZergHelper - MOB-S0003\""],"Xbot - MOB-S0014":["misp-galaxy:mitre-mobile-attack-tool=\"Xbot - MOB-S0014\""],"Acquire OSINT data sets and information - PRE-T1024":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire OSINT data sets and information - PRE-T1024\""],"Acquire OSINT data sets and information - PRE-T1043":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire OSINT data sets and information - PRE-T1043\""],"Acquire OSINT data sets and information - PRE-T1054":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire OSINT data sets and information - PRE-T1054\""],"Acquire and\/or use 3rd party infrastructure services - PRE-T1084":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire and\/or use 3rd party infrastructure services - PRE-T1084\""],"Acquire and\/or use 3rd party infrastructure services - PRE-T1106":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire and\/or use 3rd party infrastructure services - PRE-T1106\""],"Acquire and\/or use 3rd party software services - PRE-T1085":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire and\/or use 3rd party software services - PRE-T1085\""],"Acquire and\/or use 3rd party software services - PRE-T1107":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire and\/or use 3rd party software services - PRE-T1107\""],"Acquire or compromise 3rd party signing certificates - PRE-T1087":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire or compromise 3rd party signing certificates - PRE-T1087\""],"Acquire or compromise 3rd party signing certificates - PRE-T1109":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Acquire or compromise 3rd party signing certificates - PRE-T1109\""],"Aggregate individual's digital footprint - PRE-T1052":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Aggregate individual's digital footprint - PRE-T1052\""],"Analyze application security posture - PRE-T1070":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze application security posture - PRE-T1070\""],"Analyze architecture and configuration posture - PRE-T1065":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze architecture and configuration posture - PRE-T1065\""],"Analyze business processes - PRE-T1078":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze business processes - PRE-T1078\""],"Analyze data collected - PRE-T1064":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze data collected - PRE-T1064\""],"Analyze hardware\/software security defensive capabilities - PRE-T1071":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze hardware\/software security defensive capabilities - PRE-T1071\""],"Analyze organizational skillsets and deficiencies - PRE-T1066":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze organizational skillsets and deficiencies - PRE-T1066\""],"Analyze organizational skillsets and deficiencies - PRE-T1074":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze organizational skillsets and deficiencies - PRE-T1074\""],"Analyze organizational skillsets and deficiencies - PRE-T1077":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze organizational skillsets and deficiencies - PRE-T1077\""],"Analyze presence of outsourced capabilities - PRE-T1080":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze presence of outsourced capabilities - PRE-T1080\""],"Analyze social and business relationships, interests, and affiliations - PRE-T1072":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Analyze social and business relationships, interests, and affiliations - PRE-T1072\""],"Anonymity services - PRE-T1083":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Anonymity services - PRE-T1083\""],"Assess KITs\/KIQs benefits - PRE-T1006":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess KITs\/KIQs benefits - PRE-T1006\""],"Assess current holdings, needs, and wants - PRE-T1013":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess current holdings, needs, and wants - PRE-T1013\""],"Assess leadership areas of interest - PRE-T1001":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess leadership areas of interest - PRE-T1001\""],"Assess opportunities created by business deals - PRE-T1076":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess opportunities created by business deals - PRE-T1076\""],"Assess security posture of physical locations - PRE-T1079":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess security posture of physical locations - PRE-T1079\""],"Assess targeting options - PRE-T1073":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess targeting options - PRE-T1073\""],"Assess vulnerability of 3rd party vendors - PRE-T1075":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assess vulnerability of 3rd party vendors - PRE-T1075\""],"Assign KITs, KIQs, and\/or intelligence requirements - PRE-T1015":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assign KITs, KIQs, and\/or intelligence requirements - PRE-T1015\""],"Assign KITs\/KIQs into categories - PRE-T1005":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Assign KITs\/KIQs into categories - PRE-T1005\""],"Authentication attempt - PRE-T1158":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Authentication attempt - PRE-T1158\""],"Authorized user performs requested cyber action - PRE-T1163":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Authorized user performs requested cyber action - PRE-T1163\""],"Automated system performs requested action - PRE-T1161":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Automated system performs requested action - PRE-T1161\""],"Build and configure delivery systems - PRE-T1124":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Build and configure delivery systems - PRE-T1124\""],"Build or acquire exploits - PRE-T1126":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Build or acquire exploits - PRE-T1126\""],"Build social network persona - PRE-T1118":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Build social network persona - PRE-T1118\""],"Buy domain name - PRE-T1105":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Buy domain name - PRE-T1105\""],"C2 protocol development - PRE-T1129":["misp-galaxy:mitre-pre-attack-attack-pattern=\"C2 protocol development - PRE-T1129\""],"Choose pre-compromised mobile app developer account credentials or signing keys - PRE-T1168":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Choose pre-compromised mobile app developer account credentials or signing keys - PRE-T1168\""],"Choose pre-compromised persona and affiliated accounts - PRE-T1120":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Choose pre-compromised persona and affiliated accounts - PRE-T1120\""],"Common, high volume protocols and software - PRE-T1098":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Common, high volume protocols and software - PRE-T1098\""],"Compromise 3rd party infrastructure to support delivery - PRE-T1089":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Compromise 3rd party infrastructure to support delivery - PRE-T1089\""],"Compromise 3rd party infrastructure to support delivery - PRE-T1111":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Compromise 3rd party infrastructure to support delivery - PRE-T1111\""],"Compromise 3rd party or closed-source vulnerability\/exploit information - PRE-T1131":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Compromise 3rd party or closed-source vulnerability\/exploit information - PRE-T1131\""],"Compromise of externally facing system - PRE-T1165":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Compromise of externally facing system - PRE-T1165\""],"Conduct active scanning - PRE-T1031":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct active scanning - PRE-T1031\""],"Conduct cost\/benefit analysis - PRE-T1003":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct cost\/benefit analysis - PRE-T1003\""],"Conduct passive scanning - PRE-T1030":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct passive scanning - PRE-T1030\""],"Conduct social engineering - PRE-T1026":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct social engineering - PRE-T1026\""],"Conduct social engineering - PRE-T1045":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct social engineering - PRE-T1045\""],"Conduct social engineering - PRE-T1056":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct social engineering - PRE-T1056\""],"Conduct social engineering or HUMINT operation - PRE-T1153":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Conduct social engineering or HUMINT operation - PRE-T1153\""],"Confirmation of launched compromise achieved - PRE-T1160":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Confirmation of launched compromise achieved - PRE-T1160\""],"Create backup infrastructure - PRE-T1116":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Create backup infrastructure - PRE-T1116\""],"Create custom payloads - PRE-T1122":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Create custom payloads - PRE-T1122\""],"Create implementation plan - PRE-T1009":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Create implementation plan - PRE-T1009\""],"Create infected removable media - PRE-T1132":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Create infected removable media - PRE-T1132\""],"Create strategic plan - PRE-T1008":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Create strategic plan - PRE-T1008\""],"Credential pharming - PRE-T1151":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Credential pharming - PRE-T1151\""],"DNS poisoning - PRE-T1159":["misp-galaxy:mitre-pre-attack-attack-pattern=\"DNS poisoning - PRE-T1159\""],"DNSCalc - PRE-T1101":["misp-galaxy:mitre-pre-attack-attack-pattern=\"DNSCalc - PRE-T1101\""],"Data Hiding - PRE-T1097":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Data Hiding - PRE-T1097\""],"Deploy exploit using advertising - PRE-T1157":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Deploy exploit using advertising - PRE-T1157\""],"Derive intelligence requirements - PRE-T1007":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Derive intelligence requirements - PRE-T1007\""],"Determine 3rd party infrastructure services - PRE-T1037":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine 3rd party infrastructure services - PRE-T1037\""],"Determine 3rd party infrastructure services - PRE-T1061":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine 3rd party infrastructure services - PRE-T1061\""],"Determine approach\/attack vector - PRE-T1022":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine approach\/attack vector - PRE-T1022\""],"Determine centralization of IT management - PRE-T1062":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine centralization of IT management - PRE-T1062\""],"Determine domain and IP address space - PRE-T1027":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine domain and IP address space - PRE-T1027\""],"Determine external network trust dependencies - PRE-T1036":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine external network trust dependencies - PRE-T1036\""],"Determine firmware version - PRE-T1035":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine firmware version - PRE-T1035\""],"Determine highest level tactical element - PRE-T1020":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine highest level tactical element - PRE-T1020\""],"Determine operational element - PRE-T1019":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine operational element - PRE-T1019\""],"Determine physical locations - PRE-T1059":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine physical locations - PRE-T1059\""],"Determine secondary level tactical element - PRE-T1021":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine secondary level tactical element - PRE-T1021\""],"Determine strategic target - PRE-T1018":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Determine strategic target - PRE-T1018\""],"Develop KITs\/KIQs - PRE-T1004":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Develop KITs\/KIQs - PRE-T1004\""],"Develop social network persona digital footprint - PRE-T1119":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Develop social network persona digital footprint - PRE-T1119\""],"Discover new exploits and monitor exploit-provider forums - PRE-T1127":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Discover new exploits and monitor exploit-provider forums - PRE-T1127\""],"Discover target logon\/email address format - PRE-T1032":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Discover target logon\/email address format - PRE-T1032\""],"Disseminate removable media - PRE-T1156":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Disseminate removable media - PRE-T1156\""],"Distribute malicious software development tools - PRE-T1171":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Distribute malicious software development tools - PRE-T1171\""],"Domain Generation Algorithms (DGA) - PRE-T1100":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Domain Generation Algorithms (DGA) - PRE-T1100\""],"Domain registration hijacking - PRE-T1103":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Domain registration hijacking - PRE-T1103\""],"Dumpster dive - PRE-T1063":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Dumpster dive - PRE-T1063\""],"Dynamic DNS - PRE-T1088":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Dynamic DNS - PRE-T1088\""],"Dynamic DNS - PRE-T1110":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Dynamic DNS - PRE-T1110\""],"Enumerate client configurations - PRE-T1039":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Enumerate client configurations - PRE-T1039\""],"Enumerate externally facing software applications technologies, languages, and dependencies - PRE-T1038":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Enumerate externally facing software applications technologies, languages, and dependencies - PRE-T1038\""],"Exploit public-facing application - PRE-T1154":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Exploit public-facing application - PRE-T1154\""],"Fast Flux DNS - PRE-T1102":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Fast Flux DNS - PRE-T1102\""],"Friend\/Follow\/Connect to targets of interest - PRE-T1121":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Friend\/Follow\/Connect to targets of interest - PRE-T1121\""],"Friend\/Follow\/Connect to targets of interest - PRE-T1141":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Friend\/Follow\/Connect to targets of interest - PRE-T1141\""],"Generate analyst intelligence requirements - PRE-T1011":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Generate analyst intelligence requirements - PRE-T1011\""],"Hardware or software supply chain implant - PRE-T1142":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Hardware or software supply chain implant - PRE-T1142\""],"Host-based hiding techniques - PRE-T1091":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Host-based hiding techniques - PRE-T1091\""],"Human performs requested action of physical nature - PRE-T1162":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Human performs requested action of physical nature - PRE-T1162\""],"Identify analyst level gaps - PRE-T1010":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify analyst level gaps - PRE-T1010\""],"Identify business processes\/tempo - PRE-T1057":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify business processes\/tempo - PRE-T1057\""],"Identify business relationships - PRE-T1049":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify business relationships - PRE-T1049\""],"Identify business relationships - PRE-T1060":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify business relationships - PRE-T1060\""],"Identify gap areas - PRE-T1002":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify gap areas - PRE-T1002\""],"Identify groups\/roles - PRE-T1047":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify groups\/roles - PRE-T1047\""],"Identify job postings and needs\/gaps - PRE-T1025":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify job postings and needs\/gaps - PRE-T1025\""],"Identify job postings and needs\/gaps - PRE-T1044":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify job postings and needs\/gaps - PRE-T1044\""],"Identify job postings and needs\/gaps - PRE-T1055":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify job postings and needs\/gaps - PRE-T1055\""],"Identify people of interest - PRE-T1046":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify people of interest - PRE-T1046\""],"Identify personnel with an authority\/privilege - PRE-T1048":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify personnel with an authority\/privilege - PRE-T1048\""],"Identify resources required to build capabilities - PRE-T1125":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify resources required to build capabilities - PRE-T1125\""],"Identify security defensive capabilities - PRE-T1040":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify security defensive capabilities - PRE-T1040\""],"Identify sensitive personnel information - PRE-T1051":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify sensitive personnel information - PRE-T1051\""],"Identify supply chains - PRE-T1023":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify supply chains - PRE-T1023\""],"Identify supply chains - PRE-T1042":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify supply chains - PRE-T1042\""],"Identify supply chains - PRE-T1053":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify supply chains - PRE-T1053\""],"Identify technology usage patterns - PRE-T1041":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify technology usage patterns - PRE-T1041\""],"Identify vulnerabilities in third-party software libraries - PRE-T1166":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify vulnerabilities in third-party software libraries - PRE-T1166\""],"Identify web defensive services - PRE-T1033":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Identify web defensive services - PRE-T1033\""],"Install and configure hardware, network, and systems - PRE-T1113":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Install and configure hardware, network, and systems - PRE-T1113\""],"Leverage compromised 3rd party resources - PRE-T1152":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Leverage compromised 3rd party resources - PRE-T1152\""],"Map network topology - PRE-T1029":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Map network topology - PRE-T1029\""],"Mine social media - PRE-T1050":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Mine social media - PRE-T1050\""],"Mine technical blogs\/forums - PRE-T1034":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Mine technical blogs\/forums - PRE-T1034\""],"Misattributable credentials - PRE-T1099":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Misattributable credentials - PRE-T1099\""],"Network-based hiding techniques - PRE-T1092":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Network-based hiding techniques - PRE-T1092\""],"Non-traditional or less attributable payment options - PRE-T1093":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Non-traditional or less attributable payment options - PRE-T1093\""],"OS-vendor provided communication channels - PRE-T1167":["misp-galaxy:mitre-pre-attack-attack-pattern=\"OS-vendor provided communication channels - PRE-T1167\""],"Obfuscate infrastructure - PRE-T1086":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obfuscate infrastructure - PRE-T1086\""],"Obfuscate infrastructure - PRE-T1108":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obfuscate infrastructure - PRE-T1108\""],"Obfuscate operational infrastructure - PRE-T1095":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obfuscate operational infrastructure - PRE-T1095\""],"Obfuscate or encrypt code - PRE-T1096":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obfuscate or encrypt code - PRE-T1096\""],"Obfuscation or cryptography - PRE-T1090":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obfuscation or cryptography - PRE-T1090\""],"Obtain Apple iOS enterprise distribution key pair and certificate - PRE-T1169":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obtain Apple iOS enterprise distribution key pair and certificate - PRE-T1169\""],"Obtain booter\/stressor subscription - PRE-T1173":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obtain booter\/stressor subscription - PRE-T1173\""],"Obtain domain\/IP registration information - PRE-T1028":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obtain domain\/IP registration information - PRE-T1028\""],"Obtain templates\/branding materials - PRE-T1058":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obtain templates\/branding materials - PRE-T1058\""],"Obtain\/re-use payloads - PRE-T1123":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Obtain\/re-use payloads - PRE-T1123\""],"Port redirector - PRE-T1140":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Port redirector - PRE-T1140\""],"Post compromise tool development - PRE-T1130":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Post compromise tool development - PRE-T1130\""],"Private whois services - PRE-T1082":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Private whois services - PRE-T1082\""],"Procure required equipment and software - PRE-T1112":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Procure required equipment and software - PRE-T1112\""],"Proxy\/protocol relays - PRE-T1081":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Proxy\/protocol relays - PRE-T1081\""],"Push-notification client-side exploit - PRE-T1150":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Push-notification client-side exploit - PRE-T1150\""],"Receive KITs\/KIQs and determine requirements - PRE-T1016":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Receive KITs\/KIQs and determine requirements - PRE-T1016\""],"Receive operator KITs\/KIQs tasking - PRE-T1012":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Receive operator KITs\/KIQs tasking - PRE-T1012\""],"Remote access tool development - PRE-T1128":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Remote access tool development - PRE-T1128\""],"Replace legitimate binary with malware - PRE-T1155":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Replace legitimate binary with malware - PRE-T1155\""],"Research relevant vulnerabilities\/CVEs - PRE-T1068":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Research relevant vulnerabilities\/CVEs - PRE-T1068\""],"Research visibility gap of security vendors - PRE-T1067":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Research visibility gap of security vendors - PRE-T1067\""],"Review logs and residual traces - PRE-T1135":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Review logs and residual traces - PRE-T1135\""],"Runtime code download and execution - PRE-T1172":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Runtime code download and execution - PRE-T1172\""],"SSL certificate acquisition for domain - PRE-T1114":["misp-galaxy:mitre-pre-attack-attack-pattern=\"SSL certificate acquisition for domain - PRE-T1114\""],"SSL certificate acquisition for trust breaking - PRE-T1115":["misp-galaxy:mitre-pre-attack-attack-pattern=\"SSL certificate acquisition for trust breaking - PRE-T1115\""],"Secure and protect infrastructure - PRE-T1094":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Secure and protect infrastructure - PRE-T1094\""],"Shadow DNS - PRE-T1117":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Shadow DNS - PRE-T1117\""],"Spear phishing messages with malicious attachments - PRE-T1144":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Spear phishing messages with malicious attachments - PRE-T1144\""],"Spear phishing messages with malicious links - PRE-T1146":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Spear phishing messages with malicious links - PRE-T1146\""],"Spear phishing messages with text only - PRE-T1145":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Spear phishing messages with text only - PRE-T1145\""],"Spearphishing for Information - PRE-T1174":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Spearphishing for Information - PRE-T1174\""],"Submit KITs, KIQs, and intelligence requirements - PRE-T1014":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Submit KITs, KIQs, and intelligence requirements - PRE-T1014\""],"Targeted client-side exploitation - PRE-T1148":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Targeted client-side exploitation - PRE-T1148\""],"Targeted social media phishing - PRE-T1143":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Targeted social media phishing - PRE-T1143\""],"Task requirements - PRE-T1017":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Task requirements - PRE-T1017\""],"Test ability to evade automated mobile application security analysis performed by app stores - PRE-T1170":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test ability to evade automated mobile application security analysis performed by app stores - PRE-T1170\""],"Test callback functionality - PRE-T1133":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test callback functionality - PRE-T1133\""],"Test malware in various execution environments - PRE-T1134":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test malware in various execution environments - PRE-T1134\""],"Test malware to evade detection - PRE-T1136":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test malware to evade detection - PRE-T1136\""],"Test physical access - PRE-T1137":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test physical access - PRE-T1137\""],"Test signature detection - PRE-T1069":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test signature detection - PRE-T1069\""],"Test signature detection for file upload\/email filters - PRE-T1138":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Test signature detection for file upload\/email filters - PRE-T1138\""],"Unauthorized user introduces compromise delivery mechanism - PRE-T1164":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Unauthorized user introduces compromise delivery mechanism - PRE-T1164\""],"Unconditional client-side exploitation\/Injected Website\/Driveby - PRE-T1149":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Unconditional client-side exploitation\/Injected Website\/Driveby - PRE-T1149\""],"Untargeted client-side exploitation - PRE-T1147":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Untargeted client-side exploitation - PRE-T1147\""],"Upload, install, and configure software\/tools - PRE-T1139":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Upload, install, and configure software\/tools - PRE-T1139\""],"Use multiple DNS infrastructures - PRE-T1104":["misp-galaxy:mitre-pre-attack-attack-pattern=\"Use multiple DNS infrastructures - PRE-T1104\""],"Empire - S0363":["misp-galaxy:mitre-tool=\"Empire - S0363\""],"EmPyre":["misp-galaxy:mitre-tool=\"Empire - S0363\""],"PowerShell Empire":["misp-galaxy:mitre-tool=\"Empire - S0363\""],"Expand - S0361":["misp-galaxy:mitre-tool=\"Expand - S0361\""],"Expand":["misp-galaxy:mitre-tool=\"Expand - S0361\""],"Impacket - S0357":["misp-galaxy:mitre-tool=\"Impacket - S0357\""],"Impacket":["misp-galaxy:mitre-tool=\"Impacket - S0357\""],"Koadic - S0250":["misp-galaxy:mitre-tool=\"Koadic - S0250\""],"LaZagne - S0349":["misp-galaxy:mitre-tool=\"LaZagne - S0349\""],"LaZagne":["misp-galaxy:mitre-tool=\"LaZagne - S0349\""],"Nltest - S0359":["misp-galaxy:mitre-tool=\"Nltest - S0359\""],"Nltest":["misp-galaxy:mitre-tool=\"Nltest - S0359\""],"PoshC2 - S0378":["misp-galaxy:mitre-tool=\"PoshC2 - S0378\""],"QuasarRAT - S0262":["misp-galaxy:mitre-tool=\"QuasarRAT - S0262\""],"QuasarRAT":["misp-galaxy:mitre-tool=\"QuasarRAT - S0262\""],"xRAT":["misp-galaxy:mitre-tool=\"QuasarRAT - S0262\"","misp-galaxy:rat=\"xRAT\""],"RawDisk - S0364":["misp-galaxy:mitre-tool=\"RawDisk - S0364\""],"RawDisk":["misp-galaxy:mitre-tool=\"RawDisk - S0364\""],"Remcos - S0332":["misp-galaxy:mitre-tool=\"Remcos - S0332\""],"Ruler - S0358":["misp-galaxy:mitre-tool=\"Ruler - S0358\""],"Ruler":["misp-galaxy:mitre-tool=\"Ruler - S0358\""],"Xbot - S0298":["misp-galaxy:mitre-tool=\"Xbot - S0298\""],"ACL":["misp-galaxy:preventive-measure=\"ACL\""],"Backup and Restore Process":["misp-galaxy:preventive-measure=\"Backup and Restore Process\""],"Blacklist-phone-numbers":["misp-galaxy:preventive-measure=\"Blacklist-phone-numbers\""],"Block Macros":["misp-galaxy:preventive-measure=\"Block Macros\""],"Change Default \"Open With\" to Notepad":["misp-galaxy:preventive-measure=\"Change Default \"Open With\" to Notepad\""],"Disable WSH":["misp-galaxy:preventive-measure=\"Disable WSH\""],"EMET":["misp-galaxy:preventive-measure=\"EMET\""],"Enforce UAC Prompt":["misp-galaxy:preventive-measure=\"Enforce UAC Prompt\""],"Execution Prevention":["misp-galaxy:preventive-measure=\"Execution Prevention\""],"File Screening":["misp-galaxy:preventive-measure=\"File Screening\""],"Filter Attachments Level 1":["misp-galaxy:preventive-measure=\"Filter Attachments Level 1\""],"Filter Attachments Level 2":["misp-galaxy:preventive-measure=\"Filter Attachments Level 2\""],"Remove Admin Privileges":["misp-galaxy:preventive-measure=\"Remove Admin Privileges\""],"Restrict Workstation Communication":["misp-galaxy:preventive-measure=\"Restrict Workstation Communication\""],"Restrict program execution #2":["misp-galaxy:preventive-measure=\"Restrict program execution #2\""],"Restrict program execution":["misp-galaxy:preventive-measure=\"Restrict program execution\""],"Sandboxing Email Input":["misp-galaxy:preventive-measure=\"Sandboxing Email Input\""],"Show File Extensions":["misp-galaxy:preventive-measure=\"Show File Extensions\""],"Sysmon":["misp-galaxy:preventive-measure=\"Sysmon\""],"\"prepending (enc) ransomware\" (Not an official name)":["misp-galaxy:ransomware=\"\"prepending (enc) ransomware\" (Not an official name)\""],".CryptoHasYou.":["misp-galaxy:ransomware=\".CryptoHasYou.\""],"777":["misp-galaxy:ransomware=\"777\""],"Sevleg":["misp-galaxy:ransomware=\"777\""],"7Zipper Ransomware":["misp-galaxy:ransomware=\"7Zipper Ransomware\""],"7ev3n-HONE$T":["misp-galaxy:ransomware=\"7ev3n\""],"8lock8":["misp-galaxy:ransomware=\"8lock8\""],"AES-NI Ransomware ":["misp-galaxy:ransomware=\"AES-NI Ransomware \""],"AES_KEY_GEN_ASSIST Ransomware":["misp-galaxy:ransomware=\"AES_KEY_GEN_ASSIST Ransomware\""],"ALFA Ransomware":["misp-galaxy:ransomware=\"ALFA Ransomware\""],"AMBA":["misp-galaxy:ransomware=\"AMBA\""],"APT Ransomware v.2":["misp-galaxy:ransomware=\"APT Ransomware v.2\""],"ASN1 Encoder Ransomware":["misp-galaxy:ransomware=\"ASN1 Encoder Ransomware\""],"Acroware Cryptolocker Ransomware":["misp-galaxy:ransomware=\"Acroware Cryptolocker Ransomware\""],"Acroware Screenlocker":["misp-galaxy:ransomware=\"Acroware Cryptolocker Ransomware\""],"AdamLocker Ransomware":["misp-galaxy:ransomware=\"AdamLocker Ransomware\""],"AiraCrop Ransomware":["misp-galaxy:ransomware=\"AiraCrop Ransomware\""],"AiraCrop":["misp-galaxy:ransomware=\"AiraCrop\""],"Al-Namrood":["misp-galaxy:ransomware=\"Al-Namrood\""],"Alcatraz Locker Ransomware":["misp-galaxy:ransomware=\"Alcatraz Locker Ransomware\""],"All_Your_Documents Ransomware":["misp-galaxy:ransomware=\"All_Your_Documents Ransomware\""],"Alma Ransomware":["misp-galaxy:ransomware=\"Alma Ransomware\""],"Alpha Ransomware":["misp-galaxy:ransomware=\"Alpha Ransomware\""],"Angela Merkel Ransomware":["misp-galaxy:ransomware=\"Angela Merkel Ransomware\""],"AngleWare":["misp-galaxy:ransomware=\"AngleWare\""],"AngryDuck Ransomware":["misp-galaxy:ransomware=\"AngryDuck Ransomware\""],"Anony":["misp-galaxy:ransomware=\"Anony\""],"ngocanh":["misp-galaxy:ransomware=\"Anony\""],"Antihacker2017 Ransomware":["misp-galaxy:ransomware=\"Antihacker2017 Ransomware\""],"Antix Ransomware":["misp-galaxy:ransomware=\"Antix Ransomware\""],"Anubis Ransomware":["misp-galaxy:ransomware=\"Anubis Ransomware\""],"Fabiansomeware":["misp-galaxy:ransomware=\"Apocalypse\""],"ApocalypseVM":["misp-galaxy:ransomware=\"ApocalypseVM\""],"Aurora Ransomware":["misp-galaxy:ransomware=\"Aurora Ransomware\""],"Zorro Ransomware":["misp-galaxy:ransomware=\"Aurora Ransomware\""],"AutoLocky":["misp-galaxy:ransomware=\"AutoLocky\""],"AvastVirusinfo Ransomware":["misp-galaxy:ransomware=\"AvastVirusinfo Ransomware\""],"Aw3s0m3Sc0t7":["misp-galaxy:ransomware=\"Aw3s0m3Sc0t7\""],"B2DR Ransomware":["misp-galaxy:ransomware=\"B2DR Ransomware\""],"BTCLocker Ransomware":["misp-galaxy:ransomware=\"BTCLocker Ransomware\""],"BTC Ransomware":["misp-galaxy:ransomware=\"BTCLocker Ransomware\""],"BTCWare Related to \/ new version of CryptXXX":["misp-galaxy:ransomware=\"BTCWare Related to \/ new version of CryptXXX\""],"BTCamant Ransomware":["misp-galaxy:ransomware=\"BTCamant Ransomware\""],"Bad Rabbit":["misp-galaxy:ransomware=\"Bad Rabbit\""],"Bad-Rabbit":["misp-galaxy:ransomware=\"Bad Rabbit\""],"BadBlock":["misp-galaxy:ransomware=\"BadBlock\""],"BadEncript Ransomware":["misp-galaxy:ransomware=\"BadEncript Ransomware\""],"BaksoCrypt":["misp-galaxy:ransomware=\"BaksoCrypt\""],"Bandarchor":["misp-galaxy:ransomware=\"Bandarchor\"","misp-galaxy:ransomware=\"Rakhni\""],"BansomQare Manna Ransomware":["misp-galaxy:ransomware=\"BansomQare Manna Ransomware\""],"BarRax Ransomware":["misp-galaxy:ransomware=\"BarRax Ransomware\""],"BarRaxCrypt Ransomware":["misp-galaxy:ransomware=\"BarRax Ransomware\""],"Barack Obama's Everlasting Blue Blackmail Virus Ransomware":["misp-galaxy:ransomware=\"Barack Obama's Everlasting Blue Blackmail Virus Ransomware\""],"Barack Obama's Blackmail Virus Ransomware":["misp-galaxy:ransomware=\"Barack Obama's Everlasting Blue Blackmail Virus Ransomware\""],"BaCrypt":["misp-galaxy:ransomware=\"Bart\""],"BigBobRoss":["misp-galaxy:ransomware=\"BigBobRoss\""],"BitCryptor":["misp-galaxy:ransomware=\"BitCryptor\""],"BitStak":["misp-galaxy:ransomware=\"BitStak\""],"Black Ruby":["misp-galaxy:ransomware=\"Black Ruby\""],"BlackShades Crypter":["misp-galaxy:ransomware=\"BlackShades Crypter\""],"SilentShade":["misp-galaxy:ransomware=\"BlackShades Crypter\""],"BlackWorm":["misp-galaxy:ransomware=\"BlackWorm\""],"BleedGreen Ransomware":["misp-galaxy:ransomware=\"BleedGreen Ransomware\""],"FireCrypt Ransomware":["misp-galaxy:ransomware=\"BleedGreen Ransomware\""],"Blocatto":["misp-galaxy:ransomware=\"Blocatto\""],"Booyah":["misp-galaxy:ransomware=\"Booyah\"","misp-galaxy:ransomware=\"MM Locker\""],"Salami":["misp-galaxy:ransomware=\"Booyah\""],"BrLock":["misp-galaxy:ransomware=\"BrLock\""],"BrainCrypt Ransomware":["misp-galaxy:ransomware=\"BrainCrypt Ransomware\""],"Brazilian Globe":["misp-galaxy:ransomware=\"Brazilian Globe\""],"Brazilian":["misp-galaxy:ransomware=\"Brazilian\""],"Browlock":["misp-galaxy:ransomware=\"Browlock\""],"Bucbi":["misp-galaxy:ransomware=\"Bucbi\""],"BuyUnlockCode":["misp-galaxy:ransomware=\"BuyUnlockCode\""],"CIA Special Agent 767 Ransomware (FAKE!!!)":["misp-galaxy:ransomware=\"CIA Special Agent 767 Ransomware (FAKE!!!)\""],"CSGO Ransomware":["misp-galaxy:ransomware=\"CSGO Ransomware\""],"CTB-Faker":["misp-galaxy:ransomware=\"CTB-Faker\""],"Citroni":["misp-galaxy:ransomware=\"CTB-Faker\""],"CTB-Locker WEB":["misp-galaxy:ransomware=\"CTB-Locker WEB\""],"CYR-Locker Ransomware (FAKE)":["misp-galaxy:ransomware=\"CYR-Locker Ransomware (FAKE)\""],"Cancer Ransomware FAKE":["misp-galaxy:ransomware=\"Cancer Ransomware FAKE\""],"Cassetto Ransomware":["misp-galaxy:ransomware=\"Cassetto Ransomware\""],"Central Security Treatment Organization":["misp-galaxy:ransomware=\"Central Security Treatment Organization\"","misp-galaxy:ransomware=\"CryLocker\""],"CRBR ENCRYPTOR":["misp-galaxy:ransomware=\"Cerber\""],"CerberTear Ransomware":["misp-galaxy:ransomware=\"CerberTear Ransomware\""],"Chartwig Ransomware":["misp-galaxy:ransomware=\"Chartwig Ransomware\""],"Chimera":["misp-galaxy:ransomware=\"Chimera\""],"Chip Ransomware":["misp-galaxy:ransomware=\"Chip Ransomware\""],"ChipLocker Ransomware":["misp-galaxy:ransomware=\"Chip Ransomware\""],"Click Me Ransomware":["misp-galaxy:ransomware=\"Click Me Ransomware\""],"Clock":["misp-galaxy:ransomware=\"Clock\""],"CloudSword Ransomware":["misp-galaxy:ransomware=\"CloudSword Ransomware\""],"CockBlocker Ransomware":["misp-galaxy:ransomware=\"CockBlocker Ransomware\""],"Code Virus Ransomware ":["misp-galaxy:ransomware=\"Code Virus Ransomware \""],"CoinVault":["misp-galaxy:ransomware=\"CoinVault\""],"CommonRansom":["misp-galaxy:ransomware=\"CommonRansom\""],"Comrade Circle Ransomware":["misp-galaxy:ransomware=\"Comrade Circle Ransomware\""],"ConsoleApplication1 Ransomware":["misp-galaxy:ransomware=\"ConsoleApplication1 Ransomware\""],"Coverton":["misp-galaxy:ransomware=\"Coverton\""],"Criptt0r":["misp-galaxy:ransomware=\"Cr1ptT0r\""],"Cr1pt0r":["misp-galaxy:ransomware=\"Cr1ptT0r\""],"Cripttor":["misp-galaxy:ransomware=\"Cr1ptT0r\""],"CreamPie Ransomware":["misp-galaxy:ransomware=\"CreamPie Ransomware\""],"Crptxxx Ransomware":["misp-galaxy:ransomware=\"Crptxxx Ransomware\""],"CryBrazil":["misp-galaxy:ransomware=\"CryBrazil\""],"CryFile":["misp-galaxy:ransomware=\"CryFile\""],"Cry":["misp-galaxy:ransomware=\"CryLocker\""],"CSTO":["misp-galaxy:ransomware=\"CryLocker\""],"CryPy":["misp-galaxy:ransomware=\"CryPy\""],"Cryaki":["misp-galaxy:ransomware=\"Cryaki\""],"Crybola":["misp-galaxy:ransomware=\"Crybola\""],"CrypMIC":["misp-galaxy:ransomware=\"CrypMIC\""],"Crypren":["misp-galaxy:ransomware=\"Crypren\""],"Crypt0saur":["misp-galaxy:ransomware=\"Crypt0saur\""],"Crypt38":["misp-galaxy:ransomware=\"Crypt38\""],"CryptConsole 2.0 Ransomware":["misp-galaxy:ransomware=\"CryptConsole 2.0 Ransomware\""],"CryptConsole":["misp-galaxy:ransomware=\"CryptConsole\""],"CryptFIle2":["misp-galaxy:ransomware=\"CryptFIle2\""],"CryptInfinite":["misp-galaxy:ransomware=\"CryptInfinite\""],"CryptXXX 2.0":["misp-galaxy:ransomware=\"CryptXXX 2.0\""],"CryptProjectXXX":["misp-galaxy:ransomware=\"CryptXXX 2.0\"","misp-galaxy:ransomware=\"CryptXXX\""],"CryptXXX 3.0":["misp-galaxy:ransomware=\"CryptXXX 3.0\""],"UltraDeCrypter":["misp-galaxy:ransomware=\"CryptXXX 3.0\""],"UltraCrypter":["misp-galaxy:ransomware=\"CryptXXX 3.0\""],"CryptXXX 3.1":["misp-galaxy:ransomware=\"CryptXXX 3.1\""],"CryptXXX":["misp-galaxy:ransomware=\"CryptXXX\""],"Crypter":["misp-galaxy:ransomware=\"Crypter\""],"CryptoBit":["misp-galaxy:ransomware=\"CryptoBit\"","misp-galaxy:ransomware=\"Mobef\""],"CryptoBlock Ransomware ":["misp-galaxy:ransomware=\"CryptoBlock Ransomware \""],"CryptoDefense":["misp-galaxy:ransomware=\"CryptoDefense\""],"CryptoDevil Ransomware":["misp-galaxy:ransomware=\"CryptoDevil Ransomware\""],"CryptoFinancial":["misp-galaxy:ransomware=\"CryptoFinancial\""],"CryptoGraphic Locker":["misp-galaxy:ransomware=\"CryptoGraphic Locker\""],"Manamecrypt":["misp-galaxy:ransomware=\"CryptoHost\""],"Telograph":["misp-galaxy:ransomware=\"CryptoHost\""],"ROI Locker":["misp-galaxy:ransomware=\"CryptoHost\""],"CryptoJacky Ransomware":["misp-galaxy:ransomware=\"CryptoJacky Ransomware\""],"CryptoJoker":["misp-galaxy:ransomware=\"CryptoJoker\""],"CryptoKill Ransomware":["misp-galaxy:ransomware=\"CryptoKill Ransomware\""],"CryptoLocker 1.0.0":["misp-galaxy:ransomware=\"CryptoLocker 1.0.0\""],"CryptoLocker 5.1":["misp-galaxy:ransomware=\"CryptoLocker 5.1\""],"CryptoLocker by NTK Ransomware":["misp-galaxy:ransomware=\"CryptoLocker by NTK Ransomware\""],"CryptoLocker3 Ransomware":["misp-galaxy:ransomware=\"CryptoLocker3 Ransomware\""],"Fake CryptoLocker":["misp-galaxy:ransomware=\"CryptoLocker3 Ransomware\""],"CryptoLuck Ransomware":["misp-galaxy:ransomware=\"CryptoLuck Ransomware\""],"YafunnLocker":["misp-galaxy:ransomware=\"CryptoLuck Ransomware\""],"CryptoMeister Ransomware":["misp-galaxy:ransomware=\"CryptoMeister Ransomware\""],"Zeta":["misp-galaxy:ransomware=\"CryptoMix\""],"CryptoNar":["misp-galaxy:ransomware=\"CryptoNar\""],"CryptoRoger":["misp-galaxy:ransomware=\"CryptoRoger\""],"CryptoShadow":["misp-galaxy:ransomware=\"CryptoShadow\""],"CryptoShield 1.0 Ransomware":["misp-galaxy:ransomware=\"CryptoShield 1.0 Ransomware\""],"CryptoShocker":["misp-galaxy:ransomware=\"CryptoShocker\""],"CryptoSweetTooth Ransomware":["misp-galaxy:ransomware=\"CryptoSweetTooth Ransomware\""],"CryptoTorLocker2015":["misp-galaxy:ransomware=\"CryptoTorLocker2015\""],"CryptoTrooper":["misp-galaxy:ransomware=\"CryptoTrooper\""],"CryptoWall 1":["misp-galaxy:ransomware=\"CryptoWall 1\""],"CryptoWall 2":["misp-galaxy:ransomware=\"CryptoWall 2\""],"CryptoWall 3":["misp-galaxy:ransomware=\"CryptoWall 3\""],"CryptoWall 4":["misp-galaxy:ransomware=\"CryptoWall 4\""],"CryptoWire Ransomeware":["misp-galaxy:ransomware=\"CryptoWire Ransomeware\""],"Crypton Ransomware":["misp-galaxy:ransomware=\"Crypton Ransomware\""],"Nemesis":["misp-galaxy:ransomware=\"Crypton Ransomware\""],"X3M":["misp-galaxy:ransomware=\"Crypton Ransomware\""],"Cryptorium (Fake Ransomware)":["misp-galaxy:ransomware=\"Cryptorium (Fake Ransomware)\""],"Crypute Ransomware":["misp-galaxy:ransomware=\"Crypute Ransomware\""],"m0on Ransomware":["misp-galaxy:ransomware=\"Crypute Ransomware\""],"CuteRansomware":["misp-galaxy:ransomware=\"CuteRansomware\""],"my-Little-Ransomware":["misp-galaxy:ransomware=\"CuteRansomware\""],"Cyber Drill Exercise ":["misp-galaxy:ransomware=\"Cyber Drill Exercise \""],"Ransomuhahawhere":["misp-galaxy:ransomware=\"Cyber Drill Exercise \""],"Cyber SpLiTTer Vbs":["misp-galaxy:ransomware=\"Cyber SpLiTTer Vbs\""],"Cyron":["misp-galaxy:ransomware=\"Cyron\""],"DBGer Ransomware":["misp-galaxy:ransomware=\"DBGer Ransomware\""],"DEDCryptor":["misp-galaxy:ransomware=\"DEDCryptor\""],"DMALocker 3.0":["misp-galaxy:ransomware=\"DMALocker 3.0\""],"DMALocker":["misp-galaxy:ransomware=\"DMALocker\""],"DN":["misp-galaxy:ransomware=\"DN\""],"Fake":["misp-galaxy:ransomware=\"DN\""],"DNRansomware":["misp-galaxy:ransomware=\"DNRansomware\""],"DUMB Ransomware":["misp-galaxy:ransomware=\"DUMB Ransomware\""],"DXXD":["misp-galaxy:ransomware=\"DXXD\""],"Dablio Ransomware":["misp-galaxy:ransomware=\"Dablio Ransomware\""],"Dale Ransomware":["misp-galaxy:ransomware=\"Dale Ransomware\""],"DaleLocker Ransomware":["misp-galaxy:ransomware=\"Dale Ransomware\""],"Damage Ransomware":["misp-galaxy:ransomware=\"Damage Ransomware\""],"Dangerous Ransomware":["misp-galaxy:ransomware=\"Dangerous Ransomware\""],"DeCrypt Protect":["misp-galaxy:ransomware=\"DeCrypt Protect\""],"DeLpHiMoRix":["misp-galaxy:ransomware=\"DeLpHiMoRix\""],"DelphiMorix":["misp-galaxy:ransomware=\"DeLpHiMoRix\""],"Deadly Ransomware":["misp-galaxy:ransomware=\"Deadly Ransomware\""],"Deadly for a Good Purpose Ransomware":["misp-galaxy:ransomware=\"Deadly Ransomware\""],"Death Bitches":["misp-galaxy:ransomware=\"Death Bitches\""],"DecryptFox Ransomware":["misp-galaxy:ransomware=\"DecryptFox Ransomware\""],"Demo":["misp-galaxy:ransomware=\"Demo\""],"DeriaLock Ransomware":["misp-galaxy:ransomware=\"DeriaLock Ransomware\""],"DetoxCrypto":["misp-galaxy:ransomware=\"DetoxCrypto\""],"Dharma Ransomware":["misp-galaxy:ransomware=\"Dharma Ransomware\""],"Digisom":["misp-galaxy:ransomware=\"Digisom\""],"DirtyDecrypt":["misp-galaxy:ransomware=\"DirtyDecrypt\""],"DiskDoctor":["misp-galaxy:ransomware=\"DiskDoctor\""],"Scarab-DiskDoctor":["misp-galaxy:ransomware=\"DiskDoctor\""],"DoNotChange":["misp-galaxy:ransomware=\"DoNotChange\""],"Domino":["misp-galaxy:ransomware=\"Domino\""],"Donald Trump 2 Ransomware":["misp-galaxy:ransomware=\"Donald Trump 2 Ransomware\""],"Donut":["misp-galaxy:ransomware=\"Donut\""],"DotRansomware":["misp-galaxy:ransomware=\"DotRansomware\""],"DummyEncrypter Ransomware":["misp-galaxy:ransomware=\"DummyEncrypter Ransomware\""],"DummyLocker":["misp-galaxy:ransomware=\"DummyLocker\""],"DynA-Crypt Ransomware":["misp-galaxy:ransomware=\"DynA-Crypt Ransomware\""],"DynA CryptoLocker Ransomware":["misp-galaxy:ransomware=\"DynA-Crypt Ransomware\""],"EQ Ransomware":["misp-galaxy:ransomware=\"EQ Ransomware\""],"EdgeLocker":["misp-galaxy:ransomware=\"EdgeLocker\""],"EduCrypt":["misp-galaxy:ransomware=\"EduCrypt\""],"EduCrypter":["misp-galaxy:ransomware=\"EduCrypt\""],"EiTest":["misp-galaxy:ransomware=\"EiTest\""],"El-Polocker":["misp-galaxy:ransomware=\"El-Polocker\""],"Los Pollos Hermanos":["misp-galaxy:ransomware=\"El-Polocker\""],"Encoder.xxxx":["misp-galaxy:ransomware=\"Encoder.xxxx\""],"Trojan.Encoder.6491":["misp-galaxy:ransomware=\"Encoder.xxxx\"","misp-galaxy:ransomware=\"Windows_Security Ransonware\""],"EncrypTile Ransomware":["misp-galaxy:ransomware=\"EncrypTile Ransomware\""],"Encryptss77 Ransomware":["misp-galaxy:ransomware=\"Encryptss77 Ransomware\""],"SFX Monster Ransomware":["misp-galaxy:ransomware=\"Encryptss77 Ransomware\""],"Enigma 2 Ransomware":["misp-galaxy:ransomware=\"Enigma 2 Ransomware\""],"Enigma":["misp-galaxy:ransomware=\"Enigma\""],"Enjey":["misp-galaxy:ransomware=\"Enjey\""],"EnjeyCrypter Ransomware":["misp-galaxy:ransomware=\"EnjeyCrypter Ransomware\""],"EnkripsiPC Ransomware":["misp-galaxy:ransomware=\"EnkripsiPC Ransomware\""],"IDRANSOMv3":["misp-galaxy:ransomware=\"EnkripsiPC Ransomware\""],"EnyBeny Nuclear Ransomware":["misp-galaxy:ransomware=\"EnyBeny Nuclear Ransomware\""],"EnyBenyHorsuke Ransomware":["misp-galaxy:ransomware=\"EnyBenyHorsuke Ransomware\""],"Erebus 2017 Ransomware":["misp-galaxy:ransomware=\"Erebus 2017 Ransomware\""],"Erebus Ransomware":["misp-galaxy:ransomware=\"Erebus Ransomware\""],"Esmeralda Ransomware":["misp-galaxy:ransomware=\"Esmeralda Ransomware\""],"Everbe Ransomware":["misp-galaxy:ransomware=\"Everbe Ransomware\""],"Evil Ransomware":["misp-galaxy:ransomware=\"Evil Ransomware\""],"File0Locked KZ Ransomware":["misp-galaxy:ransomware=\"Evil Ransomware\""],"Exotic Ransomware":["misp-galaxy:ransomware=\"Exotic Ransomware\""],"FILE FROZR":["misp-galaxy:ransomware=\"FILE FROZR\""],"FLKR Ransomware":["misp-galaxy:ransomware=\"FLKR Ransomware\""],"FSociety":["misp-galaxy:ransomware=\"FSociety\""],"FabSysCrypto Ransomware":["misp-galaxy:ransomware=\"FabSysCrypto Ransomware\""],"Fadesoft Ransomware":["misp-galaxy:ransomware=\"Fadesoft Ransomware\""],"Fairware":["misp-galaxy:ransomware=\"Fairware\""],"Fakben":["misp-galaxy:ransomware=\"Fakben\""],"Fake Globe Ransomware":["misp-galaxy:ransomware=\"Fake Globe Ransomware\""],"Globe Imposter":["misp-galaxy:ransomware=\"Fake Globe Ransomware\""],"Fake Locky Ransomware":["misp-galaxy:ransomware=\"Fake Locky Ransomware\""],"Locky Impersonator Ransomware":["misp-galaxy:ransomware=\"Fake Locky Ransomware\""],"FakeCryptoLocker":["misp-galaxy:ransomware=\"FakeCryptoLocker\""],"Fantom":["misp-galaxy:ransomware=\"Fantom\""],"Comrad Circle":["misp-galaxy:ransomware=\"Fantom\""],"FenixLocker":["misp-galaxy:ransomware=\"FenixLocker\""],"File Spider":["misp-galaxy:ransomware=\"File Spider\""],"File-Locker":["misp-galaxy:ransomware=\"File-Locker\""],"FindZip":["misp-galaxy:ransomware=\"FileCoder\""],"FileLocker":["misp-galaxy:ransomware=\"FileLocker\""],"Fileice Ransomware Survey Ransomware":["misp-galaxy:ransomware=\"Fileice Ransomware Survey Ransomware\""],"First":["misp-galaxy:ransomware=\"First\""],"FlatChestWare":["misp-galaxy:ransomware=\"FlatChestWare\""],"Flotera Ransomware":["misp-galaxy:ransomware=\"Flotera Ransomware\""],"Flyper":["misp-galaxy:ransomware=\"Flyper\""],"Fonco":["misp-galaxy:ransomware=\"Fonco\""],"Forma Ransomware":["misp-galaxy:ransomware=\"Forma Ransomware\""],"FortuneCookie ":["misp-galaxy:ransomware=\"FortuneCookie \""],"FortuneCookie":["misp-galaxy:ransomware=\"FortuneCookie\""],"Free-Freedom":["misp-galaxy:ransomware=\"Free-Freedom\""],"Roga":["misp-galaxy:ransomware=\"Free-Freedom\"","misp-galaxy:ransomware=\"Roga\""],"Fs0ciety Locker Ransomware":["misp-galaxy:ransomware=\"Fs0ciety Locker Ransomware\""],"FuckSociety Ransomware":["misp-galaxy:ransomware=\"FuckSociety Ransomware\""],"FunFact Ransomware":["misp-galaxy:ransomware=\"FunFact Ransomware\""],"Fury":["misp-galaxy:ransomware=\"Fury\""],"Fusob":["misp-galaxy:ransomware=\"Fusob\""],"GC47 Ransomware":["misp-galaxy:ransomware=\"GC47 Ransomware\""],"GG Ransomware":["misp-galaxy:ransomware=\"GG Ransomware\""],"GNL Locker":["misp-galaxy:ransomware=\"GNL Locker\"","misp-galaxy:ransomware=\"Zyklon\""],"GOG Ransomware":["misp-galaxy:ransomware=\"GOG Ransomware\""],"GandCrab":["misp-galaxy:ransomware=\"GandCrab\""],"GarryWeber Ransomware":["misp-galaxy:ransomware=\"GarryWeber Ransomware\""],"Gerber Ransomware 1.0":["misp-galaxy:ransomware=\"Gerber Ransomware 1.0\""],"Gerber Ransomware 3.0":["misp-galaxy:ransomware=\"Gerber Ransomware 3.0\""],"GetCrypt":["misp-galaxy:ransomware=\"GetCrypt\""],"GhostCrypt":["misp-galaxy:ransomware=\"GhostCrypt\""],"Gingerbread":["misp-galaxy:ransomware=\"Gingerbread\""],"Globe v1":["misp-galaxy:ransomware=\"Globe v1\""],"Purge":["misp-galaxy:ransomware=\"Globe v1\""],"Globe2 Ransomware":["misp-galaxy:ransomware=\"Globe2 Ransomware\""],"Purge Ransomware":["misp-galaxy:ransomware=\"Globe2 Ransomware\"","misp-galaxy:ransomware=\"Globe3 Ransomware\""],"Globe3 Ransomware":["misp-galaxy:ransomware=\"Globe3 Ransomware\""],"God Crypt Joke Ransomware":["misp-galaxy:ransomware=\"God Crypt Joke Ransomware\""],"Godsomware v1.0":["misp-galaxy:ransomware=\"God Crypt Joke Ransomware\""],"Ransomware God Crypt":["misp-galaxy:ransomware=\"God Crypt Joke Ransomware\""],"GoldenEye Ransomware":["misp-galaxy:ransomware=\"GoldenEye Ransomware\""],"Gomasom":["misp-galaxy:ransomware=\"Gomasom\""],"Goopic":["misp-galaxy:ransomware=\"Goopic\""],"Gopher":["misp-galaxy:ransomware=\"Gopher\""],"Gremit Ransomware":["misp-galaxy:ransomware=\"Gremit Ransomware\""],"Guster Ransomware":["misp-galaxy:ransomware=\"Guster Ransomware\""],"HC6":["misp-galaxy:ransomware=\"HC6\""],"HC7":["misp-galaxy:ransomware=\"HC7\""],"HPE iLO 4 Ransomware":["misp-galaxy:ransomware=\"HPE iLO 4 Ransomware\""],"HTCryptor":["misp-galaxy:ransomware=\"HTCryptor\""],"Hacked":["misp-galaxy:ransomware=\"Hacked\""],"HackedLocker Ransomware":["misp-galaxy:ransomware=\"HackedLocker Ransomware\""],"Halloware":["misp-galaxy:ransomware=\"Halloware\""],"HappyDayzz":["misp-galaxy:ransomware=\"HappyDayzz\""],"Harasom":["misp-galaxy:ransomware=\"Harasom\""],"Havoc":["misp-galaxy:ransomware=\"Havoc\""],"HavocCrypt Ransomware":["misp-galaxy:ransomware=\"Havoc\""],"Haxerboi Ransomware":["misp-galaxy:ransomware=\"Haxerboi Ransomware\""],"Heimdall":["misp-galaxy:ransomware=\"Heimdall\""],"Help_dcfile":["misp-galaxy:ransomware=\"Help_dcfile\""],"Hi Buddy!":["misp-galaxy:ransomware=\"Hi Buddy!\""],"Cryptear":["misp-galaxy:ransomware=\"HiddenTear\""],"Hidden Tear":["misp-galaxy:ransomware=\"HiddenTear\""],"Hitler":["misp-galaxy:ransomware=\"Hitler\""],"Hollycrypt Ransomware":["misp-galaxy:ransomware=\"Hollycrypt Ransomware\""],"HolyCrypt":["misp-galaxy:ransomware=\"HolyCrypt\""],"Hucky Ransomware":["misp-galaxy:ransomware=\"Hucky Ransomware\""],"Hungarian Locky Ransomware":["misp-galaxy:ransomware=\"Hucky Ransomware\""],"HugeMe Ransomware":["misp-galaxy:ransomware=\"HugeMe Ransomware\""],"HydraCrypt":["misp-galaxy:ransomware=\"HydraCrypt\""],"IFN643 Ransomware":["misp-galaxy:ransomware=\"IFN643 Ransomware\""],"International Police Association":["misp-galaxy:ransomware=\"International Police Association\""],"Iron":["misp-galaxy:ransomware=\"Iron\""],"Ishtar Ransomware":["misp-galaxy:ransomware=\"Ishtar Ransomware\""],"JackPot Ransomware":["misp-galaxy:ransomware=\"JackPot Ransomware\""],"Jack.Pot Ransomware":["misp-galaxy:ransomware=\"JackPot Ransomware\""],"JagerDecryptor":["misp-galaxy:ransomware=\"JagerDecryptor\""],"JapanLocker Ransomware":["misp-galaxy:ransomware=\"JapanLocker Ransomware\""],"SHC Ransomware":["misp-galaxy:ransomware=\"JapanLocker Ransomware\""],"SHCLocker":["misp-galaxy:ransomware=\"JapanLocker Ransomware\""],"SyNcryption":["misp-galaxy:ransomware=\"JapanLocker Ransomware\""],"Jeff the Ransomware":["misp-galaxy:ransomware=\"Jeff the Ransomware\""],"Jeiphoos":["misp-galaxy:ransomware=\"Jeiphoos\""],"Encryptor RaaS":["misp-galaxy:ransomware=\"Jeiphoos\""],"Sarento":["misp-galaxy:ransomware=\"Jeiphoos\""],"Jhon Woddy":["misp-galaxy:ransomware=\"Jhon Woddy\""],"CryptoHitMan":["misp-galaxy:ransomware=\"Jigsaw\""],"Job Crypter":["misp-galaxy:ransomware=\"Job Crypter\""],"JohnyCryptor":["misp-galaxy:ransomware=\"JohnyCryptor\""],"Jokeroo":["misp-galaxy:ransomware=\"Jokeroo\""],"Fake GandCrab":["misp-galaxy:ransomware=\"Jokeroo\""],"JungleSec":["misp-galaxy:ransomware=\"JungleSec\""],"KEYHolder":["misp-galaxy:ransomware=\"KEYHolder\""],"KEYPASS":["misp-galaxy:ransomware=\"KEYPASS\""],"KRider Ransomware":["misp-galaxy:ransomware=\"KRider Ransomware\""],"Kaandsona Ransomware":["misp-galaxy:ransomware=\"Kaandsona Ransomware\""],"RansomTroll Ransomware":["misp-galaxy:ransomware=\"Kaandsona Ransomware\""],"K\u00e4\u00e4nds\u00f5na Ransomware":["misp-galaxy:ransomware=\"Kaandsona Ransomware\""],"Kaenlupuf Ransomware":["misp-galaxy:ransomware=\"Kaenlupuf Ransomware\""],"Kangaroo Ransomware":["misp-galaxy:ransomware=\"Kangaroo Ransomware\""],"Kappa":["misp-galaxy:ransomware=\"Kappa\""],"Karma Ransomware":["misp-galaxy:ransomware=\"Karma Ransomware\""],"Karmen Ransomware":["misp-galaxy:ransomware=\"Karmen Ransomware\""],"Kasiski Ransomware":["misp-galaxy:ransomware=\"Kasiski Ransomware\""],"KawaiiLocker":["misp-galaxy:ransomware=\"KawaiiLocker\""],"KeyBTC":["misp-galaxy:ransomware=\"KeyBTC\""],"KillDisk Ransomware":["misp-galaxy:ransomware=\"KillDisk Ransomware\""],"KillerLocker":["misp-galaxy:ransomware=\"KillerLocker\""],"KimcilWare":["misp-galaxy:ransomware=\"KimcilWare\""],"Kirk Ransomware & Spock Decryptor":["misp-galaxy:ransomware=\"Kirk Ransomware & Spock Decryptor\""],"KoKoKrypt Ransomware":["misp-galaxy:ransomware=\"KoKoKrypt Ransomware\""],"KokoLocker Ransomware":["misp-galaxy:ransomware=\"KoKoKrypt Ransomware\""],"Kolobo Ransomware":["misp-galaxy:ransomware=\"Kolobo Ransomware\""],"Kolobocheg Ransomware":["misp-galaxy:ransomware=\"Kolobo Ransomware\""],"Koolova Ransomware":["misp-galaxy:ransomware=\"Koolova Ransomware\""],"Korean":["misp-galaxy:ransomware=\"Korean\""],"Kostya Ransomware":["misp-galaxy:ransomware=\"Kostya Ransomware\""],"Kozy.Jozy":["misp-galaxy:ransomware=\"Kozy.Jozy\""],"QC":["misp-galaxy:ransomware=\"Kozy.Jozy\""],"Kraken Cryptor Ransomware":["misp-galaxy:ransomware=\"Kraken Cryptor Ransomware\""],"Kraken Ransomware":["misp-galaxy:ransomware=\"Kraken Ransomware\""],"KratosCrypt":["misp-galaxy:ransomware=\"KratosCrypt\""],"KryptoLocker":["misp-galaxy:ransomware=\"KryptoLocker\""],"L33TAF Locker Ransomware":["misp-galaxy:ransomware=\"L33TAF Locker Ransomware\""],"LK Encryption":["misp-galaxy:ransomware=\"LK Encryption\""],"LLTP Locker":["misp-galaxy:ransomware=\"LLTP Locker\""],"LambdaLocker Ransomware":["misp-galaxy:ransomware=\"LambdaLocker Ransomware\""],"LanRan":["misp-galaxy:ransomware=\"LanRan\""],"LeChiffre":["misp-galaxy:ransomware=\"LeChiffre\""],"Lick":["misp-galaxy:ransomware=\"Lick\""],"Linux.Encoder":["misp-galaxy:ransomware=\"Linux.Encoder\""],"Linux.Encoder.{0,3}":["misp-galaxy:ransomware=\"Linux.Encoder\""],"Lock2017 Ransomware":["misp-galaxy:ransomware=\"Lock2017 Ransomware\""],"Lock93 Ransomware":["misp-galaxy:ransomware=\"Lock93 Ransomware\""],"LockCrypt":["misp-galaxy:ransomware=\"LockCrypt\""],"LockLock":["misp-galaxy:ransomware=\"LockLock\""],"Locked-In Ransomware or NoValid Ransomware":["misp-galaxy:ransomware=\"Locked-In Ransomware or NoValid Ransomware\""],"Locker":["misp-galaxy:ransomware=\"Locker\""],"Lomix Ransomware":["misp-galaxy:ransomware=\"Lomix Ransomware\""],"Lortok":["misp-galaxy:ransomware=\"Lortok\""],"LoveLock Ransomware or Love2Lock Ransomware":["misp-galaxy:ransomware=\"LoveLock Ransomware or Love2Lock Ransomware\""],"LoveServer Ransomware ":["misp-galaxy:ransomware=\"LoveServer Ransomware \""],"LowLevel04":["misp-galaxy:ransomware=\"LowLevel04\""],"M4N1F3STO Ransomware (FAKE!!!!!)":["misp-galaxy:ransomware=\"M4N1F3STO Ransomware (FAKE!!!!!)\""],"M4N1F3STO":["misp-galaxy:ransomware=\"M4N1F3STO\""],"M@r1a ransomware":["misp-galaxy:ransomware=\"M@r1a ransomware\""],"M@r1a":["misp-galaxy:ransomware=\"M@r1a ransomware\""],"BlackHeart":["misp-galaxy:ransomware=\"M@r1a ransomware\""],"MC Ransomware":["misp-galaxy:ransomware=\"MC Ransomware\""],"MIRCOP":["misp-galaxy:ransomware=\"MIRCOP\""],"Crypt888":["misp-galaxy:ransomware=\"MIRCOP\""],"MM Locker":["misp-galaxy:ransomware=\"MM Locker\""],"MOTD Ransomware":["misp-galaxy:ransomware=\"MOTD Ransomware\""],"MSN CryptoLocker Ransomware":["misp-galaxy:ransomware=\"MSN CryptoLocker Ransomware\""],"MVP Ransomware":["misp-galaxy:ransomware=\"MVP Ransomware\""],"Mabouia":["misp-galaxy:ransomware=\"Mabouia\""],"MacAndChess":["misp-galaxy:ransomware=\"MacAndChess\""],"MafiaWare Ransomware":["misp-galaxy:ransomware=\"MafiaWare Ransomware\""],"Depsex Ransomware":["misp-galaxy:ransomware=\"MafiaWare Ransomware\""],"Magic":["misp-galaxy:ransomware=\"Magic\""],"Magniber Ransomware":["misp-galaxy:ransomware=\"Magniber Ransomware\""],"MaktubLocker":["misp-galaxy:ransomware=\"MaktubLocker\""],"Manifestus Ransomware ":["misp-galaxy:ransomware=\"Manifestus Ransomware \""],"Marlboro Ransomware":["misp-galaxy:ransomware=\"Marlboro Ransomware\""],"MarsJoke":["misp-galaxy:ransomware=\"MarsJoke\""],"MasterBuster Ransomware":["misp-galaxy:ransomware=\"MasterBuster Ransomware\""],"Matrix":["misp-galaxy:ransomware=\"Matrix\""],"Malta Ransomware":["misp-galaxy:ransomware=\"Matrix\""],"Matrix Ransomware":["misp-galaxy:ransomware=\"Matrix\""],"Meister":["misp-galaxy:ransomware=\"Meister\""],"Mercury Ransomware":["misp-galaxy:ransomware=\"Mercury Ransomware\""],"Merry Christmas":["misp-galaxy:ransomware=\"Merry Christmas\""],"Merry X-Mas":["misp-galaxy:ransomware=\"Merry Christmas\""],"MRCR":["misp-galaxy:ransomware=\"Merry Christmas\""],"Meteoritan":["misp-galaxy:ransomware=\"Meteoritan\""],"MireWare":["misp-galaxy:ransomware=\"MireWare\""],"Mischa":["misp-galaxy:ransomware=\"Mischa\""],"\"Petya's little brother\"":["misp-galaxy:ransomware=\"Mischa\""],"Mobef":["misp-galaxy:ransomware=\"Mobef\""],"Yakes":["misp-galaxy:ransomware=\"Mobef\""],"Mongo Lock":["misp-galaxy:ransomware=\"Mongo Lock\""],"Monument":["misp-galaxy:ransomware=\"Monument\""],"N-Splitter":["misp-galaxy:ransomware=\"N-Splitter\""],"NCrypt Ransomware":["misp-galaxy:ransomware=\"NCrypt Ransomware\""],"NMCRYPT Ransomware":["misp-galaxy:ransomware=\"NMCRYPT Ransomware\""],"NMoreia 2.0 Ransomware":["misp-galaxy:ransomware=\"NMoreia 2.0 Ransomware\""],"HakunaMatataRansomware":["misp-galaxy:ransomware=\"NMoreia 2.0 Ransomware\""],"NMoreira Ransomware":["misp-galaxy:ransomware=\"NMoreira Ransomware\""],"Fake Maktub Ransomware":["misp-galaxy:ransomware=\"NMoreira Ransomware\""],"NMoreira":["misp-galaxy:ransomware=\"NMoreira\""],"XRatTeam":["misp-galaxy:ransomware=\"NMoreira\""],"XPan":["misp-galaxy:ransomware=\"NMoreira\""],"Nagini Ransomware":["misp-galaxy:ransomware=\"Nagini Ransomware\""],"Voldemort Ransomware":["misp-galaxy:ransomware=\"Nagini Ransomware\""],"NemeS1S Ransomware":["misp-galaxy:ransomware=\"NemeS1S Ransomware\""],"Nemesis Ransomware":["misp-galaxy:ransomware=\"Nemesis Ransomware\""],"Nemucod":["misp-galaxy:ransomware=\"Nemucod\""],"Netflix Ransomware":["misp-galaxy:ransomware=\"Netflix Ransomware\""],"Netix":["misp-galaxy:ransomware=\"Netix\""],"RANSOM_NETIX.A":["misp-galaxy:ransomware=\"Netix\""],"Nhtnwcuf Ransomware (Fake)":["misp-galaxy:ransomware=\"Nhtnwcuf Ransomware (Fake)\""],"Nhtnwcuf":["misp-galaxy:ransomware=\"Nhtnwcuf\""],"NoobCrypt":["misp-galaxy:ransomware=\"NoobCrypt\""],"Nuke":["misp-galaxy:ransomware=\"Nuke\""],"Nullbyte":["misp-galaxy:ransomware=\"Nullbyte\""],"ODCODC":["misp-galaxy:ransomware=\"ODCODC\""],"OMG! Ransomware":["misp-galaxy:ransomware=\"OMG! Ransomware\""],"ONYX Ransomeware":["misp-galaxy:ransomware=\"ONYX Ransomeware\""],"OXAR":["misp-galaxy:ransomware=\"OXAR\""],"Ocelot Ransomware (FAKE RANSOMWARE)":["misp-galaxy:ransomware=\"Ocelot Ransomware (FAKE RANSOMWARE)\""],"Ocelot Locker Ransomware":["misp-galaxy:ransomware=\"Ocelot Ransomware (FAKE RANSOMWARE)\""],"Offline ransomware":["misp-galaxy:ransomware=\"Offline ransomware\""],"Vipasana":["misp-galaxy:ransomware=\"Offline ransomware\""],"Operation Global III":["misp-galaxy:ransomware=\"Operation Global III\""],"Outsider":["misp-galaxy:ransomware=\"Outsider\""],"Owl":["misp-galaxy:ransomware=\"Owl\""],"OzozaLocker Ransomware":["misp-galaxy:ransomware=\"OzozaLocker Ransomware\""],"PClock3 Ransomware":["misp-galaxy:ransomware=\"PClock3 Ransomware\""],"PClock SuppTeam Ransomware":["misp-galaxy:ransomware=\"PClock3 Ransomware\""],"WinPlock":["misp-galaxy:ransomware=\"PClock3 Ransomware\""],"CryptoLocker clone":["misp-galaxy:ransomware=\"PClock3 Ransomware\""],"PClock4 Ransomware":["misp-galaxy:ransomware=\"PClock4 Ransomware\""],"PClock SysGop Ransomware":["misp-galaxy:ransomware=\"PClock4 Ransomware\""],"PGPSnippet Ransomware":["misp-galaxy:ransomware=\"PGPSnippet Ransomware\""],"PICO Ransomware":["misp-galaxy:ransomware=\"PICO Ransomware\""],"Pico Ransomware":["misp-galaxy:ransomware=\"PICO Ransomware\""],"PRISM":["misp-galaxy:ransomware=\"PRISM\""],"PUBG Ransomware":["misp-galaxy:ransomware=\"PUBG Ransomware\""],"Padlock Screenlocker":["misp-galaxy:ransomware=\"Padlock Screenlocker\""],"Paradise Ransomware":["misp-galaxy:ransomware=\"Paradise Ransomware\""],"PayDOS Ransomware":["misp-galaxy:ransomware=\"PayDOS Ransomware\""],"Serpent Ransomware":["misp-galaxy:ransomware=\"PayDOS Ransomware\""],"PayDay Ransomware ":["misp-galaxy:ransomware=\"PayDay Ransomware \""],"PaySafeGen (German) Ransomware":["misp-galaxy:ransomware=\"PaySafeGen (German) Ransomware\""],"Paysafecard Generator 2016":["misp-galaxy:ransomware=\"PaySafeGen (German) Ransomware\""],"Pedcont":["misp-galaxy:ransomware=\"Pedcont\""],"PetrWrap Ransomware":["misp-galaxy:ransomware=\"PetrWrap Ransomware\""],"Goldeneye":["misp-galaxy:ransomware=\"Petya\""],"Philadelphia":["misp-galaxy:ransomware=\"Philadelphia\""],"Phobos":["misp-galaxy:ransomware=\"Phobos\""],"PicklesRansomware":["misp-galaxy:ransomware=\"PicklesRansomware\""],"PizzaCrypts":["misp-galaxy:ransomware=\"PizzaCrypts\""],"Planetary":["misp-galaxy:ransomware=\"Planetary\""],"PleaseRead Ransomware":["misp-galaxy:ransomware=\"PleaseRead Ransomware\""],"VHDLocker Ransomware":["misp-galaxy:ransomware=\"PleaseRead Ransomware\""],"PokemonGO":["misp-galaxy:ransomware=\"PokemonGO\""],"Polski Ransomware":["misp-galaxy:ransomware=\"Polski Ransomware\""],"PopCorn Time Ransomware":["misp-galaxy:ransomware=\"PopCorn Time Ransomware\""],"Potato Ransomware":["misp-galaxy:ransomware=\"Potato Ransomware\""],"PoshCoder":["misp-galaxy:ransomware=\"PowerWare\""],"PowerWorm":["misp-galaxy:ransomware=\"PowerWorm\""],"Princess Evolution":["misp-galaxy:ransomware=\"Princess Evolution\""],"Princess Locker":["misp-galaxy:ransomware=\"Princess Locker\""],"Project34 Ransomware":["misp-galaxy:ransomware=\"Project34 Ransomware\""],"ProposalCrypt Ransomware":["misp-galaxy:ransomware=\"ProposalCrypt Ransomware\""],"Ps2exe":["misp-galaxy:ransomware=\"Ps2exe\""],"PyCL Ransomware":["misp-galaxy:ransomware=\"PyCL Ransomware\""],"PyL33T Ransomware":["misp-galaxy:ransomware=\"PyL33T Ransomware\""],"Qwerty Ransomware":["misp-galaxy:ransomware=\"Qwerty Ransomware\""],"R":["misp-galaxy:ransomware=\"R\""],"R980":["misp-galaxy:ransomware=\"R980\""],"RAA encryptor":["misp-galaxy:ransomware=\"RAA encryptor\""],"RAA":["misp-galaxy:ransomware=\"RAA encryptor\""],"RASTAKHIZ":["misp-galaxy:ransomware=\"RASTAKHIZ\""],"RIP (Phoenix) Ransomware":["misp-galaxy:ransomware=\"RIP (Phoenix) Ransomware\""],"RSAUtil":["misp-galaxy:ransomware=\"RSAUtil\""],"Vagger":["misp-galaxy:ransomware=\"RSAUtil\""],"DONTSLIP":["misp-galaxy:ransomware=\"RSAUtil\""],"Rabion":["misp-galaxy:ransomware=\"Rabion\""],"Agent.iih":["misp-galaxy:ransomware=\"Rakhni\""],"Aura":["misp-galaxy:ransomware=\"Rakhni\""],"Autoit":["misp-galaxy:ransomware=\"Rakhni\""],"Pletor":["misp-galaxy:ransomware=\"Rakhni\""],"Lamer":["misp-galaxy:ransomware=\"Rakhni\""],"Isda":["misp-galaxy:ransomware=\"Rakhni\""],"Cryptokluchen":["misp-galaxy:ransomware=\"Rakhni\""],"Ramsomeer":["misp-galaxy:ransomware=\"Ramsomeer\""],"RanRan":["misp-galaxy:ransomware=\"RanRan\""],"Ranion RaasRansomware":["misp-galaxy:ransomware=\"Ranion RaasRansomware\""],"Rannoh":["misp-galaxy:ransomware=\"Rannoh\""],"Ransom32":["misp-galaxy:ransomware=\"Ransom32\""],"RansomLock":["misp-galaxy:ransomware=\"RansomLock\""],"RansomPlus":["misp-galaxy:ransomware=\"RansomPlus\""],"RarVault":["misp-galaxy:ransomware=\"RarVault\""],"Razy":["misp-galaxy:ransomware=\"Razy\""],"Rector":["misp-galaxy:ransomware=\"Rector\""],"RedAnts Ransomware":["misp-galaxy:ransomware=\"RedAnts Ransomware\""],"RedEye":["misp-galaxy:ransomware=\"RedEye\""],"RektLocker":["misp-galaxy:ransomware=\"RektLocker\""],"Rektware":["misp-galaxy:ransomware=\"Rektware\""],"RemindMe":["misp-galaxy:ransomware=\"RemindMe\""],"RenLocker Ransomware (FAKE)":["misp-galaxy:ransomware=\"RenLocker Ransomware (FAKE)\""],"Revenge Ransomware":["misp-galaxy:ransomware=\"Revenge Ransomware\""],"Reveton ransomware":["misp-galaxy:ransomware=\"Reveton ransomware\""],"RoshaLock":["misp-galaxy:ransomware=\"RoshaLock\""],"RotorCrypt(RotoCrypt, Tar) Ransomware":["misp-galaxy:ransomware=\"RotorCrypt(RotoCrypt, Tar) Ransomware\""],"Tar Ransomware":["misp-galaxy:ransomware=\"RotorCrypt(RotoCrypt, Tar) Ransomware\""],"RozaLocker Ransomware":["misp-galaxy:ransomware=\"RozaLocker Ransomware\""],"Runsomewere":["misp-galaxy:ransomware=\"Runsomewere\""],"Russian Globe Ransomware":["misp-galaxy:ransomware=\"Russian Globe Ransomware\""],"RussianRoulette":["misp-galaxy:ransomware=\"RussianRoulette\""],"Ryuk ransomware":["misp-galaxy:ransomware=\"Ryuk ransomware\""],"SADStory":["misp-galaxy:ransomware=\"SADStory\""],"SAVEfiles":["misp-galaxy:ransomware=\"SAVEfiles\""],"SNSLocker":["misp-galaxy:ransomware=\"SNSLocker\""],"SOREBRECT":["misp-galaxy:ransomware=\"SOREBRECT\""],"SQ_ Ransomware":["misp-galaxy:ransomware=\"SQ_ Ransomware\""],"VO_ Ransomware":["misp-galaxy:ransomware=\"SQ_ Ransomware\""],"SZFLocker":["misp-galaxy:ransomware=\"SZFLocker\""],"Sage 2.0 Ransomware":["misp-galaxy:ransomware=\"Sage 2.0 Ransomware\""],"Sage 2.2":["misp-galaxy:ransomware=\"Sage 2.2\""],"Sage Ransomware":["misp-galaxy:ransomware=\"Sage Ransomware\""],"Samas-Samsam":["misp-galaxy:ransomware=\"Samas-Samsam\""],"samsam.exe":["misp-galaxy:ransomware=\"Samas-Samsam\""],"MIKOPONI.exe":["misp-galaxy:ransomware=\"Samas-Samsam\""],"RikiRafael.exe":["misp-galaxy:ransomware=\"Samas-Samsam\""],"showmehowto.exe":["misp-galaxy:ransomware=\"Samas-Samsam\""],"SamSam Ransomware":["misp-galaxy:ransomware=\"Samas-Samsam\""],"Samsam":["misp-galaxy:ransomware=\"Samas-Samsam\""],"Sanction":["misp-galaxy:ransomware=\"Sanction\""],"Sanctions":["misp-galaxy:ransomware=\"Sanctions\""],"Sardoninir":["misp-galaxy:ransomware=\"Sardoninir\""],"Satan666 Ransomware":["misp-galaxy:ransomware=\"Satan666 Ransomware\""],"Scarab":["misp-galaxy:ransomware=\"Scarab\""],"Scraper":["misp-galaxy:ransomware=\"Scraper\""],"Seoirse Ransomware":["misp-galaxy:ransomware=\"Seoirse Ransomware\""],"SerbRansom 2017 Ransomware":["misp-galaxy:ransomware=\"SerbRansom 2017 Ransomware\""],"Serpent 2017 Ransomware":["misp-galaxy:ransomware=\"Serpent 2017 Ransomware\""],"Serpent Danish Ransomware":["misp-galaxy:ransomware=\"Serpent 2017 Ransomware\""],"Shark":["misp-galaxy:ransomware=\"Shark\"","misp-galaxy:rat=\"SharK\""],"Atom":["misp-galaxy:ransomware=\"Shark\""],"ShellLocker Ransomware":["misp-galaxy:ransomware=\"ShellLocker Ransomware\""],"ShinoLocker":["misp-galaxy:ransomware=\"ShinoLocker\""],"KinCrypt":["misp-galaxy:ransomware=\"Shujin\""],"ShurL0ckr":["misp-galaxy:ransomware=\"ShurL0ckr\""],"Sigma Ransomware":["misp-galaxy:ransomware=\"Sigma Ransomware\""],"Sigrun Ransomware":["misp-galaxy:ransomware=\"Sigrun Ransomware\""],"Simple_Encoder":["misp-galaxy:ransomware=\"Simple_Encoder\""],"SkidLocker":["misp-galaxy:ransomware=\"SkidLocker\""],"Pompous":["misp-galaxy:ransomware=\"SkidLocker\""],"SkyFile":["misp-galaxy:ransomware=\"SkyFile\""],"SkyName Ransomware":["misp-galaxy:ransomware=\"SkyName Ransomware\""],"Blablabla Ransomware":["misp-galaxy:ransomware=\"SkyName Ransomware\""],"Slimhem Ransomware":["misp-galaxy:ransomware=\"Slimhem Ransomware\""],"Smash!":["misp-galaxy:ransomware=\"Smash!\""],"Smrss32":["misp-galaxy:ransomware=\"Smrss32\""],"Sodinokibi":["misp-galaxy:ransomware=\"Sodinokibi\""],"Spartacus Ransomware":["misp-galaxy:ransomware=\"Spartacus Ransomware\""],"Spora Ransomware":["misp-galaxy:ransomware=\"Spora Ransomware\""],"Sport":["misp-galaxy:ransomware=\"Sport\"","misp-galaxy:sector=\"Sport\""],"Stampado":["misp-galaxy:ransomware=\"Stampado\""],"StorageCrypt":["misp-galaxy:ransomware=\"StorageCrypt\""],"StorageCrypter":["misp-galaxy:ransomware=\"StorageCrypter\""],"Strictor":["misp-galaxy:ransomware=\"Strictor\""],"SuchSecurity Ransomware":["misp-galaxy:ransomware=\"SuchSecurity Ransomware\""],"SureRansom Ransomeware (Fake)":["misp-galaxy:ransomware=\"SureRansom Ransomeware (Fake)\""],"Surprise":["misp-galaxy:ransomware=\"Surprise\""],"Survey":["misp-galaxy:ransomware=\"Survey\""],"Syn Ack":["misp-galaxy:ransomware=\"SynAck\""],"SynoLocker":["misp-galaxy:ransomware=\"SynoLocker\""],"TYRANT":["misp-galaxy:ransomware=\"TYRANT\""],"Crypto Tyrant":["misp-galaxy:ransomware=\"TYRANT\""],"TeamXrat":["misp-galaxy:ransomware=\"TeamXrat\""],"Telecrypt Ransomware":["misp-galaxy:ransomware=\"Telecrypt Ransomware\""],"Tellyouthepass":["misp-galaxy:ransomware=\"Tellyouthepass\""],"Termite Ransomware":["misp-galaxy:ransomware=\"Termite Ransomware\""],"TeslaCrypt 0.x - 2.2.0":["misp-galaxy:ransomware=\"TeslaCrypt 0.x - 2.2.0\""],"AlphaCrypt":["misp-galaxy:ransomware=\"TeslaCrypt 0.x - 2.2.0\""],"TeslaCrypt 3.0+":["misp-galaxy:ransomware=\"TeslaCrypt 3.0+\""],"TeslaCrypt 4.1A":["misp-galaxy:ransomware=\"TeslaCrypt 4.1A\""],"TeslaCrypt 4.2":["misp-galaxy:ransomware=\"TeslaCrypt 4.2\""],"Thanksgiving Ransomware":["misp-galaxy:ransomware=\"Thanksgiving Ransomware\""],"Threat Finder":["misp-galaxy:ransomware=\"Threat Finder\""],"Crypt0L0cker":["misp-galaxy:ransomware=\"TorrentLocker\""],"Teerac":["misp-galaxy:ransomware=\"TorrentLocker\""],"TowerWeb":["misp-galaxy:ransomware=\"TowerWeb\""],"Toxcrypt":["misp-galaxy:ransomware=\"Toxcrypt\""],"Trojan Dz":["misp-galaxy:ransomware=\"Trojan Dz\""],"Trojan":["misp-galaxy:ransomware=\"Trojan\""],"BrainCrypt":["misp-galaxy:ransomware=\"Trojan\""],"Troldesh orShade, XTBL":["misp-galaxy:ransomware=\"Troldesh orShade, XTBL\""],"Tron ransomware":["misp-galaxy:ransomware=\"Tron ransomware\""],"TrueCrypter":["misp-galaxy:ransomware=\"TrueCrypter\""],"TrumpLocker Ransomware":["misp-galaxy:ransomware=\"TrumpLocker Ransomware\""],"Turkish FileEncryptor Ransomware":["misp-galaxy:ransomware=\"Turkish FileEncryptor Ransomware\""],"Fake CTB-Locker":["misp-galaxy:ransomware=\"Turkish FileEncryptor Ransomware\""],"Turkish Ransom":["misp-galaxy:ransomware=\"Turkish Ransom\""],"Turkish":["misp-galaxy:ransomware=\"Turkish\""],"Uiwix Ransomware":["misp-galaxy:ransomware=\"Uiwix Ransomware\""],"UltraLocker Ransomware":["misp-galaxy:ransomware=\"UltraLocker Ransomware\""],"UmbreCrypt":["misp-galaxy:ransomware=\"UmbreCrypt\""],"UnblockUPC":["misp-galaxy:ransomware=\"UnblockUPC\""],"Ungluk":["misp-galaxy:ransomware=\"Ungluk\""],"Unlock26 Ransomware":["misp-galaxy:ransomware=\"Unlock26 Ransomware\""],"Unlock92 ":["misp-galaxy:ransomware=\"Unlock92 \""],"Unnamed Android Ransomware":["misp-galaxy:ransomware=\"Unnamed Android Ransomware\""],"Unnamed ramsomware 1":["misp-galaxy:ransomware=\"Unnamed ramsomware 1\""],"Unnamed ramsomware 2":["misp-galaxy:ransomware=\"Unnamed ramsomware 2\""],"UpdateHost Ransomware":["misp-galaxy:ransomware=\"UpdateHost Ransomware\""],"UserFilesLocker Ransomware":["misp-galaxy:ransomware=\"UserFilesLocker Ransomware\""],"CzechoSlovak Ransomware":["misp-galaxy:ransomware=\"UserFilesLocker Ransomware\""],"V8Locker Ransomware":["misp-galaxy:ransomware=\"V8Locker Ransomware\""],"VBRANSOM 7":["misp-galaxy:ransomware=\"VBRANSOM 7\""],"Vanguard Ransomware":["misp-galaxy:ransomware=\"Vanguard Ransomware\""],"VapeLauncher":["misp-galaxy:ransomware=\"VapeLauncher\""],"Vapor Ransomware":["misp-galaxy:ransomware=\"Vapor Ransomware\""],"VaultCrypt":["misp-galaxy:ransomware=\"VaultCrypt\"","misp-galaxy:ransomware=\"Zlader\""],"CrypVault":["misp-galaxy:ransomware=\"VaultCrypt\"","misp-galaxy:ransomware=\"Zlader\""],"Zlader":["misp-galaxy:ransomware=\"VaultCrypt\"","misp-galaxy:ransomware=\"Zlader\""],"Venis Ransomware":["misp-galaxy:ransomware=\"Venis Ransomware\""],"VenusLocker":["misp-galaxy:ransomware=\"VenusLocker\""],"VindowsLocker Ransomware":["misp-galaxy:ransomware=\"VindowsLocker Ransomware\""],"Virlock":["misp-galaxy:ransomware=\"Virlock\""],"Virus-Encoder":["misp-galaxy:ransomware=\"Virus-Encoder\""],"CrySiS":["misp-galaxy:ransomware=\"Virus-Encoder\""],"Vortex Ransomware":["misp-galaxy:ransomware=\"Vortex Ransomware\""],"\u0166l\u0e4ft\u0454\u0433\u0e04 \u0433\u0e04\u0e20\u0e23\u0e4f\u0e53\u0e2c\u0e04\u0433\u0454":["misp-galaxy:ransomware=\"Vortex Ransomware\""],"Vurten":["misp-galaxy:ransomware=\"Vurten\""],"VxLock Ransomware":["misp-galaxy:ransomware=\"VxLock Ransomware\""],"WannaCrypt":["misp-galaxy:ransomware=\"WannaCry\""],"WCrypt":["misp-galaxy:ransomware=\"WannaCry\""],"WCRY":["misp-galaxy:ransomware=\"WannaCry\""],"WannaSmile":["misp-galaxy:ransomware=\"WannaSmile\""],"Wcry Ransomware":["misp-galaxy:ransomware=\"Wcry Ransomware\""],"WeChat Ransom":["misp-galaxy:ransomware=\"WeChat Ransom\""],"UNNAMED1989":["misp-galaxy:ransomware=\"WeChat Ransom\""],"WhiteRose":["misp-galaxy:ransomware=\"WhiteRose\""],"WickedLocker HT Ransomware":["misp-galaxy:ransomware=\"WickedLocker HT Ransomware\""],"WildFire Locker":["misp-galaxy:ransomware=\"WildFire Locker\""],"Hades Locker":["misp-galaxy:ransomware=\"WildFire Locker\""],"WinRarer Ransomware":["misp-galaxy:ransomware=\"WinRarer Ransomware\""],"Windows_Security Ransonware":["misp-galaxy:ransomware=\"Windows_Security Ransonware\""],"WS Go Ransonware":["misp-galaxy:ransomware=\"Windows_Security Ransonware\""],"Winnix Cryptor Ransomware":["misp-galaxy:ransomware=\"Winnix Cryptor Ransomware\""],"X-Files":["misp-galaxy:ransomware=\"X-Files\""],"X3M Ransomware":["misp-galaxy:ransomware=\"X3M Ransomware\""],"XCrypt Ransomware":["misp-galaxy:ransomware=\"XCrypt Ransomware\""],"XRTN ":["misp-galaxy:ransomware=\"XRTN \""],"XTPLocker 5.0 Ransomware":["misp-galaxy:ransomware=\"XTPLocker 5.0 Ransomware\""],"XYZWare Ransomware":["misp-galaxy:ransomware=\"XYZWare Ransomware\""],"XiaoBa ransomware":["misp-galaxy:ransomware=\"XiaoBa ransomware\""],"Xolzsec":["misp-galaxy:ransomware=\"Xolzsec\""],"Xorist":["misp-galaxy:ransomware=\"Xorist\""],"YYTO Ransomware":["misp-galaxy:ransomware=\"YYTO Ransomware\""],"You Have Been Hacked!!!":["misp-galaxy:ransomware=\"You Have Been Hacked!!!\""],"YouAreFucked Ransomware":["misp-galaxy:ransomware=\"YouAreFucked Ransomware\""],"YourRansom Ransomware":["misp-galaxy:ransomware=\"YourRansom Ransomware\""],"ZXZ Ramsomware":["misp-galaxy:ransomware=\"ZXZ Ramsomware\""],"Zcrypt":["misp-galaxy:ransomware=\"Zcrypt\""],"Zcryptor":["misp-galaxy:ransomware=\"Zcrypt\""],"ZekwaCrypt Ransomware":["misp-galaxy:ransomware=\"ZekwaCrypt Ransomware\""],"Zenis Ransomware":["misp-galaxy:ransomware=\"Zenis Ransomware\""],"ZeroCrypt Ransomware":["misp-galaxy:ransomware=\"ZeroCrypt Ransomware\""],"Zimbra":["misp-galaxy:ransomware=\"Zimbra\""],"ZinoCrypt Ransomware":["misp-galaxy:ransomware=\"ZinoCrypt Ransomware\""],"Russian":["misp-galaxy:ransomware=\"Zlader\""],"Zorro":["misp-galaxy:ransomware=\"Zorro\""],"Zyka Ransomware":["misp-galaxy:ransomware=\"Zyka Ransomware\""],"encryptoJJS":["misp-galaxy:ransomware=\"encryptoJJS\""],"garrantydecrypt":["misp-galaxy:ransomware=\"garrantydecrypt\""],"iLock":["misp-galaxy:ransomware=\"iLock\""],"iLockLight":["misp-galaxy:ransomware=\"iLockLight\""],"iRansom":["misp-galaxy:ransomware=\"iRansom\""],"n1n1n1":["misp-galaxy:ransomware=\"n1n1n1\""],"of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)":["misp-galaxy:ransomware=\"of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)\""],"qkG":["misp-galaxy:ransomware=\"qkG\""],"vxLock":["misp-galaxy:ransomware=\"vxLock\""],"zScreenLocker Ransomware":["misp-galaxy:ransomware=\"zScreenLocker Ransomware\""],"5p00f3r.N$ RAT":["misp-galaxy:rat=\"5p00f3r.N$ RAT\""],"9002":["misp-galaxy:rat=\"9002\""],"A32s RAT":["misp-galaxy:rat=\"A32s RAT\""],"A4Zeta":["misp-galaxy:rat=\"A4Zeta\""],"Adwind RAT":["misp-galaxy:rat=\"Adwind RAT\""],"UNiversal REmote COntrol Multi-Platform":["misp-galaxy:rat=\"Adwind RAT\""],"Adzok":["misp-galaxy:rat=\"Adzok\""],"AeroAdmin":["misp-galaxy:rat=\"AeroAdmin\""],"AhNyth Android":["misp-galaxy:rat=\"AhNyth Android\""],"Ahtapod":["misp-galaxy:rat=\"Ahtapod\""],"Albertino Advanced RAT":["misp-galaxy:rat=\"Albertino Advanced RAT\""],"Ammyy Admin":["misp-galaxy:rat=\"Ammyy Admin\""],"Ammyy":["misp-galaxy:rat=\"Ammyy Admin\""],"Androrat":["misp-galaxy:rat=\"Androrat\""],"AnyDesk":["misp-galaxy:rat=\"AnyDesk\""],"Arabian-Attacker RAT":["misp-galaxy:rat=\"Arabian-Attacker RAT\""],"Archelaus Beta":["misp-galaxy:rat=\"Archelaus Beta\""],"Arcom":["misp-galaxy:rat=\"Arcom\""],"Arctic R.A.T.":["misp-galaxy:rat=\"Arctic R.A.T.\""],"Artic":["misp-galaxy:rat=\"Arctic R.A.T.\""],"Assassin":["misp-galaxy:rat=\"Assassin\""],"Atelier Web Remote Commander":["misp-galaxy:rat=\"Atelier Web Remote Commander\""],"BBS RAT":["misp-galaxy:rat=\"BBS RAT\""],"BD Y3K RAT":["misp-galaxy:rat=\"BD Y3K RAT\""],"Back Door Y3K RAT":["misp-galaxy:rat=\"BD Y3K RAT\""],"Y3k":["misp-galaxy:rat=\"BD Y3K RAT\""],"BX":["misp-galaxy:rat=\"BX\""],"Babylon":["misp-galaxy:rat=\"Babylon\""],"Back Orifice 2000":["misp-galaxy:rat=\"Back Orifice 2000\""],"BO2k":["misp-galaxy:rat=\"Back Orifice 2000\""],"Back Orifice":["misp-galaxy:rat=\"Back Orifice\""],"BO":["misp-galaxy:rat=\"Back Orifice\""],"Bandook RAT":["misp-galaxy:rat=\"Bandook RAT\""],"Batch NET":["misp-galaxy:rat=\"Batch NET\""],"BeamYourScreen":["misp-galaxy:rat=\"BeamYourScreen\""],"Beast Trojan":["misp-galaxy:rat=\"Beast Trojan\""],"Bifrost":["misp-galaxy:rat=\"Bifrost\""],"Biodox":["misp-galaxy:rat=\"Biodox\""],"BlackNix":["misp-galaxy:rat=\"BlackNix\""],"Blackshades":["misp-galaxy:rat=\"Blackshades\"","misp-galaxy:tool=\"Blackshades\""],"Blizzard":["misp-galaxy:rat=\"Blizzard\""],"Blue Banana":["misp-galaxy:rat=\"Blue Banana\""],"Brat":["misp-galaxy:rat=\"Brat\""],"CIA RAT":["misp-galaxy:rat=\"CIA RAT\""],"CTOS":["misp-galaxy:rat=\"CTOS\""],"Caesar RAT":["misp-galaxy:rat=\"Caesar RAT\""],"Cardinal":["misp-galaxy:rat=\"Cardinal\""],"Casa RAT":["misp-galaxy:rat=\"Casa RAT\""],"Cerberus RAT":["misp-galaxy:rat=\"Cerberus RAT\""],"Char0n":["misp-galaxy:rat=\"Char0n\""],"Chrome Remote Desktop":["misp-galaxy:rat=\"Chrome Remote Desktop\""],"ClientMesh":["misp-galaxy:rat=\"ClientMesh\""],"Coldroot":["misp-galaxy:rat=\"Coldroot\""],"Comodo Unite":["misp-galaxy:rat=\"Comodo Unite\""],"CrossRat":["misp-galaxy:rat=\"CrossRat\""],"Cyber Eye RAT":["misp-galaxy:rat=\"Cyber Eye RAT\""],"DameWare Mini Remote Control":["misp-galaxy:rat=\"DameWare Mini Remote Control\""],"dameware":["misp-galaxy:rat=\"DameWare Mini Remote Control\""],"Dark DDoSeR":["misp-galaxy:rat=\"Dark DDoSeR\""],"Dark Comet":["misp-galaxy:rat=\"DarkComet\"","misp-galaxy:tool=\"Dark Comet\""],"DarkMoon":["misp-galaxy:rat=\"DarkMoon\""],"Dark Moon":["misp-galaxy:rat=\"DarkMoon\""],"DarkRat":["misp-galaxy:rat=\"DarkRat\""],"DarkRAT":["misp-galaxy:rat=\"DarkRat\""],"DarkTrack":["misp-galaxy:rat=\"DarkTrack\""],"Darknet RAT":["misp-galaxy:rat=\"Darknet RAT\""],"Dark NET RAT":["misp-galaxy:rat=\"Darknet RAT\""],"Deeper RAT":["misp-galaxy:rat=\"Deeper RAT\""],"DesktopNow":["misp-galaxy:rat=\"DesktopNow\""],"Erebus":["misp-galaxy:rat=\"Erebus\""],"FINSPY":["misp-galaxy:rat=\"FINSPY\"","misp-galaxy:tool=\"FINSPY\""],"Felipe":["misp-galaxy:rat=\"Felipe\""],"Felismus RAT":["misp-galaxy:rat=\"Felismus RAT\""],"FlawedAmmy":["misp-galaxy:rat=\"FlawedAmmy\""],"GOlden Phoenix":["misp-galaxy:rat=\"GOlden Phoenix\""],"Ucul":["misp-galaxy:rat=\"Ghost\""],"GraphicBooting":["misp-galaxy:rat=\"GraphicBooting\""],"Greame":["misp-galaxy:rat=\"Greame\""],"Greek Hackers RAT":["misp-galaxy:rat=\"Greek Hackers RAT\""],"H-w0rm":["misp-galaxy:rat=\"H-w0rm\""],"H-worm":["misp-galaxy:rat=\"H-worm\""],"HTTP WEB BACKDOOR":["misp-galaxy:rat=\"HTTP WEB BACKDOOR\""],"Hallaj PRO RAT":["misp-galaxy:rat=\"Hallaj PRO RAT\""],"Hav-RAT":["misp-galaxy:rat=\"Hav-RAT\""],"HawkEye":["misp-galaxy:rat=\"HawkEye\""],"Heseber":["misp-galaxy:rat=\"Heseber\""],"Imminent Monitor":["misp-galaxy:rat=\"Imminent Monitor\""],"Indetectables RAT":["misp-galaxy:rat=\"Indetectables RAT\""],"JCage":["misp-galaxy:rat=\"JCage\""],"Jfect":["misp-galaxy:rat=\"Jfect\""],"Kazybot":["misp-galaxy:rat=\"Kazybot\""],"KhRAT":["misp-galaxy:rat=\"KhRAT\""],"Kiler RAT":["misp-galaxy:rat=\"Kiler RAT\""],"Njw0rm":["misp-galaxy:rat=\"Kiler RAT\"","misp-galaxy:rat=\"NJRat\""],"Killer RAT":["misp-galaxy:rat=\"Killer RAT\""],"KjW0rm":["misp-galaxy:rat=\"KjW0rm\"","misp-galaxy:tool=\"KjW0rm\""],"Lanfiltrator":["misp-galaxy:rat=\"Lanfiltrator\""],"LeGeNd":["misp-galaxy:rat=\"LeGeNd\""],"LiteManager":["misp-galaxy:rat=\"LiteManager\""],"Loki RAT":["misp-galaxy:rat=\"Loki RAT\""],"LokiTech":["misp-galaxy:rat=\"LokiTech\""],"Lost Door":["misp-galaxy:rat=\"Lost Door\""],"LostDoor":["misp-galaxy:rat=\"Lost Door\""],"Luminosity Link":["misp-galaxy:rat=\"Luminosity Link\""],"LuxNET":["misp-galaxy:rat=\"LuxNET\""],"MINI-MO":["misp-galaxy:rat=\"MINI-MO\""],"MLRat":["misp-galaxy:rat=\"MLRat\""],"MRA RAT":["misp-galaxy:rat=\"MRA RAT\""],"MadRAT":["misp-galaxy:rat=\"MadRAT\""],"Mangit":["misp-galaxy:rat=\"Mangit\""],"Matryoshka":["misp-galaxy:rat=\"Matryoshka\"","misp-galaxy:tool=\"Matryoshka\""],"Mega":["misp-galaxy:rat=\"Mega\""],"MegaTrojan":["misp-galaxy:rat=\"MegaTrojan\""],"Minimo":["misp-galaxy:rat=\"Minimo\""],"MoSucker":["misp-galaxy:rat=\"MoSucker\""],"MofoTro":["misp-galaxy:rat=\"MofoTro\""],"NET-MONITOR PRO":["misp-galaxy:rat=\"NET-MONITOR PRO\""],"NJRat":["misp-galaxy:rat=\"NJRat\""],"Net Devil":["misp-galaxy:rat=\"Net Devil\""],"NetDevil":["misp-galaxy:rat=\"Net Devil\"","misp-galaxy:rat=\"NetDevil\""],"Netbus":["misp-galaxy:rat=\"Netbus\""],"NetBus":["misp-galaxy:rat=\"Netbus\""],"Netsupport Manager":["misp-galaxy:rat=\"Netsupport Manager\""],"Netwire":["misp-galaxy:rat=\"Netwire\""],"NewCore":["misp-galaxy:rat=\"NewCore\""],"Nova":["misp-galaxy:rat=\"Nova\""],"Nuclear RAT":["misp-galaxy:rat=\"Nuclear RAT\""],"NukeSped":["misp-galaxy:rat=\"NukeSped\""],"Nytro":["misp-galaxy:rat=\"Nytro\""],"Offence":["misp-galaxy:rat=\"Offence\""],"Optix Pro":["misp-galaxy:rat=\"Optix Pro\""],"Orcus":["misp-galaxy:rat=\"Orcus\""],"Ozone":["misp-galaxy:rat=\"Ozone\""],"P. Storrie RAT":["misp-galaxy:rat=\"P. Storrie RAT\""],"P.Storrie RAT":["misp-galaxy:rat=\"P. Storrie RAT\""],"Pain RAT":["misp-galaxy:rat=\"Pain RAT\""],"Pandora":["misp-galaxy:rat=\"Pandora\""],"Paradox":["misp-galaxy:rat=\"Paradox\""],"Parasite-HTTP-RAT":["misp-galaxy:rat=\"Parasite-HTTP-RAT\""],"PentagonRAT":["misp-galaxy:rat=\"PentagonRAT\""],"Plasma RAT":["misp-galaxy:rat=\"Plasma RAT\""],"Pocket RAT":["misp-galaxy:rat=\"Pocket RAT\""],"Backdoor.Win32.PoisonIvy":["misp-galaxy:rat=\"PoisonIvy\"","misp-galaxy:tool=\"Poison Ivy\""],"Gen:Trojan.Heur.PT":["misp-galaxy:rat=\"PoisonIvy\"","misp-galaxy:tool=\"Poison Ivy\""],"PowerRAT":["misp-galaxy:rat=\"PowerRAT\""],"PredatorPain":["misp-galaxy:rat=\"Predator Pain\""],"ProRat":["misp-galaxy:rat=\"ProRat\""],"Punisher RAT":["misp-galaxy:rat=\"Punisher RAT\""],"Qarallax":["misp-galaxy:rat=\"Qarallax\""],"qrat":["misp-galaxy:rat=\"Qarallax\"","misp-galaxy:tool=\"qrat\""],"Quaverse":["misp-galaxy:rat=\"Quaverse\""],"QRAT":["misp-galaxy:rat=\"Quaverse\""],"RATAttack":["misp-galaxy:rat=\"RATAttack\""],"RWX RAT":["misp-galaxy:rat=\"RWX RAT\""],"RaTRon":["misp-galaxy:rat=\"RaTRon\""],"RealVNC":["misp-galaxy:rat=\"RealVNC\""],"VNC Connect":["misp-galaxy:rat=\"RealVNC\""],"VNC Viewer":["misp-galaxy:rat=\"RealVNC\""],"Remote Utilities":["misp-galaxy:rat=\"Remote Utilities\""],"RemotePC":["misp-galaxy:rat=\"RemotePC\""],"RevCode":["misp-galaxy:rat=\"RevCode\""],"Revenge-RAT":["misp-galaxy:rat=\"Revenge-RAT\""],"Rottie3":["misp-galaxy:rat=\"Rottie3\""],"Sandro RAT":["misp-galaxy:rat=\"Sandro RAT\""],"Schwarze-Sonne-RAT":["misp-galaxy:rat=\"Schwarze-Sonne-RAT\""],"SS-RAT":["misp-galaxy:rat=\"Schwarze-Sonne-RAT\""],"Schwarze Sonne":["misp-galaxy:rat=\"Schwarze-Sonne-RAT\""],"Seecreen":["misp-galaxy:rat=\"Seecreen\""],"Firnass":["misp-galaxy:rat=\"Seecreen\""],"Seed RAT":["misp-galaxy:rat=\"Seed RAT\""],"Setro":["misp-galaxy:rat=\"Setro\""],"SharK":["misp-galaxy:rat=\"SharK\""],"SHARK":["misp-galaxy:rat=\"SharK\""],"SharpBot":["misp-galaxy:rat=\"SharpBot\""],"SharpEye":["misp-galaxy:rat=\"SharpEye\""],"ShowMyPC":["misp-galaxy:rat=\"ShowMyPC\""],"Sky Wyder":["misp-galaxy:rat=\"Sky Wyder\""],"Small-Net":["misp-galaxy:rat=\"Small-Net\""],"SmallNet":["misp-galaxy:rat=\"Small-Net\""],"Snoopy":["misp-galaxy:rat=\"Snoopy\""],"Snowdoor":["misp-galaxy:rat=\"Snowdoor\""],"Backdoor.Blizzard":["misp-galaxy:rat=\"Snowdoor\""],"Backdoor.Fxdoor":["misp-galaxy:rat=\"Snowdoor\""],"Backdoor.Snowdoor":["misp-galaxy:rat=\"Snowdoor\""],"Backdoor:Win32\/Snowdoor":["misp-galaxy:rat=\"Snowdoor\""],"Socket23":["misp-galaxy:rat=\"Socket23\""],"SocketPlayer":["misp-galaxy:rat=\"SocketPlayer\""],"Sparta RAT":["misp-galaxy:rat=\"Sparta RAT\""],"SpyCronic":["misp-galaxy:rat=\"SpyCronic\""],"SpyGate":["misp-galaxy:rat=\"SpyGate\""],"Spymaster Pro":["misp-galaxy:rat=\"Spymaster Pro\""],"Spynet":["misp-galaxy:rat=\"Spynet\""],"Sub7":["misp-galaxy:rat=\"Sub7\""],"SubSeven":["misp-galaxy:rat=\"Sub7\""],"Sub7Server":["misp-galaxy:rat=\"Sub7\""],"Syla":["misp-galaxy:rat=\"Syla\""],"Syndrome RAT":["misp-galaxy:rat=\"Syndrome RAT\""],"TINY":["misp-galaxy:rat=\"TINY\""],"TSCookieRAT":["misp-galaxy:rat=\"TSCookieRAT\""],"TeamViewer":["misp-galaxy:rat=\"TeamViewer\""],"Tequila Bandita":["misp-galaxy:rat=\"Tequila Bandita\""],"TheFat RAT":["misp-galaxy:rat=\"TheFat RAT\""],"TheOneSpy":["misp-galaxy:rat=\"TheOneSpy\""],"Theef":["misp-galaxy:rat=\"Theef\""],"Toquito Bandito":["misp-galaxy:rat=\"Toquito Bandito\""],"TorCT PHP RAT":["misp-galaxy:rat=\"TorCT PHP RAT\""],"Trochilus":["misp-galaxy:rat=\"Trochilus\"","misp-galaxy:tool=\"Trochilus\""],"Turkojan":["misp-galaxy:rat=\"Turkojan\""],"UNITEDRAKE":["misp-galaxy:rat=\"UNITEDRAKE\""],"Ultra VNC":["misp-galaxy:rat=\"Ultra VNC\""],"Vanguard":["misp-galaxy:rat=\"Vanguard\""],"Vantom":["misp-galaxy:rat=\"Vantom\""],"Venomous Ivy":["misp-galaxy:rat=\"Venomous Ivy\""],"Virus RAT":["misp-galaxy:rat=\"Virus RAT\""],"VorteX":["misp-galaxy:rat=\"VorteX\""],"Vortex":["misp-galaxy:rat=\"Vortex\""],"WiRAT":["misp-galaxy:rat=\"WiRAT\""],"Win32.HsIdir":["misp-galaxy:rat=\"Win32.HsIdir\""],"Windows Remote Desktop":["misp-galaxy:rat=\"Windows Remote Desktop\""],"Xanity":["misp-galaxy:rat=\"Xanity\""],"Xena":["misp-galaxy:rat=\"Xena\""],"Xpert":["misp-galaxy:rat=\"Xpert\""],"Xploit":["misp-galaxy:rat=\"Xploit\""],"Xsser":["misp-galaxy:rat=\"Xsser\""],"mRAT":["misp-galaxy:rat=\"Xsser\""],"XtremeRAT":["misp-galaxy:rat=\"XtremeRAT\""],"Xyligan":["misp-galaxy:rat=\"Xyligan\""],"ZOMBIE SLAYER":["misp-galaxy:rat=\"ZOMBIE SLAYER\""],"death":["misp-galaxy:rat=\"death\""],"drat":["misp-galaxy:rat=\"drat\""],"JacksBot":["misp-galaxy:rat=\"jRAT\""],"joanap":["misp-galaxy:rat=\"joanap\""],"join.me":["misp-galaxy:rat=\"join.me\""],"miniRAT":["misp-galaxy:rat=\"miniRAT\""],"rokrat":["misp-galaxy:rat=\"rokrat\""],"vjw0rm 0.1":["misp-galaxy:rat=\"vjw0rm 0.1\""],"xHacker Pro RAT":["misp-galaxy:rat=\"xHacker Pro RAT\""],"Academia - University":["misp-galaxy:sector=\"Academia - University\""],"Accounting":["misp-galaxy:sector=\"Accounting\""],"Activists":["misp-galaxy:sector=\"Activists\""],"Advertising":["misp-galaxy:sector=\"Advertising\""],"Aerospace":["misp-galaxy:sector=\"Aerospace\""],"Agriculture":["misp-galaxy:sector=\"Agriculture\""],"Arts":["misp-galaxy:sector=\"Arts\""],"Automotive":["misp-galaxy:sector=\"Automotive\""],"Bank":["misp-galaxy:sector=\"Bank\""],"Biomedical":["misp-galaxy:sector=\"Biomedical\""],"Casino":["misp-galaxy:sector=\"Casino\""],"Chemical":["misp-galaxy:sector=\"Chemical\""],"Citizens":["misp-galaxy:sector=\"Citizens\""],"Civil Aviation":["misp-galaxy:sector=\"Civil Aviation\""],"Civil society":["misp-galaxy:sector=\"Civil society\""],"Communication equipment":["misp-galaxy:sector=\"Communication equipment\""],"Construction":["misp-galaxy:sector=\"Construction\""],"Consulting":["misp-galaxy:sector=\"Consulting\""],"Country":["misp-galaxy:sector=\"Country\""],"Culture":["misp-galaxy:sector=\"Culture\""],"DNS service provider":["misp-galaxy:sector=\"DNS service provider\""],"Data Broker":["misp-galaxy:sector=\"Data Broker\""],"Defense":["misp-galaxy:sector=\"Defense\""],"Development":["misp-galaxy:sector=\"Development\""],"Digital infrastructure":["misp-galaxy:sector=\"Digital infrastructure\""],"Digital services":["misp-galaxy:sector=\"Digital services\""],"Diplomacy":["misp-galaxy:sector=\"Diplomacy\""],"Dissidents":["misp-galaxy:sector=\"Dissidents\""],"Education":["misp-galaxy:sector=\"Education\""],"Electric":["misp-galaxy:sector=\"Electric\""],"Electronic":["misp-galaxy:sector=\"Electronic\""],"Employment":["misp-galaxy:sector=\"Employment\""],"Energy":["misp-galaxy:sector=\"Energy\""],"Entertainment":["misp-galaxy:sector=\"Entertainment\""],"Environment":["misp-galaxy:sector=\"Environment\""],"Finance":["misp-galaxy:sector=\"Finance\""],"Food":["misp-galaxy:sector=\"Food\""],"Game":["misp-galaxy:sector=\"Game\""],"Gas":["misp-galaxy:sector=\"Gas\""],"Government, Administration":["misp-galaxy:sector=\"Government, Administration\""],"Health":["misp-galaxy:sector=\"Health\""],"High tech":["misp-galaxy:sector=\"High tech\""],"Higher education":["misp-galaxy:sector=\"Higher education\""],"Hospitality":["misp-galaxy:sector=\"Hospitality\""],"Hotels":["misp-galaxy:sector=\"Hotels\""],"IT - Hacker":["misp-galaxy:sector=\"IT - Hacker\""],"IT - ISP":["misp-galaxy:sector=\"IT - ISP\""],"IT - Security":["misp-galaxy:sector=\"IT - Security\""],"IT":["misp-galaxy:sector=\"IT\""],"Immigration":["misp-galaxy:sector=\"Immigration\""],"Industrial":["misp-galaxy:sector=\"Industrial\""],"Infrastructure":["misp-galaxy:sector=\"Infrastructure\""],"Insurance":["misp-galaxy:sector=\"Insurance\""],"Intelligence":["misp-galaxy:sector=\"Intelligence\""],"Investment":["misp-galaxy:sector=\"Investment\""],"Islamic forums":["misp-galaxy:sector=\"Islamic forums\""],"Islamic organisation":["misp-galaxy:sector=\"Islamic organisation\""],"Journalist":["misp-galaxy:sector=\"Journalist\""],"Justice":["misp-galaxy:sector=\"Justice\""],"Lawyers":["misp-galaxy:sector=\"Lawyers\""],"Legal":["misp-galaxy:sector=\"Legal\""],"Life science":["misp-galaxy:sector=\"Life science\""],"Logistic":["misp-galaxy:sector=\"Logistic\""],"Managed Services Provider":["misp-galaxy:sector=\"Managed Services Provider\""],"Manufacturing":["misp-galaxy:sector=\"Manufacturing\""],"Maritime":["misp-galaxy:sector=\"Maritime\""],"Marketing":["misp-galaxy:sector=\"Marketing\""],"Metal":["misp-galaxy:sector=\"Metal\""],"Military":["misp-galaxy:sector=\"Military\""],"Mining":["misp-galaxy:sector=\"Mining\""],"Multi-sector":["misp-galaxy:sector=\"Multi-sector\""],"NGO":["misp-galaxy:sector=\"NGO\""],"News - Media":["misp-galaxy:sector=\"News - Media\""],"Oil":["misp-galaxy:sector=\"Oil\""],"Online marketplace":["misp-galaxy:sector=\"Online marketplace\""],"Opposition":["misp-galaxy:sector=\"Opposition\""],"Other":["misp-galaxy:sector=\"Other\""],"Payment":["misp-galaxy:sector=\"Payment\""],"Petrochemical":["misp-galaxy:sector=\"Petrochemical\""],"Pharmacy":["misp-galaxy:sector=\"Pharmacy\""],"Police - Law enforcement":["misp-galaxy:sector=\"Police - Law enforcement\""],"Political party":["misp-galaxy:sector=\"Political party\""],"Programming":["misp-galaxy:sector=\"Programming\""],"Publishing industry":["misp-galaxy:sector=\"Publishing industry\""],"Railway":["misp-galaxy:sector=\"Railway\""],"Research - Innovation":["misp-galaxy:sector=\"Research - Innovation\""],"Restaurant":["misp-galaxy:sector=\"Restaurant\""],"Retail":["misp-galaxy:sector=\"Retail\""],"Satellite navigation":["misp-galaxy:sector=\"Satellite navigation\""],"Security Service":["misp-galaxy:sector=\"Security Service\""],"Security actors":["misp-galaxy:sector=\"Security actors\""],"Security systems":["misp-galaxy:sector=\"Security systems\""],"Semi-conductors":["misp-galaxy:sector=\"Semi-conductors\""],"Separatists":["misp-galaxy:sector=\"Separatists\""],"Shipping":["misp-galaxy:sector=\"Shipping\""],"Smart meter":["misp-galaxy:sector=\"Smart meter\""],"Social networks":["misp-galaxy:sector=\"Social networks\""],"Space":["misp-galaxy:sector=\"Space\""],"Steel":["misp-galaxy:sector=\"Steel\""],"Streaming service":["misp-galaxy:sector=\"Streaming service\""],"Tax firm":["misp-galaxy:sector=\"Tax firm\""],"Technology":["misp-galaxy:sector=\"Technology\""],"Telecoms":["misp-galaxy:sector=\"Telecoms\""],"Television broadcast":["misp-galaxy:sector=\"Television broadcast\""],"Think Tanks":["misp-galaxy:sector=\"Think Tanks\""],"Tourism":["misp-galaxy:sector=\"Tourism\""],"Trade":["misp-galaxy:sector=\"Trade\""],"Transport":["misp-galaxy:sector=\"Transport\""],"Travel":["misp-galaxy:sector=\"Travel\""],"Turbine":["misp-galaxy:sector=\"Turbine\""],"Veterinary":["misp-galaxy:sector=\"Veterinary\""],"Video Sharing":["misp-galaxy:sector=\"Video Sharing\""],"Water":["misp-galaxy:sector=\"Water\""],"eCommerce":["misp-galaxy:sector=\"eCommerce\""],"engineering":["misp-galaxy:sector=\"engineering\""],"AZORult":["misp-galaxy:stealer=\"AZORult\""],"TeleGrab":["misp-galaxy:stealer=\"TeleGrab\""],"Vidar":["misp-galaxy:stealer=\"Vidar\""],"BlackHat TDS":["misp-galaxy:tds=\"BlackHat TDS\""],"BlackTDS":["misp-galaxy:tds=\"BlackTDS\""],"BossTDS":["misp-galaxy:tds=\"BossTDS\""],"Futuristic TDS":["misp-galaxy:tds=\"Futuristic TDS\""],"Keitaro":["misp-galaxy:tds=\"Keitaro\""],"Orchid TDS":["misp-galaxy:tds=\"Orchid TDS\""],"ShadowTDS":["misp-galaxy:tds=\"ShadowTDS\""],"SimpleTDS":["misp-galaxy:tds=\"SimpleTDS\""],"Stds":["misp-galaxy:tds=\"SimpleTDS\""],"Sutra":["misp-galaxy:tds=\"Sutra\""],"zTDS":["misp-galaxy:tds=\"zTDS\""]," Stealth Mango and Tangelo ":["misp-galaxy:threat-actor=\" Stealth Mango and Tangelo \""],"ALLANITE":["misp-galaxy:threat-actor=\"ALLANITE\""],"Palmetto Fusion":["misp-galaxy:threat-actor=\"ALLANITE\""],"Allanite":["misp-galaxy:threat-actor=\"ALLANITE\""],"APT 16":["misp-galaxy:threat-actor=\"APT 16\""],"SVCMONDR":["misp-galaxy:threat-actor=\"APT 16\"","misp-galaxy:threat-actor=\"SVCMONDR\""],"APT 22":["misp-galaxy:threat-actor=\"APT 22\""],"APT22":["misp-galaxy:threat-actor=\"APT 22\""],"APT 26":["misp-galaxy:threat-actor=\"APT 26\""],"APT26":["misp-galaxy:threat-actor=\"APT 26\""],"Hippo Team":["misp-galaxy:threat-actor=\"APT 26\"","misp-galaxy:threat-actor=\"Turla Group\""],"JerseyMikes":["misp-galaxy:threat-actor=\"APT 26\""],"Turbine Panda":["misp-galaxy:threat-actor=\"APT 26\""],"APT 29":["misp-galaxy:threat-actor=\"APT 29\""],"Dukes":["misp-galaxy:threat-actor=\"APT 29\""],"Group 100":["misp-galaxy:threat-actor=\"APT 29\""],"Cozy Duke":["misp-galaxy:threat-actor=\"APT 29\""],"Office Monkeys":["misp-galaxy:threat-actor=\"APT 29\""],"OfficeMonkeys":["misp-galaxy:threat-actor=\"APT 29\""],"Minidionis":["misp-galaxy:threat-actor=\"APT 29\""],"Hammer Toss":["misp-galaxy:threat-actor=\"APT 29\""],"Iron Hemlock":["misp-galaxy:threat-actor=\"APT 29\""],"Grizzly Steppe":["misp-galaxy:threat-actor=\"APT 29\"","misp-galaxy:threat-actor=\"Sofacy\""],"APT 30":["misp-galaxy:threat-actor=\"APT 30\"","misp-galaxy:threat-actor=\"Naikon\""],"APT 6":["misp-galaxy:threat-actor=\"APT 6\""],"1.php Group":["misp-galaxy:threat-actor=\"APT 6\""],"APT6":["misp-galaxy:threat-actor=\"APT 6\""],"APT-C-27":["misp-galaxy:threat-actor=\"APT-C-27\""],"GoldMouse":["misp-galaxy:threat-actor=\"APT-C-27\""],"APT-C-35":["misp-galaxy:threat-actor=\"APT-C-35\"","misp-galaxy:threat-actor=\"APT-C-35\""],"DoNot Team":["misp-galaxy:threat-actor=\"APT-C-35\""],"Donot Team":["misp-galaxy:threat-actor=\"APT-C-35\""],"APT-C-36":["misp-galaxy:threat-actor=\"APT-C-36\""],"Blind Eagle":["misp-galaxy:threat-actor=\"APT-C-36\""],"APT.3102":["misp-galaxy:threat-actor=\"APT.3102\""],"APT31":["misp-galaxy:threat-actor=\"APT31\"","misp-galaxy:threat-actor=\"Hurricane Panda\""],"APT 31":["misp-galaxy:threat-actor=\"APT31\"","misp-galaxy:threat-actor=\"Hurricane Panda\""],"Ocean Lotus":["misp-galaxy:threat-actor=\"APT32\""],"Cobalt Kitty":["misp-galaxy:threat-actor=\"APT32\""],"Sea Lotus":["misp-galaxy:threat-actor=\"APT32\""],"APT-32":["misp-galaxy:threat-actor=\"APT32\""],"APT 32":["misp-galaxy:threat-actor=\"APT32\""],"Ocean Buffalo":["misp-galaxy:threat-actor=\"APT32\""],"APT 33":["misp-galaxy:threat-actor=\"APT33\""],"MAGNALLIUM":["misp-galaxy:threat-actor=\"APT33\"","misp-galaxy:threat-actor=\"MAGNALLIUM\""],"Refined Kitten":["misp-galaxy:threat-actor=\"APT33\""],"APT 34":["misp-galaxy:threat-actor=\"APT34\"","misp-galaxy:threat-actor=\"OilRig\""],"APT 35":["misp-galaxy:threat-actor=\"APT35\"","misp-galaxy:threat-actor=\"Cleaver\""],"Newscaster Team":["misp-galaxy:threat-actor=\"APT35\""],"APT 37":["misp-galaxy:threat-actor=\"APT37\""],"Group 123":["misp-galaxy:threat-actor=\"APT37\""],"Starcruft":["misp-galaxy:threat-actor=\"APT37\""],"Reaper Group":["misp-galaxy:threat-actor=\"APT37\""],"Red Eyes":["misp-galaxy:threat-actor=\"APT37\""],"Ricochet Chollima":["misp-galaxy:threat-actor=\"APT37\""],"Operation Daybreak":["misp-galaxy:threat-actor=\"APT37\"","misp-galaxy:threat-actor=\"ScarCruft\""],"Operation Erebus":["misp-galaxy:threat-actor=\"APT37\"","misp-galaxy:threat-actor=\"ScarCruft\""],"Venus 121":["misp-galaxy:threat-actor=\"APT37\""],"APT 39":["misp-galaxy:threat-actor=\"APT39\""],"APT5":["misp-galaxy:threat-actor=\"APT5\""],"Anchor Panda":["misp-galaxy:threat-actor=\"Anchor Panda\"","misp-galaxy:tool=\"Torn RAT\""],"APT14":["misp-galaxy:threat-actor=\"Anchor Panda\""],"APT 14":["misp-galaxy:threat-actor=\"Anchor Panda\""],"QAZTeam":["misp-galaxy:threat-actor=\"Anchor Panda\""],"ALUMINUM":["misp-galaxy:threat-actor=\"Anchor Panda\""],"Andromeda Spider":["misp-galaxy:threat-actor=\"Andromeda Spider\""],"AridViper":["misp-galaxy:threat-actor=\"AridViper\""],"Desert Falcon":["misp-galaxy:threat-actor=\"AridViper\""],"Arid Viper":["misp-galaxy:threat-actor=\"AridViper\""],"APT-C-23":["misp-galaxy:threat-actor=\"AridViper\""],"Aslan Neferler Tim":["misp-galaxy:threat-actor=\"Aslan Neferler Tim\""],"Lion Soldiers Team":["misp-galaxy:threat-actor=\"Aslan Neferler Tim\""],"Phantom Turk":["misp-galaxy:threat-actor=\"Aslan Neferler Tim\""],"Aurora Panda":["misp-galaxy:threat-actor=\"Aurora Panda\""],"APT 17":["misp-galaxy:threat-actor=\"Aurora Panda\"","misp-galaxy:threat-actor=\"Axiom\""],"Group 8":["misp-galaxy:threat-actor=\"Aurora Panda\""],"Hidden Lynx":["misp-galaxy:threat-actor=\"Aurora Panda\""],"Tailgater Team":["misp-galaxy:threat-actor=\"Aurora Panda\"","misp-galaxy:threat-actor=\"Axiom\""],"Dogfish":["misp-galaxy:threat-actor=\"Aurora Panda\"","misp-galaxy:threat-actor=\"Axiom\""],"Group72":["misp-galaxy:threat-actor=\"Axiom\""],"Tailgater":["misp-galaxy:threat-actor=\"Axiom\""],"Ragebeast":["misp-galaxy:threat-actor=\"Axiom\""],"Lead":["misp-galaxy:threat-actor=\"Axiom\""],"Wicked Spider":["misp-galaxy:threat-actor=\"Axiom\""],"Wicked Panda":["misp-galaxy:threat-actor=\"Axiom\""],"Barium":["misp-galaxy:threat-actor=\"Axiom\""],"Ayy\u0131ld\u0131z Tim":["misp-galaxy:threat-actor=\"Ayy\u0131ld\u0131z Tim\""],"Crescent and Star":["misp-galaxy:threat-actor=\"Ayy\u0131ld\u0131z Tim\""],"Bahamut":["misp-galaxy:threat-actor=\"Bahamut\""],"SIG22":["misp-galaxy:threat-actor=\"Beijing Group\""],"Big Panda":["misp-galaxy:threat-actor=\"Big Panda\""],"BlackTech":["misp-galaxy:threat-actor=\"BlackTech\""],"Blackgear":["misp-galaxy:threat-actor=\"Blackgear\""],"Topgear":["misp-galaxy:threat-actor=\"Blackgear\""],"BLACKGEAR":["misp-galaxy:threat-actor=\"Blackgear\""],"Blue Termite":["misp-galaxy:threat-actor=\"Blue Termite\""],"Cloudy Omega":["misp-galaxy:threat-actor=\"Blue Termite\""],"Boss Spider":["misp-galaxy:threat-actor=\"Boss Spider\""],"Boulder Bear":["misp-galaxy:threat-actor=\"Boulder Bear\""],"BuhTrap":["misp-galaxy:threat-actor=\"BuhTrap\""],"CHRYSENE":["misp-galaxy:threat-actor=\"CHRYSENE\""],"Greenbug":["misp-galaxy:threat-actor=\"CHRYSENE\"","misp-galaxy:threat-actor=\"Greenbug\""],"COBALT DICKENS":["misp-galaxy:threat-actor=\"COBALT DICKENS\"","misp-galaxy:threat-actor=\"Silent Librarian\""],"Cobalt Dickens":["misp-galaxy:threat-actor=\"COBALT DICKENS\""],"COVELLITE":["misp-galaxy:threat-actor=\"COVELLITE\""],"Lazarus":["misp-galaxy:threat-actor=\"COVELLITE\""],"Hidden Cobra":["misp-galaxy:threat-actor=\"COVELLITE\"","misp-galaxy:threat-actor=\"Lazarus Group\""],"Callisto":["misp-galaxy:threat-actor=\"Callisto\""],"The Mask":["misp-galaxy:threat-actor=\"Careto\""],"Ugly Face":["misp-galaxy:threat-actor=\"Careto\""],"Parastoo":["misp-galaxy:threat-actor=\"Charming Kitten\""],"iKittens":["misp-galaxy:threat-actor=\"Charming Kitten\""],"Group 83":["misp-galaxy:threat-actor=\"Charming Kitten\""],"Newsbeef":["misp-galaxy:threat-actor=\"Charming Kitten\""],"NewsBeef":["misp-galaxy:threat-actor=\"Charming Kitten\""],"Operation Cleaver":["misp-galaxy:threat-actor=\"Cleaver\""],"Tarh Andishan":["misp-galaxy:threat-actor=\"Cleaver\""],"Alibaba":["misp-galaxy:threat-actor=\"Cleaver\""],"2889":["misp-galaxy:threat-actor=\"Cleaver\""],"Rocket_Kitten":["misp-galaxy:threat-actor=\"Cleaver\""],"Cutting Kitten":["misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"Cutting Kitten\""],"Group 41":["misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"Clever Kitten\""],"TEMP.Beanie":["misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"Rocket Kitten\""],"Ghambar":["misp-galaxy:threat-actor=\"Cleaver\"","misp-galaxy:threat-actor=\"Cutting Kitten\""],"Clever Kitten":["misp-galaxy:threat-actor=\"Clever Kitten\""],"Cloud Atlas":["misp-galaxy:threat-actor=\"Cloud Atlas\""],"Cobalt":["misp-galaxy:threat-actor=\"Cobalt\""],"Cobalt group":["misp-galaxy:threat-actor=\"Cobalt\""],"Cobalt gang":["misp-galaxy:threat-actor=\"Cobalt\""],"GOLD KINGSWOOD":["misp-galaxy:threat-actor=\"Cobalt\""],"C0d0so":["misp-galaxy:threat-actor=\"Codoso\""],"APT 19":["misp-galaxy:threat-actor=\"Codoso\"","misp-galaxy:threat-actor=\"Shell Crew\""],"Cold River":["misp-galaxy:threat-actor=\"Cold River\""],"Nahr Elbard":["misp-galaxy:threat-actor=\"Cold River\""],"Nahr el bared":["misp-galaxy:threat-actor=\"Cold River\""],"PLA Unit 61398":["misp-galaxy:threat-actor=\"Comment Crew\""],"APT 1":["misp-galaxy:threat-actor=\"Comment Crew\""],"Advanced Persistent Threat 1":["misp-galaxy:threat-actor=\"Comment Crew\""],"Byzantine Candor":["misp-galaxy:threat-actor=\"Comment Crew\""],"Group 3":["misp-galaxy:threat-actor=\"Comment Crew\""],"TG-8223":["misp-galaxy:threat-actor=\"Comment Crew\""],"Brown Fox":["misp-galaxy:threat-actor=\"Comment Crew\""],"GIF89a":["misp-galaxy:threat-actor=\"Comment Crew\""],"ShadyRAT":["misp-galaxy:threat-actor=\"Comment Crew\""],"Shanghai Group":["misp-galaxy:threat-actor=\"Comment Crew\""],"Slayer Kitten":["misp-galaxy:threat-actor=\"CopyKittens\""],"Corsair Jackal":["misp-galaxy:threat-actor=\"Corsair Jackal\""],"TunisianCyberArmy":["misp-galaxy:threat-actor=\"Corsair Jackal\""],"ITSecTeam":["misp-galaxy:threat-actor=\"Cutting Kitten\""],"Cyber Berkut":["misp-galaxy:threat-actor=\"Cyber Berkut\""],"Cyber Caliphate Army":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"Islamic State Hacking Division":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"CCA":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"United Cyber Caliphate":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"UUC":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"CyberCaliphate":["misp-galaxy:threat-actor=\"Cyber Caliphate Army\""],"Cyber fighters of Izz Ad-Din Al Qassam":["misp-galaxy:threat-actor=\"Cyber fighters of Izz Ad-Din Al Qassam\""],"Fraternal Jackal":["misp-galaxy:threat-actor=\"Cyber fighters of Izz Ad-Din Al Qassam\""],"DYMALLOY":["misp-galaxy:threat-actor=\"DYMALLOY\""],"Dragonfly2":["misp-galaxy:threat-actor=\"DYMALLOY\""],"Berserker Bear":["misp-galaxy:threat-actor=\"DYMALLOY\""],"Danti":["misp-galaxy:threat-actor=\"Danti\""],"Fallout Team":["misp-galaxy:threat-actor=\"DarkHotel\""],"Karba":["misp-galaxy:threat-actor=\"DarkHotel\""],"Luder":["misp-galaxy:threat-actor=\"DarkHotel\""],"Nemin":["misp-galaxy:threat-actor=\"DarkHotel\""],"Pioneer":["misp-galaxy:threat-actor=\"DarkHotel\""],"Shadow Crane":["misp-galaxy:threat-actor=\"DarkHotel\""],"APT-C-06":["misp-galaxy:threat-actor=\"DarkHotel\""],"SIG25":["misp-galaxy:threat-actor=\"DarkHotel\""],"LazyMeerkat":["misp-galaxy:threat-actor=\"DarkHydrus\""],"DarkVishnya":["misp-galaxy:threat-actor=\"DarkVishnya\""],"Deadeye Jackal":["misp-galaxy:threat-actor=\"Deadeye Jackal\""],"SyrianElectronicArmy":["misp-galaxy:threat-actor=\"Deadeye Jackal\""],"SEA":["misp-galaxy:threat-actor=\"Deadeye Jackal\""],"Dextorous Spider":["misp-galaxy:threat-actor=\"Dextorous Spider\""],"Dizzy Panda":["misp-galaxy:threat-actor=\"Dizzy Panda\""],"LadyBoyle":["misp-galaxy:threat-actor=\"Dizzy Panda\""],"Domestic Kitten":["misp-galaxy:threat-actor=\"Domestic Kitten\""],"Monsoon":["misp-galaxy:threat-actor=\"Dropping Elephant\""],"Sarit":["misp-galaxy:threat-actor=\"Dropping Elephant\""],"Quilted Tiger":["misp-galaxy:threat-actor=\"Dropping Elephant\""],"APT-C-09":["misp-galaxy:threat-actor=\"Dropping Elephant\""],"Dungeon Spider":["misp-galaxy:threat-actor=\"Dungeon Spider\""],"ELECTRUM":["misp-galaxy:threat-actor=\"ELECTRUM\""],"Sandworm":["misp-galaxy:threat-actor=\"ELECTRUM\"","misp-galaxy:threat-actor=\"Sandworm\"","misp-galaxy:threat-actor=\"TeleBots\""],"Electric Panda":["misp-galaxy:threat-actor=\"Electric Panda\""],"Eloquent Panda":["misp-galaxy:threat-actor=\"Eloquent Panda\""],"APT 27":["misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"TEMP.Hippo":["misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"Group 35":["misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"Bronze Union":["misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"ZipToken":["misp-galaxy:threat-actor=\"Emissary Panda\"","misp-galaxy:threat-actor=\"LuckyMouse\""],"HIPPOTeam":["misp-galaxy:threat-actor=\"Emissary Panda\""],"Operation Iron Tiger":["misp-galaxy:threat-actor=\"Emissary Panda\""],"Iron Tiger APT":["misp-galaxy:threat-actor=\"Emissary Panda\""],"Crouching Yeti":["misp-galaxy:threat-actor=\"Energetic Bear\""],"Group 24":["misp-galaxy:threat-actor=\"Energetic Bear\""],"CrouchingYeti":["misp-galaxy:threat-actor=\"Energetic Bear\""],"Koala Team":["misp-galaxy:threat-actor=\"Energetic Bear\""],"Equation Group":["misp-galaxy:threat-actor=\"Equation Group\""],"Tilded Team":["misp-galaxy:threat-actor=\"Equation Group\""],"Lamberts":["misp-galaxy:threat-actor=\"Equation Group\"","misp-galaxy:threat-actor=\"Longhorn\""],"EQGRP":["misp-galaxy:threat-actor=\"Equation Group\""],"Longhorn":["misp-galaxy:threat-actor=\"Equation Group\"","misp-galaxy:threat-actor=\"Longhorn\""],"EvilPost":["misp-galaxy:threat-actor=\"EvilPost\""],"EvilTraffic":["misp-galaxy:threat-actor=\"EvilTraffic\""],"Operation EvilTraffic":["misp-galaxy:threat-actor=\"EvilTraffic\""],"FASTCash":["misp-galaxy:threat-actor=\"FASTCash\"","misp-galaxy:tool=\"FASTCash\""],"Skeleton Spider":["misp-galaxy:threat-actor=\"FIN6\"","misp-galaxy:threat-actor=\"Skeleton Spider\""],"Flash Kitten":["misp-galaxy:threat-actor=\"Flash Kitten\""],"Flying Kitten":["misp-galaxy:threat-actor=\"Flying Kitten\""],"SaffronRose":["misp-galaxy:threat-actor=\"Flying Kitten\""],"Saffron Rose":["misp-galaxy:threat-actor=\"Flying Kitten\""],"AjaxSecurityTeam":["misp-galaxy:threat-actor=\"Flying Kitten\""],"Group 26":["misp-galaxy:threat-actor=\"Flying Kitten\""],"Sayad":["misp-galaxy:threat-actor=\"Flying Kitten\""],"Foxy Panda":["misp-galaxy:threat-actor=\"Foxy Panda\""],"Fxmsp":["misp-galaxy:threat-actor=\"Fxmsp\""],"GC01":["misp-galaxy:threat-actor=\"GC01\""],"Golden Chickens":["misp-galaxy:threat-actor=\"GC01\"","misp-galaxy:threat-actor=\"GC02\""],"Golden Chickens01":["misp-galaxy:threat-actor=\"GC01\""],"Golden Chickens 01":["misp-galaxy:threat-actor=\"GC01\""],"GC02":["misp-galaxy:threat-actor=\"GC02\""],"Golden Chickens02":["misp-galaxy:threat-actor=\"GC02\""],"Golden Chickens 02":["misp-galaxy:threat-actor=\"GC02\""],"GRIM SPIDER":["misp-galaxy:threat-actor=\"GRIM SPIDER\""],"Ghost Jackal":["misp-galaxy:threat-actor=\"Ghost Jackal\""],"GhostNet":["misp-galaxy:threat-actor=\"GhostNet\""],"Snooping Dragon":["misp-galaxy:threat-actor=\"GhostNet\""],"Gibberish Panda":["misp-galaxy:threat-actor=\"Gibberish Panda\""],"Gnosticplayers":["misp-galaxy:threat-actor=\"Gnosticplayers\""],"Groundbait":["misp-galaxy:threat-actor=\"Groundbait\""],"Group 27":["misp-galaxy:threat-actor=\"Group 27\""],"Guru Spider":["misp-galaxy:threat-actor=\"Guru Spider\""],"Hacking Team":["misp-galaxy:threat-actor=\"Hacking Team\""],"Hammer Panda":["misp-galaxy:threat-actor=\"Hammer Panda\""],"Zhenbao":["misp-galaxy:threat-actor=\"Hammer Panda\""],"TEMP.Zhenbao":["misp-galaxy:threat-actor=\"Hammer Panda\""],"Hellsing":["misp-galaxy:threat-actor=\"Hellsing\"","misp-galaxy:threat-actor=\"Naikon\""],"Goblin Panda":["misp-galaxy:threat-actor=\"Hellsing\""],"Cycldek":["misp-galaxy:threat-actor=\"Hellsing\""],"HookAds":["misp-galaxy:threat-actor=\"HookAds\""],"Hurricane Panda":["misp-galaxy:threat-actor=\"Hurricane Panda\""],"TEMP.Avengers":["misp-galaxy:threat-actor=\"Hurricane Panda\""],"Zirconium":["misp-galaxy:threat-actor=\"Hurricane Panda\""],"INDRIK SPIDER":["misp-galaxy:threat-actor=\"INDRIK SPIDER\""],"IRIDIUM":["misp-galaxy:threat-actor=\"IRIDIUM\""],"TG-2754":["misp-galaxy:threat-actor=\"IXESHE\""],"BeeBus":["misp-galaxy:threat-actor=\"IXESHE\""],"Group 22":["misp-galaxy:threat-actor=\"IXESHE\""],"Calc Team":["misp-galaxy:threat-actor=\"IXESHE\""],"DNSCalc":["misp-galaxy:threat-actor=\"IXESHE\""],"Crimson Iron":["misp-galaxy:threat-actor=\"IXESHE\""],"APT 12":["misp-galaxy:threat-actor=\"IXESHE\""],"Ice Fog":["misp-galaxy:threat-actor=\"Ice Fog\""],"IceFog":["misp-galaxy:threat-actor=\"Ice Fog\""],"Dagger Panda":["misp-galaxy:threat-actor=\"Ice Fog\""],"Impersonating Panda":["misp-galaxy:threat-actor=\"Impersonating Panda\""],"Inception Framework":["misp-galaxy:threat-actor=\"Inception Framework\""],"Operation Mermaid":["misp-galaxy:threat-actor=\"Infy\""],"Prince of Persia":["misp-galaxy:threat-actor=\"Infy\""],"Iron Group":["misp-galaxy:threat-actor=\"Iron Group\""],"Iron Cyber Group":["misp-galaxy:threat-actor=\"Iron Group\""],"Judgment Panda":["misp-galaxy:threat-actor=\"Judgment Panda\""],"Karma Panda":["misp-galaxy:threat-actor=\"Karma Panda\""],"Keyhole Panda":["misp-galaxy:threat-actor=\"Keyhole Panda\""],"temp.bottle":["misp-galaxy:threat-actor=\"Keyhole Panda\""],"Kimsuki":["misp-galaxy:threat-actor=\"Kimsuki\""],"Kimsuky":["misp-galaxy:threat-actor=\"Kimsuki\""],"Velvet Chollima":["misp-galaxy:threat-actor=\"Kimsuki\""],"Kryptonite Panda":["misp-galaxy:threat-actor=\"Kryptonite Panda\""],"Operation DarkSeoul":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Dark Seoul":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Hastati Group":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Andariel":["misp-galaxy:threat-actor=\"Lazarus Group\"","misp-galaxy:threat-actor=\"Silent Chollima\""],"Unit 121":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Bureau 121":["misp-galaxy:threat-actor=\"Lazarus Group\""],"NewRomanic Cyber Army Team":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Bluenoroff":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Subgroup: Bluenoroff":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Group 77":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Labyrinth Chollima":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Operation Troy":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Operation GhostSecret":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Operation AppleJeus":["misp-galaxy:threat-actor=\"Lazarus Group\""],"APT 38":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Stardust Chollima":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Whois Hacking Team":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Zinc":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Appleworm":["misp-galaxy:threat-actor=\"Lazarus Group\""],"Nickel Academy":["misp-galaxy:threat-actor=\"Lazarus Group\""],"APT-C-26":["misp-galaxy:threat-actor=\"Lazarus Group\""],"APT 40":["misp-galaxy:threat-actor=\"Leviathan\""],"BRONZE MOHAWK":["misp-galaxy:threat-actor=\"Leviathan\""],"Libyan Scorpions":["misp-galaxy:threat-actor=\"Libyan Scorpions\""],"the Lamberts":["misp-galaxy:threat-actor=\"Longhorn\""],"ST Group":["misp-galaxy:threat-actor=\"Lotus Blossom\""],"Esile":["misp-galaxy:threat-actor=\"Lotus Blossom\""],"Lotus Panda":["misp-galaxy:threat-actor=\"Lotus Panda\"","misp-galaxy:threat-actor=\"Naikon\""],"Lucky Cat":["misp-galaxy:threat-actor=\"Lucky Cat\""],"Threat Group 3390":["misp-galaxy:threat-actor=\"LuckyMouse\""],"Lunar Spider":["misp-galaxy:threat-actor=\"Lunar Spider\""],"MUMMY SPIDER":["misp-galaxy:threat-actor=\"MUMMY SPIDER\""],"TA542":["misp-galaxy:threat-actor=\"MUMMY SPIDER\""],"Mummy Spider":["misp-galaxy:threat-actor=\"MUMMY SPIDER\""],"Madi":["misp-galaxy:threat-actor=\"Madi\""],"MageCart":["misp-galaxy:threat-actor=\"MageCart\""],"Magic Kitten":["misp-galaxy:threat-actor=\"Magic Kitten\""],"Group 42":["misp-galaxy:threat-actor=\"Magic Kitten\""],"Magnetic Spider":["misp-galaxy:threat-actor=\"Magnetic Spider\""],"Malware reusers":["misp-galaxy:threat-actor=\"Malware reusers\"","misp-galaxy:threat-actor=\"Volatile Cedar\""],"Reuse team":["misp-galaxy:threat-actor=\"Malware reusers\"","misp-galaxy:threat-actor=\"Volatile Cedar\""],"Dancing Salome":["misp-galaxy:threat-actor=\"Malware reusers\"","misp-galaxy:threat-actor=\"Volatile Cedar\""],"Mana Team":["misp-galaxy:threat-actor=\"Mana Team\""],"Maverick Panda":["misp-galaxy:threat-actor=\"Maverick Panda\""],"PLA Navy":["misp-galaxy:threat-actor=\"Maverick Panda\"","misp-galaxy:threat-actor=\"Samurai Panda\"","misp-galaxy:threat-actor=\"Wekby\""],"Ke3Chang":["misp-galaxy:threat-actor=\"Mirage\""],"APT 15":["misp-galaxy:threat-actor=\"Mirage\""],"Metushy":["misp-galaxy:threat-actor=\"Mirage\""],"Social Network Team":["misp-galaxy:threat-actor=\"Mirage\""],"Royal APT":["misp-galaxy:threat-actor=\"Mirage\""],"Mofang":["misp-galaxy:threat-actor=\"Mofang\""],"Superman":["misp-galaxy:threat-actor=\"Mofang\""],"Gaza Hackers Team":["misp-galaxy:threat-actor=\"Molerats\""],"Gaza cybergang":["misp-galaxy:threat-actor=\"Molerats\""],"Extreme Jackal":["misp-galaxy:threat-actor=\"Molerats\""],"Moonlight":["misp-galaxy:threat-actor=\"Molerats\""],"MoneyTaker":["misp-galaxy:threat-actor=\"MoneyTaker\""],"Static Kitten":["misp-galaxy:threat-actor=\"MuddyWater\""],"Mustang Panda":["misp-galaxy:threat-actor=\"Mustang Panda\""],"PLA Unit 78020":["misp-galaxy:threat-actor=\"Naikon\""],"Override Panda":["misp-galaxy:threat-actor=\"Naikon\""],"Camerashy":["misp-galaxy:threat-actor=\"Naikon\""],"APT.Naikon":["misp-galaxy:threat-actor=\"Naikon\""],"APT 21":["misp-galaxy:threat-actor=\"NetTraveler\""],"APT21":["misp-galaxy:threat-actor=\"NetTraveler\""],"Nexus Zeta":["misp-galaxy:threat-actor=\"Nexus Zeta\""],"Nightshade Panda":["misp-galaxy:threat-actor=\"Nightshade Panda\""],"APT 9":["misp-galaxy:threat-actor=\"Nightshade Panda\""],"Flowerlady\/Flowershow":["misp-galaxy:threat-actor=\"Nightshade Panda\""],"Flowerlady":["misp-galaxy:threat-actor=\"Nightshade Panda\""],"Flowershow":["misp-galaxy:threat-actor=\"Nightshade Panda\""],"Nitro":["misp-galaxy:threat-actor=\"Nitro\""],"Covert Grove":["misp-galaxy:threat-actor=\"Nitro\""],"Nomad Panda":["misp-galaxy:threat-actor=\"Nomad Panda\""],"Twisted Kitten":["misp-galaxy:threat-actor=\"OilRig\""],"Crambus":["misp-galaxy:threat-actor=\"OilRig\""],"Helix Kitten":["misp-galaxy:threat-actor=\"OilRig\""],"OnionDog":["misp-galaxy:threat-actor=\"OnionDog\""],"Operation BugDrop":["misp-galaxy:threat-actor=\"Operation BugDrop\""],"Operation C-Major":["misp-galaxy:threat-actor=\"Operation C-Major\""],"Mythic Leopard":["misp-galaxy:threat-actor=\"Operation C-Major\""],"ProjectM":["misp-galaxy:threat-actor=\"Operation C-Major\""],"APT36":["misp-galaxy:threat-actor=\"Operation C-Major\""],"APT 36":["misp-galaxy:threat-actor=\"Operation C-Major\""],"TMP.Lapis":["misp-galaxy:threat-actor=\"Operation C-Major\""],"Operation Comando":["misp-galaxy:threat-actor=\"Operation Comando\""],"Operation Kabar Cobra":["misp-galaxy:threat-actor=\"Operation Kabar Cobra\""],"Operation Parliament":["misp-galaxy:threat-actor=\"Operation Parliament\""],"Operation Poison Needles":["misp-galaxy:threat-actor=\"Operation Poison Needles\""],"Operation ShadowHammer":["misp-galaxy:threat-actor=\"Operation ShadowHammer\""],"Operation Sharpshooter":["misp-galaxy:threat-actor=\"Operation Sharpshooter\""],"OurMine":["misp-galaxy:threat-actor=\"OurMine\""],"TwoForOne":["misp-galaxy:threat-actor=\"PLATINUM\""],"Pacha Group":["misp-galaxy:threat-actor=\"Pacha Group\""],"Pacifier APT":["misp-galaxy:threat-actor=\"Pacifier APT\"","misp-galaxy:threat-actor=\"Turla Group\""],"Skipper":["misp-galaxy:threat-actor=\"Pacifier APT\""],"Popeye":["misp-galaxy:threat-actor=\"Pacifier APT\"","misp-galaxy:threat-actor=\"Turla Group\""],"Packrat":["misp-galaxy:threat-actor=\"Packrat\""],"Pale Panda":["misp-galaxy:threat-actor=\"Pale Panda\""],"PassCV":["misp-galaxy:threat-actor=\"PassCV\""],"Pinchy Spider":["misp-galaxy:threat-actor=\"Pinchy Spider\""],"Pirate Panda":["misp-galaxy:threat-actor=\"Pirate Panda\""],"APT23":["misp-galaxy:threat-actor=\"Pirate Panda\""],"APT 23":["misp-galaxy:threat-actor=\"Pirate Panda\""],"Pitty Panda":["misp-galaxy:threat-actor=\"Pitty Panda\""],"MANGANESE":["misp-galaxy:threat-actor=\"Pitty Panda\""],"Pizzo Spider":["misp-galaxy:threat-actor=\"Pizzo Spider\""],"DD4BC":["misp-galaxy:threat-actor=\"Pizzo Spider\""],"Ambiorx":["misp-galaxy:threat-actor=\"Pizzo Spider\""],"Poisonous Panda":["misp-galaxy:threat-actor=\"Poisonous Panda\""],"Predator Panda":["misp-galaxy:threat-actor=\"Predator Panda\""],"Sauron":["misp-galaxy:threat-actor=\"ProjectSauron\""],"Project Sauron":["misp-galaxy:threat-actor=\"ProjectSauron\""],"PLA Unit 61486":["misp-galaxy:threat-actor=\"Putter Panda\""],"APT 2":["misp-galaxy:threat-actor=\"Putter Panda\""],"Group 36":["misp-galaxy:threat-actor=\"Putter Panda\""],"APT-2":["misp-galaxy:threat-actor=\"Putter Panda\""],"4HCrew":["misp-galaxy:threat-actor=\"Putter Panda\""],"SULPHUR":["misp-galaxy:threat-actor=\"Putter Panda\""],"SearchFire":["misp-galaxy:threat-actor=\"Putter Panda\""],"TG-6952":["misp-galaxy:threat-actor=\"Putter Panda\""],"RANCOR":["misp-galaxy:threat-actor=\"RANCOR\""],"Rancor group":["misp-galaxy:threat-actor=\"RANCOR\""],"Rancor Group":["misp-galaxy:threat-actor=\"RANCOR\""],"RASPITE":["misp-galaxy:threat-actor=\"RASPITE\""],"LeafMiner":["misp-galaxy:threat-actor=\"RASPITE\""],"Radio Panda":["misp-galaxy:threat-actor=\"Radio Panda\""],"Shrouded Crossbow":["misp-galaxy:threat-actor=\"Radio Panda\""],"Ratpak Spider":["misp-galaxy:threat-actor=\"Ratpak Spider\""],"Rebel Jackal":["misp-galaxy:threat-actor=\"Rebel Jackal\""],"FallagaTeam":["misp-galaxy:threat-actor=\"Rebel Jackal\""],"Red October":["misp-galaxy:threat-actor=\"Red October\""],"the Rocra":["misp-galaxy:threat-actor=\"Red October\""],"Roaming Mantis Group":["misp-galaxy:threat-actor=\"Roaming Mantis\""],"Roaming Tiger":["misp-galaxy:threat-actor=\"Roaming Tiger\""],"Rocke":["misp-galaxy:threat-actor=\"Rocke\""],"Operation Woolen Goldfish":["misp-galaxy:threat-actor=\"Rocket Kitten\""],"Thamar Reservoir":["misp-galaxy:threat-actor=\"Rocket Kitten\""],"Timberworm":["misp-galaxy:threat-actor=\"Rocket Kitten\""],"SNOWGLOBE":["misp-galaxy:threat-actor=\"SNOWGLOBE\""],"Animal Farm":["misp-galaxy:threat-actor=\"SNOWGLOBE\""],"Snowglobe":["misp-galaxy:threat-actor=\"SNOWGLOBE\""],"STARDUST CHOLLIMA":["misp-galaxy:threat-actor=\"STARDUST CHOLLIMA\""],"STOLEN PENCIL":["misp-galaxy:threat-actor=\"STOLEN PENCIL\""],"Sabre Panda":["misp-galaxy:threat-actor=\"Sabre Panda\""],"Salty Spider":["misp-galaxy:threat-actor=\"Salty Spider\""],"Samurai Panda":["misp-galaxy:threat-actor=\"Samurai Panda\""],"APT4":["misp-galaxy:threat-actor=\"Samurai Panda\""],"APT 4":["misp-galaxy:threat-actor=\"Samurai Panda\""],"Wisp Team":["misp-galaxy:threat-actor=\"Samurai Panda\""],"Getkys":["misp-galaxy:threat-actor=\"Samurai Panda\""],"SykipotGroup":["misp-galaxy:threat-actor=\"Samurai Panda\""],"Wkysol":["misp-galaxy:threat-actor=\"Samurai Panda\""],"SandCat":["misp-galaxy:threat-actor=\"SandCat\""],"Sands Casino":["misp-galaxy:threat-actor=\"Sands Casino\""],"Voodoo Bear":["misp-galaxy:threat-actor=\"Sandworm\""],"TEMP.Noble":["misp-galaxy:threat-actor=\"Sandworm\""],"Iron Viking":["misp-galaxy:threat-actor=\"Sandworm\""],"Sath-\u0131 M\u00fcdafaa":["misp-galaxy:threat-actor=\"Sath-\u0131 M\u00fcdafaa\""],"Sea Turtle":["misp-galaxy:threat-actor=\"Sea Turtle\""],"Shadow Network":["misp-galaxy:threat-actor=\"Shadow Network\""],"Shark Spider":["misp-galaxy:threat-actor=\"Shark Spider\""],"Group 13":["misp-galaxy:threat-actor=\"Shell Crew\""],"Sh3llCr3w":["misp-galaxy:threat-actor=\"Shell Crew\""],"Siesta":["misp-galaxy:threat-actor=\"Siesta\""],"Silence group":["misp-galaxy:threat-actor=\"Silence group\""],"Silent Chollima":["misp-galaxy:threat-actor=\"Silent Chollima\""],"OperationTroy":["misp-galaxy:threat-actor=\"Silent Chollima\""],"Guardian of Peace":["misp-galaxy:threat-actor=\"Silent Chollima\""],"GOP":["misp-galaxy:threat-actor=\"Silent Chollima\""],"WHOis Team":["misp-galaxy:threat-actor=\"Silent Chollima\""],"Subgroup: Andariel":["misp-galaxy:threat-actor=\"Silent Chollima\""],"Silent Librarian":["misp-galaxy:threat-actor=\"Silent Librarian\""],"Mabna Institute":["misp-galaxy:threat-actor=\"Silent Librarian\""],"Sima":["misp-galaxy:threat-actor=\"Sima\""],"Singing Spider":["misp-galaxy:threat-actor=\"Singing Spider\""],"Snake Wine":["misp-galaxy:threat-actor=\"Snake Wine\""],"PawnStorm":["misp-galaxy:threat-actor=\"Sofacy\""],"TAG_0700":["misp-galaxy:threat-actor=\"Sofacy\""],"IRON TWILIGHT":["misp-galaxy:threat-actor=\"Sofacy\""],"SIG40":["misp-galaxy:threat-actor=\"Sofacy\""],"Spicy Panda":["misp-galaxy:threat-actor=\"Spicy Panda\""],"Stalker Panda":["misp-galaxy:threat-actor=\"Stalker Panda\""],"FruityArmor":["misp-galaxy:threat-actor=\"Stealth Falcon\""],"APT 10":["misp-galaxy:threat-actor=\"Stone Panda\""],"MenuPass":["misp-galaxy:threat-actor=\"Stone Panda\""],"Menupass Team":["misp-galaxy:threat-actor=\"Stone Panda\""],"menuPass Team":["misp-galaxy:threat-actor=\"Stone Panda\""],"happyyongzi":["misp-galaxy:threat-actor=\"Stone Panda\""],"POTASSIUM":["misp-galaxy:threat-actor=\"Stone Panda\""],"DustStorm":["misp-galaxy:threat-actor=\"Stone Panda\""],"Cloud Hopper":["misp-galaxy:threat-actor=\"Stone Panda\""],"Subaat":["misp-galaxy:threat-actor=\"Subaat\"","misp-galaxy:threat-actor=\"The Gorgon Group\""],"TA505":["misp-galaxy:threat-actor=\"TA505\""],"TA530":["misp-galaxy:threat-actor=\"TA530\""],"TEMP.Hermit":["misp-galaxy:threat-actor=\"TEMP.Hermit\""],"Xenotime":["misp-galaxy:threat-actor=\"TEMP.Veles\""],"TeamSpy Crew":["misp-galaxy:threat-actor=\"TeamSpy Crew\""],"TeamSpy":["misp-galaxy:threat-actor=\"TeamSpy Crew\""],"Team Bear":["misp-galaxy:threat-actor=\"TeamSpy Crew\""],"Anger Bear":["misp-galaxy:threat-actor=\"TeamSpy Crew\""],"TeamXRat":["misp-galaxy:threat-actor=\"TeamXRat\""],"CorporacaoXRat":["misp-galaxy:threat-actor=\"TeamXRat\""],"CorporationXRat":["misp-galaxy:threat-actor=\"TeamXRat\""],"TeleBots":["misp-galaxy:threat-actor=\"TeleBots\""],"TempTick":["misp-galaxy:threat-actor=\"TempTick\""],"Temper Panda":["misp-galaxy:threat-actor=\"Temper Panda\""],"Admin338":["misp-galaxy:threat-actor=\"Temper Panda\""],"Team338":["misp-galaxy:threat-actor=\"Temper Panda\""],"MAGNESIUM":["misp-galaxy:threat-actor=\"Temper Panda\""],"Test Panda":["misp-galaxy:threat-actor=\"Test Panda\""],"The Big Bang":["misp-galaxy:threat-actor=\"The Big Bang\""],"The Gorgon Group":["misp-galaxy:threat-actor=\"The Gorgon Group\""],"The Shadow Brokers":["misp-galaxy:threat-actor=\"The Shadow Brokers\""],"The ShadowBrokers":["misp-galaxy:threat-actor=\"The Shadow Brokers\""],"TSB":["misp-galaxy:threat-actor=\"The Shadow Brokers\""],"Shadow Brokers":["misp-galaxy:threat-actor=\"The Shadow Brokers\""],"ShadowBrokers":["misp-galaxy:threat-actor=\"The Shadow Brokers\""],"Bronze Butler":["misp-galaxy:threat-actor=\"Tick\""],"RedBaldKnight":["misp-galaxy:threat-actor=\"Tick\""],"Tiny Spider":["misp-galaxy:threat-actor=\"Tiny Spider\""],"Tonto Team":["misp-galaxy:threat-actor=\"Tonto Team\""],"Toxic Panda":["misp-galaxy:threat-actor=\"Toxic Panda\""],"Operation Tropic Trooper":["misp-galaxy:threat-actor=\"Tropic Trooper\""],"Operation TropicTrooper":["misp-galaxy:threat-actor=\"Tropic Trooper\""],"TropicTrooper":["misp-galaxy:threat-actor=\"Tropic Trooper\""],"TurkHackTeam":["misp-galaxy:threat-actor=\"TurkHackTeam\""],"Turk Hack Team":["misp-galaxy:threat-actor=\"TurkHackTeam\""],"Turla Group":["misp-galaxy:threat-actor=\"Turla Group\""],"Venomous Bear":["misp-galaxy:threat-actor=\"Turla Group\""],"Group 88":["misp-galaxy:threat-actor=\"Turla Group\""],"WRAITH":["misp-galaxy:threat-actor=\"Turla Group\""],"Turla Team":["misp-galaxy:threat-actor=\"Turla Group\""],"Pfinet":["misp-galaxy:threat-actor=\"Turla Group\""],"TAG_0530":["misp-galaxy:threat-actor=\"Turla Group\""],"KRYPTON":["misp-galaxy:threat-actor=\"Turla Group\""],"SIG23":["misp-galaxy:threat-actor=\"Turla Group\""],"Iron Hunter":["misp-galaxy:threat-actor=\"Turla Group\""],"UPS":["misp-galaxy:threat-actor=\"UPS\""],"APT 3":["misp-galaxy:threat-actor=\"UPS\""],"Group 6":["misp-galaxy:threat-actor=\"UPS\""],"Boyusec":["misp-galaxy:threat-actor=\"UPS\""],"Union Panda":["misp-galaxy:threat-actor=\"Union Panda\""],"Union Spider":["misp-galaxy:threat-actor=\"Union Spider\""],"Unit 8200":["misp-galaxy:threat-actor=\"Unit 8200\""],"Duqu Group":["misp-galaxy:threat-actor=\"Unit 8200\""],"Unnamed Actor":["misp-galaxy:threat-actor=\"Unnamed Actor\""],"Viceroy Tiger":["misp-galaxy:threat-actor=\"Viceroy Tiger\""],"Appin":["misp-galaxy:threat-actor=\"Viceroy Tiger\""],"OperationHangover":["misp-galaxy:threat-actor=\"Viceroy Tiger\""],"Viking Jackal":["misp-galaxy:threat-actor=\"Viking Jackal\""],"Vikingdom":["misp-galaxy:threat-actor=\"Viking Jackal\""],"Violin Panda":["misp-galaxy:threat-actor=\"Violin Panda\""],"APT20":["misp-galaxy:threat-actor=\"Violin Panda\""],"APT 20":["misp-galaxy:threat-actor=\"Violin Panda\""],"APT8":["misp-galaxy:threat-actor=\"Violin Panda\""],"APT 8":["misp-galaxy:threat-actor=\"Violin Panda\""],"TH3Bug":["misp-galaxy:threat-actor=\"Violin Panda\""],"Volatile Cedar":["misp-galaxy:threat-actor=\"Volatile Cedar\""],"WIZARD SPIDER":["misp-galaxy:threat-actor=\"WIZARD SPIDER\""],"Wekby":["misp-galaxy:threat-actor=\"Wekby\""],"APT 18":["misp-galaxy:threat-actor=\"Wekby\""],"SCANDIUM":["misp-galaxy:threat-actor=\"Wekby\""],"Wet Panda":["misp-galaxy:threat-actor=\"Wet Panda\""],"White Bear":["misp-galaxy:threat-actor=\"White Bear\""],"Skipper Turla":["misp-galaxy:threat-actor=\"White Bear\""],"Whitefly":["misp-galaxy:threat-actor=\"Whitefly\""],"WildNeutron":["misp-galaxy:threat-actor=\"WildNeutron\""],"Butterfly":["misp-galaxy:threat-actor=\"WildNeutron\""],"Morpho":["misp-galaxy:threat-actor=\"WildNeutron\""],"Sphinx Moth":["misp-galaxy:threat-actor=\"WildNeutron\""],"WindShift":["misp-galaxy:threat-actor=\"WindShift\""],"Winnti Umbrella":["misp-galaxy:threat-actor=\"Winnti Umbrella\""],"Wolf Spider":["misp-galaxy:threat-actor=\"Wolf Spider\""],"Zombie Spider":["misp-galaxy:threat-actor=\"Zombie Spider\""],"[Unnamed group]":["misp-galaxy:threat-actor=\"[Unnamed group]\""],"[Vault 7\/8]":["misp-galaxy:threat-actor=\"[Vault 7\/8]\""],"ALMA Communicator":["misp-galaxy:tool=\"ALMA Communicator\""],"AURIGA":["misp-galaxy:tool=\"AURIGA\""],"Agent ORM":["misp-galaxy:tool=\"Agent ORM\""],"Tosliph":["misp-galaxy:tool=\"Agent ORM\""],"ComRat":["misp-galaxy:tool=\"Agent.BTZ\""],"Agent.dne":["misp-galaxy:tool=\"Agent.dne\""],"PinkSlipBot":["misp-galaxy:tool=\"Akbot\""],"AmmyAdmin":["misp-galaxy:tool=\"AmmyAdmin\""],"August":["misp-galaxy:tool=\"August\""],"Aumlib":["misp-galaxy:tool=\"Aumlib\""],"Yayih":["misp-galaxy:tool=\"Aumlib\""],"mswab":["misp-galaxy:tool=\"Aumlib\""],"BANGAT":["misp-galaxy:tool=\"BANGAT\""],"BASHLITE":["misp-galaxy:tool=\"BASHLITE\""],"BISKVIT":["misp-galaxy:tool=\"BISKVIT\""],"BOUNCER":["misp-galaxy:tool=\"BOUNCER\""],"BabaYaga":["misp-galaxy:tool=\"BabaYaga\""],"BabyShark":["misp-galaxy:tool=\"BabyShark\""],"Backdoor.Dripion":["misp-galaxy:tool=\"Backdoor.Dripion\""],"Dripion":["misp-galaxy:tool=\"Backdoor.Dripion\""],"Backdoor.Tinybaron":["misp-galaxy:tool=\"Backdoor.Tinybaron\""],"Backspace":["misp-galaxy:tool=\"Backspace\""],"Badnews":["misp-galaxy:tool=\"Badnews\""],"Bookworm":["misp-galaxy:tool=\"Bookworm\""],"Brushaloader":["misp-galaxy:tool=\"Brushaloader\""],"Bunny":["misp-galaxy:tool=\"Bunny\""],"Bushaloader":["misp-galaxy:tool=\"Bushaloader\""],"(.v2 fysbis)":["misp-galaxy:tool=\"CHOPSTICK\""],"CMStar":["misp-galaxy:tool=\"CMStar\""],"COMBOS":["misp-galaxy:tool=\"COMBOS\""],"COOKIEBAG":["misp-galaxy:tool=\"COOKIEBAG\""],"TROJAN.COOKIES":["misp-galaxy:tool=\"COOKIEBAG\""],"APT.InfoStealer.Win.CORALDECK":["misp-galaxy:tool=\"CORALDECK\""],"FE_APT_InfoStealer_Win_CORALDECK_1":["misp-galaxy:tool=\"CORALDECK\""],"CTRat":["misp-galaxy:tool=\"CTRat\""],"CUTLET MAKER":["misp-galaxy:tool=\"CUTLET MAKER\""],"CWoolger":["misp-galaxy:tool=\"CWoolger\""],"Cadelspy":["misp-galaxy:tool=\"Cadelspy\""],"WinSpy":["misp-galaxy:tool=\"Cadelspy\""],"Carp Downloader":["misp-galaxy:tool=\"Carp Downloader\""],"Cheshire Cat":["misp-galaxy:tool=\"Cheshire Cat\""],"Pegasus spyware":["misp-galaxy:tool=\"Chrysaor\""],"ClipboardWalletHijacker":["misp-galaxy:tool=\"ClipboardWalletHijacker\""],"Cowboy":["misp-galaxy:tool=\"Cowboy\""],"CowerSnail":["misp-galaxy:tool=\"CowerSnail\""],"Cromptui":["misp-galaxy:tool=\"Cromptui\""],"CroniX":["misp-galaxy:tool=\"CroniX\""],"DAIRY":["misp-galaxy:tool=\"DAIRY\""],"DHS2015":["misp-galaxy:tool=\"DHS2015\""],"iRAT":["misp-galaxy:tool=\"DHS2015\""],"FE_APT_RAT_DOGCALL":["misp-galaxy:tool=\"DOGCALL\""],"FE_APT_Backdoor_Win32_DOGCALL_1":["misp-galaxy:tool=\"DOGCALL\""],"APT.Backdoor.Win.DOGCALL":["misp-galaxy:tool=\"DOGCALL\""],"DOPU":["misp-galaxy:tool=\"DOPU\""],"DanderSpritz":["misp-galaxy:tool=\"DanderSpritz\""],"Dander Spritz":["misp-galaxy:tool=\"DanderSpritz\""],"Dark Pulsar":["misp-galaxy:tool=\"DarkPulsar\""],"TROJ_DLLSERV.BE":["misp-galaxy:tool=\"Derusbi\""],"Digmine":["misp-galaxy:tool=\"Digmine\""],"Disgufa":["misp-galaxy:tool=\"Disgufa\""],"DoubleFantasy":["misp-galaxy:tool=\"DoubleFantasy\""],"DownRage":["misp-galaxy:tool=\"DownRage\""],"Carberplike":["misp-galaxy:tool=\"DownRage\""],"DownRange":["misp-galaxy:tool=\"DownRange\""],"Downloader-FGO":["misp-galaxy:tool=\"Downloader-FGO\""],"Win32:Malware-gen":["misp-galaxy:tool=\"Downloader-FGO\""],"Generic30.ASYL (Trojan horse)":["misp-galaxy:tool=\"Downloader-FGO\""],"TR\/Agent.84480.85":["misp-galaxy:tool=\"Downloader-FGO\""],"Trojan.Generic.8627031":["misp-galaxy:tool=\"Downloader-FGO\""],"Trojan:Win32\/Sisproc":["misp-galaxy:tool=\"Downloader-FGO\""],"SB\/Malware":["misp-galaxy:tool=\"Downloader-FGO\""],"Trj\/CI.A":["misp-galaxy:tool=\"Downloader-FGO\""],"Mal\/Behav-112":["misp-galaxy:tool=\"Downloader-FGO\""],"Trojan.Spuler":["misp-galaxy:tool=\"Downloader-FGO\""],"TROJ_KAZY.SM1":["misp-galaxy:tool=\"Downloader-FGO\""],"Win32\/FakePPT_i":["misp-galaxy:tool=\"Downloader-FGO\""],"EAGERLEVER":["misp-galaxy:tool=\"EAGERLEVER\""],"EARLYSHOVEL":["misp-galaxy:tool=\"EARLYSHOVEL\""],"EASYBEE":["misp-galaxy:tool=\"EASYBEE\""],"EASYFUN":["misp-galaxy:tool=\"EASYFUN\""],"EASYPI":["misp-galaxy:tool=\"EASYPI\""],"EBBISLAND (EBBSHAVE)":["misp-galaxy:tool=\"EBBISLAND (EBBSHAVE)\""],"ECHOWRECKER":["misp-galaxy:tool=\"ECHOWRECKER\""],"ECLIPSEDWING":["misp-galaxy:tool=\"ECLIPSEDWING\""],"EDUCATEDSCHOLAR":["misp-galaxy:tool=\"EDUCATEDSCHOLAR\""],"ELF_IMEIJ":["misp-galaxy:tool=\"ELF_IMEIJ\""],"EMERALDTHREAD":["misp-galaxy:tool=\"EMERALDTHREAD\""],"EMPHASISMINE":["misp-galaxy:tool=\"EMPHASISMINE\""],"ENGLISHMANSDENTIST":["misp-galaxy:tool=\"ENGLISHMANSDENTIST\""],"EPICHERO":["misp-galaxy:tool=\"EPICHERO\""],"ERRATICGOPHER":["misp-galaxy:tool=\"ERRATICGOPHER\""],"ERRATICGOPHERTOUCH":["misp-galaxy:tool=\"ERRATICGOPHERTOUCH\""],"ESKIMOROLL":["misp-galaxy:tool=\"ESKIMOROLL\""],"ESSAYKEYNOTE":["misp-galaxy:tool=\"ESSAYKEYNOTE\""],"ESTEEMAUDIT":["misp-galaxy:tool=\"ESTEEMAUDIT\""],"ETCETERABLUE":["misp-galaxy:tool=\"ETCETERABLUE\""],"ETERNALBLUE":["misp-galaxy:tool=\"ETERNALBLUE\""],"ETERNALCHAMPION":["misp-galaxy:tool=\"ETERNALCHAMPION\""],"ETERNALROMANCE":["misp-galaxy:tool=\"ETERNALROMANCE\""],"ETERNALSYNERGY":["misp-galaxy:tool=\"ETERNALSYNERGY\""],"ETRE":["misp-galaxy:tool=\"ETRE\""],"EVADEFRED":["misp-galaxy:tool=\"EVADEFRED\""],"EVILNUM":["misp-galaxy:tool=\"EVILNUM\""],"EWOKFRENZY":["misp-galaxy:tool=\"EWOKFRENZY\""],"EXPIREDPAYCHECK":["misp-galaxy:tool=\"EXPIREDPAYCHECK\""],"EXPLODINGCAN":["misp-galaxy:tool=\"EXPLODINGCAN\""],"Elise Backdoor":["misp-galaxy:tool=\"Elise Backdoor\""],"Newsripper":["misp-galaxy:tool=\"Emdivi\""],"Empyre":["misp-galaxy:tool=\"Empyre\""],"Empye":["misp-galaxy:tool=\"Empyre\""],"EngineBox Malware":["misp-galaxy:tool=\"EngineBox Malware\""],"EquationLaser":["misp-galaxy:tool=\"EquationLaser\""],"Escad":["misp-galaxy:tool=\"Escad\""],"Etumbot":["misp-galaxy:tool=\"Etumbot\""],"Exploz":["misp-galaxy:tool=\"Etumbot\""],"Specfix":["misp-galaxy:tool=\"Etumbot\""],"BKDR_HGDER":["misp-galaxy:tool=\"EvilGrab\""],"BKDR_EVILOGE":["misp-galaxy:tool=\"EvilGrab\""],"BKDR_NVICM":["misp-galaxy:tool=\"EvilGrab\""],"Wmonder":["misp-galaxy:tool=\"EvilGrab\""],"Exforel":["misp-galaxy:tool=\"Exforel\""],"Explosive":["misp-galaxy:tool=\"Explosive\""],"EyePyramid Malware":["misp-galaxy:tool=\"EyePyramid Malware\""],"FUZZBUNCH":["misp-galaxy:tool=\"FUZZBUNCH\""],"FacexWorm":["misp-galaxy:tool=\"FacexWorm\""],"Fadok":["misp-galaxy:tool=\"Fadok\""],"Win32\/Fadok":["misp-galaxy:tool=\"Fadok\""],"FAKEM":["misp-galaxy:tool=\"Fakem RAT\""],"Fexel":["misp-galaxy:tool=\"Fexel\""],"Loneagent":["misp-galaxy:tool=\"Fexel\""],"FlexSpy":["misp-galaxy:tool=\"FlexSpy\""],"Flokibot":["misp-galaxy:tool=\"Flokibot\""],"Floki Bot":["misp-galaxy:tool=\"Flokibot\""],"Floki":["misp-galaxy:tool=\"Flokibot\""],"Foozer":["misp-galaxy:tool=\"Foozer\""],"FormBook":["misp-galaxy:tool=\"FormBook\""],"Fysbis":["misp-galaxy:tool=\"Fysbis\""],"GDOCUPLOAD":["misp-galaxy:tool=\"GDOCUPLOAD\""],"GELCAPSULE":["misp-galaxy:tool=\"GELCAPSULE\""],"FE_APT_Downloader_Win32_GELCAPSULE_1":["misp-galaxy:tool=\"GELCAPSULE\""],"GETMAIL":["misp-galaxy:tool=\"GETMAIL\""],"GHOLE":["misp-galaxy:tool=\"GHOLE\""],"GHOTEX":["misp-galaxy:tool=\"GHOTEX\""],"TROJAN.GTALK":["misp-galaxy:tool=\"GLOOXMAIL\""],"GOGGLES":["misp-galaxy:tool=\"GOGGLES\""],"TROJAN.FOXY":["misp-galaxy:tool=\"GOGGLES\""],"GREENCAT":["misp-galaxy:tool=\"GREENCAT\""],"Gamut Botnet":["misp-galaxy:tool=\"Gamut Botnet\""],"Gh0st Rat":["misp-galaxy:tool=\"Gh0st Rat\""],"Gh0stRat, GhostRat":["misp-galaxy:tool=\"Gh0st Rat\""],"GoScanSSH":["misp-galaxy:tool=\"GoScanSSH\""],"Gootkit":["misp-galaxy:tool=\"GootKit\""],"GrayFish":["misp-galaxy:tool=\"GrayFish\""],"HACKFASE":["misp-galaxy:tool=\"HACKFASE\""],"FE_APT_Downloader_HAPPYWORK":["misp-galaxy:tool=\"HAPPYWORK\""],"FE_APT_Exploit_HWP_Happy":["misp-galaxy:tool=\"HAPPYWORK\""],"Downloader.APT.HAPPYWORK":["misp-galaxy:tool=\"HAPPYWORK\""],"HDRoot":["misp-galaxy:tool=\"HDRoot\""],"HELAUTO":["misp-galaxy:tool=\"HELAUTO\""],"TokenControl":["misp-galaxy:tool=\"HTTPBrowser\""],"Hackshit":["misp-galaxy:tool=\"Hackshit\""],"Tordal":["misp-galaxy:tool=\"Hancitor\""],"Helminth backdoor":["misp-galaxy:tool=\"Helminth backdoor\""],"HerHer Trojan":["misp-galaxy:tool=\"HerHer Trojan\""],"Heseber BOT":["misp-galaxy:tool=\"Heseber BOT\""],"Hi-ZOR":["misp-galaxy:tool=\"Hi-ZOR\""],"Hoardy":["misp-galaxy:tool=\"Hoardy\""],"Hoarde":["misp-galaxy:tool=\"Hoardy\""],"Phindolp":["misp-galaxy:tool=\"Hoardy\""],"Htran":["misp-galaxy:tool=\"Htran\""],"HUC Packet Transmitter":["misp-galaxy:tool=\"Htran\""],"Huigezi malware":["misp-galaxy:tool=\"Huigezi malware\""],"Houdini":["misp-galaxy:tool=\"Hworm\""],"Hyena":["misp-galaxy:tool=\"Hyena\""],"IISTOUCH":["misp-galaxy:tool=\"IISTOUCH\""],"IRONGATE":["misp-galaxy:tool=\"IRONGATE\""],"Incognito RAT":["misp-galaxy:tool=\"Incognito RAT\""],"IntrudingDivisor":["misp-galaxy:tool=\"IntrudingDivisor\""],"IoT_reaper":["misp-galaxy:tool=\"IoT_reaper\""],"Iron Backdoor":["misp-galaxy:tool=\"Iron Backdoor\""],"JS Flash":["misp-galaxy:tool=\"JS Flash\""],"JavaScript variant of HALFBAKED":["misp-galaxy:tool=\"JS Flash\""],"JS_POWMET":["misp-galaxy:tool=\"JS_POWMET\""],"JasperLoader":["misp-galaxy:tool=\"JasperLoader\""],"JexBoss":["misp-galaxy:tool=\"JexBoss\""],"Jripbot":["misp-galaxy:tool=\"Jripbot\""],"Jiripbot":["misp-galaxy:tool=\"Jripbot\""],"FE_APT_Backdoor_Karae_enc":["misp-galaxy:tool=\"KARAE\""],"FE_APT_Backdoor_Karae":["misp-galaxy:tool=\"KARAE\""],"Backdoor.APT.Karae":["misp-galaxy:tool=\"KARAE\""],"KURTON":["misp-galaxy:tool=\"KURTON\""],"KillDisk Wiper":["misp-galaxy:tool=\"KillDisk Wiper\""],"KimJongRAT":["misp-galaxy:tool=\"KimJongRAT\""],"KingMiner":["misp-galaxy:tool=\"KingMiner\""],"LATENTBOT":["misp-galaxy:tool=\"LATENTBOT\""],"LIGHTBOLT":["misp-galaxy:tool=\"LIGHTBOLT\""],"LIGHTDART":["misp-galaxy:tool=\"LIGHTDART\""],"LONGRUN":["misp-galaxy:tool=\"LONGRUN\""],"LURK":["misp-galaxy:tool=\"LURK\""],"LamePyre":["misp-galaxy:tool=\"LamePyre\""],"OSX.LamePyre":["misp-galaxy:tool=\"LamePyre\""],"Lazagne":["misp-galaxy:tool=\"Lazagne\""],"LockPoS":["misp-galaxy:tool=\"LockPoS\""],"Loki Bot":["misp-galaxy:tool=\"Loki Bot\""],"Lost Door RAT":["misp-galaxy:tool=\"Lost Door RAT\""],"LostDoor RAT":["misp-galaxy:tool=\"Lost Door RAT\""],"BKDR_LODORAT":["misp-galaxy:tool=\"Lost Door RAT\""],"LuminosityLink":["misp-galaxy:tool=\"LuminosityLink\""],"MANITSME":["misp-galaxy:tool=\"MANITSME\""],"MAPIGET":["misp-galaxy:tool=\"MAPIGET\""],"MFC Huner":["misp-galaxy:tool=\"MFC Huner\""],"Hupigon":["misp-galaxy:tool=\"MFC Huner\""],"BKDR_HUPIGON":["misp-galaxy:tool=\"MFC Huner\""],"MILKDROP":["misp-galaxy:tool=\"MILKDROP\""],"FE_Trojan_Win32_MILKDROP_1":["misp-galaxy:tool=\"MILKDROP\""],"MINIASP":["misp-galaxy:tool=\"MINIASP\""],"MM Core backdoor":["misp-galaxy:tool=\"MM Core\""],"BigBoss":["misp-galaxy:tool=\"MM Core\""],"SillyGoose":["misp-galaxy:tool=\"MM Core\""],"BaneChant":["misp-galaxy:tool=\"MM Core\""],"StrangeLove":["misp-galaxy:tool=\"MM Core\""],"MagentoCore Malware":["misp-galaxy:tool=\"MagentoCore Malware\""],"Maikspy":["misp-galaxy:tool=\"Maikspy\""],"Mikatz":["misp-galaxy:tool=\"Mimikatz\""],"Linux\/Mirai":["misp-galaxy:tool=\"Mirai\""],"MoneyTaker 5.0":["misp-galaxy:tool=\"MoneyTaker 5.0\""],"Moneygram Adwind":["misp-galaxy:tool=\"Moneygram Adwind\""],"Mongall":["misp-galaxy:tool=\"Mongall\""],"Moudoor":["misp-galaxy:tool=\"Moudoor\""],"SCAR":["misp-galaxy:tool=\"Moudoor\""],"KillProc.14145":["misp-galaxy:tool=\"Moudoor\""],"NAMEDPIPETOUCH":["misp-galaxy:tool=\"NAMEDPIPETOUCH\""],"NBot":["misp-galaxy:tool=\"NBot\""],"NEWSREELS":["misp-galaxy:tool=\"NEWSREELS\""],"NLBrute":["misp-galaxy:tool=\"NLBrute\""],"NanoCoreRAT":["misp-galaxy:tool=\"NanoCoreRAT\""],"Nancrat":["misp-galaxy:tool=\"NanoCoreRAT\""],"Zurten":["misp-galaxy:tool=\"NanoCoreRAT\""],"Atros2.CKPN":["misp-galaxy:tool=\"NanoCoreRAT\""],"Netfile":["misp-galaxy:tool=\"NetTraveler\""],"Neteagle":["misp-galaxy:tool=\"Neteagle\""],"scout":["misp-galaxy:tool=\"Neteagle\""],"norton":["misp-galaxy:tool=\"Neteagle\""],"Nflog":["misp-galaxy:tool=\"Nflog\""],"Not Petya":["misp-galaxy:tool=\"NotPetya\""],"ODDJOB":["misp-galaxy:tool=\"ODDJOB\""],"BackDoor-FDU":["misp-galaxy:tool=\"OLDBAIT\""],"IEChecker":["misp-galaxy:tool=\"OLDBAIT\""],"OSX.BadWord":["misp-galaxy:tool=\"OSX.BadWord\""],"OSX.Pirrit":["misp-galaxy:tool=\"OSX.Pirrit\""],"OSX\/Pirrit":["misp-galaxy:tool=\"OSX.Pirrit\""],"OSX\/Shlayer":["misp-galaxy:tool=\"OSX\/Shlayer\""],"Oldrea":["misp-galaxy:tool=\"Oldrea\""],"HSDFSDCrypt":["misp-galaxy:tool=\"Ordinypt\""],"OzoneRAT":["misp-galaxy:tool=\"OzoneRAT\""],"Ozone RAT":["misp-galaxy:tool=\"OzoneRAT\""],"ozonercp":["misp-galaxy:tool=\"OzoneRAT\""],"PAExec":["misp-galaxy:tool=\"PAExec\""],"PASSFREELY":["misp-galaxy:tool=\"PASSFREELY\""],"PCClient RAT":["misp-galaxy:tool=\"PCClient RAT\""],"PLEAD Downloader":["misp-galaxy:tool=\"PLEAD Downloader\""],"PNG Dropper":["misp-galaxy:tool=\"PNG Dropper\""],"PNG_Dropper":["misp-galaxy:tool=\"PNG Dropper\""],"PNGDropper":["misp-galaxy:tool=\"PNG Dropper\""],"Backdoor.APT.POORAIM":["misp-galaxy:tool=\"POORAIM\""],"PRILEX":["misp-galaxy:tool=\"PRILEX\""],"PWOBot":["misp-galaxy:tool=\"PWOBot\""],"PWOLauncher":["misp-galaxy:tool=\"PWOBot\""],"PWOHTTPD":["misp-galaxy:tool=\"PWOBot\""],"PWOKeyLogger":["misp-galaxy:tool=\"PWOBot\""],"PWOMiner":["misp-galaxy:tool=\"PWOBot\""],"PWOPyExec":["misp-galaxy:tool=\"PWOBot\""],"PWOQuery":["misp-galaxy:tool=\"PWOBot\""],"Palevo":["misp-galaxy:tool=\"Palevo\""],"Badey":["misp-galaxy:tool=\"Pirpi\""],"EXL":["misp-galaxy:tool=\"Pirpi\""],"Backdoor.FSZO-5117":["misp-galaxy:tool=\"PlugX\""],"Trojan.Heur.JP.juW@ayZZvMb":["misp-galaxy:tool=\"PlugX\""],"Trojan.Inject1.6386":["misp-galaxy:tool=\"PlugX\""],"Agent.dhwf":["misp-galaxy:tool=\"PlugX\""],"Preshin":["misp-galaxy:tool=\"Preshin\""],"PupyRAT":["misp-galaxy:tool=\"PupyRAT\""],"QUASARRAT":["misp-galaxy:tool=\"QUASARRAT\""],"RCS Galileo":["misp-galaxy:tool=\"RCS Galileo\""],"RDPWrap":["misp-galaxy:tool=\"RDPWrap\""],"REDLEAVES":["misp-galaxy:tool=\"REDLEAVES\""],"RICECURRY":["misp-galaxy:tool=\"RICECURRY\""],"Exploit.APT.RICECURRY":["misp-galaxy:tool=\"RICECURRY\""],"RPCOUTCH":["misp-galaxy:tool=\"RPCOUTCH\""],"RUHAPPY":["misp-galaxy:tool=\"RUHAPPY\""],"FE_APT_Trojan_Win32_RUHAPPY_1":["misp-galaxy:tool=\"RUHAPPY\""],"Ratankba":["misp-galaxy:tool=\"Ratankba\""],"Prax":["misp-galaxy:tool=\"Regin\""],"WarriorPride":["misp-galaxy:tool=\"Regin\""],"Rekaf":["misp-galaxy:tool=\"Rekaf\""],"Rotexy":["misp-galaxy:tool=\"Rotexy\""],"SMSThief":["misp-galaxy:tool=\"Rotexy\""],"Rotinom":["misp-galaxy:tool=\"Rotinom\""],"ROVNIX":["misp-galaxy:tool=\"Rovnix\""],"RoyalDNS":["misp-galaxy:tool=\"RoyalDNS\""],"Rubella Macro Builder":["misp-galaxy:tool=\"Rubella Macro Builder\""],"SEASALT":["misp-galaxy:tool=\"SEASALT\""],"FE_APT_Backdoor_SHUTTERSPEED":["misp-galaxy:tool=\"SHUTTERSPEED\""],"APT.Backdoor.SHUTTERSPEED":["misp-galaxy:tool=\"SHUTTERSPEED\""],"FE_APT_Downloader_Win_SLOWDRIFT_1":["misp-galaxy:tool=\"SLOWDRIFT\""],"FE_APT_Downloader_Win_SLOWDRIFT_2":["misp-galaxy:tool=\"SLOWDRIFT\""],"APT.Downloader.SLOWDRIFT":["misp-galaxy:tool=\"SLOWDRIFT\""],"SLUB Backdoor":["misp-galaxy:tool=\"SLUB Backdoor\""],"SMBTOUCH":["misp-galaxy:tool=\"SMBTOUCH\""],"SOUNDWAVE":["misp-galaxy:tool=\"SOUNDWAVE\""],"FE_APT_HackTool_Win32_SOUNDWAVE_1":["misp-galaxy:tool=\"SOUNDWAVE\""],"SPIVY":["misp-galaxy:tool=\"SPIVY\""],"STARSYPOUND":["misp-galaxy:tool=\"STARSYPOUND\""],"SURTR":["misp-galaxy:tool=\"SURTR\""],"SWORD":["misp-galaxy:tool=\"SWORD\""],"Scieron":["misp-galaxy:tool=\"Scieron\""],"Scranos":["misp-galaxy:tool=\"Scranos\""],"Sekur":["misp-galaxy:tool=\"Sekur\""],"ShimRAT":["misp-galaxy:tool=\"ShimRAT\""],"Shipup":["misp-galaxy:tool=\"Shipup\""],"Shiz":["misp-galaxy:tool=\"Shiz\""],"Win32\/Sirefef":["misp-galaxy:tool=\"Sirefef\""],"SkeletonKey":["misp-galaxy:tool=\"SkeletonKey\""],"Skyipot":["misp-galaxy:tool=\"Skyipot\""],"GM-Bot":["misp-galaxy:tool=\"Slempo\""],"Spindest":["misp-galaxy:tool=\"Spindest\""],"StalinLocker":["misp-galaxy:tool=\"StalinLocker\""],"StalinScreamer":["misp-galaxy:tool=\"StalinLocker\""],"StealthWorker":["misp-galaxy:tool=\"StealthWorker\""],"StrongPity2":["misp-galaxy:tool=\"StrongPity2\""],"Win32\/StrongPity2":["misp-galaxy:tool=\"StrongPity2\""],"trojan-banker.androidos.svpeng.ae":["misp-galaxy:tool=\"Svpeng\""],"Swisyn":["misp-galaxy:tool=\"Swisyn\""],"T5000":["misp-galaxy:tool=\"T5000\""],"Plat1":["misp-galaxy:tool=\"T5000\""],"TABMSGSQL":["misp-galaxy:tool=\"TABMSGSQL\""],"TROJAN LETSGO":["misp-galaxy:tool=\"TABMSGSQL\""],"TARSIP-ECLIPSE":["misp-galaxy:tool=\"TARSIP-ECLIPSE\""],"TARSIP-MOON":["misp-galaxy:tool=\"TARSIP-MOON\""],"TRISIS":["misp-galaxy:tool=\"TRISIS\""],"TRITON":["misp-galaxy:tool=\"TRISIS\""],"Tafacalou":["misp-galaxy:tool=\"Tafacalou\""],"Tartine":["misp-galaxy:tool=\"Tartine\""],"Taurus":["misp-galaxy:tool=\"Taurus\""],"Tdrop":["misp-galaxy:tool=\"Tdrop\""],"Tdrop2":["misp-galaxy:tool=\"Tdrop2\""],"Terra Loader":["misp-galaxy:tool=\"Terra Loader\""],"Torn RAT":["misp-galaxy:tool=\"Torn RAT\""],"Travle":["misp-galaxy:tool=\"Travle\""],"PYLOT":["misp-galaxy:tool=\"Travle\""],"Trick Bot":["misp-galaxy:tool=\"Trick Bot\""],"TripleFantasy":["misp-galaxy:tool=\"TripleFantasy\""],"Trojan.Laziok":["misp-galaxy:tool=\"Trojan.Laziok\""],"Trojan.Naid":["misp-galaxy:tool=\"Trojan.Naid\""],"Mdmbot.E":["misp-galaxy:tool=\"Trojan.Naid\""],"AGENT.GUNZ":["misp-galaxy:tool=\"Trojan.Naid\""],"AGENT.AQUP.DROPPER":["misp-galaxy:tool=\"Trojan.Naid\""],"AGENT.BMZA":["misp-galaxy:tool=\"Trojan.Naid\""],"MCRAT.A":["misp-galaxy:tool=\"Trojan.Naid\""],"AGENT.ABQMR":["misp-galaxy:tool=\"Trojan.Naid\""],"Trojan.Seaduke":["misp-galaxy:tool=\"Trojan.Seaduke\""],"Seaduke":["misp-galaxy:tool=\"Trojan.Seaduke\""],"Troy":["misp-galaxy:tool=\"Troy\""],"Urouros":["misp-galaxy:tool=\"Turla\""],"UselessDisk":["misp-galaxy:tool=\"UselessDisk\""],"DiskWriter":["misp-galaxy:tool=\"UselessDisk\""],"VB Flash":["misp-galaxy:tool=\"VB Flash\""],"VPNFilter":["misp-galaxy:tool=\"VPNFilter\""],"WARP":["misp-galaxy:tool=\"WARP\""],"WEBC2-ADSPACE":["misp-galaxy:tool=\"WEBC2-ADSPACE\""],"WEBC2-AUSOV":["misp-galaxy:tool=\"WEBC2-AUSOV\""],"WEBC2-BOLID":["misp-galaxy:tool=\"WEBC2-BOLID\""],"WEBC2-CLOVER":["misp-galaxy:tool=\"WEBC2-CLOVER\""],"WEBC2-CSON":["misp-galaxy:tool=\"WEBC2-CSON\""],"WEBC2-DIV":["misp-galaxy:tool=\"WEBC2-DIV\""],"WEBC2-GREENCAT":["misp-galaxy:tool=\"WEBC2-GREENCAT\""],"WEBC2-HEAD":["misp-galaxy:tool=\"WEBC2-HEAD\""],"WEBC2-KT3":["misp-galaxy:tool=\"WEBC2-KT3\""],"WEBC2-QBP":["misp-galaxy:tool=\"WEBC2-QBP\""],"WEBC2-RAVE":["misp-galaxy:tool=\"WEBC2-RAVE\""],"WEBC2-TABLE":["misp-galaxy:tool=\"WEBC2-TABLE\""],"WEBC2-TOCK":["misp-galaxy:tool=\"WEBC2-TOCK\""],"WEBC2-UGX":["misp-galaxy:tool=\"WEBC2-UGX\""],"WEBC2-Y21K":["misp-galaxy:tool=\"WEBC2-Y21K\""],"WEBC2-YAHOO":["misp-galaxy:tool=\"WEBC2-YAHOO\""],"FE_APT_Backdoor_WINERACK":["misp-galaxy:tool=\"WINERACK\""],"Backdoor.APT.WINERACK":["misp-galaxy:tool=\"WINERACK\""],"WinIDS":["misp-galaxy:tool=\"WinIDS\""],"Etso":["misp-galaxy:tool=\"Winnti\""],"SUQ":["misp-galaxy:tool=\"Winnti\""],"Agent.ALQHI":["misp-galaxy:tool=\"Winnti\""],"Epic Turla":["misp-galaxy:tool=\"Wipbot\""],"Wmiexec":["misp-galaxy:tool=\"Wmiexec\""],"XAgent":["misp-galaxy:tool=\"X-Agent\""],"XSControl":["misp-galaxy:tool=\"XSControl\""],"W32\/Seeav":["misp-galaxy:tool=\"Yahoyah\""],"ZUMKONG":["misp-galaxy:tool=\"ZUMKONG\""],"FE_APT_Trojan_Zumkong":["misp-galaxy:tool=\"ZUMKONG\""],"Trojan.APT.Zumkong":["misp-galaxy:tool=\"ZUMKONG\""],"Sensode":["misp-galaxy:tool=\"ZXShell\""],"ZeGhost":["misp-galaxy:tool=\"ZeGhost\""],"BackDoor-FBZT!52D84425CDF2":["misp-galaxy:tool=\"ZeGhost\""],"Trojan.Win32.Staser.ytq":["misp-galaxy:tool=\"ZeGhost\""],"Win32\/Zegost.BW":["misp-galaxy:tool=\"ZeGhost\""],"Trojan.Zbot":["misp-galaxy:tool=\"Zeus\""],"adzok":["misp-galaxy:tool=\"adzok\""],"albertino":["misp-galaxy:tool=\"albertino\""],"arcom":["misp-galaxy:tool=\"arcom\""],"blacknix":["misp-galaxy:tool=\"blacknix\""],"bluebanana":["misp-galaxy:tool=\"bluebanana\""],"bozok":["misp-galaxy:tool=\"bozok\""],"clientmesh":["misp-galaxy:tool=\"clientmesh\""],"csvde.exe":["misp-galaxy:tool=\"csvde.exe\""],"cybergate":["misp-galaxy:tool=\"cybergate\""],"da Vinci RCS":["misp-galaxy:tool=\"da Vinci RCS\""],"DaVinci":["misp-galaxy:tool=\"da Vinci RCS\""],"Morcut":["misp-galaxy:tool=\"da Vinci RCS\""],"darkcomet":["misp-galaxy:tool=\"darkcomet\""],"darkddoser":["misp-galaxy:tool=\"darkddoser\""],"darkrat":["misp-galaxy:tool=\"darkrat\""],"feodo":["misp-galaxy:tool=\"feodo\""],"greame":["misp-galaxy:tool=\"greame\""],"hawkeye":["misp-galaxy:tool=\"hawkeye\""],"javadropper":["misp-galaxy:tool=\"javadropper\""],"jspy":["misp-galaxy:tool=\"jspy\""],"kitty Malware":["misp-galaxy:tool=\"kitty Malware\""],"lostdoor":["misp-galaxy:tool=\"lostdoor\""],"luxnet":["misp-galaxy:tool=\"luxnet\""],"miniFlame":["misp-galaxy:tool=\"miniFlame\""],"njRAT":["misp-galaxy:tool=\"njRAT\""],"Jorik":["misp-galaxy:tool=\"njRAT\""],"pandora":["misp-galaxy:tool=\"pandora\""],"predatorpain":["misp-galaxy:tool=\"predatorpain\""],"punisher":["misp-galaxy:tool=\"punisher\""],"shadowtech":["misp-galaxy:tool=\"shadowtech\""],"smallnet":["misp-galaxy:tool=\"smallnet\""],"spygate":["misp-galaxy:tool=\"spygate\""],"tapaoux":["misp-galaxy:tool=\"tapaoux\""],"template":["misp-galaxy:tool=\"template\""],"vantom":["misp-galaxy:tool=\"vantom\""],"virusrat":["misp-galaxy:tool=\"virusrat\""],"wp-vcd":["misp-galaxy:tool=\"wp-vcd\""],"xDedic RDP Patch":["misp-galaxy:tool=\"xDedic RDP Patch\""],"xDedic SysScan":["misp-galaxy:tool=\"xDedic SysScan\""],"xena":["misp-galaxy:tool=\"xena\""],"xrat":["misp-galaxy:tool=\"xrat\""],"xtreme":["misp-galaxy:tool=\"xtreme\""]} \ No newline at end of file diff --git a/misp_modules/modules/__init__.py b/misp_modules/modules/__init__.py index 47ddcbf..97fdc13 100644 --- a/misp_modules/modules/__init__.py +++ b/misp_modules/modules/__init__.py @@ -1,3 +1,4 @@ from .expansion import * # noqa from .import_mod import * # noqa from .export_mod import * # noqa +from .action_mod import * # noqa diff --git a/misp_modules/modules/action_mod/__init__.py b/misp_modules/modules/action_mod/__init__.py new file mode 100644 index 0000000..d706e5c --- /dev/null +++ b/misp_modules/modules/action_mod/__init__.py @@ -0,0 +1 @@ +__all__ = ['testaction', 'mattermost'] diff --git a/misp_modules/modules/action_mod/_utils/__init__.py b/misp_modules/modules/action_mod/_utils/__init__.py new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/misp_modules/modules/action_mod/_utils/__init__.py @@ -0,0 +1 @@ + diff --git a/misp_modules/modules/action_mod/_utils/utils.py b/misp_modules/modules/action_mod/_utils/utils.py new file mode 100644 index 0000000..3afdc17 --- /dev/null +++ b/misp_modules/modules/action_mod/_utils/utils.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python + +from jinja2.sandbox import SandboxedEnvironment + +default_template = """ +# Tutorial: How to use jinja2 templating + +:warning: For these examples, we consider the module received data under the MISP core format + +1. You can use the dot `.` notation or the subscript syntax `[]` to access attributes of a variable + - `{% raw %}{{ Event.info }}{% endraw %}` -> {{ Event.info }} + - `{% raw %}{{ Event['info'] }}{% endraw %}` -> {{ Event['info'] }} + +2. Jinja2 allows you to easily create list: +```{% raw %} +{% for attribute in Event.Attribute %} +- {{ attribute.value }} +{% endfor %} +{% endraw %}``` + +Gives: +{% for attribute in Event.Attribute %} +- {{ attribute.value }} +{% endfor %} + +3. Jinja2 allows you to add logic +```{% raw %} +{% if "tlp:white" in Event.Tag %} +- This Event has the TLP:WHITE tag +{% else %} +- This Event doesn't have the TLP:WHITE tag +{% endif %} +{% endraw %}``` + +Gives: +{% if "tlp:white" in Event.Tag %} +- This Event has the TLP:WHITE tag +{% else %} +- This Event doesn't have the TLP:WHITE tag +{% endif %} + +## Jinja2 allows you to modify variables by using filters + +3. The `reverse` filter +- `{% raw %}{{ Event.info | reverse }}{% endraw %}` -> {{ Event.info | reverse }} + +4. The `format` filter +- `{% raw %}{{ "%s :: %s" | format(Event.Attribute[0].type, Event.Attribute[0].value) }}{% endraw %}` -> {{ "%s :: %s" | format(Event.Attribute[0].type, Event.Attribute[0].value) }} + +5.The `groupby` filter +```{% raw %} +{% for type, attributes in Event.Attribute|groupby("type") %} +- {{ type }}{% for attribute in attributes %} + - {{ attribute.value }} + {% endfor %} +{% endfor %} +{% endraw %}``` + +Gives: +{% for type, attributes in Event.Attribute|groupby("type") %} +- {{ type }}{% for attribute in attributes %} + - {{ attribute.value }} + {% endfor %} +{% endfor %} +""" + + +def renderTemplate(data, template=default_template): + env = SandboxedEnvironment() + return env.from_string(template).render(data) \ No newline at end of file diff --git a/misp_modules/modules/action_mod/mattermost.py b/misp_modules/modules/action_mod/mattermost.py new file mode 100644 index 0000000..dbcd336 --- /dev/null +++ b/misp_modules/modules/action_mod/mattermost.py @@ -0,0 +1,97 @@ +import json +from mattermostdriver import Driver +from ._utils import utils + +misperrors = {'error': 'Error'} + +# config fields that your code expects from the site admin +moduleconfig = { + 'params': { + 'mattermost_hostname': { + 'type': 'string', + 'description': 'The Mattermost domain', + 'value': 'example.mattermost.com', + }, + 'bot_access_token': { + 'type': 'string', + 'description': 'Access token generated when you created the bot account', + }, + 'channel_id': { + 'type': 'string', + 'description': 'The channel you added the bot to', + }, + 'message_template': { + 'type': 'large_string', + 'description': 'The template to be used to generate the message to be posted', + 'value': 'The **template** will be rendered using *Jinja2*!', + }, + }, + # Blocking modules break the exection of the current of action + 'blocking': False, + # Indicates whether parts of the data passed to this module should be filtered. Filtered data can be found under the `filteredItems` key + 'support_filters': True, + # Indicates whether the data passed to this module should be compliant with the MISP core format + 'expect_misp_core_format': False, +} + + +# returns either "boolean" or "data" +# Boolean is used to simply signal that the execution has finished. +# For blocking modules the actual boolean value determines whether we break execution +returns = 'boolean' + +moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem', + 'description': 'Simplistic module to send message to a Mattermost channel.', + 'module-type': ['action']} + + +def createPost(request): + params = request['params'] + mm = Driver({ + 'url': params['mattermost_hostname'], + 'token': params['bot_access_token'], + 'scheme': 'https', + 'basepath': '/api/v4', + 'port': 443, + }) + mm.login() + + data = {} + if 'matchingData' in request: + data = request['matchingData'] + else: + data = request['data'] + + if params['message_template']: + message = utils.renderTemplate(data, params['message_template']) + else: + message = '```\n{}\n```'.format(json.dumps(data)) + + mm.posts.create_post(options={ + 'channel_id': params['channel_id'], + 'message': message + }) + return True + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + createPost(request) + r = {"data": True} + return r + + +def introspection(): + modulesetup = {} + try: + modulesetup['config'] = moduleconfig + except NameError: + pass + return modulesetup + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/action_mod/testaction.py b/misp_modules/modules/action_mod/testaction.py new file mode 100644 index 0000000..d773c4e --- /dev/null +++ b/misp_modules/modules/action_mod/testaction.py @@ -0,0 +1,59 @@ +import json +from ._utils import utils + +misperrors = {'error': 'Error'} + +# config fields that your code expects from the site admin +moduleconfig = { + 'params': { + 'foo': { + 'type': 'string', + 'description': 'blablabla', + 'value': 'xyz' + }, + 'Data extraction path': { + # Extracted data can be found under the `matchingData` key + 'type': 'hash_path', + 'description': 'Only post content extracted from this path', + 'value': 'Attribute.{n}.AttributeTag.{n}.Tag.name', + }, + }, + # Blocking modules break the exection of the current of action + 'blocking': False, + # Indicates whether parts of the data passed to this module should be extracted. Extracted data can be found under the `filteredItems` key + 'support_filters': False, + # Indicates whether the data passed to this module should be compliant with the MISP core format + 'expect_misp_core_format': False, +} + +# returns either "boolean" or "data" +# Boolean is used to simply signal that the execution has finished. +# For blocking modules the actual boolean value determines whether we break execution +returns = 'boolean' + +moduleinfo = {'version': '0.1', 'author': 'Andras Iklody', + 'description': 'This module is merely a test, always returning true. Triggers on event publishing.', + 'module-type': ['action']} + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) # noqa + success = True + r = {"data": success} + return r + + +def introspection(): + modulesetup = {} + try: + modulesetup['config'] = moduleconfig + except NameError: + pass + return modulesetup + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py index 14d5499..4388cb0 100644 --- a/misp_modules/modules/expansion/__init__.py +++ b/misp_modules/modules/expansion/__init__.py @@ -1,12 +1,11 @@ -from . import _vmray # noqa import os import sys sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3]))) __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl', - 'countrycode', 'cve', 'cve_advanced', 'dns', 'btc_steroids', 'domaintools', 'eupi', 'eql', - 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', + 'countrycode', 'cve', 'cve_advanced', 'cpe', 'dns', 'btc_steroids', 'domaintools', 'eupi', + 'eql', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_asn', 'geoip_city', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', @@ -18,4 +17,16 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c 'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid', 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar', 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich', - 'trustar_enrich', 'recordedfuture'] + 'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh', + 'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring', + 'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs'] + + +minimum_required_fields = ('type', 'uuid', 'value') + +checking_error = 'containing at least a "type" field and a "value" field' +standard_error_message = 'This module requires an "attribute" field as input' + + +def check_input_attribute(attribute, requirements=minimum_required_fields): + return all(feature in attribute for feature in requirements) diff --git a/misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py b/misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py index af3f204..5df1207 100755 --- a/misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +++ b/misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py @@ -119,7 +119,10 @@ class DnsdbClient(object): break yield json.loads(line.decode('ascii')) except (HTTPError, URLError) as e: - raise QueryError(str(e), sys.exc_traceback) + try: + raise QueryError(str(e), sys.exc_traceback) + except AttributeError: + raise QueryError(str(e), sys.exc_info) def quote(path): diff --git a/misp_modules/modules/expansion/_vmray/vmray_rest_api.py b/misp_modules/modules/expansion/_vmray/vmray_rest_api.py deleted file mode 100644 index 4d5245b..0000000 --- a/misp_modules/modules/expansion/_vmray/vmray_rest_api.py +++ /dev/null @@ -1,148 +0,0 @@ -#!/usr/bin/env python3 -"""Python client library for VMRay REST API""" - -import base64 -import datetime -import os.path -import requests -import urllib.parse - -# disable nasty certification warning -# pylint: disable=no-member -try: - requests.packages.urllib3.disable_warnings() -except AttributeError: - try: - import urllib3 - try: - urllib3.disable_warnings() - except AttributeError: - pass - except ImportError: - pass - -# pylint: disable= - - -class VMRayRESTAPIError(Exception): - """Exception class that is used when API returns an error""" - - def __init__(self, *args, **kwargs): - self.status_code = kwargs.pop("status_code", None) - Exception.__init__(self, *args, **kwargs) - - -def handle_rest_api_result(result): - """Handle result of API request (check for errors)""" - - if (result.status_code < 200) or (result.status_code > 299): - try: - json_result = result.json() - except ValueError: - raise VMRayRESTAPIError("API returned error %u: %s" % (result.status_code, result.text), status_code=result.status_code) - - raise VMRayRESTAPIError(json_result.get("error_msg", "Unknown error"), status_code=result.status_code) - - -class VMRayRESTAPI(object): - """VMRay REST API class""" - - def __init__(self, server, api_key, verify_cert=True): - # split server URL into components - url_desc = urllib.parse.urlsplit(server) - - # assume HTTPS if no scheme is specified - if url_desc.scheme == "": - server = "https://" + server - - # save variables - self.server = server - self.api_key = api_key - self.verify_cert = verify_cert - - def call(self, http_method, api_path, params=None, raw_data=False): - """Call VMRay REST API""" - - # get function of requests package - requests_func = getattr(requests, http_method.lower()) - - # parse parameters - req_params = {} - file_params = {} - - if params is not None: - for key, value in params.items(): - if isinstance(value, (datetime.date, - datetime.datetime, - float, - int)): - req_params[key] = str(value) - elif isinstance(value, str): - req_params[key] = str(value) - elif isinstance(value, dict): - filename = value["filename"] - sample = value["data"] - file_params[key] = (filename, sample, "application/octet-stream") - elif hasattr(value, "read"): - filename = os.path.split(value.name)[1] - # For the following block refer to DEV-1820 - try: - filename.decode("ASCII") - except (UnicodeDecodeError, UnicodeEncodeError): - b64_key = key + "name_b64enc" - byte_value = filename.encode("utf-8") - b64_value = base64.b64encode(byte_value) - - filename = "@param=%s" % b64_key - req_params[b64_key] = b64_value - file_params[key] = (filename, value, "application/octet-stream") - else: - raise VMRayRESTAPIError("Parameter \"%s\" has unknown type \"%s\"" % (key, type(value))) - - # construct request - if file_params: - files = file_params - else: - files = None - - # we need to adjust some stuff for POST requests - if http_method.lower() == "post": - req_data = req_params - req_params = None - else: - req_data = None - - # do request - result = requests_func(self.server + api_path, data=req_data, params=req_params, headers={"Authorization": "api_key " + self.api_key}, files=files, verify=self.verify_cert, stream=raw_data) - handle_rest_api_result(result) - - if raw_data: - return result.raw - - # parse result - try: - json_result = result.json() - except ValueError: - raise ValueError("API returned invalid JSON: %s" % (result.text)) - - # if there are no cached elements then return the data - if "continuation_id" not in json_result: - return json_result.get("data", None) - - data = json_result["data"] - - # get cached results - while "continuation_id" in json_result: - # send request to server - result = requests.get("%s/rest/continuation/%u" % (self.server, json_result["continuation_id"]), headers={"Authorization": "api_key " + self.api_key}, verify=self.verify_cert) - handle_rest_api_result(result) - - # parse result - try: - json_result = result.json() - except ValueError: - raise ValueError("API returned invalid JSON: %s" % (result.text)) - - data.extend(json_result["data"]) - - return data diff --git a/misp_modules/modules/expansion/apivoid.py b/misp_modules/modules/expansion/apivoid.py index 5d6395e..fc0d43e 100755 --- a/misp_modules/modules/expansion/apivoid.py +++ b/misp_modules/modules/expansion/apivoid.py @@ -1,10 +1,11 @@ import json import requests +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} -mispattributes = {'input': ['domain', 'hostname'], 'format': 'misp_standard'} -moduleinfo = {'version': '0.1', 'author': 'Christian Studer', +mispattributes = {'input': ['domain', 'hostname', 'email', 'email-src', 'email-dst', 'email-reply-to', 'dns-soa-email', 'target-email', 'whois-registrant-email'], 'format': 'misp_standard'} +moduleinfo = {'version': '0.2', 'author': 'Christian Studer', 'description': 'On demand query API for APIVoid.', 'module-type': ['expansion', 'hover']} moduleconfig = ['apikey'] @@ -42,6 +43,31 @@ class APIVoidParser(): ssl = requests.get(f'{self.url.format("sslinfo", apikey)}host={self.attribute.value}').json() self._parse_ssl_certificate(ssl['data']['certificate']) + def handle_email(self, apikey): + feature = 'emailverify' + if requests.get(f'{self.url.format(feature, apikey)}stats').json()['credits_remained'] < 0.06: + self.result = {'error': 'You do not have enough APIVoid credits to proceed your request.'} + return + emaillookup = requests.get(f'{self.url.format(feature, apikey)}email={self.attribute.value}').json() + email_verification = MISPObject('apivoid-email-verification') + boolean_attributes = ['valid_format', 'suspicious_username', 'suspicious_email', 'dirty_words_username', + 'suspicious_email', 'valid_tld', 'disposable', 'has_a_records', 'has_mx_records', + 'has_spf_records', 'is_spoofable', 'dmarc_configured', 'dmarc_enforced', 'free_email', + 'russian_free_email', 'china_free_email', 'suspicious_domain', 'dirty_words_domain', + 'domain_popular', 'risky_tld', 'police_domain', 'government_domain', 'educational_domain', + 'should_block'] + for boolean_attribute in boolean_attributes: + email_verification.add_attribute(boolean_attribute, + **{'type': 'boolean', 'value': emaillookup['data'][boolean_attribute]}) + email_verification.add_attribute('email', **{'type': 'email', 'value': emaillookup['data']['email']}) + email_verification.add_attribute('username', **{'type': 'text', 'value': emaillookup['data']['username']}) + email_verification.add_attribute('role_address', + **{'type': 'boolean', 'value': emaillookup['data']['role_address']}) + email_verification.add_attribute('domain', **{'type': 'domain', 'value': emaillookup['data']['domain']}) + email_verification.add_attribute('score', **{'type': 'float', 'value': emaillookup['data']['score']}) + email_verification.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(email_verification) + def _handle_dns_record(self, item, record_type, relationship): dns_record = MISPObject('dns-record') dns_record.add_attribute('queried-domain', type='domain', value=item['host']) @@ -74,10 +100,17 @@ def handler(q=False): request = json.loads(q) if not request.get('config', {}).get('apikey'): return {'error': 'An API key for APIVoid is required.'} - attribute = request.get('attribute') + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} apikey = request['config']['apikey'] apivoid_parser = APIVoidParser(attribute) - apivoid_parser.parse_domain(apikey) + if attribute['type'] in ['domain', 'hostname']: + apivoid_parser.parse_domain(apikey) + else: + apivoid_parser.handle_email(apikey) return apivoid_parser.get_results() diff --git a/misp_modules/modules/expansion/assemblyline_query.py b/misp_modules/modules/expansion/assemblyline_query.py index 226e4dd..90bdd3c 100644 --- a/misp_modules/modules/expansion/assemblyline_query.py +++ b/misp_modules/modules/expansion/assemblyline_query.py @@ -1,5 +1,6 @@ # -*- coding: utf-8 -*- import json +from . import check_input_attribute, standard_error_message from assemblyline_client import Client, ClientError from collections import defaultdict from pymisp import MISPAttribute, MISPEvent, MISPObject @@ -10,7 +11,7 @@ mispattributes = {'input': ['link'], 'format': 'misp_standard'} moduleinfo = {'version': '1', 'author': 'Christian Studer', 'description': 'Query AssemblyLine with a report URL to get the parsed data.', 'module-type': ['expansion']} -moduleconfig = ["apiurl", "user_id", "apikey", "password"] +moduleconfig = ["apiurl", "user_id", "apikey", "password", "verifyssl"] class AssemblyLineParser(): @@ -124,7 +125,7 @@ def parse_config(apiurl, user_id, config): error = {"error": "Please provide your AssemblyLine API key or Password."} if config.get('apikey'): try: - return Client(apiurl, apikey=(user_id, config['apikey'])) + return Client(apiurl, apikey=(user_id, config['apikey']), verify=config['verifyssl']) except ClientError as e: error['error'] = f'Error while initiating a connection with AssemblyLine: {e.__str__()}' if config.get('password'): @@ -139,6 +140,10 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} if not request.get('config'): return {"error": "Missing configuration."} if not request['config'].get('apiurl'): diff --git a/misp_modules/modules/expansion/assemblyline_submit.py b/misp_modules/modules/expansion/assemblyline_submit.py index 206f5c0..9e019ff 100644 --- a/misp_modules/modules/expansion/assemblyline_submit.py +++ b/misp_modules/modules/expansion/assemblyline_submit.py @@ -7,7 +7,7 @@ from urllib.parse import urljoin moduleinfo = {"version": 1, "author": "Christian Studer", "module-type": ["expansion"], "description": "Submit files or URLs to AssemblyLine"} -moduleconfig = ["apiurl", "user_id", "apikey", "password"] +moduleconfig = ["apiurl", "user_id", "apikey", "password", "verifyssl"] mispattributes = {"input": ["attachment", "malware-sample", "url"], "output": ["link"]} @@ -16,12 +16,12 @@ def parse_config(apiurl, user_id, config): error = {"error": "Please provide your AssemblyLine API key or Password."} if config.get('apikey'): try: - return Client(apiurl, apikey=(user_id, config['apikey'])) + return Client(apiurl, apikey=(user_id, config['apikey']), verify=config['verifyssl']) except ClientError as e: error['error'] = f'Error while initiating a connection with AssemblyLine: {e.__str__()}' if config.get('password'): try: - return Client(apiurl, auth=(user_id, config['password'])) + return Client(apiurl, auth=(user_id, config['password']), verify=config['verifyssl']) except ClientError as e: error['error'] = f'Error while initiating a connection with AssemblyLine: {e.__str__()}' return error diff --git a/misp_modules/modules/expansion/bgpranking.py b/misp_modules/modules/expansion/bgpranking.py index b01088d..c021d62 100755 --- a/misp_modules/modules/expansion/bgpranking.py +++ b/misp_modules/modules/expansion/bgpranking.py @@ -1,13 +1,15 @@ # -*- coding: utf-8 -*- import json -from datetime import date, timedelta +from . import check_input_attribute, standard_error_message +from datetime import date, datetime, timedelta from pybgpranking import BGPRanking +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} -mispattributes = {'input': ['AS'], 'output': ['freetext']} +mispattributes = {'input': ['AS'], 'format': 'misp_standard'} moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', - 'description': 'Query an ASN Description history service (https://github.com/CIRCL/ASN-Description-History.git)', + 'description': 'Query BGP Ranking to get the ranking of an Autonomous System number.', 'module-type': ['expansion', 'hover']} @@ -15,19 +17,65 @@ def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('AS'): - toquery = request['AS'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + toquery = request['attribute'] + if toquery['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} bgpranking = BGPRanking() - values = bgpranking.query(toquery, date=(date.today() - timedelta(1)).isoformat()) + value_toquery = int(toquery['value'][2:]) if toquery['value'].startswith('AS') else int(toquery['value']) + values = bgpranking.query(value_toquery, date=(date.today() - timedelta(1)).isoformat()) - if not values: - misperrors['error'] = 'Unable to find the ASN in BGP Ranking' + if not values['response'] or not values['response']['asn_description']: + misperrors['error'] = 'There is no result about this ASN in BGP Ranking' return misperrors - return {'results': [{'types': mispattributes['output'], 'values': values}]} + + event = MISPEvent() + attribute = MISPAttribute() + attribute.from_dict(**toquery) + event.add_attribute(**attribute) + + asn_object = MISPObject('asn') + asn_object.add_attribute(**{ + 'type': 'AS', + 'object_relation': 'asn', + 'value': values['meta']['asn'] + }) + description, country = values['response']['asn_description'].split(', ') + for relation, value in zip(('description', 'country'), (description, country)): + asn_object.add_attribute(**{ + 'type': 'text', + 'object_relation': relation, + 'value': value + }) + + mapping = { + 'address_family': {'type': 'text', 'object_relation': 'address-family'}, + 'date': {'type': 'datetime', 'object_relation': 'date'}, + 'position': {'type': 'float', 'object_relation': 'position'}, + 'rank': {'type': 'float', 'object_relation': 'ranking'} + } + bgp_object = MISPObject('bgp-ranking') + for feature in ('rank', 'position'): + bgp_attribute = {'value': values['response']['ranking'][feature]} + bgp_attribute.update(mapping[feature]) + bgp_object.add_attribute(**bgp_attribute) + date_attribute = {'value': datetime.strptime(values['meta']['date'], '%Y-%m-%d')} + date_attribute.update(mapping['date']) + bgp_object.add_attribute(**date_attribute) + address_attribute = {'value': values['meta']['address_family']} + address_attribute.update(mapping['address_family']) + bgp_object.add_attribute(**address_attribute) + + asn_object.add_reference(attribute.uuid, 'describes') + asn_object.add_reference(bgp_object.uuid, 'ranked-with') + event.add_object(asn_object) + event.add_object(bgp_object) + + event = json.loads(event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} def introspection(): diff --git a/misp_modules/modules/expansion/censys_enrich.py b/misp_modules/modules/expansion/censys_enrich.py index 0fc61ae..f423712 100644 --- a/misp_modules/modules/expansion/censys_enrich.py +++ b/misp_modules/modules/expansion/censys_enrich.py @@ -1,14 +1,26 @@ # encoding: utf-8 import json +import configparser import base64 import codecs +import censys.common.config from dateutil.parser import isoparse +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject + try: - import censys.base - import censys.ipv4 - import censys.websites - import censys.certificates + #needed in order to overwrite the censys module intent of creating config files in the home folder of the proccess owner + #-- + def get_config_over() -> configparser.ConfigParser: + config = configparser.ConfigParser() + config[censys.common.config.DEFAULT] = censys.common.config.default_config + return config + censys.common.config.get_config = get_config_over + #-- + + from censys.search import CensysHosts + from censys.search import CensysCertificates + from censys.common.base import * except ImportError: print("Censys module not installed. Try 'pip install censys'") @@ -19,8 +31,11 @@ mispattributes = {'input': ['ip-src', 'ip-dst', 'domain', 'hostname', 'hostname| moduleinfo = {'version': '0.1', 'author': 'Loïc Fortemps', 'description': 'Censys.io expansion module', 'module-type': ['expansion', 'hover']} +api_id = None +api_secret = None def handler(q=False): + global api_id, api_secret if q is False: return False request = json.loads(q) @@ -36,16 +51,15 @@ def handler(q=False): api_id = request['config']['api_id'] api_secret = request['config']['api_secret'] - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} attribute = MISPAttribute() attribute.from_dict(**request['attribute']) # Lists to accomodate multi-types attribute - conn = list() types = list() values = list() results = list() @@ -64,26 +78,29 @@ def handler(q=False): types.append(attribute.type) values.append(attribute.value) + found = False for t in types: - # ip, ip-src or ip-dst - if t[:2] == "ip": - conn.append(censys.ipv4.CensysIPv4(api_id=api_id, api_secret=api_secret)) - elif t == 'domain' or t == "hostname": - conn.append(censys.websites.CensysWebsites(api_id=api_id, api_secret=api_secret)) - elif 'x509-fingerprint' in t: - conn.append(censys.certificates.CensysCertificates(api_id=api_id, api_secret=api_secret)) - - found = True - for c in conn: - val = values.pop(0) try: - r = c.view(val) - results.append(parse_response(r, attribute)) - found = True - except censys.base.CensysNotFoundException: - found = False - except Exception: - misperrors['error'] = "Connection issue" + value = values.pop(0) + # ip, ip-src or ip-dst + if t[:2] == "ip": + r = CensysHosts(api_id, api_secret).view(value) + results.append(parse_response(r, attribute)) + found = True + elif t == 'domain' or t == "hostname": + # get ips + endpoint = CensysHosts(api_id, api_secret) + for r_list in endpoint.search(query=value, per_page=5, pages=1): + for r in r_list: + results.append(parse_response(r, attribute)) + found = True + elif 'x509-fingerprint-sha256' in t: + # use api_v1 as Certificates endpoint in api_v2 doesn't yet provide all the details + r = CensysCertificates(api_id, api_secret).view(value) + results.append(parse_response(r, attribute)) + found = True + except CensysException as e: + misperrors['error'] = "ERROR: param {} / response: {}".format(value, e) return misperrors if not found: @@ -97,38 +114,43 @@ def parse_response(censys_output, attribute): misp_event = MISPEvent() misp_event.add_attribute(**attribute) # Generic fields (for IP/Websites) - if "autonomous_system" in censys_output: - cen_as = censys_output['autonomous_system'] + if censys_output.get('autonomous_system'): + cen_as = censys_output.get('autonomous_system') asn_object = MISPObject('asn') - asn_object.add_attribute('asn', value=cen_as["asn"]) - asn_object.add_attribute('description', value=cen_as['name']) - asn_object.add_attribute('subnet-announced', value=cen_as['routed_prefix']) - asn_object.add_attribute('country', value=cen_as['country_code']) + asn_object.add_attribute('asn', value=cen_as.get("asn")) + asn_object.add_attribute('description', value=cen_as.get('name')) + asn_object.add_attribute('subnet-announced', value=cen_as.get('routed_prefix')) + asn_object.add_attribute('country', value=cen_as.get('country_code')) asn_object.add_reference(attribute.uuid, 'associated-to') misp_event.add_object(**asn_object) - if "ip" in censys_output and "ports" in censys_output: + if censys_output.get('ip') and len(censys_output.get('services')): #"ports" in censys_output ip_object = MISPObject('ip-port') - ip_object.add_attribute('ip', value=censys_output['ip']) - for p in censys_output['ports']: - ip_object.add_attribute('dst-port', value=p) + ip_object.add_attribute('ip', value=censys_output.get('ip')) + for serv in censys_output.get('services'): + if serv.get('port'): + ip_object.add_attribute('dst-port', value=serv.get('port')) ip_object.add_reference(attribute.uuid, 'associated-to') misp_event.add_object(**ip_object) # We explore all ports to find https or ssh services - for k in censys_output.keys(): - if not isinstance(censys_output[k], dict): + for serv in censys_output.get('services', []): + if not isinstance(serv, dict): continue - if 'https' in censys_output[k]: + if serv.get('service_name').lower() == 'http' and serv.get('certificate', None): try: - cert = censys_output[k]['https']['tls']['certificate'] - cert_obj = get_certificate_object(cert, attribute) - misp_event.add_object(**cert_obj) + cert = serv.get('certificate', None) + if cert: + # TODO switch to api_v2 once available + # use api_v1 as Certificates endpoint in api_v2 doesn't yet provide all the details + cert_details = CensysCertificates(api_id, api_secret).view(cert) + cert_obj = get_certificate_object(cert_details, attribute) + misp_event.add_object(**cert_obj) except KeyError: print("Error !") - if 'ssh' in censys_output[k]: + if serv.get('ssh') and serv.get('service_name').lower() == 'ssh': try: - cert = censys_output[k]['ssh']['v2']['server_host_key'] + cert = serv.get('ssh').get('server_host_key').get('fingerprint_sha256') # TODO enable once the type is merged # misp_event.add_attribute(type='hasshserver-sha256', value=cert['fingerprint_sha256']) except KeyError: @@ -143,20 +165,20 @@ def parse_response(censys_output, attribute): if "location" in censys_output: loc_obj = MISPObject('geolocation') loc = censys_output['location'] - loc_obj.add_attribute('latitude', value=loc['latitude']) - loc_obj.add_attribute('longitude', value=loc['longitude']) + loc_obj.add_attribute('latitude', value=loc.get('coordinates', {}).get('latitude', None)) + loc_obj.add_attribute('longitude', value=loc.get('coordinates', {}).get('longitude', None)) if 'city' in loc: - loc_obj.add_attribute('city', value=loc['city']) - loc_obj.add_attribute('country', value=loc['country']) + loc_obj.add_attribute('city', value=loc.get('city')) + loc_obj.add_attribute('country', value=loc.get('country')) if 'postal_code' in loc: - loc_obj.add_attribute('zipcode', value=loc['postal_code']) + loc_obj.add_attribute('zipcode', value=loc.get('postal_code')) if 'province' in loc: - loc_obj.add_attribute('region', value=loc['province']) + loc_obj.add_attribute('region', value=loc.get('province')) loc_obj.add_reference(attribute.uuid, 'associated-to') misp_event.add_object(**loc_obj) event = json.loads(misp_event.to_json()) - return {'Object': event['Object'], 'Attribute': event['Attribute']} + return {'Object': event.get('Object', []), 'Attribute': event.get('Attribute', [])} # In case of multiple enrichment (ip and domain), we need to filter out similar objects @@ -165,24 +187,23 @@ def remove_duplicates(results): # Only one enrichment was performed so no duplicate if len(results) == 1: return results[0] - elif len(results) == 2: - final_result = results[0] - obj_l2 = results[1]['Object'] - for o2 in obj_l2: - if o2['name'] == "asn": - key = "asn" - elif o2['name'] == "ip-port": - key = "ip" - elif o2['name'] == "x509": - key = "x509-fingerprint-sha256" - elif o2['name'] == "geolocation": - key = "latitude" - if not check_if_present(o2, key, final_result['Object']): - final_result['Object'].append(o2) - - return final_result else: - return [] + final_result = results[0] + for i,result in enumerate(results[1:]): + obj_l = results[i+1].get('Object', []) + for o2 in obj_l: + if o2['name'] == "asn": + key = "asn" + elif o2['name'] == "ip-port": + key = "ip" + elif o2['name'] == "x509": + key = "x509-fingerprint-sha256" + elif o2['name'] == "geolocation": + key = "latitude" + if not check_if_present(o2, key, final_result.get('Object', [])): + final_result['Object'].append(o2) + + return final_result def check_if_present(object, attribute_name, list_objects): @@ -252,4 +273,4 @@ def introspection(): def version(): moduleinfo['config'] = moduleconfig - return moduleinfo + return moduleinfo \ No newline at end of file diff --git a/misp_modules/modules/expansion/circl_passivedns.py b/misp_modules/modules/expansion/circl_passivedns.py index d278a85..5f98314 100755 --- a/misp_modules/modules/expansion/circl_passivedns.py +++ b/misp_modules/modules/expansion/circl_passivedns.py @@ -1,5 +1,6 @@ import json import pypdns +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'} @@ -58,11 +59,11 @@ def handler(q=False): if not request['config'].get('username') or not request['config'].get('password'): return {'error': 'CIRCL Passive DNS authentication is incomplete, please provide your username and password.'} authentication = (request['config']['username'], request['config']['password']) - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} pdns_parser = PassiveDNSParser(attribute, authentication) pdns_parser.parse() return pdns_parser.get_results() diff --git a/misp_modules/modules/expansion/circl_passivessl.py b/misp_modules/modules/expansion/circl_passivessl.py index 102bed8..65783d7 100755 --- a/misp_modules/modules/expansion/circl_passivessl.py +++ b/misp_modules/modules/expansion/circl_passivessl.py @@ -1,5 +1,6 @@ import json import pypssl +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject mispattributes = {'input': ['ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'} @@ -83,11 +84,11 @@ def handler(q=False): if not request['config'].get('username') or not request['config'].get('password'): return {'error': 'CIRCL Passive SSL authentication is incomplete, please provide your username and password.'} authentication = (request['config']['username'], request['config']['password']) - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} pssl_parser = PassiveSSLParser(attribute, authentication) pssl_parser.parse() return pssl_parser.get_results() diff --git a/misp_modules/modules/expansion/clamav.py b/misp_modules/modules/expansion/clamav.py new file mode 100644 index 0000000..1582409 --- /dev/null +++ b/misp_modules/modules/expansion/clamav.py @@ -0,0 +1,128 @@ +import base64 +import io +import json +import logging +import sys +import zipfile +import clamd +from . import check_input_attribute, standard_error_message +from typing import Optional +from pymisp import MISPEvent, MISPObject + +log = logging.getLogger("clamav") +log.setLevel(logging.DEBUG) +sh = logging.StreamHandler(sys.stdout) +sh.setLevel(logging.DEBUG) +fmt = logging.Formatter( + "%(asctime)s - %(name)s - %(levelname)s - %(message)s" +) +sh.setFormatter(fmt) +log.addHandler(sh) + +moduleinfo = { + "version": "0.1", + "author": "Jakub Onderka", + "description": "Submit file to ClamAV", + "module-type": ["expansion"] +} +moduleconfig = ["connection"] +mispattributes = { + "input": ["attachment", "malware-sample"], + "format": "misp_standard" +} + + +def create_response(original_attribute: dict, software: str, signature: Optional[str] = None) -> dict: + misp_event = MISPEvent() + if signature: + misp_event.add_attribute(**original_attribute) + + av_signature_object = MISPObject("av-signature") + av_signature_object.add_attribute("signature", signature) + av_signature_object.add_attribute("software", software) + av_signature_object.add_reference(original_attribute["uuid"], "belongs-to") + misp_event.add_object(av_signature_object) + + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {"results": results} + + +def connect_to_clamav(connection_string: str) -> clamd.ClamdNetworkSocket: + if connection_string.startswith("unix://"): + return clamd.ClamdUnixSocket(connection_string.replace("unix://", "")) + elif ":" in connection_string: + host, port = connection_string.split(":") + return clamd.ClamdNetworkSocket(host, int(port)) + else: + raise Exception("ClamAV connection string is invalid. It must be unix socket path with 'unix://' prefix or IP:PORT.") + + +def handler(q=False): + if q is False: + return False + + request = json.loads(q) + + connection_string: str = request["config"].get("connection") + if not connection_string: + return {"error": "No ClamAV connection string provided"} + + attribute = request.get("attribute") + if not attribute: + return {"error": "No attribute provided"} + + if not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + + if attribute["type"] not in mispattributes["input"]: + return {"error": "Invalid attribute type provided, expected 'malware-sample' or 'attachment'"} + + attribute_data = attribute.get("data") + if not attribute_data: + return {"error": "No attribute data provided"} + + try: + clamav = connect_to_clamav(connection_string) + software_version = clamav.version() + except Exception: + logging.exception("Could not connect to ClamAV") + return {"error": "Could not connect to ClamAV"} + + try: + data = base64.b64decode(attribute_data, validate=True) + except Exception: + logging.exception("Provided data is not valid base64 encoded string") + return {"error": "Provided data is not valid base64 encoded string"} + + if attribute["type"] == "malware-sample": + try: + with zipfile.ZipFile(io.BytesIO(data)) as zipf: + data = zipf.read(zipf.namelist()[0], pwd=b"infected") + except Exception: + logging.exception("Could not extract malware sample from ZIP file") + return {"error": "Could not extract malware sample from ZIP file"} + + try: + status, reason = clamav.instream(io.BytesIO(data))["stream"] + except Exception: + logging.exception("Could not send attribute data to ClamAV. Maybe file is too big?") + return {"error": "Could not send attribute data to ClamAV. Maybe file is too big?"} + + if status == "ERROR": + return {"error": "ClamAV returned error message: {}".format(reason)} + elif status == "OK": + return {"results": {}} + elif status == "FOUND": + return create_response(attribute, software_version, reason) + else: + return {"error": "ClamAV returned invalid status {}: {}".format(status, reason)} + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo["config"] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/cpe.py b/misp_modules/modules/expansion/cpe.py new file mode 100644 index 0000000..600ff37 --- /dev/null +++ b/misp_modules/modules/expansion/cpe.py @@ -0,0 +1,133 @@ +import json +import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPEvent, MISPObject + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['cpe'], 'format': 'misp_standard'} +moduleinfo = { + 'version': '2', + 'author': 'Christian Studer', + 'description': 'An expansion module to enrich a CPE attribute with its related vulnerabilities.', + 'module-type': ['expansion', 'hover'] +} +moduleconfig = ["custom_API_URL", "limit"] +cveapi_url = 'https://cvepremium.circl.lu/api/query' +DEFAULT_LIMIT = 10 + + +class VulnerabilitiesParser(): + def __init__(self, attribute): + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + self.vulnerability_mapping = { + 'id': { + 'type': 'vulnerability', + 'object_relation': 'id' + }, + 'summary': { + 'type': 'text', + 'object_relation': 'summary' + }, + 'vulnerable_configuration': { + 'type': 'cpe', + 'object_relation': 'vulnerable-configuration' + }, + 'vulnerable_configuration_cpe_2_2': { + 'type': 'cpe', + 'object_relation': 'vulnerable-configuration' + }, + 'Modified': { + 'type': 'datetime', + 'object_relation': 'modified' + }, + 'Published': { + 'type': 'datetime', + 'object_relation': 'published' + }, + 'references': { + 'type': 'link', + 'object_relation': 'references' + }, + 'cvss': { + 'type': 'float', + 'object_relation': 'cvss-score' + } + } + + def parse_vulnerabilities(self, vulnerabilities): + for vulnerability in vulnerabilities: + vulnerability_object = MISPObject('vulnerability') + for feature in ('id', 'summary', 'Modified', 'Published', 'cvss'): + if vulnerability.get(feature): + attribute = {'value': vulnerability[feature]} + attribute.update(self.vulnerability_mapping[feature]) + vulnerability_object.add_attribute(**attribute) + if vulnerability.get('Published'): + vulnerability_object.add_attribute(**{ + 'type': 'text', + 'object_relation': 'state', + 'value': 'Published' + }) + for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'): + if vulnerability.get(feature): + for value in vulnerability[feature]: + if isinstance(value, dict): + value = value['title'] + attribute = {'value': value} + attribute.update(self.vulnerability_mapping[feature]) + vulnerability_object.add_attribute(**attribute) + vulnerability_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(vulnerability_object) + + def get_result(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} + + +def check_url(url): + return url if url.endswith('/') else f"{url}/" + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute.get('type') != 'cpe': + return {'error': 'Wrong input attribute type.'} + config = request['config'] + url = check_url(config['custom_API_URL']) if config.get('custom_API_URL') else cveapi_url + limit = int(config['limit']) if config.get('limit') else DEFAULT_LIMIT + params = { + "retrieve": "cves", + "dict_filter": { + "vulnerable_configuration": attribute['value'] + }, + "limit": limit, + "sort": "cvss", + "sort_dir": "DESC" + } + response = requests.post(url, json=params) + if response.status_code == 200: + vulnerabilities = response.json()['data'] + if not vulnerabilities: + return {'error': 'No related vulnerability for this CPE.'} + else: + return {'error': 'API not accessible.'} + parser = VulnerabilitiesParser(attribute) + parser.parse_vulnerabilities(vulnerabilities) + return parser.get_result() + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/crowdstrike_falcon.py b/misp_modules/modules/expansion/crowdstrike_falcon.py index 1342e88..c26d59f 100755 --- a/misp_modules/modules/expansion/crowdstrike_falcon.py +++ b/misp_modules/modules/expansion/crowdstrike_falcon.py @@ -1,42 +1,44 @@ import json -import requests +from . import check_input_attribute, standard_error_message +from falconpy import Intel +from pymisp import MISPAttribute, MISPEvent -moduleinfo = {'version': '0.1', +moduleinfo = {'version': '0.2', 'author': 'Christophe Vandeplas', 'description': 'Module to query CrowdStrike Falcon.', - 'module-type': ['expansion']} + 'module-type': ['expansion', 'hover']} moduleconfig = ['api_id', 'apikey'] misperrors = {'error': 'Error'} -misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject', +misp_type_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject', 'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5'] -mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types. - 'domain': {'types': 'hostname', 'to_ids': True}, - 'email_address': {'types': 'email-src', 'to_ids': True}, - 'email_subject': {'types': 'email-subject', 'to_ids': True}, - 'file_name': {'types': 'filename', 'to_ids': True}, - 'hash_md5': {'types': 'md5', 'to_ids': True}, - 'hash_sha1': {'types': 'sha1', 'to_ids': True}, - 'hash_sha256': {'types': 'sha256', 'to_ids': True}, - 'ip_address': {'types': 'ip-dst', 'to_ids': True}, - 'ip_address_block': {'types': 'ip-dst', 'to_ids': True}, - 'mutex_name': {'types': 'mutex', 'to_ids': True}, - 'registry': {'types': 'regkey', 'to_ids': True}, - 'url': {'types': 'url', 'to_ids': True}, - 'user_agent': {'types': 'user-agent', 'to_ids': True}, - 'x509_serial': {'types': 'x509-fingerprint-md5', 'to_ids': True}, +mapping_out = { # mapping between the MISP attributes type and the compatible CrowdStrike indicator types. + 'domain': {'type': 'hostname', 'to_ids': True}, + 'email_address': {'type': 'email-src', 'to_ids': True}, + 'email_subject': {'type': 'email-subject', 'to_ids': True}, + 'file_name': {'type': 'filename', 'to_ids': True}, + 'hash_md5': {'type': 'md5', 'to_ids': True}, + 'hash_sha1': {'type': 'sha1', 'to_ids': True}, + 'hash_sha256': {'type': 'sha256', 'to_ids': True}, + 'ip_address': {'type': 'ip-dst', 'to_ids': True}, + 'ip_address_block': {'type': 'ip-dst', 'to_ids': True}, + 'mutex_name': {'type': 'mutex', 'to_ids': True}, + 'registry': {'type': 'regkey', 'to_ids': True}, + 'url': {'type': 'url', 'to_ids': True}, + 'user_agent': {'type': 'user-agent', 'to_ids': True}, + 'x509_serial': {'type': 'x509-fingerprint-md5', 'to_ids': True}, - 'actors': {'types': 'threat-actor'}, - 'malware_families': {'types': 'text', 'categories': 'Attribution'} + 'actors': {'type': 'threat-actor', 'category': 'Attribution'}, + 'malware_families': {'type': 'text', 'category': 'Attribution'} } -misp_types_out = [item['types'] for item in mapping_out.values()] -mispattributes = {'input': misp_types_in, 'output': misp_types_out} - +misp_type_out = [item['type'] for item in mapping_out.values()] +mispattributes = {'input': misp_type_in, 'format': 'misp_standard'} def handler(q=False): if q is False: return False request = json.loads(q) + #validate CrowdStrike params if (request.get('config')): if (request['config'].get('apikey') is None): misperrors['error'] = 'CrowdStrike apikey is missing' @@ -44,41 +46,64 @@ def handler(q=False): if (request['config'].get('api_id') is None): misperrors['error'] = 'CrowdStrike api_id is missing' return misperrors + + #validate attribute + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request.get('attribute') + if not any(input_type == attribute.get('type') for input_type in misp_type_in): + return {'error': 'Unsupported attribute type.'} + client = CSIntelAPI(request['config']['api_id'], request['config']['apikey']) + attribute = MISPAttribute() + attribute.from_dict(**request.get('attribute') ) r = {"results": []} - valid_type = False - for k in misp_types_in: - if request.get(k): - # map the MISP typ to the CrowdStrike type - for item in lookup_indicator(client, request[k]): - r['results'].append(item) - valid_type = True + + try: + for k in misp_type_in: + if attribute.type == k: + # map the MISP type to the CrowdStrike type + r['results'].append(lookup_indicator(client, attribute)) + valid_type = True + except Exception as e: + return {'error': f"{e}"} if not valid_type: misperrors['error'] = "Unsupported attributes type" return misperrors - return r + return {'results': r.get('results').pop()} -def lookup_indicator(client, item): - result = client.search_indicator(item) - for item in result: - for relation in item['relations']: - if mapping_out.get(relation['type']): - r = mapping_out[relation['type']].copy() - r['values'] = relation['indicator'] - yield(r) - for actor in item['actors']: - r = mapping_out['actors'].copy() - r['values'] = actor - yield(r) - for malware_family in item['malware_families']: - r = mapping_out['malware_families'].copy() - r['values'] = malware_family - yield(r) +def lookup_indicator(client, ref_attribute): + result = client.search_indicator(ref_attribute.value) + misp_event = MISPEvent() + misp_event.add_attribute(**ref_attribute) + for item in result.get('resources', []): + for relation in item.get('relations'): + if mapping_out.get(relation.get('type')): + r = mapping_out[relation.get('type')].copy() + r['value'] = relation.get('indicator') + attribute = MISPAttribute() + attribute.from_dict(**r) + misp_event.add_attribute(**attribute) + for actor in item.get('actors'): + r = mapping_out.get('actors').copy() + r['value'] = actor + attribute = MISPAttribute() + attribute.from_dict(**r) + misp_event.add_attribute(**attribute) + if item.get('malware_families'): + r = mapping_out.get('malware_families').copy() + r['value'] = f"malware_families: {' | '.join(item.get('malware_families'))}" + attribute = MISPAttribute() + attribute.from_dict(**r) + misp_event.add_attribute(**attribute) + + event = json.loads(misp_event.to_json()) + return {'Object': event.get('Object', []), 'Attribute': event.get('Attribute', [])} def introspection(): return mispattributes @@ -90,39 +115,25 @@ def version(): class CSIntelAPI(): - def __init__(self, custid=None, custkey=None, perpage=100, page=1, baseurl="https://intelapi.crowdstrike.com/indicator/v2/search/"): + def __init__(self, custid=None, custkey=None): # customer id and key should be passed when obj is created - self.custid = custid - self.custkey = custkey + self.falcon = Intel(client_id=custid, client_secret=custkey) - self.baseurl = baseurl - self.perpage = perpage - self.page = page - - def request(self, query): - headers = {'X-CSIX-CUSTID': self.custid, - 'X-CSIX-CUSTKEY': self.custkey, - 'Content-Type': 'application/json'} - - full_query = self.baseurl + query - - r = requests.get(full_query, headers=headers) + def search_indicator(self, query): + r = self.falcon.query_indicator_entities(q=query) # 400 - bad request - if r.status_code == 400: + if r.get('status_code') == 400: raise Exception('HTTP Error 400 - Bad request.') # 404 - oh shit - if r.status_code == 404: + if r.get('status_code') == 404: raise Exception('HTTP Error 404 - awww snap.') # catch all? - if r.status_code != 200: - raise Exception('HTTP Error: ' + str(r.status_code)) + if r.get('status_code') != 200: + raise Exception('HTTP Error: ' + str(r.get('status_code'))) - if r.text: - return r + if len(r.get('body').get('errors')): + raise Exception('API Error: ' + ' | '.join(r.get('body').get('errors'))) - def search_indicator(self, item): - query = 'indicator?match=' + item - r = self.request(query) - return json.loads(r.text) + return r.get('body', {}) \ No newline at end of file diff --git a/misp_modules/modules/expansion/cve_advanced.py b/misp_modules/modules/expansion/cve_advanced.py index 86cba8c..32f86d1 100644 --- a/misp_modules/modules/expansion/cve_advanced.py +++ b/misp_modules/modules/expansion/cve_advanced.py @@ -1,34 +1,71 @@ -from collections import defaultdict -from pymisp import MISPEvent, MISPObject import json import requests +from . import check_input_attribute, standard_error_message +from collections import defaultdict +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'} -moduleinfo = {'version': '1', 'author': 'Christian Studer', +moduleinfo = {'version': '2', 'author': 'Christian Studer', 'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.', 'module-type': ['expansion', 'hover']} moduleconfig = ["custom_API"] -cveapi_url = 'https://cve.circl.lu/api/cve/' +cveapi_url = 'https://cvepremium.circl.lu/api/' class VulnerabilityParser(): - def __init__(self, attribute, vulnerability, api_url): - self.attribute = attribute - self.vulnerability = vulnerability - self.api_url = api_url - self.misp_event = MISPEvent() - self.misp_event.add_attribute(**attribute) + def __init__(self, attribute, api_url): + misp_attribute = MISPAttribute() + misp_attribute.from_dict(**attribute) + misp_event = MISPEvent() + misp_event.add_attribute(**misp_attribute) + self.__misp_attribute = misp_attribute + self.__misp_event = misp_event + self.__api_url = api_url self.references = defaultdict(list) - self.capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions') - self.vulnerability_mapping = { - 'id': ('text', 'id'), 'summary': ('text', 'summary'), - 'vulnerable_configuration': ('text', 'vulnerable_configuration'), - 'vulnerable_configuration_cpe_2_2': ('text', 'vulnerable_configuration'), - 'Modified': ('datetime', 'modified'), 'Published': ('datetime', 'published'), - 'references': ('link', 'references'), 'cvss': ('float', 'cvss-score')} - self.weakness_mapping = {'name': 'name', 'description_summary': 'description', - 'status': 'status', 'weaknessabs': 'weakness-abs'} + self.__capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions') + self.__vulnerability_mapping = { + 'id': 'id', 'summary': 'summary', + 'Modified': 'modified', 'cvss3': 'cvss-score', + 'cvss3-vector': 'cvss-string' + } + self.__vulnerability_multiple_mapping = { + 'vulnerable_configuration': 'vulnerable-configuration', + 'vulnerable_configuration_cpe_2_2': 'vulnerable-configuration', + 'references': 'references' + } + self.__weakness_mapping = { + 'name': 'name', 'description_summary': 'description', + 'status': 'status', 'weaknessabs': 'weakness-abs' + } + + @property + def api_url(self) -> str: + return self.__api_url + + @property + def capec_features(self) -> tuple: + return self.__capec_features + + @property + def misp_attribute(self) -> MISPAttribute: + return self.__misp_attribute + + @property + def misp_event(self) -> MISPEvent: + return self.__misp_event + + @property + def vulnerability_mapping(self) -> dict: + return self.__vulnerability_mapping + + @property + def vulnerability_multiple_mapping(self) -> dict: + return self.__vulnerability_multiple_mapping + + @property + def weakness_mapping(self) -> dict: + return self.__weakness_mapping def get_result(self): if self.references: @@ -37,29 +74,26 @@ class VulnerabilityParser(): results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} return {'results': results} - def parse_vulnerability_information(self): + def parse_vulnerability_information(self, vulnerability): vulnerability_object = MISPObject('vulnerability') - for feature in ('id', 'summary', 'Modified', 'cvss'): - value = self.vulnerability.get(feature) - if value: - attribute_type, relation = self.vulnerability_mapping[feature] - vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value}) - if 'Published' in self.vulnerability: - vulnerability_object.add_attribute('published', **{'type': 'datetime', 'value': self.vulnerability['Published']}) - vulnerability_object.add_attribute('state', **{'type': 'text', 'value': 'Published'}) - for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'): - if feature in self.vulnerability: - attribute_type, relation = self.vulnerability_mapping[feature] - for value in self.vulnerability[feature]: + for feature, relation in self.vulnerability_mapping.items(): + if vulnerability.get(feature): + vulnerability_object.add_attribute(relation, vulnerability[feature]) + if 'Published' in vulnerability: + vulnerability_object.add_attribute('published', vulnerability['Published']) + vulnerability_object.add_attribute('state', 'Published') + for feature, relation in self.vulnerability_multiple_mapping.items(): + if feature in vulnerability: + for value in vulnerability[feature]: if isinstance(value, dict): value = value['title'] - vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value}) - vulnerability_object.add_reference(self.attribute['uuid'], 'related-to') - self.misp_event.add_object(**vulnerability_object) - if 'cwe' in self.vulnerability and self.vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'): - self.__parse_weakness(vulnerability_object.uuid) - if 'capec' in self.vulnerability: - self.__parse_capec(vulnerability_object.uuid) + vulnerability_object.add_attribute(relation, value) + vulnerability_object.add_reference(self.misp_attribute.uuid, 'related-to') + self.misp_event.add_object(vulnerability_object) + if 'cwe' in vulnerability and vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'): + self.__parse_weakness(vulnerability['cwe'], vulnerability_object.uuid) + if 'capec' in vulnerability: + self.__parse_capec(vulnerability['capec'], vulnerability_object.uuid) def __build_references(self): for object_uuid, references in self.references.items(): @@ -69,51 +103,56 @@ class VulnerabilityParser(): misp_object.add_reference(**reference) break - def __parse_capec(self, vulnerability_uuid): - attribute_type = 'text' - for capec in self.vulnerability['capec']: + def __parse_capec(self, capec_values, vulnerability_uuid): + for capec in capec_values: capec_object = MISPObject('attack-pattern') for feature in self.capec_features: - capec_object.add_attribute(feature, **dict(type=attribute_type, value=capec[feature])) + capec_object.add_attribute(feature, capec[feature]) for related_weakness in capec['related_weakness']: - attribute = dict(type='weakness', value="CWE-{}".format(related_weakness)) - capec_object.add_attribute('related-weakness', **attribute) - self.misp_event.add_object(**capec_object) - self.references[vulnerability_uuid].append(dict(referenced_uuid=capec_object.uuid, - relationship_type='targeted-by')) + capec_object.add_attribute('related-weakness', f"CWE-{related_weakness}") + self.misp_event.add_object(capec_object) + self.references[vulnerability_uuid].append( + { + 'referenced_uuid': capec_object.uuid, + 'relationship_type': 'targeted-by' + } + ) - def __parse_weakness(self, vulnerability_uuid): - attribute_type = 'text' - cwe_string, cwe_id = self.vulnerability['cwe'].split('-') - cwes = requests.get(self.api_url.replace('/cve/', '/cwe')) - if cwes.status_code == 200: - for cwe in cwes.json(): - if cwe['id'] == cwe_id: - weakness_object = MISPObject('weakness') - weakness_object.add_attribute('id', **dict(type=attribute_type, value='-'.join([cwe_string, cwe_id]))) - for feature, relation in self.weakness_mapping.items(): - if cwe.get(feature): - weakness_object.add_attribute(relation, **dict(type=attribute_type, value=cwe[feature])) - self.misp_event.add_object(**weakness_object) - self.references[vulnerability_uuid].append(dict(referenced_uuid=weakness_object.uuid, - relationship_type='weakened-by')) - break + def __parse_weakness(self, cwe_value, vulnerability_uuid): + cwe_string, cwe_id = cwe_value.split('-')[:2] + cwe = requests.get(f'{self.api_url}cwe/{cwe_id}') + if cwe.status_code == 200: + cwe = cwe.json() + weakness_object = MISPObject('weakness') + weakness_object.add_attribute('id', f'{cwe_string}-{cwe_id}') + for feature, relation in self.weakness_mapping.items(): + if cwe.get(feature): + weakness_object.add_attribute(relation, cwe[feature]) + self.misp_event.add_object(weakness_object) + self.references[vulnerability_uuid].append( + { + 'referenced_uuid': weakness_object.uuid, + 'relationship_type': 'weakened-by' + } + ) def check_url(url): - return "{}/".format(url) if not url.endswith('/') else url + return f"{url}/" if not url.endswith('/') else url def handler(q=False): if q is False: return False request = json.loads(q) - attribute = request.get('attribute') + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] if attribute.get('type') != 'vulnerability': misperrors['error'] = 'Vulnerability id missing.' return misperrors - api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else cveapi_url - r = requests.get("{}{}".format(api_url, attribute['value'])) + api_url = check_url(request['config']['custom_API']) if request.get('config', {}).get('custom_API') else cveapi_url + r = requests.get(f"{api_url}cve/{attribute['value']}") if r.status_code == 200: vulnerability = r.json() if not vulnerability: @@ -122,8 +161,8 @@ def handler(q=False): else: misperrors['error'] = 'API not accessible' return misperrors['error'] - parser = VulnerabilityParser(attribute, vulnerability, api_url) - parser.parse_vulnerability_information() + parser = VulnerabilityParser(attribute, api_url) + parser.parse_vulnerability_information(vulnerability) return parser.get_result() diff --git a/misp_modules/modules/expansion/cytomic_orion.py b/misp_modules/modules/expansion/cytomic_orion.py index 9723ed6..c13b254 100755 --- a/misp_modules/modules/expansion/cytomic_orion.py +++ b/misp_modules/modules/expansion/cytomic_orion.py @@ -7,6 +7,7 @@ An expansion module to enrich attributes in MISP and share indicators of comprom ''' +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject import json import requests @@ -146,9 +147,11 @@ def handler(q=False): if not request.get('attribute'): return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} if not request.get('config'): return {'error': 'Missing configuration'} diff --git a/misp_modules/modules/expansion/domaintools.py b/misp_modules/modules/expansion/domaintools.py index d952fdf..353b456 100755 --- a/misp_modules/modules/expansion/domaintools.py +++ b/misp_modules/modules/expansion/domaintools.py @@ -1,3 +1,7 @@ +# This module does not appear to be actively maintained. +# Please see https://github.com/DomainTools/domaintools_misp +# for the official DomainTools-supported MISP app + import json import logging import sys diff --git a/misp_modules/modules/expansion/farsight_passivedns.py b/misp_modules/modules/expansion/farsight_passivedns.py index 5d32ea8..7cf6f66 100755 --- a/misp_modules/modules/expansion/farsight_passivedns.py +++ b/misp_modules/modules/expansion/farsight_passivedns.py @@ -1,15 +1,130 @@ +import dnsdb2 import json -from ._dnsdb_query.dnsdb_query import DnsdbClient, QueryError - +from . import check_input_attribute, standard_error_message +from datetime import datetime +from pymisp import MISPEvent, MISPObject, Distribution misperrors = {'error': 'Error'} -mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst'], 'output': ['freetext']} -moduleinfo = {'version': '0.1', 'author': 'Christophe Vandeplas', 'description': 'Module to access Farsight DNSDB Passive DNS', 'module-type': ['expansion', 'hover']} -moduleconfig = ['apikey'] +standard_query_input = [ + 'hostname', + 'domain', + 'ip-src', + 'ip-dst' +] +flex_query_input = [ + 'btc', + 'dkim', + 'email', + 'email-src', + 'email-dst', + 'domain|ip', + 'hex', + 'mac-address', + 'mac-eui-64', + 'other', + 'pattern-filename', + 'target-email', + 'text', + 'uri', + 'url', + 'whois-registrant-email', +] +mispattributes = { + 'input': standard_query_input + flex_query_input, + 'format': 'misp_standard' +} +moduleinfo = { + 'version': '0.5', + 'author': 'Christophe Vandeplas', + 'description': 'Module to access Farsight DNSDB Passive DNS', + 'module-type': ['expansion', 'hover'] +} +moduleconfig = ['apikey', 'server', 'limit', 'flex_queries'] -server = 'https://api.dnsdb.info' +DEFAULT_DNSDB_SERVER = 'https://api.dnsdb.info' +DEFAULT_LIMIT = 10 +DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value +TYPE_TO_FEATURE = { + "btc": "Bitcoin address", + "dkim": "domainkeys identified mail", + "domain": "domain name", + "domain|ip": "domain name / IP address", + "hex": "value in hexadecimal format", + "hostname": "hostname", + "mac-address": "MAC address", + "mac-eui-64": "MAC EUI-64 address", + "pattern-filename": "pattern in the name of a file", + "target-email": "attack target email", + "uri": "Uniform Resource Identifier", + "url": "Uniform Resource Locator", + "whois-registrant-email": "email of a domain's registrant" +} +TYPE_TO_FEATURE.update( + dict.fromkeys( + ("ip-src", "ip-dst"), + "IP address" + ) +) +TYPE_TO_FEATURE.update( + dict.fromkeys( + ("email", "email-src", "email-dst"), + "email address" + ) +) +TYPE_TO_FEATURE.update( + dict.fromkeys( + ("other", "text"), + "text" + ) +) -# TODO return a MISP object with the different attributes + +class FarsightDnsdbParser(): + def __init__(self, attribute): + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + self.passivedns_mapping = { + 'bailiwick': {'type': 'domain', 'object_relation': 'bailiwick'}, + 'count': {'type': 'counter', 'object_relation': 'count'}, + 'raw_rdata': {'type': 'text', 'object_relation': 'raw_rdata'}, + 'rdata': {'type': 'text', 'object_relation': 'rdata'}, + 'rrname': {'type': 'text', 'object_relation': 'rrname'}, + 'rrtype': {'type': 'text', 'object_relation': 'rrtype'}, + 'time_first': {'type': 'datetime', 'object_relation': 'time_first'}, + 'time_last': {'type': 'datetime', 'object_relation': 'time_last'}, + 'zone_time_first': {'type': 'datetime', 'object_relation': 'zone_time_first'}, + 'zone_time_last': {'type': 'datetime', 'object_relation': 'zone_time_last'} + } + self.comment = 'Result from a %s lookup on DNSDB about the %s: %s' + + def parse_passivedns_results(self, query_response): + for query_type, results in query_response.items(): + comment = self.comment % (query_type, TYPE_TO_FEATURE[self.attribute['type']], self.attribute['value']) + for result in results: + passivedns_object = MISPObject('passive-dns') + passivedns_object.distribution = DEFAULT_DISTRIBUTION_SETTING + if result.get('rdata') and isinstance(result['rdata'], list): + for rdata in result.pop('rdata'): + passivedns_object.add_attribute(**self._parse_attribute(comment, 'rdata', rdata)) + for feature, value in result.items(): + passivedns_object.add_attribute(**self._parse_attribute(comment, feature, value)) + if result.get('time_first'): + passivedns_object.first_seen = result['time_first'] + if result.get('time_last'): + passivedns_object.last_seen = result['time_last'] + passivedns_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(passivedns_object) + + def get_results(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} + + def _parse_attribute(self, comment, feature, value): + attribute = {'value': value, 'comment': comment, 'distribution': DEFAULT_DISTRIBUTION_SETTING} + attribute.update(self.passivedns_mapping[feature]) + return attribute def handler(q=False): @@ -19,56 +134,97 @@ def handler(q=False): if not request.get('config') or not request['config'].get('apikey'): misperrors['error'] = 'Farsight DNSDB apikey is missing' return misperrors - client = DnsdbClient(server, request['config']['apikey']) - if request.get('hostname'): - res = lookup_name(client, request['hostname']) - elif request.get('domain'): - res = lookup_name(client, request['domain']) - elif request.get('ip-src'): - res = lookup_ip(client, request['ip-src']) - elif request.get('ip-dst'): - res = lookup_ip(client, request['ip-dst']) - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors - - out = '' - for v in set(res): # uniquify entries - out = out + "{} ".format(v) - r = {'results': [{'types': mispattributes['output'], 'values': out}]} - return r - - -def lookup_name(client, name): + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attributes type'} + config = request['config'] + if not config.get('server'): + config['server'] = DEFAULT_DNSDB_SERVER + client_args = {feature: config[feature] for feature in ('apikey', 'server')} + client = dnsdb2.Client(**client_args) + to_query, args = parse_input(attribute, config) try: - res = client.query_rrset(name) # RRSET = entries in the left-hand side of the domain name related labels - for item in res: - if item.get('rrtype') in ['A', 'AAAA', 'CNAME']: - for i in item.get('rdata'): - yield(i.rstrip('.')) - if item.get('rrtype') in ['SOA']: - for i in item.get('rdata'): - # grab email field and replace first dot by @ to convert to an email address - yield(i.split(' ')[1].rstrip('.').replace('.', '@', 1)) - except QueryError: - pass - - try: - res = client.query_rdata_name(name) # RDATA = entries on the right-hand side of the domain name related labels - for item in res: - if item.get('rrtype') in ['A', 'AAAA', 'CNAME']: - yield(item.get('rrname').rstrip('.')) - except QueryError: - pass + response = to_query(client, *args) + except dnsdb2.DnsdbException as e: + return {'error': e.__str__()} + except dnsdb2.exceptions.QueryError: + return {'error': 'Communication error occurs while executing a query, or the server reports an error due to invalid arguments.'} + if not response: + return {'error': f"Empty results on Farsight DNSDB for the {TYPE_TO_FEATURE[attribute['type']]}: {attribute['value']}."} + parser = FarsightDnsdbParser(attribute) + parser.parse_passivedns_results(response) + return parser.get_results() -def lookup_ip(client, ip): - try: - res = client.query_rdata_ip(ip) - for item in res: - yield(item['rrname'].rstrip('.')) - except QueryError: - pass +def parse_input(attribute, config): + lookup_args = { + 'limit': config['limit'] if config.get('limit') else DEFAULT_LIMIT, + 'offset': 0, + 'ignore_limited': True, + 'humantime': True + } + if attribute.get('first_seen'): + lookup_args['time_first_after'] = parse_timestamp(attribute['first_seen']) + attribute_type = attribute['type'] + if attribute_type in flex_query_input: + return flex_queries, (lookup_args, attribute['value']) + flex = add_flex_queries(config.get('flex_queries')) + to_query = lookup_ip if 'ip-' in attribute_type else lookup_name + return to_query, (lookup_args, attribute['value'], flex) + + +def parse_timestamp(str_date): + datetime_date = datetime.strptime(str_date, '%Y-%m-%dT%H:%M:%S.%f%z') + return str(int(datetime_date.timestamp())) + + +def add_flex_queries(flex): + if not flex: + return False + if flex in ('True', 'true', True, '1', 1): + return True + return False + + +def flex_queries(client, lookup_args, name): + response = {} + name = name.replace('@', '.') + for feature in ('rdata', 'rrnames'): + to_call = getattr(client, f'flex_{feature}_regex') + results = list(to_call(name, **lookup_args)) + for result in list(to_call(name.replace('.', '\\.'), **lookup_args)): + if result not in results: + results.append(result) + if results: + response[f'flex_{feature}'] = results + return response + + +def lookup_name(client, lookup_args, name, flex): + response = {} + # RRSET = entries in the left-hand side of the domain name related labels + rrset_response = list(client.lookup_rrset(name, **lookup_args)) + if rrset_response: + response['rrset'] = rrset_response + # RDATA = entries on the right-hand side of the domain name related labels + rdata_response = list(client.lookup_rdata_name(name, **lookup_args)) + if rdata_response: + response['rdata'] = rdata_response + if flex: + response.update(flex_queries(client, lookup_args, name)) + return response + + +def lookup_ip(client, lookup_args, ip, flex): + response = {} + res = list(client.lookup_rdata_ip(ip, **lookup_args)) + if res: + response['rdata'] = res + if flex: + response.update(flex_queries(client, lookup_args, ip)) + return response def introspection(): diff --git a/misp_modules/modules/expansion/google_search.py b/misp_modules/modules/expansion/google_search.py index b7b4e7a..68224ab 100644 --- a/misp_modules/modules/expansion/google_search.py +++ b/misp_modules/modules/expansion/google_search.py @@ -1,6 +1,8 @@ import json +import random +import time try: - from google import google + from googleapi import google except ImportError: print("GoogleAPI not installed. Command : pip install git+https://github.com/abenassi/Google-Search-API") @@ -10,6 +12,10 @@ moduleinfo = {'author': 'Oun & Gindt', 'module-type': ['hover'], 'description': 'An expansion hover module to expand google search information about an URL'} +def sleep(retry): + time.sleep(random.uniform(0, min(40, 0.01 * 2 ** retry))) + + def handler(q=False): if q is False: return False @@ -18,10 +24,16 @@ def handler(q=False): return {'error': "Unsupported attributes type"} num_page = 1 res = "" - search_results = google.search(request['url'], num_page) - for i in range(3): + # The googleapi module sets a random useragent. The output depends on the useragent. + # It's better to retry 3 times. + for retry in range(3): + search_results = google.search(request['url'], num_page) + if len(search_results) > 0: + break + sleep(retry) + for i, search_result in enumerate(search_results): res += "("+str(i+1)+")" + '\t' - res += json.dumps(search_results[i].description, ensure_ascii=False) + res += json.dumps(search_result.description, ensure_ascii=False) res += '\n\n' return {'results': [{'types': mispattributes['output'], 'values':res}]} diff --git a/misp_modules/modules/expansion/greynoise.py b/misp_modules/modules/expansion/greynoise.py index dd54158..a2ccf13 100644 --- a/misp_modules/modules/expansion/greynoise.py +++ b/misp_modules/modules/expansion/greynoise.py @@ -1,37 +1,254 @@ -import requests import json -misperrors = {'error': 'Error'} -mispattributes = {'input': ['ip-dst', 'ip-src'], 'output': ['text']} -moduleinfo = {'version': '0.1', 'author': 'Aurélien Schwab ', 'description': 'Module to access GreyNoise.io API.', 'module-type': ['hover']} -moduleconfig = ['user-agent'] # TODO take this into account in the code +import requests +from pymisp import MISPEvent, MISPObject -greynoise_api_url = 'http://api.greynoise.io:8888/v1/query/ip' -default_user_agent = 'MISP-Module' +misperrors = {"error": "Error"} +mispattributes = {"input": ["ip-dst", "ip-src", "vulnerability"], "output": ["text"]} +moduleinfo = { + "version": "1.1", + "author": "Brad Chiappetta ", + "description": "Module to access GreyNoise.io API.", + "module-type": ["hover"], +} +moduleconfig = ["api_key", "api_type"] +codes_mapping = { + "0x00": "The IP has never been observed scanning the Internet", + "0x01": "The IP has been observed by the GreyNoise sensor network", + "0x02": "The IP has been observed scanning the GreyNoise sensor network, " + "but has not completed a full connection, meaning this can be spoofed", + "0x03": "The IP is adjacent to another host that has been directly observed by the GreyNoise sensor network", + "0x04": "Reserved", + "0x05": "This IP is commonly spoofed in Internet-scan activity", + "0x06": "This IP has been observed as noise, but this host belongs to a cloud provider where IPs can be " + "cycled frequently", + "0x07": "This IP is invalid", + "0x08": "This IP was classified as noise, but has not been observed engaging in Internet-wide scans or " + "attacks in over 90 days", + "0x09": "IP was found in RIOT", + "0x10": "IP has been observed by the GreyNoise sensor network and is in RIOT", +} +vulnerability_mapping = { + "id": ("vulnerability", "CVE #"), + "details": ("text", "Details"), + "count": ("text", "Total Scanner Count"), +} +enterprise_context_basic_mapping = {"ip": ("text", "IP Address"), "code_message": ("text", "Code Message")} +enterprise_context_advanced_mapping = { + "noise": ("text", "Is Internet Background Noise"), + "link": ("link", "Visualizer Link"), + "classification": ("text", "Classification"), + "actor": ("text", "Actor"), + "tags": ("text", "Tags"), + "cve": ("text", "CVEs"), + "first_seen": ("text", "First Seen Scanning"), + "last_seen": ("text", "Last Seen Scanning"), + "vpn": ("text", "Known VPN Service"), + "vpn_service": ("text", "VPN Service Name"), + "bot": ("text", "Known BOT"), +} +enterprise_context_advanced_metadata_mapping = { + "asn": ("text", "ASN"), + "rdns": ("text", "rDNS"), + "category": ("text", "Category"), + "tor": ("text", "Known Tor Exit Node"), + "region": ("text", "Region"), + "city": ("text", "City"), + "country": ("text", "Country"), + "country_code": ("text", "Country Code"), + "organization": ("text", "Organization"), +} +enterprise_riot_mapping = { + "riot": ("text", "Is Common Business Service"), + "link": ("link", "Visualizer Link"), + "category": ("text", "RIOT Category"), + "name": ("text", "Provider Name"), + "trust_level": ("text", "RIOT Trust Level"), + "last_updated": ("text", "Last Updated"), +} +community_found_mapping = { + "ip": ("text", "IP Address"), + "noise": ("text", "Is Internet Background Noise"), + "riot": ("text", "Is Common Business Service"), + "classification": ("text", "Classification"), + "last_seen": ("text", "Last Seen"), + "name": ("text", "Name"), + "link": ("link", "Visualizer Link"), +} +community_not_found_mapping = { + "ip": ("text", "IP Address"), + "noise": ("text", "Is Internet Background Noise"), + "riot": ("text", "Is Common Business Service"), + "message": ("text", "Message"), +} +misp_event = MISPEvent() -def handler(q=False): +def handler(q=False): # noqa: C901 if q is False: return False request = json.loads(q) - for input_type in mispattributes['input']: - if input_type in request: - ip = request[input_type] - break - else: - misperrors['error'] = "Unsupported attributes type" + if not request.get("config") or not request["config"].get("api_key"): + return {"error": "Missing Greynoise API key."} + + headers = { + "Accept": "application/json", + "key": request["config"]["api_key"], + "User-Agent": "greynoise-misp-module-{}".format(moduleinfo["version"]), + } + + if not (request.get("vulnerability") or request.get("ip-dst") or request.get("ip-src")): + misperrors["error"] = "Vulnerability id missing" return misperrors - data = {'ip': ip} - r = requests.post(greynoise_api_url, data=data, headers={'user-agent': default_user_agent}) # Real request - if r.status_code == 200: # OK (record found) - response = r.text - if response: - return {'results': [{'types': mispattributes['output'], 'values': response}]} - elif r.status_code == 404: # Not found (not an error) - return {'results': [{'types': mispattributes['output'], 'values': 'No data'}]} - else: # Real error - misperrors['error'] = 'GreyNoise API not accessible (HTTP ' + str(r.status_code) + ')' - return misperrors['error'] + + ip = "" + vulnerability = "" + + if request.get("ip-dst"): + ip = request.get("ip-dst") + elif request.get("ip-src"): + ip = request.get("ip-src") + else: + vulnerability = request.get("vulnerability") + + if ip: + if request["config"]["api_type"] and request["config"]["api_type"] == "enterprise": + greynoise_api_url = "https://api.greynoise.io/v2/noise/quick/" + else: + greynoise_api_url = "https://api.greynoise.io/v3/community/" + + response = requests.get(f"{greynoise_api_url}{ip}", headers=headers) # Real request for IP Query + if response.status_code == 200: + if request["config"]["api_type"] == "enterprise": + response = response.json() + enterprise_context_object = MISPObject("greynoise-ip-context") + for feature in ("ip", "code_message"): + if feature == "code_message": + value = codes_mapping[response.get("code")] + else: + value = response.get(feature) + if value: + attribute_type, relation = enterprise_context_basic_mapping[feature] + enterprise_context_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + if response["noise"]: + greynoise_api_url = "https://api.greynoise.io/v2/noise/context/" + context_response = requests.get(f"{greynoise_api_url}{ip}", headers=headers) + context_response = context_response.json() + context_response["link"] = "https://www.greynoise.io/viz/ip/" + ip + if "tags" in context_response: + context_response["tags"] = ",".join(context_response["tags"]) + if "cve" in context_response: + context_response["cve"] = ",".join(context_response["cve"]) + for feature in enterprise_context_advanced_mapping.keys(): + value = context_response.get(feature) + if value: + attribute_type, relation = enterprise_context_advanced_mapping[feature] + enterprise_context_object.add_attribute( + relation, **{"type": attribute_type, "value": value} + ) + for feature in enterprise_context_advanced_metadata_mapping.keys(): + value = context_response["metadata"].get(feature) + if value: + attribute_type, relation = enterprise_context_advanced_metadata_mapping[feature] + enterprise_context_object.add_attribute( + relation, **{"type": attribute_type, "value": value} + ) + + if response["riot"]: + greynoise_api_url = "https://api.greynoise.io/v2/riot/" + riot_response = requests.get(f"{greynoise_api_url}{ip}", headers=headers) + riot_response = riot_response.json() + riot_response["link"] = "https://www.greynoise.io/viz/riot/" + ip + for feature in enterprise_riot_mapping.keys(): + value = riot_response.get(feature) + if value: + attribute_type, relation = enterprise_riot_mapping[feature] + enterprise_context_object.add_attribute( + relation, **{"type": attribute_type, "value": value} + ) + misp_event.add_object(enterprise_context_object) + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ("Attribute", "Object") if (key in event and event[key])} + return {"results": results} + else: + response = response.json() + community_context_object = MISPObject("greynoise-community-ip-context") + for feature in community_found_mapping.keys(): + value = response.get(feature) + if value: + attribute_type, relation = community_found_mapping[feature] + community_context_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + misp_event.add_object(community_context_object) + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ("Attribute", "Object") if (key in event and event[key])} + return {"results": results} + if response.status_code == 404 and request["config"]["api_type"] != "enterprise": + response = response.json() + community_context_object = MISPObject("greynoise-community-ip-context") + for feature in community_not_found_mapping.keys(): + value = response.get(feature) + if value: + attribute_type, relation = community_not_found_mapping[feature] + community_context_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + misp_event.add_object(community_context_object) + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ("Attribute", "Object") if (key in event and event[key])} + return {"results": results} + + if vulnerability: + if request["config"]["api_type"] and request["config"]["api_type"] == "enterprise": + greynoise_api_url = "https://api.greynoise.io/v2/experimental/gnql/stats" + querystring = {"query": f"last_seen:1w cve:{vulnerability}"} + else: + misperrors["error"] = "Vulnerability Not Supported with Community API Key" + return misperrors + + response = requests.get(f"{greynoise_api_url}", headers=headers, params=querystring) # Real request + + if response.status_code == 200: + response = response.json() + vulnerability_object = MISPObject("greynoise-vuln-info") + response["details"] = ( + "The IP count below reflects the number of IPs seen " + "by GreyNoise in the last 7 days scanning for this CVE." + ) + response["id"] = vulnerability + for feature in ("id", "details", "count"): + value = response.get(feature) + if value: + attribute_type, relation = vulnerability_mapping[feature] + vulnerability_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + classifications = response["stats"].get("classifications") + for item in classifications: + if item["classification"] == "benign": + value = item["count"] + attribute_type, relation = ("text", "Benign Scanner Count") + vulnerability_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + if item["classification"] == "unknown": + value = item["count"] + attribute_type, relation = ("text", "Unknown Scanner Count") + vulnerability_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + if item["classification"] == "malicious": + value = item["count"] + attribute_type, relation = ("text", "Malicious Scanner Count") + vulnerability_object.add_attribute(relation, **{"type": attribute_type, "value": value}) + misp_event.add_object(vulnerability_object) + event = json.loads(misp_event.to_json()) + results = {key: event[key] for key in ("Attribute", "Object") if (key in event and event[key])} + return {"results": results} + + # There is an error + errors = { + 400: "Bad request.", + 404: "IP not observed scanning the internet or contained in RIOT data set.", + 401: "Unauthorized. Please check your API key.", + 429: "Too many requests. You've hit the rate-limit.", + } + try: + misperrors["error"] = errors[response.status_code] + except KeyError: + misperrors["error"] = f"GreyNoise API not accessible (HTTP {response.status_code})" + return misperrors def introspection(): @@ -39,5 +256,5 @@ def introspection(): def version(): - moduleinfo['config'] = moduleconfig + moduleinfo["config"] = moduleconfig return moduleinfo diff --git a/misp_modules/modules/expansion/hashdd.py b/misp_modules/modules/expansion/hashdd.py index 42fc854..17e1029 100755 --- a/misp_modules/modules/expansion/hashdd.py +++ b/misp_modules/modules/expansion/hashdd.py @@ -2,10 +2,10 @@ import json import requests misperrors = {'error': 'Error'} -mispattributes = {'input': ['md5', 'sha1', 'sha256'], 'output': ['text']} +mispattributes = {'input': ['md5'], 'output': ['text']} moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion module to check hashes against hashdd.com including NSLR dataset.', 'module-type': ['hover']} moduleconfig = [] -hashddapi_url = 'https://api.hashdd.com/' +hashddapi_url = 'https://api.hashdd.com/v1/knownlevel/nsrl/' def handler(q=False): @@ -20,10 +20,10 @@ def handler(q=False): if v is None: misperrors['error'] = 'Hash value is missing.' return misperrors - r = requests.post(hashddapi_url, data={'hash': v}) + r = requests.get(hashddapi_url + v) if r.status_code == 200: state = json.loads(r.text) - summary = state[v]['known_level'] if state and state.get(v) else 'Unknown hash' + summary = state['knownlevel'] if state and state['result'] == "SUCCESS" else state['message'] else: misperrors['error'] = '{} API not accessible'.format(hashddapi_url) return misperrors['error'] diff --git a/misp_modules/modules/expansion/hashlookup.py b/misp_modules/modules/expansion/hashlookup.py new file mode 100644 index 0000000..eeca95f --- /dev/null +++ b/misp_modules/modules/expansion/hashlookup.py @@ -0,0 +1,108 @@ +import json +import requests +from . import check_input_attribute, standard_error_message +from collections import defaultdict +from pymisp import MISPEvent, MISPObject + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['md5', 'sha1', 'sha256'], 'format': 'misp_standard'} +moduleinfo = {'version': '2', 'author': 'Alexandre Dulaunoy', + 'description': 'An expansion module to enrich a file hash with hashlookup.circl.lu services (NSRL and other sources)', + 'module-type': ['expansion', 'hover']} +moduleconfig = ["custom_API"] +hashlookup_url = 'https://hashlookup.circl.lu/' + + +class HashlookupParser(): + def __init__(self, attribute, hashlookupresult, api_url): + self.attribute = attribute + self.hashlookupresult = hashlookupresult + self.api_url = api_url + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + self.references = defaultdict(list) + + def get_result(self): + if self.references: + self.__build_references() + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + + def parse_hashlookup_information(self): + hashlookup_object = MISPObject('hashlookup') + if 'source' in self.hashlookupresult: + hashlookup_object.add_attribute('source', **{'type': 'text', 'value': self.hashlookupresult['source']}) + if 'KnownMalicious' in self.hashlookupresult: + hashlookup_object.add_attribute('KnownMalicious', **{'type': 'text', 'value': self.hashlookupresult['KnownMalicious']}) + if 'MD5' in self.hashlookupresult: + hashlookup_object.add_attribute('MD5', **{'type': 'md5', 'value': self.hashlookupresult['MD5']}) + # SHA-1 is the default value in hashlookup it must always be present + hashlookup_object.add_attribute('SHA-1', **{'type': 'sha1', 'value': self.hashlookupresult['SHA-1']}) + if 'SHA-256' in self.hashlookupresult: + hashlookup_object.add_attribute('SHA-256', **{'type': 'sha256', 'value': self.hashlookupresult['SHA-256']}) + if 'SSDEEP' in self.hashlookupresult: + hashlookup_object.add_attribute('SSDEEP', **{'type': 'ssdeep', 'value': self.hashlookupresult['SSDEEP']}) + if 'TLSH' in self.hashlookupresult: + hashlookup_object.add_attribute('TLSH', **{'type': 'tlsh', 'value': self.hashlookupresult['TLSH']}) + if 'FileName' in self.hashlookupresult: + hashlookup_object.add_attribute('FileName', **{'type': 'filename', 'value': self.hashlookupresult['FileName']}) + if 'FileSize' in self.hashlookupresult: + hashlookup_object.add_attribute('FileSize', **{'type': 'size-in-bytes', 'value': self.hashlookupresult['FileSize']}) + hashlookup_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(hashlookup_object) + + def __build_references(self): + for object_uuid, references in self.references.items(): + for misp_object in self.misp_event.objects: + if misp_object.uuid == object_uuid: + for reference in references: + misp_object.add_reference(**reference) + break + +def check_url(url): + return "{}/".format(url) if not url.endswith('/') else url + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute.get('type') == 'md5': + pass + elif attribute.get('type') == 'sha1': + pass + elif attribute.get('type') == 'sha256': + pass + else: + misperrors['error'] = 'md5 or sha1 or sha256 is missing.' + return misperrors + api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else hashlookup_url + r = requests.get("{}/lookup/{}/{}".format(api_url, attribute.get('type'), attribute['value'])) + if r.status_code == 200: + hashlookupresult = r.json() + if not hashlookupresult: + misperrors['error'] = 'Empty result' + return misperrors + elif r.status_code == 404: + misperrors['error'] = 'Non existing hash' + return misperrors + else: + misperrors['error'] = 'API not accessible' + return misperrors + parser = HashlookupParser(attribute, hashlookupresult, api_url) + parser.parse_hashlookup_information() + result = parser.get_result() + return result + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/hibp.py b/misp_modules/modules/expansion/hibp.py index 8db3fa7..b2d1c16 100644 --- a/misp_modules/modules/expansion/hibp.py +++ b/misp_modules/modules/expansion/hibp.py @@ -1,13 +1,14 @@ +# -*- coding: utf-8 -*- import requests import json misperrors = {'error': 'Error'} -mispattributes = {'input': ['email-dst', 'email-src'], 'output': ['text']} # All mails as input -moduleinfo = {'version': '0.1', 'author': 'Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API.', 'module-type': ['hover']} -moduleconfig = ['user-agent'] # TODO take this into account in the code +mispattributes = {'input': ['email-dst', 'email-src'], 'output': ['text']} +moduleinfo = {'version': '0.2', 'author': 'Corsin Camichel, Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API (v3).', 'module-type': ['hover']} +moduleconfig = ['api_key'] -haveibeenpwned_api_url = 'https://api.haveibeenpwned.com/api/v2/breachedaccount/' -default_user_agent = 'MISP-Module' # User agent (must be set, requiered by API)) +haveibeenpwned_api_url = 'https://haveibeenpwned.com/api/v3/breachedaccount/' +API_KEY = "" # details at https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/ def handler(q=False): @@ -22,15 +23,21 @@ def handler(q=False): misperrors['error'] = "Unsupported attributes type" return misperrors - r = requests.get(haveibeenpwned_api_url + email, headers={'user-agent': default_user_agent}) # Real request - if r.status_code == 200: # OK (record found) + if request.get('config') is None or request['config'].get('api_key') is None: + misperrors['error'] = 'Have I Been Pwned authentication is incomplete (no API key)' + return misperrors + else: + API_KEY = request['config'].get('api_key') + + r = requests.get(haveibeenpwned_api_url + email, headers={'hibp-api-key': API_KEY}) + if r.status_code == 200: breaches = json.loads(r.text) if breaches: return {'results': [{'types': mispattributes['output'], 'values': breaches}]} - elif r.status_code == 404: # Not found (not an error) + elif r.status_code == 404: return {'results': [{'types': mispattributes['output'], 'values': 'OK (Not Found)'}]} - else: # Real error - misperrors['error'] = 'haveibeenpwned.com API not accessible (HTTP ' + str(r.status_code) + ')' + else: + misperrors['error'] = f'haveibeenpwned.com API not accessible (HTTP {str(r.status_code)})' return misperrors['error'] diff --git a/misp_modules/modules/expansion/html_to_markdown.py b/misp_modules/modules/expansion/html_to_markdown.py new file mode 100755 index 0000000..228b4bc --- /dev/null +++ b/misp_modules/modules/expansion/html_to_markdown.py @@ -0,0 +1,53 @@ +import json +import requests +from markdownify import markdownify +from bs4 import BeautifulSoup + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['url'], 'output': ['text']} +moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem', + 'description': 'Simple HTML fetcher', + 'module-type': ['expansion']} + + +def fetchHTML(url): + r = requests.get(url) + return r.text + + +def stripUselessTags(html): + soup = BeautifulSoup(html, 'html.parser') + toRemove = ['script', 'head', 'header', 'footer', 'meta', 'link'] + for tag in soup.find_all(toRemove): + tag.decompose() + return str(soup) + + +def convertHTML(html): + toStrip = ['a', 'img'] + return markdownify(html, heading_style='ATX', strip=toStrip) + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if request.get('url'): + url = request['url'] + else: + return False + html = fetchHTML(url) + html = stripUselessTags(html) + markdown = convertHTML(html) + + r = {'results': [{'types': mispattributes['output'], + 'values':[str(markdown)]}]} + return r + + +def introspection(): + return mispattributes + + +def version(): + return moduleinfo diff --git a/misp_modules/modules/expansion/hyasinsight.py b/misp_modules/modules/expansion/hyasinsight.py new file mode 100644 index 0000000..1ae9582 --- /dev/null +++ b/misp_modules/modules/expansion/hyasinsight.py @@ -0,0 +1,873 @@ +import json +import logging +from typing import Dict, List, Any + +import requests +import re +from requests.exceptions import ( + HTTPError, + ProxyError, + InvalidURL, + ConnectTimeout +) +from . import check_input_attribute, standard_error_message +from pymisp import MISPEvent, MISPObject, Distribution + +ip_query_input_type = [ + 'ip-src', + 'ip-dst' +] +domain_query_input_type = [ + 'hostname', + 'domain' +] +email_query_input_type = [ + 'email', + 'email-src', + 'email-dst', + 'target-email', + 'whois-registrant-email' +] +phone_query_input_type = [ + 'phone-number', + 'whois-registrant-phone' +] + +md5_query_input_type = [ + 'md5', + 'x509-fingerprint-md5', + 'ja3-fingerprint-md5', + 'hassh-md5', + 'hasshserver-md5' +] + +sha1_query_input_type = [ + 'sha1', + 'x509-fingerprint-sha1' +] + +sha256_query_input_type = [ + 'sha256', + 'x509-fingerprint-sha256' +] + +sha512_query_input_type = [ + 'sha512' +] + +misperrors = { + 'error': 'Error' +} +mispattributes = { + 'input': ip_query_input_type + domain_query_input_type + email_query_input_type + phone_query_input_type + + md5_query_input_type + sha1_query_input_type + sha256_query_input_type + sha512_query_input_type, + 'format': 'misp_standard' +} + +moduleinfo = { + 'version': '0.1', + 'author': 'Mike Champ', + 'description': '', + 'module-type': ['expansion', 'hover'] +} +moduleconfig = ['apikey'] +TIMEOUT = 60 +logger = logging.getLogger('hyasinsight') +logger.setLevel(logging.DEBUG) +HYAS_API_BASE_URL = 'https://insight.hyas.com/api/ext/' +WHOIS_CURRENT_BASE_URL = 'https://api.hyas.com/' +DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value +IPV4_REGEX = r'\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b([^\/]|$)' +IPV6_REGEX = r'\b(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:(?:(:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\b' # noqa: E501 +# Enrichment Types +# HYAS API endpoints +PASSIVE_DNS_ENDPOINT = 'passivedns' +DYNAMIC_DNS_ENDPOINT = 'dynamicdns' +PASSIVE_HASH_ENDPOINT = 'passivehash' +SINKHOLE_ENDPOINT = 'sinkhole' +SSL_CERTIFICATE_ENDPOINT = 'ssl_certificate' +DEVICE_GEO_ENDPOINT = 'device_geo' +WHOIS_HISTORIC_ENDPOINT = 'whois' +WHOIS_CURRENT_ENDPOINT = 'whois/v1' +MALWARE_RECORDS_ENDPOINT = 'sample' +MALWARE_INFORMATION_ENDPOINT = 'sample/information' +C2ATTRIBUTION_ENDPOINT = 'c2attribution' +OPEN_SOURCE_INDICATORS_ENDPOINT = 'os_indicators' + +# HYAS API endpoint params +DOMAIN_PARAM = 'domain' +IP_PARAM = 'ip' +IPV4_PARAM = 'ipv4' +IPV6_PARAM = 'ipv6' +EMAIL_PARAM = 'email' +PHONE_PARAM = 'phone' +MD5_PARAM = 'md5' +SHA256_PARAM = 'sha256' +SHA512_PARAM = 'sha512' +HASH_PARAM = 'hash' +SHA1_PARAM = 'sha1' + +HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT, + SINKHOLE_ENDPOINT, + SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT, + MALWARE_RECORDS_ENDPOINT, OPEN_SOURCE_INDICATORS_ENDPOINT] +HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, + MALWARE_RECORDS_ENDPOINT, WHOIS_CURRENT_ENDPOINT, PASSIVE_HASH_ENDPOINT, + C2ATTRIBUTION_ENDPOINT, SSL_CERTIFICATE_ENDPOINT, + OPEN_SOURCE_INDICATORS_ENDPOINT] +HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT] +HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT] +HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT, + OPEN_SOURCE_INDICATORS_ENDPOINT] +HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST = [C2ATTRIBUTION_ENDPOINT, MALWARE_INFORMATION_ENDPOINT, + OPEN_SOURCE_INDICATORS_ENDPOINT] +HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_INFORMATION_ENDPOINT] +HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST = [MALWARE_RECORDS_ENDPOINT, MALWARE_INFORMATION_ENDPOINT, + OPEN_SOURCE_INDICATORS_ENDPOINT] + +HYAS_OBJECT_NAMES = { + DYNAMIC_DNS_ENDPOINT: "Dynamic DNS Information", + PASSIVE_HASH_ENDPOINT: "Passive Hash Information", + SINKHOLE_ENDPOINT: "Sinkhole Information", + SSL_CERTIFICATE_ENDPOINT: "SSL Certificate Information", + DEVICE_GEO_ENDPOINT: "Mobile Geolocation Information", + C2ATTRIBUTION_ENDPOINT: "C2 Attribution Information", + PASSIVE_DNS_ENDPOINT: "Passive DNS Information", + WHOIS_HISTORIC_ENDPOINT: "Whois Related Information", + WHOIS_CURRENT_ENDPOINT: "Whois Current Related Information", + MALWARE_INFORMATION_ENDPOINT: "Malware Sample Information", + OPEN_SOURCE_INDICATORS_ENDPOINT: "Open Source Intel for malware, ssl certificates and other indicators Information", + MALWARE_RECORDS_ENDPOINT: "Malware Sample Records Information" +} + + +def parse_attribute(comment, feature, value): + """Generic Method for parsing the attributes in the object""" + attribute = { + 'type': 'text', + 'value': value, + 'comment': comment, + 'distribution': DEFAULT_DISTRIBUTION_SETTING, + 'object_relation': feature + } + return attribute + + +def misp_object(endpoint, attribute_value): + object_name = HYAS_OBJECT_NAMES[endpoint] + hyas_object = MISPObject(object_name) + hyas_object.distribution = DEFAULT_DISTRIBUTION_SETTING + hyas_object.template_uuid = "d69d3d15-7b4d-49b1-9e0a-bb29f3d421d9" + hyas_object.template_id = "1" + hyas_object.description = "HYAS INSIGHT " + object_name + hyas_object.comment = "HYAS INSIGHT " + object_name + " for " + attribute_value + setattr(hyas_object, 'meta-category', 'network') + description = ( + "An object containing the enriched attribute and " + "related entities from HYAS Insight." + ) + hyas_object.from_dict( + **{"meta-category": "misc", "description": description, + "distribution": DEFAULT_DISTRIBUTION_SETTING} + ) + return hyas_object + + +def flatten_json(y: Dict) -> Dict[str, Any]: + """ + :param y: raw_response from HYAS api + :return: Flatten json response + """ + out = {} + + def flatten(x, name=''): + # If the Nested key-value + # pair is of dict type + if type(x) is dict: + for a in x: + flatten(x[a], name + a + '_') + else: + out[name[:-1]] = x + + flatten(y) + return out + + +def get_flatten_json_response(raw_api_response: List[Dict]) -> List[Dict]: + """ + :param raw_api_response: raw_api response from the API + :return: Flatten Json response + """ + flatten_json_response = [] + if raw_api_response: + for obj in raw_api_response: + flatten_json_response.append(flatten_json(obj)) + + return flatten_json_response + + +def request_body(query_input, query_param, current): + """ + This Method returns the request body for specific endpoint. + """ + + if current: + return { + "applied_filters": { + query_input: query_param, + "current": True + } + } + else: + return { + "applied_filters": { + query_input: query_param + } + } + + +def malware_info_lookup_to_markdown(results: Dict) -> list: + scan_results = results.get('scan_results', []) + out = [] + if scan_results: + for res in scan_results: + malware_info_data = { + "avscan_score": results.get( + "avscan_score", ''), + "md5": results.get("md5", ''), + 'av_name': res.get( + "av_name", ''), + 'def_time': res.get( + "def_time", ''), + 'threat_found': res.get( + 'threat_found', ''), + 'scan_time': results.get("scan_time", ''), + 'sha1': results.get('sha1', ''), + 'sha256': results.get('sha256', ''), + 'sha512': results.get('sha512', '') + } + out.append(malware_info_data) + else: + malware_info_data = { + "avscan_score": results.get("avscan_score", ''), + "md5": results.get("md5", ''), + 'av_name': '', + 'def_time': '', + 'threat_found': '', + 'scan_time': results.get("scan_time", ''), + 'sha1': results.get('sha1', ''), + 'sha256': results.get('sha256', ''), + 'sha512': results.get('sha512', '') + } + out.append(malware_info_data) + return out + + +class RequestHandler: + """A class for handling any outbound requests from this module.""" + + def __init__(self, apikey): + self.session = requests.Session() + self.api_key = apikey + + def get(self, url: str, headers: dict = None, req_body=None) -> requests.Response: + """General post method to fetch the response from HYAS Insight.""" + response = [] + try: + response = self.session.post( + url, headers=headers, json=req_body + ) + if response: + response = response.json() + except (ConnectTimeout, ProxyError, InvalidURL) as error: + msg = "Error connecting with the HYAS Insight." + logger.error(f"{msg} Error: {error}") + misperrors["error"] = msg + return response + + def hyas_lookup(self, end_point: str, query_input, query_param, current=False) -> requests.Response: + """Do a lookup call.""" + # Building the request + if current: + url = f'{WHOIS_CURRENT_BASE_URL}{WHOIS_CURRENT_ENDPOINT}' + else: + url = f'{HYAS_API_BASE_URL}{end_point}' + headers = { + 'Content-type': 'application/json', + 'X-API-Key': self.api_key, + } + req_body = request_body(query_input, query_param, current) + try: + response = self.get(url, headers, req_body) + except HTTPError as error: + msg = f"Error when requesting data from HYAS Insight. {error.response}: {error.response.reason}" + logger.error(msg) + misperrors["error"] = msg + raise + return response + + +class HyasInsightParser: + """A class for handling the enrichment objects""" + + def __init__(self, attribute): + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + + self.c2_attribution_data_items = [ + 'actor_ipv4', + 'c2_domain', + 'c2_ip', + 'c2_url', + 'datetime', + 'email', + 'email_domain', + 'referrer_domain', + 'referrer_ipv4', + 'referrer_url', + 'sha256' + ] + self.c2_attribution_data_items_friendly_names = { + 'actor_ipv4': 'Actor IPv4', + 'c2_domain': 'C2 Domain', + 'c2_ip': 'C2 IP', + 'c2_url': 'C2 URL', + 'datetime': 'DateTime', + 'email': 'Email', + 'email_domain': 'Email Domain', + 'referrer_domain': 'Referrer Domain', + 'referrer_ipv4': 'Referrer IPv4', + 'referrer_url': 'Referrer URL', + 'sha256': 'SHA256' + } + + self.device_geo_data_items = [ + 'datetime', + 'device_user_agent', + 'geo_country_alpha_2', + 'geo_horizontal_accuracy', + 'ipv4', + 'ipv6', + 'latitude', + 'longitude', + 'wifi_bssid' + ] + + self.device_geo_data_items_friendly_names = { + 'datetime': 'DateTime', + 'device_user_agent': 'Device User Agent', + 'geo_country_alpha_2': 'Alpha-2 Code', + 'geo_horizontal_accuracy': 'GPS Horizontal Accuracy', + 'ipv4': 'IPv4 Address', + 'ipv6': 'IPv6 Address', + 'latitude': 'Latitude', + 'longitude': 'Longitude', + 'wifi_bssid': 'WIFI BSSID' + } + + self.dynamic_dns_data_items = [ + 'a_record', + 'account', + 'created', + 'created_ip', + 'domain', + 'domain_creator_ip', + 'email', + ] + + self.dynamic_dns_data_items_friendly_names = { + 'a_record': 'A Record', + 'account': 'Account Holder', + 'created': 'Created Date', + 'created_ip': 'Account Holder IP Address', + 'domain': 'Domain', + 'domain_creator_ip': 'Domain Creator IP Address', + 'email': 'Email Address', + } + + self.os_indicators_data_items = [ + 'context', + 'datetime', + 'domain', + 'domain_2tld', + 'first_seen', + 'ipv4', + 'ipv6', + 'last_seen', + 'md5', + 'sha1', + 'sha256', + 'source_name', + 'source_url', + 'url' + ] + + self.os_indicators_data_items_friendly_names = { + 'context': 'Context', + 'datetime': 'DateTime', + 'domain': 'Domain', + 'domain_2tld': 'Domain 2TLD', + 'first_seen': 'First Seen', + 'ipv4': 'IPv4 Address', + 'ipv6': 'IPv6 Address', + 'last_seen': 'Last Seen', + 'md5': 'MD5', + 'sha1': 'SHA1', + 'sha256': 'SHA256', + 'source_name': 'Source Name', + 'source_url': 'Source URL', + 'url': 'URL' + } + + self.passive_dns_data_items = [ + 'cert_name', + 'count', + 'domain', + 'first_seen', + 'ip_geo_city_name', + 'ip_geo_country_iso_code', + 'ip_geo_country_name', + 'ip_geo_location_latitude', + 'ip_geo_location_longitude', + 'ip_geo_postal_code', + 'ip_ip', + 'ip_isp_autonomous_system_number', + 'ip_isp_autonomous_system_organization', + 'ip_isp_ip_address', + 'ip_isp_isp', + 'ip_isp_organization', + 'ipv4', + 'ipv6', + 'last_seen' + ] + + self.passive_dns_data_items_friendly_names = { + 'cert_name': 'Certificate Provider Name', + 'count': 'Passive DNS Count', + 'domain': 'Domain', + 'first_seen': 'First Seen', + 'ip_geo_city_name': 'IP Organization City', + 'ip_geo_country_iso_code': 'IP Organization Country ISO Code', + 'ip_geo_country_name': 'IP Organization Country Name', + 'ip_geo_location_latitude': 'IP Organization Latitude', + 'ip_geo_location_longitude': 'IP Organization Longitude', + 'ip_geo_postal_code': 'IP Organization Postal Code', + 'ip_ip': 'IP Address', + 'ip_isp_autonomous_system_number': 'ASN IP', + 'ip_isp_autonomous_system_organization': 'ASO IP', + 'ip_isp_ip_address': 'IP Address', + 'ip_isp_isp': 'ISP', + 'ip_isp_organization': 'ISP Organization', + 'ipv4': 'IPv4 Address', + 'ipv6': 'IPv6 Address', + 'last_seen': 'Last Seen' + } + + self.passive_hash_data_items = [ + 'domain', + 'md5_count' + ] + + self.passive_hash_data_items_friendly_names = { + 'domain': 'Domain', + 'md5_count': 'Passive DNS Count' + } + + self.malware_records_data_items = [ + 'datetime', + 'domain', + 'ipv4', + 'ipv6', + 'md5', + 'sha1', + 'sha256' + ] + + self.malware_records_data_items_friendly_names = { + 'datetime': 'DateTime', + 'domain': 'Domain', + 'ipv4': 'IPv4 Address', + 'ipv6': 'IPv6 Address', + 'md5': 'MD5', + 'sha1': 'SHA1', + 'sha256': 'SHA256' + } + + self.malware_information_data_items = [ + 'avscan_score', + 'md5', + 'av_name', + 'def_time', + 'threat_found', + 'scan_time', + 'sha1', + 'sha256', + 'sha512' + ] + + self.malware_information_data_items_friendly_names = { + 'avscan_score': 'AV Scan Score', + 'md5': 'MD5', + 'av_name': 'AV Name', + 'def_time': 'AV DateTime', + 'threat_found': 'Source', + 'scan_time': 'Scan DateTime', + 'sha1': 'SHA1', + 'sha256': 'SHA256', + 'sha512': 'SHA512' + } + + self.sinkhole_data_items = [ + 'count', + 'country_name', + 'country_code', + 'data_port', + 'datetime', + 'ipv4', + 'last_seen', + 'organization_name', + 'sink_source' + ] + + self.sinkhole_data_items_friendly_names = { + 'count': 'Sinkhole Count', + 'country_name': 'IP Address Country', + 'country_code': 'IP Address Country Code', + 'data_port': 'Data Port', + 'datetime': 'First Seen', + 'ipv4': 'IP Address', + 'last_seen': 'Last Seen', + 'organization_name': 'ISP Organization', + 'sink_source': 'Sink Source IP' + } + + self.ssl_certificate_data_items = [ + 'ip', + 'ssl_cert_cert_key', + 'ssl_cert_expire_date', + 'ssl_cert_issue_date', + 'ssl_cert_issuer_commonName', + 'ssl_cert_issuer_countryName', + 'ssl_cert_issuer_localityName', + 'ssl_cert_issuer_organizationName', + 'ssl_cert_issuer_organizationalUnitName', + 'ssl_cert_issuer_stateOrProvinceName', + 'ssl_cert_md5', + 'ssl_cert_serial_number', + 'ssl_cert_sha1', + 'ssl_cert_sha_256', + 'ssl_cert_sig_algo', + 'ssl_cert_ssl_version', + 'ssl_cert_subject_commonName', + 'ssl_cert_subject_countryName', + 'ssl_cert_subject_localityName', + 'ssl_cert_subject_organizationName', + 'ssl_cert_subject_organizationalUnitName', + 'ssl_cert_timestamp' + ] + + self.ssl_certificate_data_items_friendly_names = { + 'ip': 'IP Address', + 'ssl_cert_cert_key': 'Certificate Key', + 'ssl_cert_expire_date': 'Certificate Expiration Date', + 'ssl_cert_issue_date': 'Certificate Issue Date', + 'ssl_cert_issuer_commonName': 'Issuer Common Name', + 'ssl_cert_issuer_countryName': 'Issuer Country Name', + 'ssl_cert_issuer_localityName': 'Issuer City Name', + 'ssl_cert_issuer_organizationName': 'Issuer Organization Name', + 'ssl_cert_issuer_organizationalUnitName': 'Issuer Organization Unit Name', + 'ssl_cert_issuer_stateOrProvinceName': 'Issuer State or Province Name', + 'ssl_cert_md5': 'Certificate MD5', + 'ssl_cert_serial_number': 'Certificate Serial Number', + 'ssl_cert_sha1': 'Certificate SHA1', + 'ssl_cert_sha_256': 'Certificate SHA256', + 'ssl_cert_sig_algo': 'Certificate Signature Algorithm', + 'ssl_cert_ssl_version': 'SSL Version', + 'ssl_cert_subject_commonName': 'Reciever Subject Name', + 'ssl_cert_subject_countryName': 'Receiver Country Name', + 'ssl_cert_subject_localityName': 'Receiver City Name', + 'ssl_cert_subject_organizationName': 'Receiver Organization Name', + 'ssl_cert_subject_organizationalUnitName': 'Receiver Organization Unit Name', + 'ssl_cert_timestamp': 'Certificate DateTime' + } + + self.whois_historic_data_items = [ + 'abuse_emails', + 'address', + 'city', + 'country', + 'datetime', + 'domain', + 'domain_2tld', + 'domain_created_datetime', + 'domain_expires_datetime', + 'domain_updated_datetime', + 'email', + 'idn_name', + 'name', + 'nameserver', + 'organization', + 'phone', + 'privacy_punch', + 'registrar' + ] + + self.whois_historic_data_items_friendly_names = { + 'abuse_emails': 'Abuse Emails', + 'address': 'Address', + 'city': 'City', + 'country': 'Country', + 'datetime': 'Datetime', + 'domain': 'Domain', + 'domain_2tld': 'Domain 2tld', + 'domain_created_datetime': 'Domain Created Time', + 'domain_expires_datetime': 'Domain Expires Time', + 'domain_updated_datetime': 'Domain Updated Time', + 'email': 'Email Address', + 'idn_name': 'IDN Name', + 'name': 'Name', + 'nameserver': 'Nameserver', + 'organization': 'Organization', + 'phone': 'Phone Info', + 'privacy_punch': 'Privacy Punch', + 'registrar': 'Registrar' + } + + self.whois_current_data_items = [ + 'abuse_emails', + 'address', + 'city', + 'country', + 'datetime', + 'domain', + 'domain_2tld', + 'domain_created_datetime', + 'domain_expires_datetime', + 'domain_updated_datetime', + 'email', + 'idn_name', + 'name', + 'nameserver', + 'organization', + 'phone', + 'privacy_punch', + 'registrar', + 'state' + ] + + self.whois_current_data_items_friendly_names = { + 'abuse_emails': 'Abuse Emails', + 'address': 'Address', + 'city': 'City', + 'country': 'Country', + 'datetime': 'Datetime', + 'domain': 'Domain', + 'domain_2tld': 'Domain 2tld', + 'domain_created_datetime': 'Domain Created Time', + 'domain_expires_datetime': 'Domain Expires Time', + 'domain_updated_datetime': 'Domain Updated Time', + 'email': 'Email Address', + 'idn_name': 'IDN Name', + 'name': 'Name', + 'nameserver': 'Nameserver', + 'organization': 'Organization', + 'phone': 'Phone', + 'privacy_punch': 'Privacy Punch', + 'registrar': 'Registrar', + 'state': 'State' + } + + def create_misp_attributes_and_objects(self, response, endpoint, attribute_value): + flatten_json_response = get_flatten_json_response(response) + data_items: List[str] = [] + data_items_friendly_names: Dict[str, str] = {} + if endpoint == DEVICE_GEO_ENDPOINT: + data_items: List[str] = self.device_geo_data_items + data_items_friendly_names: Dict[str, str] = self.device_geo_data_items_friendly_names + elif endpoint == DYNAMIC_DNS_ENDPOINT: + data_items: List[str] = self.dynamic_dns_data_items + data_items_friendly_names: Dict[str, str] = self.dynamic_dns_data_items_friendly_names + elif endpoint == PASSIVE_DNS_ENDPOINT: + data_items: List[str] = self.passive_dns_data_items + data_items_friendly_names: Dict[str, str] = self.passive_dns_data_items_friendly_names + elif endpoint == PASSIVE_HASH_ENDPOINT: + data_items: List[str] = self.passive_hash_data_items + data_items_friendly_names: Dict[str, str] = self.passive_hash_data_items_friendly_names + elif endpoint == SINKHOLE_ENDPOINT: + data_items: List[str] = self.sinkhole_data_items + data_items_friendly_names: Dict[str, str] = self.sinkhole_data_items_friendly_names + elif endpoint == WHOIS_HISTORIC_ENDPOINT: + data_items = self.whois_historic_data_items + data_items_friendly_names = self.whois_historic_data_items_friendly_names + elif endpoint == WHOIS_CURRENT_ENDPOINT: + data_items: List[str] = self.whois_current_data_items + data_items_friendly_names: Dict[str, str] = self.whois_current_data_items_friendly_names + elif endpoint == SSL_CERTIFICATE_ENDPOINT: + data_items: List[str] = self.ssl_certificate_data_items + data_items_friendly_names: Dict[str, str] = self.ssl_certificate_data_items_friendly_names + elif endpoint == MALWARE_INFORMATION_ENDPOINT: + data_items: List[str] = self.malware_information_data_items + data_items_friendly_names = self.malware_information_data_items_friendly_names + elif endpoint == MALWARE_RECORDS_ENDPOINT: + data_items: List[str] = self.malware_records_data_items + data_items_friendly_names = self.malware_records_data_items_friendly_names + elif endpoint == OPEN_SOURCE_INDICATORS_ENDPOINT: + data_items: List[str] = self.os_indicators_data_items + data_items_friendly_names = self.os_indicators_data_items_friendly_names + elif endpoint == C2ATTRIBUTION_ENDPOINT: + data_items: List[str] = self.c2_attribution_data_items + data_items_friendly_names = self.c2_attribution_data_items_friendly_names + + for result in flatten_json_response: + hyas_object = misp_object(endpoint, attribute_value) + for data_item in result.keys(): + if data_item in data_items: + data_item_text = data_items_friendly_names[data_item] + data_item_value = str(result[data_item]) + hyas_object.add_attribute( + **parse_attribute(hyas_object.comment, data_item_text, data_item_value)) + hyas_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(hyas_object) + + def get_results(self): + """returns the dictionary object to MISP Instance""" + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} + + +def handler(q=False): + """The function which accepts a JSON document to expand the values and return a dictionary of the expanded + values. """ + if q is False: + return False + request = json.loads(q) + # check if the apikey is provided + if not request.get('config') or not request['config'].get('apikey'): + misperrors['error'] = 'HYAS Insight apikey is missing' + return misperrors + apikey = request['config'].get('apikey') + # check attribute is added to the event + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + + attribute = request['attribute'] + attribute_type = attribute['type'] + attribute_value = attribute['value'] + + # check if the attribute type is supported by IPQualityScore + if attribute_type not in mispattributes['input']: + return {'error': 'Unsupported attributes type for HYAS Insight Enrichment'} + request_handler = RequestHandler(apikey) + parser = HyasInsightParser(attribute) + has_results = False + if attribute_type in ip_query_input_type: + ip_param = '' + for endpoint in HYAS_IP_ENRICHMENT_ENDPOINTS_LIST: + if endpoint == DEVICE_GEO_ENDPOINT: + if re.match(IPV4_REGEX, attribute_value): + ip_param = IPV4_PARAM + elif re.match(IPV6_REGEX, attribute_value): + ip_param = IPV6_PARAM + elif endpoint == PASSIVE_HASH_ENDPOINT: + ip_param = IPV4_PARAM + elif endpoint == SINKHOLE_ENDPOINT: + ip_param = IPV4_PARAM + elif endpoint == MALWARE_RECORDS_ENDPOINT: + ip_param = IPV4_PARAM + else: + ip_param = IP_PARAM + enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value) + if endpoint == SSL_CERTIFICATE_ENDPOINT: + enrich_response = enrich_response.get('ssl_certs') + if enrich_response: + has_results = True + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in domain_query_input_type: + for endpoint in HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST: + if not endpoint == WHOIS_CURRENT_ENDPOINT: + enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value) + else: + enrich_response = request_handler.hyas_lookup(endpoint, DOMAIN_PARAM, attribute_value, + endpoint == WHOIS_CURRENT_ENDPOINT) + enrich_response = enrich_response.get('items') + if enrich_response: + has_results = True + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in email_query_input_type: + for endpoint in HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST: + enrich_response = request_handler.hyas_lookup(endpoint, EMAIL_PARAM, attribute_value) + if enrich_response: + has_results = True + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in phone_query_input_type: + for endpoint in HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST: + enrich_response = request_handler.hyas_lookup(endpoint, PHONE_PARAM, attribute_value) + if enrich_response: + has_results = True + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in md5_query_input_type: + md5_param = MD5_PARAM + for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST: + if endpoint == MALWARE_INFORMATION_ENDPOINT: + md5_param = HASH_PARAM + enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value) + if enrich_response: + has_results = True + if endpoint == MALWARE_INFORMATION_ENDPOINT: + enrich_response = malware_info_lookup_to_markdown(enrich_response) + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in sha1_query_input_type: + sha1_param = SHA1_PARAM + for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST: + if endpoint == MALWARE_INFORMATION_ENDPOINT: + sha1_param = HASH_PARAM + elif endpoint == SSL_CERTIFICATE_ENDPOINT: + sha1_param = HASH_PARAM + enrich_response = request_handler.hyas_lookup(endpoint, sha1_param, attribute_value) + + if enrich_response: + has_results = True + if endpoint == MALWARE_INFORMATION_ENDPOINT: + enrich_response = malware_info_lookup_to_markdown(enrich_response) + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in sha256_query_input_type: + sha256_param = SHA256_PARAM + for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST: + if endpoint == MALWARE_INFORMATION_ENDPOINT: + sha256_param = HASH_PARAM + enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value) + if enrich_response: + has_results = True + if endpoint == MALWARE_INFORMATION_ENDPOINT: + enrich_response = malware_info_lookup_to_markdown(enrich_response) + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + elif attribute_type in sha512_query_input_type: + sha512_param = '' + for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST: + if endpoint == MALWARE_INFORMATION_ENDPOINT: + sha512_param = HASH_PARAM + enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value) + if enrich_response: + has_results = True + if endpoint == MALWARE_INFORMATION_ENDPOINT: + enrich_response = malware_info_lookup_to_markdown(enrich_response) + parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) + + if has_results: + return parser.get_results() + else: + return {'error': 'No records found in HYAS Insight for the provided attribute.'} + + +def introspection(): + """The function that returns a dict of the supported attributes (input and output) by your expansion module.""" + return mispattributes + + +def version(): + """The function that returns a dict with the version and the associated meta-data including potential + configurations required of the module. """ + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/ipasn.py b/misp_modules/modules/expansion/ipasn.py index 3c6867c..3a32358 100755 --- a/misp_modules/modules/expansion/ipasn.py +++ b/misp_modules/modules/expansion/ipasn.py @@ -1,6 +1,7 @@ # -*- coding: utf-8 -*- import json +from . import check_input_attribute, standard_error_message from pyipasnhistory import IPASNHistory from pymisp import MISPAttribute, MISPEvent, MISPObject @@ -34,11 +35,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('attribute') and request['attribute'].get('type') in mispattributes['input']: - toquery = request['attribute']['value'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + toquery = request['attribute']['value'] ipasn = IPASNHistory() values = ipasn.query(toquery) diff --git a/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py b/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py new file mode 100644 index 0000000..bb58284 --- /dev/null +++ b/misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py @@ -0,0 +1,627 @@ +import json +import logging +import requests +from requests.exceptions import ( + HTTPError, + ProxyError, + InvalidURL, + ConnectTimeout +) +from . import check_input_attribute, standard_error_message +from pymisp import MISPEvent, MISPAttribute, MISPObject, MISPTag, Distribution + +ip_query_input_type = [ + 'ip-src', + 'ip-dst' +] +url_query_input_type = [ + 'hostname', + 'domain', + 'url', + 'uri' +] +email_query_input_type = [ + 'email', + 'email-src', + 'email-dst', + 'target-email', + 'whois-registrant-email' +] +phone_query_input_type = [ + 'phone-number', + 'whois-registrant-phone' +] + +misperrors = { + 'error': 'Error' +} +mispattributes = { + 'input': ip_query_input_type + url_query_input_type + email_query_input_type + phone_query_input_type, + 'format': 'misp_standard' +} +moduleinfo = { + 'version': '0.1', + 'author': 'David Mackler', + 'description': 'IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation,' + 'Malicious Domain and Malicious URL Scanner.', + 'module-type': ['expansion', 'hover'] +} +moduleconfig = ['apikey'] + +logger = logging.getLogger('ipqualityscore') +logger.setLevel(logging.DEBUG) +BASE_URL = 'https://ipqualityscore.com/api/json' +DEFAULT_DISTRIBUTION_SETTING = Distribution.your_organisation_only.value +IP_ENRICH = 'ip' +URL_ENRICH = 'url' +EMAIL_ENRICH = 'email' +PHONE_ENRICH = 'phone' + + +class RequestHandler: + """A class for handling any outbound requests from this module.""" + + def __init__(self, apikey): + self.session = requests.Session() + self.api_key = apikey + + def get(self, url: str, headers: dict = None, params: dict = None) -> requests.Response: + """General get method to fetch the response from IPQualityScore.""" + try: + response = self.session.get( + url, headers=headers, params=params + ).json() + if str(response["success"]) != "True": + msg = response["message"] + logger.error(f"Error: {msg}") + misperrors["error"] = msg + else: + return response + except (ConnectTimeout, ProxyError, InvalidURL) as error: + msg = "Error connecting with the IPQualityScore." + logger.error(f"{msg} Error: {error}") + misperrors["error"] = msg + + def ipqs_lookup(self, reputation_type: str, ioc: str) -> requests.Response: + """Do a lookup call.""" + url = f"{BASE_URL}/{reputation_type}" + payload = {reputation_type: ioc} + headers = {"IPQS-KEY": self.api_key} + try: + response = self.get(url, headers, payload) + except HTTPError as error: + msg = f"Error when requesting data from IPQualityScore. {error.response}: {error.response.reason}" + logger.error(msg) + misperrors["error"] = msg + raise + return response + + +def parse_attribute(comment, feature, value): + """Generic Method for parsing the attributes in the object""" + attribute = { + 'type': 'text', + 'value': value, + 'comment': comment, + 'distribution': DEFAULT_DISTRIBUTION_SETTING, + 'object_relation': feature + } + return attribute + + +class IPQualityScoreParser: + """A class for handling the enrichment objects""" + + def __init__(self, attribute): + self.rf_white = "#CCCCCC" + self.rf_grey = " #CDCDCD" + self.rf_yellow = "#FFCF00" + self.rf_red = "#D10028" + self.clean = "CLEAN" + self.low = "LOW RISK" + self.medium = "MODERATE RISK" + self.high = "HIGH RISK" + self.critical = "CRITICAL" + self.invalid = "INVALID" + self.suspicious = "SUSPICIOUS" + self.malware = "CRITICAL" + self.phishing = "CRITICAL" + self.disposable = "CRITICAL" + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + self.ipqs_object = MISPObject('IPQS Fraud and Risk Scoring Object') + self.ipqs_object.template_uuid = "57d066e6-6d66-42a7-a1ad-e075e39b2b5e" + self.ipqs_object.template_id = "1" + self.ipqs_object.description = "IPQS Fraud and Risk Scoring Data" + setattr(self.ipqs_object, 'meta-category', 'network') + description = ( + "An object containing the enriched attribute and " + "related entities from IPQualityScore." + ) + self.ipqs_object.from_dict( + **{"meta-category": "misc", "description": description, "distribution": DEFAULT_DISTRIBUTION_SETTING} + ) + + temp_attr = MISPAttribute() + temp_attr.from_dict(**attribute) + self.enriched_attribute = MISPAttribute() + self.enriched_attribute.from_dict( + **{"value": temp_attr.value, "type": temp_attr.type, "distribution": DEFAULT_DISTRIBUTION_SETTING} + ) + self.ipqs_object.distribution = DEFAULT_DISTRIBUTION_SETTING + self.ip_data_items = [ + 'fraud_score', + 'country_code', + 'region', + 'city', + 'zip_code', + 'ISP', + 'ASN', + 'organization', + 'is_crawler', + 'timezone', + 'mobile', + 'host', + 'proxy', + 'vpn', + 'tor', + 'active_vpn', + 'active_tor', + 'recent_abuse', + 'bot_status', + 'connection_type', + 'abuse_velocity', + 'latitude', + 'longitude' + ] + self.ip_data_items_friendly_names = { + 'fraud_score': 'IPQS: Fraud Score', + 'country_code': 'IPQS: Country Code', + 'region': 'IPQS: Region', + 'city': 'IPQS: City', + 'zip_code': 'IPQS: Zip Code', + 'ISP': 'IPQS: ISP', + 'ASN': 'IPQS: ASN', + 'organization': 'IPQS: Organization', + 'is_crawler': 'IPQS: Is Crawler', + 'timezone': 'IPQS: Timezone', + 'mobile': 'IPQS: Mobile', + 'host': 'IPQS: Host', + 'proxy': 'IPQS: Proxy', + 'vpn': 'IPQS: VPN', + 'tor': 'IPQS: TOR', + 'active_vpn': 'IPQS: Active VPN', + 'active_tor': 'IPQS: Active TOR', + 'recent_abuse': 'IPQS: Recent Abuse', + 'bot_status': 'IPQS: Bot Status', + 'connection_type': 'IPQS: Connection Type', + 'abuse_velocity': 'IPQS: Abuse Velocity', + 'latitude': 'IPQS: Latitude', + 'longitude': 'IPQS: Longitude' + } + self.url_data_items = [ + 'unsafe', + 'domain', + 'ip_address', + 'server', + 'domain_rank', + 'dns_valid', + 'parking', + 'spamming', + 'malware', + 'phishing', + 'suspicious', + 'adult', + 'risk_score', + 'category', + 'domain_age' + ] + self.url_data_items_friendly_names = { + 'unsafe': 'IPQS: Unsafe', + 'domain': 'IPQS: Domain', + 'ip_address': 'IPQS: IP Address', + 'server': 'IPQS: Server', + 'domain_rank': 'IPQS: Domain Rank', + 'dns_valid': 'IPQS: DNS Valid', + 'parking': 'IPQS: Parking', + 'spamming': 'IPQS: Spamming', + 'malware': 'IPQS: Malware', + 'phishing': 'IPQS: Phishing', + 'suspicious': 'IPQS: Suspicious', + 'adult': 'IPQS: Adult', + 'risk_score': 'IPQS: Risk Score', + 'category': 'IPQS: Category', + 'domain_age': 'IPQS: Domain Age' + } + self.email_data_items = [ + 'valid', + 'disposable', + 'smtp_score', + 'overall_score', + 'first_name', + 'generic', + 'common', + 'dns_valid', + 'honeypot', + 'deliverability', + 'frequent_complainer', + 'spam_trap_score', + 'catch_all', + 'timed_out', + 'suspect', + 'recent_abuse', + 'fraud_score', + 'suggested_domain', + 'leaked', + 'sanitized_email', + 'domain_age', + 'first_seen' + ] + self.email_data_items_friendly_names = { + 'valid': 'IPQS: Valid', + 'disposable': 'IPQS: Disposable', + 'smtp_score': 'IPQS: SMTP Score', + 'overall_score': 'IPQS: Overall Score', + 'first_name': 'IPQS: First Name', + 'generic': 'IPQS: Generic', + 'common': 'IPQS: Common', + 'dns_valid': 'IPQS: DNS Valid', + 'honeypot': 'IPQS: Honeypot', + 'deliverability': 'IPQS: Deliverability', + 'frequent_complainer': 'IPQS: Frequent Complainer', + 'spam_trap_score': 'IPQS: Spam Trap Score', + 'catch_all': 'IPQS: Catch All', + 'timed_out': 'IPQS: Timed Out', + 'suspect': 'IPQS: Suspect', + 'recent_abuse': 'IPQS: Recent Abuse', + 'fraud_score': 'IPQS: Fraud Score', + 'suggested_domain': 'IPQS: Suggested Domain', + 'leaked': 'IPQS: Leaked', + 'sanitized_email': 'IPQS: Sanitized Email', + 'domain_age': 'IPQS: Domain Age', + 'first_seen': 'IPQS: First Seen' + } + self.phone_data_items = [ + 'formatted', + 'local_format', + 'valid', + 'fraud_score', + 'recent_abuse', + 'VOIP', + 'prepaid', + 'risky', + 'active', + 'carrier', + 'line_type', + 'country', + 'city', + 'zip_code', + 'region', + 'dialing_code', + 'active_status', + 'leaked', + 'name', + 'timezone', + 'do_not_call', + ] + self.phone_data_items_friendly_names = { + 'formatted': 'IPQS: Formatted', + 'local_format': 'IPQS: Local Format', + 'valid': 'IPQS: Valid', + 'fraud_score': 'IPQS: Fraud Score', + 'recent_abuse': 'IPQS: Recent Abuse', + 'VOIP': 'IPQS: VOIP', + 'prepaid': 'IPQS: Prepaid', + 'risky': 'IPQS: Risky', + 'active': 'IPQS: Active', + 'carrier': 'IPQS: Carrier', + 'line_type': 'IPQS: Line Type', + 'country': 'IPQS: Country', + 'city': 'IPQS: City', + 'zip_code': 'IPQS: Zip Code', + 'region': 'IPQS: Region', + 'dialing_code': 'IPQS: Dialing Code', + 'active_status': 'IPQS: Active Status', + 'leaked': 'IPQS: Leaked', + 'name': 'IPQS: Name', + 'timezone': 'IPQS: Timezone', + 'do_not_call': 'IPQS: Do Not Call', + } + self.timestamp_items_friendly_name = { + 'human': ' Human', + 'timestamp': ' Timestamp', + 'iso': ' ISO' + } + self.timestamp_items = [ + 'human', + 'timestamp', + 'iso' + ] + + def criticality_color(self, criticality) -> str: + """method which maps the color to the criticality level""" + mapper = { + self.clean: self.rf_grey, + self.low: self.rf_grey, + self.medium: self.rf_yellow, + self.suspicious: self.rf_yellow, + self.high: self.rf_red, + self.critical: self.rf_red, + self.invalid: self.rf_red, + self.disposable: self.rf_red, + self.malware: self.rf_red, + self.phishing: self.rf_red + } + return mapper.get(criticality, self.rf_white) + + def add_tag(self, tag_name: str, hex_color: str = None) -> None: + """Helper method for adding a tag to the enriched attribute.""" + tag = MISPTag() + tag_properties = {"name": tag_name} + if hex_color: + tag_properties["colour"] = hex_color + tag.from_dict(**tag_properties) + self.enriched_attribute.add_tag(tag) + + def ipqs_parser(self, query_response, enrich_type): + """ helper method to call the enrichment function according to the type""" + if enrich_type == IP_ENRICH: + self.ip_reputation_data(query_response) + elif enrich_type == URL_ENRICH: + self.url_reputation_data(query_response) + elif enrich_type == EMAIL_ENRICH: + self.email_reputation_data(query_response) + elif enrich_type == PHONE_ENRICH: + self.phone_reputation_data(query_response) + + def ip_reputation_data(self, query_response): + """method to create object for IP address""" + comment = "Results from IPQualityScore IP Reputation API" + for ip_data_item in self.ip_data_items: + if ip_data_item in query_response: + data_item = self.ip_data_items_friendly_names[ip_data_item] + data_item_value = str(query_response[ip_data_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + if ip_data_item == "fraud_score": + fraud_score = int(data_item_value) + self.ip_address_risk_scoring(fraud_score) + + self.ipqs_object.add_attribute( + "Enriched attribute", **self.enriched_attribute + ) + self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(self.ipqs_object) + + def ip_address_risk_scoring(self, score): + """method to create calculate verdict for IP Address""" + risk_criticality = "" + if score == 100: + risk_criticality = self.critical + elif 85 <= score <= 99: + risk_criticality = self.high + elif 75 <= score <= 84: + risk_criticality = self.medium + elif 60 <= score <= 74: + risk_criticality = self.suspicious + elif score <= 59: + risk_criticality = self.clean + + hex_color = self.criticality_color(risk_criticality) + tag_name = f'IPQS:VERDICT="{risk_criticality}"' + self.add_tag(tag_name, hex_color) + + def url_reputation_data(self, query_response): + """method to create object for URL/Domain""" + malware = False + phishing = False + risk_score = 0 + comment = "Results from IPQualityScore Malicious URL Scanner API" + for url_data_item in self.url_data_items: + if url_data_item in query_response: + data_item_value = "" + if url_data_item == "domain_age": + for timestamp_item in self.timestamp_items: + data_item = self.url_data_items_friendly_names[url_data_item] + \ + self.timestamp_items_friendly_name[timestamp_item] + data_item_value = str(query_response[url_data_item][timestamp_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + else: + data_item = self.url_data_items_friendly_names[url_data_item] + data_item_value = str(query_response[url_data_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + + if url_data_item == "malware": + malware = data_item_value + if url_data_item == "phishing": + phishing = data_item_value + if url_data_item == "risk_score": + risk_score = int(data_item_value) + + self.url_risk_scoring(risk_score, malware, phishing) + self.ipqs_object.add_attribute( + "Enriched attribute", **self.enriched_attribute + ) + self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(self.ipqs_object) + + def url_risk_scoring(self, score, malware, phishing): + """method to create calculate verdict for URL/Domain""" + risk_criticality = "" + if malware == 'True': + risk_criticality = self.malware + elif phishing == 'True': + risk_criticality = self.phishing + elif score >= 90: + risk_criticality = self.high + elif 80 <= score <= 89: + risk_criticality = self.medium + elif 70 <= score <= 79: + risk_criticality = self.low + elif 55 <= score <= 69: + risk_criticality = self.suspicious + elif score <= 54: + risk_criticality = self.clean + + hex_color = self.criticality_color(risk_criticality) + tag_name = f'IPQS:VERDICT="{risk_criticality}"' + self.add_tag(tag_name, hex_color) + + def email_reputation_data(self, query_response): + """method to create object for Email Address""" + comment = "Results from IPQualityScore Email Verification API" + disposable = False + valid = False + fraud_score = 0 + for email_data_item in self.email_data_items: + if email_data_item in query_response: + data_item_value = "" + if email_data_item not in ("domain_age", "first_seen"): + data_item = self.email_data_items_friendly_names[email_data_item] + data_item_value = str(query_response[email_data_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + else: + for timestamp_item in self.timestamp_items: + data_item = self.email_data_items_friendly_names[email_data_item] + \ + self.timestamp_items_friendly_name[timestamp_item] + data_item_value = str(query_response[email_data_item][timestamp_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + + if email_data_item == "disposable": + disposable = data_item_value + if email_data_item == "valid": + valid = data_item_value + if email_data_item == "fraud_score": + fraud_score = int(data_item_value) + + self.email_address_risk_scoring(fraud_score, disposable, valid) + self.ipqs_object.add_attribute( + "Enriched attribute", **self.enriched_attribute + ) + self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(self.ipqs_object) + + def email_address_risk_scoring(self, score, disposable, valid): + """method to create calculate verdict for Email Address""" + risk_criticality = "" + if disposable == "True": + risk_criticality = self.disposable + elif valid == "False": + risk_criticality = self.invalid + elif score == 100: + risk_criticality = self.high + elif 88 <= score <= 99: + risk_criticality = self.medium + elif 80 <= score <= 87: + risk_criticality = self.low + elif score <= 79: + risk_criticality = self.clean + hex_color = self.criticality_color(risk_criticality) + tag_name = f'IPQS:VERDICT="{risk_criticality}"' + + self.add_tag(tag_name, hex_color) + + def phone_reputation_data(self, query_response): + """method to create object for Phone Number""" + fraud_score = 0 + valid = False + active = False + comment = "Results from IPQualityScore Phone Number Validation API" + for phone_data_item in self.phone_data_items: + if phone_data_item in query_response: + data_item = self.phone_data_items_friendly_names[phone_data_item] + data_item_value = str(query_response[phone_data_item]) + self.ipqs_object.add_attribute(**parse_attribute(comment, data_item, data_item_value)) + if phone_data_item == "active": + active = data_item_value + if phone_data_item == "valid": + valid = data_item_value + if phone_data_item == "fraud_score": + fraud_score = int(data_item_value) + + + self.phone_address_risk_scoring(fraud_score, valid, active) + self.ipqs_object.add_attribute( + "Enriched attribute", **self.enriched_attribute + ) + self.ipqs_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(self.ipqs_object) + + def phone_address_risk_scoring(self, score, valid, active): + """method to create calculate verdict for Phone Number""" + risk_criticality = "" + if valid == "False": + risk_criticality = self.medium + elif active == "False": + risk_criticality = self.medium + elif 90 <= score <= 100: + risk_criticality = self.high + elif 80 <= score <= 89: + risk_criticality = self.low + elif 50 <= score <= 79: + risk_criticality = self.suspicious + elif score <= 49: + risk_criticality = self.clean + hex_color = self.criticality_color(risk_criticality) + tag_name = f'IPQS:VERDICT="{risk_criticality}"' + self.add_tag(tag_name, hex_color) + + def get_results(self): + """returns the dictionary object to MISP Instance""" + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} + + +def handler(q=False): + """The function which accepts a JSON document to expand the values and return a dictionary of the expanded + values. """ + if q is False: + return False + request = json.loads(q) + # check if the apikey is provided + if not request.get('config') or not request['config'].get('apikey'): + misperrors['error'] = 'IPQualityScore apikey is missing' + return misperrors + apikey = request['config'].get('apikey') + # check attribute is added to the event + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + + attribute = request['attribute'] + attribute_type = attribute['type'] + attribute_value = attribute['value'] + + # check if the attribute type is supported by IPQualityScore + if attribute_type not in mispattributes['input']: + return {'error': 'Unsupported attributes type for IPqualityScore Enrichment'} + request_handler = RequestHandler(apikey) + enrich_type = "" + if attribute_type in ip_query_input_type: + enrich_type = IP_ENRICH + json_response = request_handler.ipqs_lookup(IP_ENRICH, attribute_value) + elif attribute_type in url_query_input_type: + enrich_type = URL_ENRICH + json_response = request_handler.ipqs_lookup(URL_ENRICH, attribute_value) + elif attribute_type in email_query_input_type: + enrich_type = EMAIL_ENRICH + json_response = request_handler.ipqs_lookup(EMAIL_ENRICH, attribute_value) + elif attribute_type in phone_query_input_type: + enrich_type = PHONE_ENRICH + json_response = request_handler.ipqs_lookup(PHONE_ENRICH, attribute_value) + + parser = IPQualityScoreParser(attribute) + parser.ipqs_parser(json_response, enrich_type) + return parser.get_results() + + +def introspection(): + """The function that returns a dict of the supported attributes (input and output) by your expansion module.""" + return mispattributes + + +def version(): + """The function that returns a dict with the version and the associated meta-data including potential + configurations required of the module. """ + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/jinja_template_rendering.py b/misp_modules/modules/expansion/jinja_template_rendering.py new file mode 100755 index 0000000..5749aba --- /dev/null +++ b/misp_modules/modules/expansion/jinja_template_rendering.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python\ + +import json +from jinja2.sandbox import SandboxedEnvironment + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['text'], 'output': ['text']} +moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem', + 'description': 'Render the template with the data passed', + 'module-type': ['expansion']} + +default_template = '- Default template -' + +def renderTemplate(data, template=default_template): + env = SandboxedEnvironment() + return env.from_string(template).render(data) + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if request.get('text'): + data = request['text'] + else: + return False + data = json.loads(data) + template = data.get('template', default_template) + templateData = data.get('data', {}) + try: + rendered = renderTemplate(templateData, template) + except TypeError: + rendered = '' + + r = {'results': [{'types': mispattributes['output'], + 'values':[rendered]}]} + return r + + +def introspection(): + return mispattributes + + +def version(): + return moduleinfo diff --git a/misp_modules/modules/expansion/joesandbox_query.py b/misp_modules/modules/expansion/joesandbox_query.py index 1ace259..e303512 100644 --- a/misp_modules/modules/expansion/joesandbox_query.py +++ b/misp_modules/modules/expansion/joesandbox_query.py @@ -1,6 +1,7 @@ # -*- coding: utf-8 -*- import jbxapi import json +from . import check_input_attribute, checking_error, standard_error_message from joe_parser import JoeParser misperrors = {'error': 'Error'} @@ -10,7 +11,7 @@ inputSource = ['link'] moduleinfo = {'version': '0.2', 'author': 'Christian Studer', 'description': 'Query Joe Sandbox API with a report URL to get the parsed data.', 'module-type': ['expansion']} -moduleconfig = ['apiurl', 'apikey', 'import_pe', 'import_mitre_attack'] +moduleconfig = ['apiurl', 'apikey', 'import_executable', 'import_mitre_attack'] def handler(q=False): @@ -20,13 +21,17 @@ def handler(q=False): apiurl = request['config'].get('apiurl') or 'https://jbxcloud.joesecurity.org/api' apikey = request['config'].get('apikey') parser_config = { - "import_pe": request["config"].get('import_pe', "false") == "true", + "import_executable": request["config"].get('import_executable', "false") == "true", "mitre_attack": request["config"].get('import_mitre_attack', "false") == "true", } if not apikey: return {'error': 'No API key provided'} + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error} that is the link to the Joe Sandbox report.'} + if request['attribute']['type'] != 'link': + return {'error': 'Unsupported attribute type.'} url = request['attribute']['value'] if "/submissions/" not in url: return {'error': "The URL does not point to a Joe Sandbox analysis."} diff --git a/misp_modules/modules/expansion/lastline_query.py b/misp_modules/modules/expansion/lastline_query.py index 4ce4e47..501a0bd 100644 --- a/misp_modules/modules/expansion/lastline_query.py +++ b/misp_modules/modules/expansion/lastline_query.py @@ -1,10 +1,12 @@ #!/usr/bin/env python3 """ +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Module (type "expansion") to query a Lastline report from an analysis link. """ import json - import lastline_api +from . import check_input_attribute, checking_error, standard_error_message misperrors = { @@ -52,6 +54,8 @@ def handler(q=False): try: config = request["config"] auth_data = lastline_api.LastlineAbstractClient.get_login_params_from_dict(config) + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error} that is the link to a Lastline analysis.'} analysis_link = request['attribute']['value'] # The API url changes based on the analysis link host name api_url = lastline_api.get_portal_url_from_task_link(analysis_link) diff --git a/misp_modules/modules/expansion/lastline_submit.py b/misp_modules/modules/expansion/lastline_submit.py index 1572955..fef165b 100644 --- a/misp_modules/modules/expansion/lastline_submit.py +++ b/misp_modules/modules/expansion/lastline_submit.py @@ -1,5 +1,7 @@ #!/usr/bin/env python3 """ +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Module (type "expansion") to submit files and URLs to Lastline for analysis. """ import base64 diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py index 4574b75..60739e8 100644 --- a/misp_modules/modules/expansion/malwarebazaar.py +++ b/misp_modules/modules/expansion/malwarebazaar.py @@ -1,5 +1,6 @@ import json import requests +from . import check_input_attribute, checking_error, standard_error_message from pymisp import MISPEvent, MISPObject mispattributes = {'input': ['md5', 'sha1', 'sha256'], @@ -34,7 +35,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error} that is the hash to submit to Malware Bazaar.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} url = 'https://mb-api.abuse.ch/api/v1/' response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json() query_status = response['query_status'] diff --git a/misp_modules/modules/expansion/mcafee_insights_enrich.py b/misp_modules/modules/expansion/mcafee_insights_enrich.py new file mode 100644 index 0000000..8026d7f --- /dev/null +++ b/misp_modules/modules/expansion/mcafee_insights_enrich.py @@ -0,0 +1,239 @@ +# Written by mohlcyber 13.08.2021 +# MISP Module for McAfee MVISION Insights to query campaign details + +import json +import logging +import requests +import sys + +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject + +misperrors = {'error': 'Error'} +mispattributes = {'input': ["md5", "sha1", "sha256"], + 'format': 'misp_standard'} + +# possible module-types: 'expansion', 'hover' or both +moduleinfo = {'version': '1', 'author': 'Martin Ohl', + 'description': 'Lookup McAfee MVISION Insights Details', + 'module-type': ['hover']} + +# config fields that your code expects from the site admin +moduleconfig = ['api_key', 'client_id', 'client_secret'] + + +class MVAPI(): + def __init__(self, attribute, api_key, client_id, client_secret): + self.misp_event = MISPEvent() + self.attribute = MISPAttribute() + self.attribute.from_dict(**attribute) + self.misp_event.add_attribute(**self.attribute) + + self.base_url = 'https://api.mvision.mcafee.com' + self.session = requests.Session() + + self.api_key = api_key + auth = (client_id, client_secret) + + self.logging() + self.auth(auth) + + def logging(self): + self.logger = logging.getLogger('logs') + self.logger.setLevel('INFO') + handler = logging.StreamHandler() + formatter = logging.Formatter("%(asctime)s;%(levelname)s;%(message)s") + handler.setFormatter(formatter) + self.logger.addHandler(handler) + + def auth(self, auth): + iam_url = "https://iam.mcafee-cloud.com/iam/v1.1/token" + + headers = { + 'x-api-key': self.api_key, + 'Content-Type': 'application/vnd.api+json' + } + + payload = { + "grant_type": "client_credentials", + "scope": "ins.user ins.suser ins.ms.r" + } + + res = self.session.post(iam_url, headers=headers, auth=auth, data=payload) + + if res.status_code != 200: + self.logger.error('Could not authenticate to get the IAM token: {0} - {1}'.format(res.status_code, res.text)) + sys.exit() + else: + self.logger.info('Successful authenticated.') + access_token = res.json()['access_token'] + headers['Authorization'] = 'Bearer ' + access_token + self.session.headers = headers + + def search_ioc(self): + filters = { + 'filter[type][eq]': self.attribute.type, + 'filter[value]': self.attribute.value, + 'fields': 'id, type, value, coverage, uid, is_coat, is_sdb_dirty, category, comment, campaigns, threat, prevalence' + } + res = self.session.get(self.base_url + '/insights/v2/iocs', params=filters) + + if res.ok: + if len(res.json()['data']) == 0: + self.logger.info('No Hash details in MVISION Insights found.') + else: + self.logger.info('Successfully retrieved MVISION Insights details.') + self.logger.debug(res.text) + return res.json() + else: + self.logger.error('Error in search_ioc. HTTP {0} - {1}'.format(str(res.status_code), res.text)) + sys.exit() + + def prep_result(self, ioc): + res = ioc['data'][0] + results = [] + + # Parse out Attribute Category + category_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Attribute Category: {0}'.format(res['attributes']['category']) + } + results.append(category_attr) + + # Parse out Attribute Comment + comment_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Attribute Comment: {0}'.format(res['attributes']['comment']) + } + results.append(comment_attr) + + # Parse out Attribute Dat Coverage + cover_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Dat Version Coverage: {0}'.format(res['attributes']['coverage']['dat_version']['min']) + } + results.append(cover_attr) + + # Parse out if Dirty + cover_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Is Dirty: {0}'.format(res['attributes']['is-sdb-dirty']) + } + results.append(cover_attr) + + # Parse our targeted countries + countries_dict = [] + countries = res['attributes']['prevalence']['countries'] + + for country in countries: + countries_dict.append(country['iso_code']) + + country_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Targeted Countries: {0}'.format(countries_dict) + } + results.append(country_attr) + + # Parse out targeted sectors + sectors_dict = [] + sectors = res['attributes']['prevalence']['sectors'] + + for sector in sectors: + sectors_dict.append(sector['sector']) + + sector_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Targeted Sectors: {0}'.format(sectors_dict) + } + results.append(sector_attr) + + # Parse out Threat Classification + threat_class_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Threat Classification: {0}'.format(res['attributes']['threat']['classification']) + } + results.append(threat_class_attr) + + # Parse out Threat Name + threat_name_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Threat Name: {0}'.format(res['attributes']['threat']['name']) + } + results.append(threat_name_attr) + + # Parse out Threat Severity + threat_sev_attr = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Threat Severity: {0}'.format(res['attributes']['threat']['severity']) + } + results.append(threat_sev_attr) + + # Parse out Attribute ID + attr_id = { + 'type': 'text', + 'object_relation': 'text', + 'value': 'Attribute ID: {0}'.format(res['id']) + } + results.append(attr_id) + + # Parse out Campaign Relationships + campaigns = ioc['included'] + + for campaign in campaigns: + campaign_attr = { + 'type': 'campaign-name', + 'object_relation': 'campaign-name', + 'value': campaign['attributes']['name'] + } + results.append(campaign_attr) + + mv_insights_obj = MISPObject(name='MVISION Insights Details') + for mvi_res in results: + mv_insights_obj.add_attribute(**mvi_res) + mv_insights_obj.add_reference(self.attribute.uuid, 'mvision-insights-details') + + self.misp_event.add_object(mv_insights_obj) + + event = json.loads(self.misp_event.to_json()) + results_mvi = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + + return {'results': results_mvi} + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + + if not request.get('config') or not request['config'].get('api_key') or not request['config'].get('client_id') or not request['config'].get('client_secret'): + misperrors['error'] = "Please provide MVISION API Key, Client ID and Client Secret." + return misperrors + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type. Please use {0}'.format(mispattributes['input'])} + + api_key = request['config']['api_key'] + client_id = request['config']['client_id'] + client_secret = request['config']['client_secret'] + attribute = request['attribute'] + + mvi = MVAPI(attribute, api_key, client_id, client_secret) + res = mvi.search_ioc() + return mvi.prep_result(res) + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/mmdb_lookup.py b/misp_modules/modules/expansion/mmdb_lookup.py new file mode 100644 index 0000000..e3a0eff --- /dev/null +++ b/misp_modules/modules/expansion/mmdb_lookup.py @@ -0,0 +1,129 @@ +import json +import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPEvent, MISPObject + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'], 'format': 'misp_standard'} +moduleinfo = {'version': '1', 'author': 'Jeroen Pinoy', + 'description': "An expansion module to enrich an ip with geolocation and asn information from an mmdb server " + "such as ip.circl.lu.", + 'module-type': ['expansion', 'hover']} +moduleconfig = ["custom_API", "db_source_filter"] +mmdblookup_url = 'https://ip.circl.lu/' + + +class MmdbLookupParser(): + def __init__(self, attribute, mmdblookupresult, api_url): + self.attribute = attribute + self.mmdblookupresult = mmdblookupresult + self.api_url = api_url + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + + def get_result(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + + def parse_mmdblookup_information(self): + # There is a chance some db's have a hit while others don't so we have to check if entry is empty each time + for result_entry in self.mmdblookupresult: + if result_entry['country_info']: + mmdblookup_object = MISPObject('geolocation') + mmdblookup_object.add_attribute('country', + **{'type': 'text', 'value': result_entry['country_info']['Country']}) + mmdblookup_object.add_attribute('countrycode', + **{'type': 'text', 'value': result_entry['country']['iso_code']}) + mmdblookup_object.add_attribute('latitude', + **{'type': 'float', + 'value': result_entry['country_info']['Latitude (average)']}) + mmdblookup_object.add_attribute('longitude', + **{'type': 'float', + 'value': result_entry['country_info']['Longitude (average)']}) + mmdblookup_object.add_attribute('text', + **{'type': 'text', + 'value': 'db_source: {}. build_db: {}. Latitude and longitude are country average.'.format( + result_entry['meta']['db_source'], + result_entry['meta']['build_db'])}) + mmdblookup_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(mmdblookup_object) + if 'AutonomousSystemNumber' in result_entry['country']: + mmdblookup_object_asn = MISPObject('asn') + mmdblookup_object_asn.add_attribute('asn', + **{'type': 'text', + 'value': result_entry['country'][ + 'AutonomousSystemNumber']}) + mmdblookup_object_asn.add_attribute('description', + **{'type': 'text', + 'value': 'ASNOrganization: {}. db_source: {}. build_db: {}.'.format( + result_entry['country'][ + 'AutonomousSystemOrganization'], + result_entry['meta']['db_source'], + result_entry['meta']['build_db'])}) + mmdblookup_object_asn.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(mmdblookup_object_asn) + + +def check_url(url): + return "{}/".format(url) if not url.endswith('/') else url + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute.get('type') == 'ip-src': + toquery = attribute['value'] + elif attribute.get('type') == 'ip-src|port': + toquery = attribute['value'].split('|')[0] + elif attribute.get('type') == 'ip-dst': + toquery = attribute['value'] + elif attribute.get('type') == 'ip-dst|port': + toquery = attribute['value'].split('|')[0] + else: + misperrors['error'] = 'There is no attribute of type ip-src or ip-dst provided as input' + return misperrors + api_url = check_url(request['config']['custom_API']) if 'config' in request and request['config'].get( + 'custom_API') else mmdblookup_url + r = requests.get("{}/geolookup/{}".format(api_url, toquery)) + if r.status_code == 200: + mmdblookupresult = r.json() + if not mmdblookupresult or len(mmdblookupresult) == 0: + misperrors['error'] = 'Empty result returned by server' + return misperrors + if 'config' in request and request['config'].get('db_source_filter'): + db_source_filter = request['config'].get('db_source_filter') + mmdblookupresult = [entry for entry in mmdblookupresult if entry['meta']['db_source'] == db_source_filter] + if not mmdblookupresult or len(mmdblookupresult) == 0: + misperrors['error'] = 'There was no result with the selected db_source' + return misperrors + # Server might return one or multiple entries which could all be empty, we check if there is at least one + # non-empty result below + empty_result = True + for lookup_result_entry in mmdblookupresult: + if lookup_result_entry['country_info']: + empty_result = False + break + if empty_result: + misperrors['error'] = 'Empty result returned by server' + return misperrors + else: + misperrors['error'] = 'API not accessible - http status code {} was returned'.format(r.status_code) + return misperrors + parser = MmdbLookupParser(attribute, mmdblookupresult, api_url) + parser.parse_mmdblookup_information() + result = parser.get_result() + return result + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/mwdb.py b/misp_modules/modules/expansion/mwdb.py new file mode 100644 index 0000000..66f5fe4 --- /dev/null +++ b/misp_modules/modules/expansion/mwdb.py @@ -0,0 +1,142 @@ +import json +import sys +import base64 +#from distutils.util import strtobool + +import io +import zipfile + +from pymisp import PyMISP +from mwdblib import MWDB + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['link']} +moduleinfo = {'version': '1', 'author': 'Koen Van Impe', + 'description': 'Module to push malware samples to a MWDB instance', + 'module-type': ['expansion']} + +moduleconfig = ['mwdb_apikey', 'mwdb_url', 'mwdb_misp_attribute', 'mwdb_public', 'include_tags_event', 'include_tags_attribute'] + +pymisp_keys_file = "/var/www/MISP/PyMISP/" +mwdb_public_default = True + +""" +An expansion module to push malware samples to a MWDB (https://github.com/CERT-Polska/mwdb-core) instance. +This module does not push samples to a sandbox. This can be achieved via Karton (connected to the MWDB) + +Does: +- Upload of attachment or malware sample to MWDB +- Tags of events and/or attributes are added to MWDB. +- Comment of the MISP attribute is added to MWDB. +- A link back to the MISP event is added to MWDB via the MWDB attribute. +- A link to the MWDB attribute is added as an enriched attribute to the MISP event. + +Requires +- mwdblib installed (pip install mwdblib) +- (optional) keys.py file to add tags of events/attributes to MWDB +- (optional) MWDB "attribute" created for the link back to MISP (defined in mwdb_misp_attribute) +""" + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + + try: + data = request.get("data") + if 'malware-sample' in request: + # malicious samples are encrypted with zip (password infected) and then base64 encoded + sample_filename = request.get("malware-sample").split("|", 1)[0] + data = base64.b64decode(data) + fl = io.BytesIO(data) + zf = zipfile.ZipFile(fl) + sample_hashname = zf.namelist()[0] + data = zf.read(sample_hashname, b"infected") + zf.close() + elif 'attachment' in request: + # All attachments get base64 encoded + sample_filename = request.get("attachment") + data = base64.b64decode(data) + + else: + misperrors['error'] = "No malware sample or attachment supplied" + return misperrors + except Exception: + misperrors['error'] = "Unable to process submited sample data" + return misperrors + + if (request["config"].get("mwdb_apikey") is None) or (request["config"].get("mwdb_url") is None): + misperrors["error"] = "Missing MWDB API key or server URL" + return misperrors + + mwdb_misp_attribute = request["config"].get("mwdb_misp_attribute") + mwdb_public = request["config"].get("mwdb_public", mwdb_public_default) + + include_tags_event = request["config"].get("include_tags_event") + include_tags_attribute = request["config"].get("include_tags_attribute") + misp_event_id = request.get("event_id") + misp_attribute_uuid = request.get("attribute_uuid") + misp_attribute_comment = "" + mwdb_tags = [] + misp_info = "" + + try: + if include_tags_event: + sys.path.append(pymisp_keys_file) + from keys import misp_url, misp_key, misp_verifycert + misp = PyMISP(misp_url, misp_key, misp_verifycert, False) + misp_event = misp.get_event(misp_event_id) + if "Event" in misp_event: + misp_info = misp_event["Event"]["info"] + if "Tag" in misp_event["Event"]: + tags = misp_event["Event"]["Tag"] + for tag in tags: + if "misp-galaxy" not in tag["name"]: + mwdb_tags.append(tag["name"]) + if include_tags_attribute: + sys.path.append(pymisp_keys_file) + from keys import misp_url, misp_key, misp_verifycert + misp = PyMISP(misp_url, misp_key, misp_verifycert, False) + misp_attribute = misp.get_attribute(misp_attribute_uuid) + if "Attribute" in misp_attribute: + if "Tag" in misp_attribute["Attribute"]: + tags = misp_attribute["Attribute"]["Tag"] + for tag in tags: + if "misp-galaxy" not in tag["name"]: + mwdb_tags.append(tag["name"]) + misp_attribute_comment = misp_attribute["Attribute"]["comment"] + except Exception: + misperrors['error'] = "Unable to read PyMISP (keys.py) configuration file" + return misperrors + + try: + mwdb = MWDB(api_key=request["config"].get("mwdb_apikey"), api_url=request["config"].get("mwdb_url")) + if mwdb_misp_attribute and len(mwdb_misp_attribute) > 0: + metakeys = {mwdb_misp_attribute: misp_event_id} + else: + metakeys = False + file_object = mwdb.upload_file(sample_filename, data, metakeys=metakeys, public=mwdb_public) + for tag in mwdb_tags: + file_object.add_tag(tag) + if len(misp_attribute_comment) < 1: + misp_attribute_comment = "MISP attribute {}".format(misp_attribute_uuid) + file_object.add_comment(misp_attribute_comment) + if len(misp_event) > 0: + file_object.add_comment("Fetched from event {} - {}".format(misp_event_id, misp_info)) + mwdb_link = request["config"].get("mwdb_url").replace("/api", "/file/") + "{}".format(file_object.md5) + except Exception: + misperrors['error'] = "Unable to send sample to MWDB instance" + return misperrors + + r = {'results': [{'types': 'link', 'values': mwdb_link, 'comment': 'Link to MWDB sample'}]} + return r + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/ocr_enrich.py b/misp_modules/modules/expansion/ocr_enrich.py index cd6baca..ff0a70c 100644 --- a/misp_modules/modules/expansion/ocr_enrich.py +++ b/misp_modules/modules/expansion/ocr_enrich.py @@ -6,14 +6,21 @@ import pytesseract misperrors = {'error': 'Error'} mispattributes = {'input': ['attachment'], - 'output': ['freetext', 'text']} -moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen', + 'output': ['freetext']} +moduleinfo = {'version': '0.2', 'author': 'Sascha Rommelfangen', 'description': 'OCR decoder', 'module-type': ['expansion']} moduleconfig = [] +def filter_decoded(decoded): + for line in decoded.split('\n'): + decoded_line = line.strip('\t\x0b\x0c\r ') + if decoded_line: + yield decoded_line + + def handler(q=False): if q is False: return False @@ -31,9 +38,16 @@ def handler(q=False): image = img_array image = cv2.imdecode(img_array, cv2.IMREAD_COLOR) try: - decoded = pytesseract.image_to_string(image) - return {'results': [{'types': ['freetext'], 'values': decoded, 'comment': "OCR from file " + filename}, - {'types': ['text'], 'values': decoded, 'comment': "ORC from file " + filename}]} + decoded = pytesseract.image_to_string(cv2.cvtColor(image, cv2.COLOR_BGR2RGB)) + return { + 'results': [ + { + 'types': ['freetext'], + 'values': list(filter_decoded(decoded)), + 'comment': f"OCR from file {filename}" + } + ] + } except Exception as e: print(e) err = "Couldn't analyze file type. Only images are supported right now." diff --git a/misp_modules/modules/expansion/ods_enrich.py b/misp_modules/modules/expansion/ods_enrich.py index b247c44..69aca77 100644 --- a/misp_modules/modules/expansion/ods_enrich.py +++ b/misp_modules/modules/expansion/ods_enrich.py @@ -4,6 +4,7 @@ import np import ezodf import pandas_ods_reader import io +import logging misperrors = {'error': 'Error'} mispattributes = {'input': ['attachment'], @@ -35,13 +36,12 @@ def handler(q=False): num_sheets = len(doc.sheets) try: for i in range(0, num_sheets): - ods = pandas_ods_reader.read_ods(ods_file, i, headers=False) + ods = pandas_ods_reader.algo.read_data(pandas_ods_reader.parsers.ods, ods_file, i, headers=False) ods_content = ods_content + "\n" + ods.to_string(max_rows=None) - print(ods_content) return {'results': [{'types': ['freetext'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename}, {'types': ['text'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename}]} except Exception as e: - print(e) + logging.exception(e) err = "Couldn't analyze file as .ods. Error was: " + str(e) misperrors['error'] = err return misperrors diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py index d8db477..c777707 100644 --- a/misp_modules/modules/expansion/onyphe.py +++ b/misp_modules/modules/expansion/onyphe.py @@ -1,6 +1,9 @@ # -*- coding: utf-8 -*- import json + +from pymisp import MISPEvent, MISPObject + try: from onyphe import Onyphe except ImportError: @@ -9,9 +12,10 @@ except ImportError: misperrors = {'error': 'Error'} mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'], - 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']} + 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url'], + 'format': 'misp_standard'} # possible module-types: 'expansion', 'hover' or both -moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', +moduleinfo = {'version': '2', 'author': 'Sebastien Larinier @sebdraven', 'description': 'Query on Onyphe', 'module-type': ['expansion', 'hover']} @@ -19,84 +23,205 @@ moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', moduleconfig = ['apikey'] +class OnypheClient: + + def __init__(self, api_key, attribute): + self.onyphe_client = Onyphe(api_key=api_key) + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + + def get_results(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] + for key in ('Attribute', 'Object') if key in event} + return results + + def get_query_onyphe(self): + if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst': + self.__summary_ip() + if self.attribute['type'] == 'domain': + self.__summary_domain() + if self.attribute['type'] == 'hostname': + self.__summary_hostname() + + def __summary_ip(self): + results = self.onyphe_client.summary_ip(self.attribute['value']) + if 'results' in results: + for r in results['results']: + if 'domain' in r: + domain = r['domain'] + if type(domain) == list: + for d in domain: + self.__get_object_domain_ip(d, 'domain') + elif type(domain) == str: + self.__get_object_domain_ip(domain, 'domain') + + if 'hostname' in r: + hostname = r['hostname'] + if type(hostname) == list: + for d in hostname: + self.__get_object_domain_ip(d, 'domain') + elif type(hostname) == str: + self.__get_object_domain_ip(hostname, 'domain') + + if 'issuer' in r: + self.__get_object_certificate(r) + + def __summary_domain(self): + results = self.onyphe_client.summary_domain(self.attribute['value']) + if 'results' in results: + for r in results['results']: + + for domain in r.get('domain'): + self.misp_event.add_attribute('domain', domain) + for hostname in r.get('hostname'): + self.misp_event.add_attribute('hostname', hostname) + if 'ip' in r: + if type(r['ip']) is str: + self.__get_object_domain_ip(r['ip'], 'ip') + if type(r['ip']) is list: + for ip in r['ip']: + self.__get_object_domain_ip(ip, 'ip') + if 'issuer' in r: + self.__get_object_certificate(r) + + def __summary_hostname(self): + results = self.onyphe_client.summary_hostname(self.attribute['value']) + if 'results' in results: + + for r in results['results']: + if 'domain' in r: + if type(r['domain']) is str: + self.misp_event.add_attribute( + 'domain', r['domain']) + if type(r['domain']) is list: + for domain in r['domain']: + self.misp_event.add_attribute('domain', domain) + + if 'hostname' in r: + if type(r['hostname']) is str: + self.misp_event.add_attribute( + 'hostname', r['hostname']) + if type(r['hostname']) is list: + for hostname in r['hostname']: + self.misp_event.add_attribute( + 'hostname', hostname) + + if 'ip' in r: + if type(r['ip']) is str: + self.__get_object_domain_ip(r['ip'], 'ip') + if type(r['ip']) is list: + for ip in r['ip']: + self.__get_object_domain_ip(ip, 'ip') + + if 'issuer' in r: + self.__get_object_certificate(r) + + if 'cve' in r: + if type(r['cve']) is list: + for cve in r['cve']: + self.__get_object_cve(r, cve) + + def __get_object_certificate(self, r): + object_certificate = MISPObject('x509') + object_certificate.add_attribute('ip', self.attribute['value']) + object_certificate.add_attribute('serial-number', r['serial']) + object_certificate.add_attribute( + 'x509-fingerprint-sha256', r['fingerprint']['sha256']) + object_certificate.add_attribute( + 'x509-fingerprint-sha1', r['fingerprint']['sha1']) + object_certificate.add_attribute( + 'x509-fingerprint-md5', r['fingerprint']['md5']) + + signature = r['signature']['algorithm'] + value = '' + if 'sha256' in signature and 'RSA' in signature: + value = 'SHA256_WITH_RSA_ENCRYPTION' + elif 'sha1' in signature and 'RSA' in signature: + value = 'SHA1_WITH_RSA_ENCRYPTION' + if value: + object_certificate.add_attribute('signature_algorithm', value) + + object_certificate.add_attribute( + 'pubkey-info-algorithm', r['publickey']['algorithm']) + + if 'exponent' in r['publickey']: + object_certificate.add_attribute( + 'pubkey-info-exponent', r['publickey']['exponent']) + if 'length' in r['publickey']: + object_certificate.add_attribute( + 'pubkey-info-size', r['publickey']['length']) + + object_certificate.add_attribute('issuer', r['issuer']['commonname']) + object_certificate.add_attribute( + 'validity-not-before', r['validity']['notbefore']) + object_certificate.add_attribute( + 'validity-not-after', r['validity']['notbefore']) + object_certificate.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(object_certificate) + + def __get_object_domain_ip(self, obs, relation): + objet_domain_ip = MISPObject('domain-ip') + objet_domain_ip.add_attribute(relation, obs) + relation_attr = self.__get_relation_attribute() + if relation_attr: + objet_domain_ip.add_attribute( + relation_attr, self.attribute['value']) + objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(objet_domain_ip) + + def __get_relation_attribute(self): + + if self.attribute['type'] == 'ip-src': + return 'ip' + elif self.attribute['type'] == 'ip-dst': + return 'ip' + elif self.attribute['type'] == 'domain': + return 'domain' + elif self.attribute['type'] == 'hostname': + return 'domain' + + def __get_object_cve(self, item, cve): + attributes = [] + object_cve = MISPObject('vulnerability') + object_cve.add_attribute('id', cve) + object_cve.add_attribute('state', 'Published') + + if type(item['ip']) is list: + for ip in item['ip']: + attributes.extend( + list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute']))) + for obj in self.misp_event['Object']: + attributes.extend( + list(filter(lambda x: x['value'] == ip, obj['Attribute']))) + if type(item['ip']) is str: + + for obj in self.misp_event['Object']: + for att in obj['Attribute']: + if att['value'] == item['ip']: + object_cve.add_reference(obj['uuid'], 'cve') + + self.misp_event.add_object(object_cve) + + def handler(q=False): if q: request = json.loads(q) + attribute = request['attribute'] if not request.get('config') or not request['config'].get('apikey'): misperrors['error'] = 'Onyphe authentication is missing' return misperrors - api = Onyphe(request['config'].get('apikey')) + api_key = request['config'].get('apikey') - if not api: - misperrors['error'] = 'Onyphe Error instance api' + onyphe_client = OnypheClient(api_key, attribute) + onyphe_client.get_query_onyphe() + results = onyphe_client.get_results() - ip = '' - if request.get('ip-src'): - ip = request['ip-src'] - elif request.get('ip-dst'): - ip = request['ip-dst'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors - - return handle_expansion(api, ip, misperrors) - else: - return False - - -def handle_expansion(api, ip, misperrors): - result = api.ip(ip) - - if result['status'] == 'nok': - misperrors['error'] = result['message'] - return misperrors - - # categories = list(set([item['@category'] for item in result['results']])) - - result_filtered = {"results": []} - urls_pasties = [] - asn_list = [] - os_list = [] - domains_resolver = [] - domains_forward = [] - - for r in result['results']: - if r['@category'] == 'pastries': - if r['source'] == 'pastebin': - urls_pasties.append('https://pastebin.com/raw/%s' % r['key']) - elif r['@category'] == 'synscan': - asn_list.append(r['asn']) - os_target = r['os'] - if os_target != 'Unknown': - os_list.append(r['os']) - elif r['@category'] == 'resolver' and r['type'] == 'reverse': - domains_resolver.append(r['reverse']) - elif r['@category'] == 'resolver' and r['type'] == 'forward': - domains_forward.append(r['forward']) - - result_filtered['results'].append({'types': ['url'], 'values': urls_pasties, - 'categories': ['External analysis']}) - - result_filtered['results'].append({'types': ['AS'], 'values': list(set(asn_list)), - 'categories': ['Network activity']}) - - result_filtered['results'].append({'types': ['target-machine'], - 'values': list(set(os_list)), - 'categories': ['Targeting data']}) - - result_filtered['results'].append({'types': ['domain'], - 'values': list(set(domains_resolver)), - 'categories': ['Network activity'], - 'comment': 'resolver to %s' % ip}) - - result_filtered['results'].append({'types': ['domain'], - 'values': list(set(domains_forward)), - 'categories': ['Network activity'], - 'comment': 'forward to %s' % ip}) - return result_filtered + return {'results': results} def introspection(): diff --git a/misp_modules/modules/expansion/passive-ssh.py b/misp_modules/modules/expansion/passive-ssh.py new file mode 100644 index 0000000..bf70ec9 --- /dev/null +++ b/misp_modules/modules/expansion/passive-ssh.py @@ -0,0 +1,140 @@ +import json +import requests +from . import check_input_attribute, standard_error_message +from collections import defaultdict +from pymisp import MISPEvent, MISPObject + +misperrors = {'error': 'Error'} + +mispattributes = {'input': ['ip-src', 'ip-dst', 'ssh-fingerprint'], + 'format': 'misp_standard'} + +moduleinfo = {'version': '1', 'author': 'Jean-Louis Huynen', + 'description': 'An expansion module to enrich, SSH key fingerprints and IP addresses with information collected by passive-ssh', + 'module-type': ['expansion', 'hover']} + +moduleconfig = ["custom_api_url", "api_user", "api_key"] + +passivessh_url = 'https://passivessh.circl.lu/' + +host_query = '/host/ssh' +fingerprint_query = '/fingerprint/all' + + +class PassivesshParser(): + def __init__(self, attribute, passivesshresult): + self.attribute = attribute + self.passivesshresult = passivesshresult + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + self.references = defaultdict(list) + + def get_result(self): + if self.references: + self.__build_references() + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ( + 'Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + + def parse_passivessh_information(self): + passivessh_object = MISPObject('passive-ssh') + if 'first_seen' in self.passivesshresult: + passivessh_object.add_attribute( + 'first_seen', **{'type': 'datetime', 'value': self.passivesshresult['first_seen']}) + if 'last_seen' in self.passivesshresult: + passivessh_object.add_attribute( + 'last_seen', **{'type': 'datetime', 'value': self.passivesshresult['last_seen']}) + if 'base64' in self.passivesshresult: + passivessh_object.add_attribute( + 'base64', **{'type': 'text', 'value': self.passivesshresult['base64']}) + if 'keys' in self.passivesshresult: + for key in self.passivesshresult['keys']: + passivessh_object.add_attribute( + 'fingerprint', **{'type': 'ssh-fingerprint', 'value': key['fingerprint']}) + if 'hosts' in self.passivesshresult: + for host in self.passivesshresult['hosts']: + passivessh_object.add_attribute( + 'host', **{'type': 'ip-dst', 'value': host}) + + passivessh_object.add_reference(self.attribute['uuid'], 'related-to') + self.misp_event.add_object(passivessh_object) + + def __build_references(self): + for object_uuid, references in self.references.items(): + for misp_object in self.misp_event.objects: + if misp_object.uuid == object_uuid: + for reference in references: + misp_object.add_reference(**reference) + break + + +def check_url(url): + return "{}/".format(url) if not url.endswith('/') else url + + +def handler(q=False): + + if q is False: + return False + request = json.loads(q) + + api_url = check_url(request['config']['custom_api_url']) if request['config'].get( + 'custom_api_url') else passivessh_url + + if request['config'].get('api_user'): + api_user = request['config'].get('api_user') + else: + misperrors['error'] = 'passive-ssh user required' + return misperrors + if request['config'].get('api_key'): + api_key = request['config'].get('api_key') + else: + misperrors['error'] = 'passive-ssh password required' + return misperrors + + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute.get('type') == 'ip-src': + type = host_query + pass + elif attribute.get('type') == 'ip-dst': + type = host_query + pass + elif attribute.get('type') == 'ssh-fingerprint': + type = fingerprint_query + pass + else: + misperrors['error'] = 'ip is missing.' + return misperrors + + r = requests.get("{}{}/{}".format(api_url, type, + attribute['value']), auth=(api_user, api_key)) + + if r.status_code == 200: + passivesshresult = r.json() + if not passivesshresult: + misperrors['error'] = 'Empty result' + return misperrors + elif r.status_code == 404: + misperrors['error'] = 'Non existing hash' + return misperrors + else: + misperrors['error'] = 'API not accessible' + return misperrors + + parser = PassivesshParser(attribute, passivesshresult) + parser.parse_passivessh_information() + result = parser.get_result() + + return result + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/qintel_qsentry.py b/misp_modules/modules/expansion/qintel_qsentry.py new file mode 100644 index 0000000..6733b93 --- /dev/null +++ b/misp_modules/modules/expansion/qintel_qsentry.py @@ -0,0 +1,221 @@ +import logging +import json + +from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject +from . import check_input_attribute, checking_error, standard_error_message + +from qintel_helper import search_qsentry + +logger = logging.getLogger('qintel_qsentry') +logger.setLevel(logging.DEBUG) + +moduleinfo = { + 'version': '1.0', + 'author': 'Qintel, LLC', + 'description': 'Query Qintel QSentry for ip intelligence', + 'module-type': ['hover', 'expansion'] +} + +moduleconfig = ['token', 'remote'] + +misperrors = {'error': 'Error'} + +mispattributes = { + 'input': ['ip-src', 'ip-dst'], + 'output': ['ip-src', 'ip-dst', 'AS', 'freetext'], + 'format': 'misp_standard' +} + +TAG_COLOR = { + 'benign': '#27ae60', + 'suspicious': '#e6a902', + 'malicious': '#c0392b' +} + +CLIENT_HEADERS = { + 'User-Agent': f"MISP/{moduleinfo['version']}", +} + + +def _return_error(message): + misperrors['error'] = message + return misperrors + + +def _make_tags(enriched_attr, result): + + for tag in result['tags']: + color = TAG_COLOR['suspicious'] + if tag == 'criminal': + color = TAG_COLOR['malicious'] + + t = MISPTag() + t.from_dict(**{ + 'name': f'qintel:tag="{tag}"', + 'colour': color + }) + enriched_attr.add_tag(**t) + + return enriched_attr + + +def _make_enriched_attr(event, result, orig_attr): + + enriched_object = MISPObject('Qintel Threat Enrichment') + enriched_object.add_reference(orig_attr.uuid, 'related-to') + + enriched_attr = MISPAttribute() + enriched_attr.from_dict(**{ + 'value': orig_attr.value, + 'type': orig_attr.type, + 'distribution': 0, + 'object_relation': 'enriched-attr', + 'to_ids': orig_attr.to_ids + }) + + enriched_attr = _make_tags(enriched_attr, result) + enriched_object.add_attribute(**enriched_attr) + + comment_attr = MISPAttribute() + comment_attr.from_dict(**{ + 'value': '\n'.join(result.get('descriptions', [])), + 'type': 'text', + 'object_relation': 'descriptions', + 'distribution': 0 + }) + enriched_object.add_attribute(**comment_attr) + + last_seen = MISPAttribute() + last_seen.from_dict(**{ + 'value': result.get('last_seen'), + 'type': 'datetime', + 'object_relation': 'last-seen', + 'distribution': 0 + }) + enriched_object.add_attribute(**last_seen) + + event.add_attribute(**orig_attr) + event.add_object(**enriched_object) + + return event + + +def _make_asn_attr(event, result, orig_attr): + + asn_object = MISPObject('asn') + asn_object.add_reference(orig_attr.uuid, 'related-to') + + asn_attr = MISPAttribute() + asn_attr.from_dict(**{ + 'type': 'AS', + 'value': result.get('asn'), + 'object_relation': 'asn', + 'distribution': 0 + }) + asn_object.add_attribute(**asn_attr) + + org_attr = MISPAttribute() + org_attr.from_dict(**{ + 'type': 'text', + 'value': result.get('asn_name', 'unknown').title(), + 'object_relation': 'description', + 'distribution': 0 + }) + asn_object.add_attribute(**org_attr) + + event.add_object(**asn_object) + + return event + + +def _format_hover(event, result): + + enriched_object = event.get_objects_by_name('Qintel Threat Enrichment')[0] + + tags = ', '.join(result.get('tags')) + enriched_object.add_attribute('Tags', type='text', value=tags) + + return event + + +def _format_result(attribute, result): + + event = MISPEvent() + + orig_attr = MISPAttribute() + orig_attr.from_dict(**attribute) + + event = _make_enriched_attr(event, result, orig_attr) + event = _make_asn_attr(event, result, orig_attr) + + return event + + +def _check_config(config): + if not config: + return False + + if not isinstance(config, dict): + return False + + if config.get('token', '') == '': + return False + + return True + + +def _check_request(request): + if not request.get('attribute'): + return f'{standard_error_message}, {checking_error}' + + check_reqs = ('type', 'value') + if not check_input_attribute(request['attribute'], + requirements=check_reqs): + return f'{standard_error_message}, {checking_error}' + + if request['attribute']['type'] not in mispattributes['input']: + return 'Unsupported attribute type' + + +def handler(q=False): + if not q: + return False + + request = json.loads(q) + config = request.get('config') + + if not _check_config(config): + return _return_error('Missing Qintel token') + + check_request_error = _check_request(request) + if check_request_error: + return _return_error(check_request_error) + + search_args = { + 'token': config['token'], + 'remote': config.get('remote') + } + + try: + result = search_qsentry(request['attribute']['value'], **search_args) + except Exception as e: + return _return_error(str(e)) + + event = _format_result(request['attribute'], result) + if not request.get('event_id'): + event = _format_hover(event, result) + + event = json.loads(event.to_json()) + + ret_result = {key: event[key] for key in ('Attribute', 'Object') if key + in event} + return {'results': ret_result} + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/ransomcoindb.py b/misp_modules/modules/expansion/ransomcoindb.py index 2b9b566..0e05855 100644 --- a/misp_modules/modules/expansion/ransomcoindb.py +++ b/misp_modules/modules/expansion/ransomcoindb.py @@ -1,4 +1,5 @@ import json +from . import check_input_attribute, checking_error, standard_error_message from ._ransomcoindb import ransomcoindb from pymisp import MISPObject @@ -28,6 +29,10 @@ def handler(q=False): q = json.loads(q) if "config" not in q or "api-key" not in q["config"]: return {"error": "Ransomcoindb API key is missing"} + if not q.get('attribute') or not check_input_attribute(q['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error}.'} + if q['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} api_key = q["config"]["api-key"] r = {"results": []} diff --git a/misp_modules/modules/expansion/rbl.py b/misp_modules/modules/expansion/rbl.py index 4d7bba5..d3f661e 100644 --- a/misp_modules/modules/expansion/rbl.py +++ b/misp_modules/modules/expansion/rbl.py @@ -3,78 +3,75 @@ import sys try: import dns.resolver - resolver = dns.resolver.Resolver() - resolver.timeout = 0.2 - resolver.lifetime = 0.2 except ImportError: print("dnspython3 is missing, use 'pip install dnspython3' to install it.") sys.exit(0) misperrors = {'error': 'Error'} mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['text']} -moduleinfo = {'version': '0.1', 'author': 'Christian Studer', +moduleinfo = {'version': '0.2', 'author': 'Christian Studer', 'description': 'Check an IPv4 address against known RBLs.', 'module-type': ['expansion', 'hover']} -moduleconfig = [] +moduleconfig = ['timeout'] -rbls = { - 'spam.spamrats.com': 'http://www.spamrats.com', - 'spamguard.leadmon.net': 'http://www.leadmon.net/SpamGuard/', - 'rbl-plus.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', - 'web.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'ix.dnsbl.manitu.net': 'http://www.dnsbl.manitu.net', - 'virus.rbl.jp': 'http://www.rbl.jp', - 'dul.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'bogons.cymru.com': 'http://www.team-cymru.org/Services/Bogons/', - 'psbl.surriel.com': 'http://psbl.surriel.com', - 'misc.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'httpbl.abuse.ch': 'http://dnsbl.abuse.ch', - 'combined.njabl.org': 'http://combined.njabl.org', - 'smtp.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'korea.services.net': 'http://korea.services.net', - 'drone.abuse.ch': 'http://dnsbl.abuse.ch', - 'rbl.efnetrbl.org': 'http://rbl.efnetrbl.org', - 'cbl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US', - 'b.barracudacentral.org': 'http://www.barracudacentral.org/rbl/removal-request', - 'bl.spamcannibal.org': 'http://www.spamcannibal.org', - 'xbl.spamhaus.org': 'http://www.spamhaus.org/xbl/', - 'zen.spamhaus.org': 'http://www.spamhaus.org/zen/', - 'rbl.suresupport.com': 'http://suresupport.com/postmaster', - 'db.wpbl.info': 'http://www.wpbl.info', - 'sbl.spamhaus.org': 'http://www.spamhaus.org/sbl/', - 'http.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'csi.cloudmark.com': 'http://www.cloudmark.com/en/products/cloudmark-sender-intelligence/index', - 'rbl.interserver.net': 'http://rbl.interserver.net', - 'ubl.unsubscore.com': 'http://www.lashback.com/blacklist/', - 'dnsbl.sorbs.net': 'http://www.sorbs.net', - 'virbl.bit.nl': 'http://virbl.bit.nl', - 'pbl.spamhaus.org': 'http://www.spamhaus.org/pbl/', - 'socks.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'short.rbl.jp': 'http://www.rbl.jp', - 'dnsbl.dronebl.org': 'http://www.dronebl.org', - 'blackholes.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', - 'truncate.gbudb.net': 'http://www.gbudb.com/truncate/index.jsp', - 'dyna.spamrats.com': 'http://www.spamrats.com', - 'spamrbl.imp.ch': 'http://antispam.imp.ch', - 'spam.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'wormrbl.imp.ch': 'http://antispam.imp.ch', - 'query.senderbase.org': 'http://www.senderbase.org/about', - 'opm.tornevall.org': 'http://dnsbl.tornevall.org', - 'netblock.pedantic.org': 'http://pedantic.org', - 'access.redhawk.org': 'http://www.redhawk.org/index.php?option=com_wrapper&Itemid=33', - 'cdl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US', - 'multi.surbl.org': 'http://www.surbl.org', - 'noptr.spamrats.com': 'http://www.spamrats.com', - 'dnsbl.inps.de': 'http://dnsbl.inps.de/index.cgi?lang=en', - 'bl.spamcop.net': 'http://bl.spamcop.net', - 'cbl.abuseat.org': 'http://cbl.abuseat.org', - 'dsn.rfc-ignorant.org': 'http://www.rfc-ignorant.org/policy-dsn.php', - 'zombie.dnsbl.sorbs.net': 'http://www.sorbs.net', - 'dnsbl.njabl.org': 'http://dnsbl.njabl.org', - 'relays.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', - 'rbl.spamlab.com': 'http://tools.appriver.com/index.aspx?tool=rbl', - 'all.bl.blocklist.de': 'http://www.blocklist.de/en/rbldns.html' -} +rbls = ( + "spam.spamrats.com", + "spamguard.leadmon.net", + "rbl-plus.mail-abuse.org", + "web.dnsbl.sorbs.net", + "ix.dnsbl.manitu.net", + "virus.rbl.jp", + "dul.dnsbl.sorbs.net", + "bogons.cymru.com", + "psbl.surriel.com", + "misc.dnsbl.sorbs.net", + "httpbl.abuse.ch", + "combined.njabl.org", + "smtp.dnsbl.sorbs.net", + "korea.services.net", + "drone.abuse.ch", + "rbl.efnetrbl.org", + "cbl.anti-spam.org.cn", + "b.barracudacentral.org", + "bl.spamcannibal.org", + "xbl.spamhaus.org", + "zen.spamhaus.org", + "rbl.suresupport.com", + "db.wpbl.info", + "sbl.spamhaus.org", + "http.dnsbl.sorbs.net", + "csi.cloudmark.com", + "rbl.interserver.net", + "ubl.unsubscore.com", + "dnsbl.sorbs.net", + "virbl.bit.nl", + "pbl.spamhaus.org", + "socks.dnsbl.sorbs.net", + "short.rbl.jp", + "dnsbl.dronebl.org", + "blackholes.mail-abuse.org", + "truncate.gbudb.net", + "dyna.spamrats.com", + "spamrbl.imp.ch", + "spam.dnsbl.sorbs.net", + "wormrbl.imp.ch", + "query.senderbase.org", + "opm.tornevall.org", + "netblock.pedantic.org", + "access.redhawk.org", + "cdl.anti-spam.org.cn", + "multi.surbl.org", + "noptr.spamrats.com", + "dnsbl.inps.de", + "bl.spamcop.net", + "cbl.abuseat.org", + "dsn.rfc-ignorant.org", + "zombie.dnsbl.sorbs.net", + "dnsbl.njabl.org", + "relays.mail-abuse.org", + "rbl.spamlab.com", + "all.bl.blocklist.de" +) def handler(q=False): @@ -88,18 +85,23 @@ def handler(q=False): else: misperrors['error'] = "Unsupported attributes type" return misperrors - listeds = [] - infos = [] + resolver = dns.resolver.Resolver() + try: + timeout = float(request['config']['timeout']) + except (KeyError, ValueError): + timeout = 0.4 + resolver.timeout = timeout + resolver.lifetime = timeout + infos = {} ipRev = '.'.join(ip.split('.')[::-1]) for rbl in rbls: query = '{}.{}'.format(ipRev, rbl) try: txt = resolver.query(query, 'TXT') - listeds.append(query) - infos.append([str(t) for t in txt]) + infos[query] = [str(t) for t in txt] except Exception: continue - result = "\n".join([f"{listed}: {' - '.join(info)}" for listed, info in zip(listeds, infos)]) + result = "\n".join([f"{rbl}: {' - '.join(info)}" for rbl, info in infos.items()]) if not result: return {'error': 'No data found by querying known RBLs'} return {'results': [{'types': mispattributes.get('output'), 'values': result}]} diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py index c42a42b..8056bfa 100644 --- a/misp_modules/modules/expansion/recordedfuture.py +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -1,91 +1,201 @@ import json import logging import requests -from urllib.parse import quote +from requests.exceptions import ( + HTTPError, + ProxyError, + InvalidURL, + ConnectTimeout, + ConnectionError, +) +from typing import Optional, List, Tuple, Dict +from . import check_input_attribute, checking_error, standard_error_message +import platform +import os +from urllib.parse import quote, urlparse from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject -moduleinfo = {'version': '1.0', 'author': 'Recorded Future', - 'description': 'Module to retrieve data from Recorded Future', - 'module-type': ['expansion', 'hover']} +moduleinfo = { + "version": "2.0.0", + "author": "Recorded Future", + "description": "Module to retrieve data from Recorded Future", + "module-type": ["expansion", "hover"], +} -moduleconfig = ['token'] +moduleconfig = ["token", "proxy_host", "proxy_port", "proxy_username", "proxy_password"] -misperrors = {'error': 'Error'} +misperrors = {"error": "Error"} -mispattributes = {'input': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', - 'uri', 'url', 'vulnerability', 'weakness'], - 'output': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', - 'uri', 'url', 'vulnerability', 'weakness', 'email-src', 'text'], - 'format': 'misp_standard'} +GALAXY_FILE_PATH = "https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/" -LOGGER = logging.getLogger('recorded_future') +ATTRIBUTESTYPES = [ + "ip", + "ip-src", + "ip-dst", + "ip-src|port", + "ip-dst|port", + "domain", + "hostname", + "md5", + "sha1", + "sha256", + "uri", + "url", + "vulnerability", + "weakness", +] + +OUTPUTATTRIBUTESTYPES = ATTRIBUTESTYPES + [ + "email-src", + "malware-sample", + "text", + "target-org", + "threat-actor", + "target-user", +] + +mispattributes = { + "input": ATTRIBUTESTYPES, + "output": OUTPUTATTRIBUTESTYPES, + "format": "misp_standard", +} + +LOGGER = logging.getLogger("recorded_future") LOGGER.setLevel(logging.INFO) -def rf_lookup(api_token: str, category: str, ioc: str) -> requests.Response: - """Do a lookup call using Recorded Future's ConnectAPI.""" - auth_header = {"X-RFToken": api_token} - parsed_ioc = quote(ioc, safe='') - url = f'https://api.recordedfuture.com/v2/{category}/{parsed_ioc}?fields=risk%2CrelatedEntities' - response = requests.get(url, headers=auth_header) - response.raise_for_status() - return response +class RequestHandler: + """A class for handling any outbound requests from this module.""" + + def __init__(self): + self.session = requests.Session() + self.app_id = ( + f'{os.path.basename(__file__)}/{moduleinfo["version"]} ({platform.platform()}) ' + f'misp_enrichment/{moduleinfo["version"]} python-requests/{requests.__version__}' + ) + self.proxies = None + self.rf_token = None + + def get(self, url: str, headers: dict = None) -> requests.Response: + """General get method with proxy error handling.""" + try: + timeout = 7 if self.proxies else None + response = self.session.get( + url, headers=headers, proxies=self.proxies, timeout=timeout + ) + response.raise_for_status() + return response + except (ConnectTimeout, ProxyError, InvalidURL) as error: + msg = "Error connecting with proxy, please check the Recorded Future app proxy settings." + LOGGER.error(f"{msg} Error: {error}") + misperrors["error"] = msg + raise + + def rf_lookup(self, category: str, ioc: str) -> requests.Response: + """Do a lookup call using Recorded Future's ConnectAPI.""" + parsed_ioc = quote(ioc, safe="") + url = f"https://api.recordedfuture.com/gw/misp/lookup/{category}/{parsed_ioc}" + headers = {"X-RFToken": self.rf_token, "User-Agent": self.app_id} + try: + response = self.get(url, headers) + except HTTPError as error: + msg = f"Error when requesting data from Recorded Future. {error.response}: {error.response.reason}" + LOGGER.error(msg) + misperrors["error"] = msg + raise + return response + + +GLOBAL_REQUEST_HANDLER = RequestHandler() class GalaxyFinder: """A class for finding MISP galaxy matches to Recorded Future data.""" + def __init__(self): self.session = requests.Session() + # There are duplicates values for different keys because Links entities and Related entities + # have have different naming for the same types self.sources = { - 'RelatedThreatActor': ['https://raw.githubusercontent.com/MISP/misp-galaxy/' - 'main/clusters/threat-actor.json'], - 'RelatedMalware': ['https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/banker.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/botnet.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/exploit-kit.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/rat.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/ransomware.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/malpedia.json'] + "RelatedThreatActor": [f"{GALAXY_FILE_PATH}threat-actor.json"], + "Threat Actor": [f"{GALAXY_FILE_PATH}threat-actor.json"], + "RelatedMalware": [ + f"{GALAXY_FILE_PATH}banker.json", + f"{GALAXY_FILE_PATH}botnet.json", + f"{GALAXY_FILE_PATH}exploit-kit.json", + f"{GALAXY_FILE_PATH}rat.json", + f"{GALAXY_FILE_PATH}ransomware.json", + f"{GALAXY_FILE_PATH}malpedia.json", + ], + "Malware": [ + f"{GALAXY_FILE_PATH}banker.json", + f"{GALAXY_FILE_PATH}botnet.json", + f"{GALAXY_FILE_PATH}exploit-kit.json", + f"{GALAXY_FILE_PATH}rat.json", + f"{GALAXY_FILE_PATH}ransomware.json", + f"{GALAXY_FILE_PATH}malpedia.json", + ], + "MitreAttackIdentifier": [ + f"{GALAXY_FILE_PATH}mitre-attack-pattern.json", + f"{GALAXY_FILE_PATH}mitre-course-of-action.json", + f"{GALAXY_FILE_PATH}mitre-enterprise-attack-attack-pattern.json", + f"{GALAXY_FILE_PATH}mitre-enterprise-attack-course-of-action.json", + f"{GALAXY_FILE_PATH}mitre-enterprise-attack-intrusion-set.json", + f"{GALAXY_FILE_PATH}mitre-enterprise-attack-malware.json", + f"{GALAXY_FILE_PATH}mitre-enterprise-attack-tool.json", + f"{GALAXY_FILE_PATH}mitre-intrusion-set.json", + f"{GALAXY_FILE_PATH}mitre-malware.json", + f"{GALAXY_FILE_PATH}mitre-mobile-attack-attack-pattern.json", + f"{GALAXY_FILE_PATH}mitre-mobile-attack-course-of-action.json", + f"{GALAXY_FILE_PATH}mitre-mobile-attack-intrusion-set.json", + f"{GALAXY_FILE_PATH}mitre-mobile-attack-malware.json", + f"{GALAXY_FILE_PATH}mitre-mobile-attack-tool.json", + f"{GALAXY_FILE_PATH}mitre-pre-attack-attack-pattern.json", + f"{GALAXY_FILE_PATH}mitre-pre-attack-intrusion-set.json", + f"{GALAXY_FILE_PATH}mitre-tool.json", + ], } self.galaxy_clusters = {} - def pull_galaxy_cluster(self, related_type: str): + def pull_galaxy_cluster(self, related_type: str) -> None: """Fetches galaxy clusters for the related_type from the remote json files specified as self.sources.""" # Only fetch clusters if not fetched previously if not self.galaxy_clusters.get(related_type): for source in self.sources.get(related_type): - response = self.session.get(source) - if response.ok: - name = source.split('/')[-1].split('.')[0] - self.galaxy_clusters[related_type] = {name: response.json()} - else: - LOGGER.info(f'pull_galaxy_cluster failed for source: {source},' - f' got response: {response}, {response.reason}.') + try: + response = GLOBAL_REQUEST_HANDLER.get(source) + name = source.split("/")[-1].split(".")[0] + self.galaxy_clusters.setdefault(related_type, {}).update( + {name: response.json()} + ) + except ConnectionError as error: + LOGGER.warning( + f"pull_galaxy_cluster failed for source: {source}, with error: {error}." + ) def find_galaxy_match(self, indicator: str, related_type: str) -> str: """Searches the clusters of the related_type for a match with the indicator. - :returns the first matching galaxy string or an empty string if no galaxy match is found. + :returns the first matching galaxy string or an empty string if no galaxy match is found. """ self.pull_galaxy_cluster(related_type) - try: - for cluster_name, cluster in self.galaxy_clusters[related_type].items(): - for value in cluster['values']: - try: - if indicator in value['meta']['synonyms'] or indicator in value['value']: - value = value['value'] - return f'misp-galaxy:{cluster_name}="{value}"' - except KeyError: - pass - except KeyError: - pass - return '' + for cluster_name, cluster in self.galaxy_clusters.get(related_type, {}).items(): + for value in cluster["values"]: + if indicator in value.get("meta", {}).get( + "synonyms", "" + ) or indicator in value.get("value", ""): + value = value["value"] + return f'misp-galaxy:{cluster_name}="{value}"' + return "" class RFColors: """Class for setting signature RF-colors.""" + def __init__(self): - self.rf_white = '#CCCCCC' - self.rf_yellow = '#FFCE00' - self.rf_red = '#CF0A2C' + self.rf_white = "#CCCCCC" + self.rf_grey = " #CDCDCD" + self.rf_yellow = "#FFCF00" + self.rf_red = "#D10028" def riskscore_color(self, risk_score: int) -> str: """Returns appropriate hex-colors according to risk score.""" @@ -107,143 +217,277 @@ class RFColors: else: # risk_rule_criticality == 3 or 4 return self.rf_red + def criticality_color(self, criticality) -> str: + mapper = { + "None": self.rf_grey, + "Low": self.rf_grey, + "Unusual": self.rf_grey, + "Informational": self.rf_grey, + "Medium": self.rf_yellow, + "Suspicious": self.rf_yellow, + "High": self.rf_red, + "Critical": self.rf_red, + "Very Critical": self.rf_red, + "Malicious": self.rf_red, + "Very Malicious": self.rf_red, + } + return mapper.get(criticality, self.rf_white) + class RFEnricher: """Class for enriching an attribute with data from Recorded Future. - The enrichment data is returned as a custom MISP object. + The enrichment data is returned as a custom MISP object. """ - def __init__(self, api_token: str, attribute_props: dict): - self.api_token = api_token + + def __init__(self, attribute_props: dict): self.event = MISPEvent() - self.enrichment_object = MISPObject('Recorded Future Enrichment') - self.enrichment_object.from_dict(**{'meta-category': 'misc', - 'description': 'An object containing the enriched attribute and related ' - 'entities from Recorded Future.', - 'distribution': 0}) + self.enrichment_object = MISPObject("Recorded Future Enrichment") + self.enrichment_object.template_uuid = "cbe0ffda-75e5-4c49-833f-093f057652ba" + self.enrichment_object.template_id = "1" + self.enrichment_object.description = "Recorded Future Enrichment" + setattr(self.enrichment_object, 'meta-category', 'network') + description = ( + "An object containing the enriched attribute and " + "related entities from Recorded Future." + ) + self.enrichment_object.from_dict( + **{"meta-category": "misc", "description": description, "distribution": 0} + ) # Create a copy of enriched attribute to add tags to temp_attr = MISPAttribute() temp_attr.from_dict(**attribute_props) self.enriched_attribute = MISPAttribute() - self.enriched_attribute.from_dict(**{'value': temp_attr.value, 'type': temp_attr.type, 'distribution': 0}) + self.enriched_attribute.from_dict( + **{"value": temp_attr.value, "type": temp_attr.type, "distribution": 0} + ) - self.related_attributes = [] + self.related_attributes: List[Tuple[str, MISPAttribute]] = [] self.color_picker = RFColors() self.galaxy_finder = GalaxyFinder() # Mapping from MISP-type to RF-type - self.type_to_rf_category = {'ip': 'ip', 'ip-src': 'ip', 'ip-dst': 'ip', - 'domain': 'domain', 'hostname': 'domain', - 'md5': 'hash', 'sha1': 'hash', 'sha256': 'hash', - 'uri': 'url', 'url': 'url', - 'vulnerability': 'vulnerability', 'weakness': 'vulnerability'} + self.type_to_rf_category = { + "ip": "ip", + "ip-src": "ip", + "ip-dst": "ip", + "ip-src|port": "ip", + "ip-dst|port": "ip", + "domain": "domain", + "hostname": "domain", + "md5": "hash", + "sha1": "hash", + "sha256": "hash", + "uri": "url", + "url": "url", + "vulnerability": "vulnerability", + "weakness": "vulnerability", + } - # Related entities from RF portrayed as related attributes in MISP - self.related_attribute_types = ['RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash', - 'RelatedEmailAddress', 'RelatedCyberVulnerability'] - # Related entities from RF portrayed as tags in MISP - self.galaxy_tag_types = ['RelatedMalware', 'RelatedThreatActor'] + # Related entities have 'Related' as part of the word and Links entities from RF + # portrayed as related attributes in MISP + self.related_attribute_types = [ + "RelatedIpAddress", + "RelatedInternetDomainName", + "RelatedHash", + "RelatedEmailAddress", + "RelatedCyberVulnerability", + "IpAddress", + "InternetDomainName", + "Hash", + "EmailAddress", + "CyberVulnerability", + ] + # Related entities have 'Related' as part of the word and and Links entities from RF portrayed as tags in MISP + self.galaxy_tag_types = [ + "RelatedMalware", + "RelatedThreatActor", + "Threat Actor", + "MitreAttackIdentifier", + "Malware", + ] - def enrich(self): + def enrich(self) -> None: """Run the enrichment.""" - category = self.type_to_rf_category.get(self.enriched_attribute.type) - - try: - response = rf_lookup(self.api_token, category, self.enriched_attribute.value) - json_response = json.loads(response.content) - except requests.HTTPError as error: - misperrors['error'] = f'Error when requesting data from Recorded Future. ' \ - f'{error.response} : {error.response.reason}' - raise error + category = self.type_to_rf_category.get(self.enriched_attribute.type, "") + enriched_attribute_value = self.enriched_attribute.value + # If enriched attribute has a port we need to remove that port + # since RF do not support enriching ip addresses with port + if self.enriched_attribute.type in ["ip-src|port", "ip-dst|port"]: + enriched_attribute_value = enriched_attribute_value.split("|")[0] + json_response = GLOBAL_REQUEST_HANDLER.rf_lookup( + category, enriched_attribute_value + ) + response = json.loads(json_response.content) try: # Add risk score and risk rules as tags to the enriched attribute - risk_score = json_response['data']['risk']['score'] + risk_score = response["data"]["risk"]["score"] hex_color = self.color_picker.riskscore_color(risk_score) tag_name = f'recorded-future:risk-score="{risk_score}"' self.add_tag(tag_name, hex_color) - for evidence in json_response['data']['risk']['evidenceDetails']: - risk_rule = evidence['rule'] - criticality = evidence['criticality'] + risk_criticality = response["data"]["risk"]["criticalityLabel"] + hex_color = self.color_picker.criticality_color(risk_criticality) + tag_name = f'recorded-future:criticality="{risk_criticality}"' + self.add_tag(tag_name, hex_color) + + for evidence in response["data"]["risk"]["evidenceDetails"]: + risk_rule = evidence["rule"] + criticality = evidence["criticality"] hex_color = self.color_picker.riskrule_color(criticality) tag_name = f'recorded-future:risk-rule="{risk_rule}"' self.add_tag(tag_name, hex_color) - # Retrieve related entities - for related_entity in json_response['data']['relatedEntities']: - related_type = related_entity['type'] - if related_type in self.related_attribute_types: - # Related entities returned as additional attributes - for related in related_entity['entities']: - if int(related["count"]) > 4: - indicator = related['entity']['name'] - self.add_related_attribute(indicator, related_type) - elif related_type in self.galaxy_tag_types: - # Related entities added as galaxy-tags to the enriched attribute - galaxy_tags = [] - for related in related_entity['entities']: - if int(related["count"]) > 4: - indicator = related['entity']['name'] - galaxy = self.galaxy_finder.find_galaxy_match(indicator, related_type) - # Handle deduplication of galaxy tags - if galaxy and galaxy not in galaxy_tags: - galaxy_tags.append(galaxy) - for galaxy in galaxy_tags: - self.add_tag(galaxy) - except KeyError as error: - misperrors['error'] = 'Unexpected format in Recorded Future api response.' - raise error + links_data = response["data"].get("links", {}).get("hits") + # Check if we have error in links response. If yes, then user do not have right module enabled in token + links_access_error = response["data"].get("links", {}).get("error") + galaxy_tags = [] + if not links_access_error: + for hit in links_data: + for section in hit["sections"]: + for sec_list in section["lists"]: + entity_type = sec_list["type"]["name"] + for entity in sec_list["entities"]: + if entity_type in self.galaxy_tag_types: + galaxy = self.galaxy_finder.find_galaxy_match( + entity["name"], entity_type + ) + if galaxy and galaxy not in galaxy_tags: + galaxy_tags.append(galaxy) + else: + self.add_attribute(entity["name"], entity_type) - def add_related_attribute(self, indicator: str, related_type: str) -> None: - """Helper method for adding an indicator to the related attribute list.""" - out_type = self.get_output_type(related_type, indicator) + else: + # Retrieve related entities + for related_entity in response["data"]["relatedEntities"]: + related_type = related_entity["type"] + if related_type in self.related_attribute_types: + # Related entities returned as additional attributes + for related in related_entity["entities"]: + # filter those entities that have count bigger than 4, to reduce noise + # because there can be a huge list of related entities + if int(related["count"]) > 4: + indicator = related["entity"]["name"] + self.add_attribute(indicator, related_type) + elif related_type in self.galaxy_tag_types: + # Related entities added as galaxy-tags to the enriched attribute + galaxy_tags = [] + for related in related_entity["entities"]: + # filter those entities that have count bigger than 4, to reduce noise + # because there can be a huge list of related entities + if int(related["count"]) > 4: + indicator = related["entity"]["name"] + galaxy = self.galaxy_finder.find_galaxy_match( + indicator, related_type + ) + # Handle deduplication of galaxy tags + if galaxy and galaxy not in galaxy_tags: + galaxy_tags.append(galaxy) + for galaxy in galaxy_tags: + self.add_tag(galaxy) + + except KeyError: + misperrors["error"] = "Unexpected format in Recorded Future api response." + raise + + def add_attribute(self, indicator: str, indicator_type: str) -> None: + """Helper method for adding an indicator to the attribute list.""" + out_type = self.get_output_type(indicator_type, indicator) attribute = MISPAttribute() - attribute.from_dict(**{'value': indicator, 'type': out_type, 'distribution': 0}) - self.related_attributes.append((related_type, attribute)) + attribute.from_dict(**{"value": indicator, "type": out_type, "distribution": 0}) + self.related_attributes.append((indicator_type, attribute)) def add_tag(self, tag_name: str, hex_color: str = None) -> None: """Helper method for adding a tag to the enriched attribute.""" tag = MISPTag() - tag_properties = {'name': tag_name} + tag_properties = {"name": tag_name} if hex_color: - tag_properties['colour'] = hex_color + tag_properties["colour"] = hex_color tag.from_dict(**tag_properties) self.enriched_attribute.add_tag(tag) def get_output_type(self, related_type: str, indicator: str) -> str: """Helper method for translating a Recorded Future related type to a MISP output type.""" - output_type = 'text' - if related_type == 'RelatedIpAddress': - output_type = 'ip-dst' - elif related_type == 'RelatedInternetDomainName': - output_type = 'domain' - elif related_type == 'RelatedHash': + output_type = "text" + if related_type in ["RelatedIpAddress", "IpAddress"]: + output_type = "ip-dst" + elif related_type in ["RelatedInternetDomainName", "InternetDomainName"]: + output_type = "domain" + elif related_type in ["RelatedHash", "Hash"]: hash_len = len(indicator) if hash_len == 64: - output_type = 'sha256' + output_type = "sha256" elif hash_len == 40: - output_type = 'sha1' + output_type = "sha1" elif hash_len == 32: - output_type = 'md5' - elif related_type == 'RelatedEmailAddress': - output_type = 'email-src' - elif related_type == 'RelatedCyberVulnerability': - signature = indicator.split('-')[0] - if signature == 'CVE': - output_type = 'vulnerability' - elif signature == 'CWE': - output_type = 'weakness' + output_type = "md5" + elif related_type in ["RelatedEmailAddress", "EmailAddress"]: + output_type = "email-src" + elif related_type in ["RelatedCyberVulnerability", "CyberVulnerability"]: + signature = indicator.split("-")[0] + if signature == "CVE": + output_type = "vulnerability" + elif signature == "CWE": + output_type = "weakness" + elif related_type == "MalwareSignature": + output_type = "malware-sample" + elif related_type == "Organization": + output_type = "target-org" + elif related_type == "Username": + output_type = "target-user" return output_type def get_results(self) -> dict: """Build and return the enrichment results.""" - self.enrichment_object.add_attribute('Enriched attribute', **self.enriched_attribute) + self.enrichment_object.add_attribute( + "Enriched attribute", **self.enriched_attribute + ) for related_type, attribute in self.related_attributes: self.enrichment_object.add_attribute(related_type, **attribute) self.event.add_object(**self.enrichment_object) event = json.loads(self.event.to_json()) - result = {key: event[key] for key in ['Object'] if key in event} - return {'results': result} + result = {key: event[key] for key in ["Object"] if key in event} + return {"results": result} + + +def get_proxy_settings(config: dict) -> Optional[Dict[str, str]]: + """Returns proxy settings in the requests format. + If no proxy settings are set, return None.""" + proxies = None + host = config.get("proxy_host") + port = config.get("proxy_port") + username = config.get("proxy_username") + password = config.get("proxy_password") + + if host: + if not port: + misperrors["error"] = ( + "The recordedfuture_proxy_host config is set, " + "please also set the recordedfuture_proxy_port." + ) + raise KeyError + parsed = urlparse(host) + if "http" in parsed.scheme: + scheme = "http" + else: + scheme = parsed.scheme + netloc = parsed.netloc + host = f"{netloc}:{port}" + + if username: + if not password: + misperrors["error"] = ( + "The recordedfuture_proxy_username config is set, " + "please also set the recordedfuture_proxy_password." + ) + raise KeyError + auth = f"{username}:{password}" + host = auth + "@" + host + + proxies = {"http": f"{scheme}://{host}", "https": f"{scheme}://{host}"} + + LOGGER.info(f"Proxy settings: {proxies}") + return proxies def handler(q=False): @@ -252,17 +496,30 @@ def handler(q=False): return False request = json.loads(q) - if request.get('config') and request['config'].get('token'): - token = request['config'].get('token') + config = request.get("config") + if config and config.get("token"): + GLOBAL_REQUEST_HANDLER.rf_token = config.get("token") else: - misperrors['error'] = 'Missing Recorded Future token.' + misperrors["error"] = "Missing Recorded Future token." + return misperrors + if not request.get("attribute") or not check_input_attribute( + request["attribute"], requirements=("type", "value") + ): + return {"error": f"{standard_error_message}, {checking_error}."} + if request["attribute"]["type"] not in mispattributes["input"]: + return {"error": "Unsupported attribute type."} + + try: + GLOBAL_REQUEST_HANDLER.proxies = get_proxy_settings(config) + except KeyError: return misperrors - input_attribute = request.get('attribute') - rf_enricher = RFEnricher(token, input_attribute) + input_attribute = request.get("attribute") + rf_enricher = RFEnricher(input_attribute) + try: rf_enricher.enrich() - except (requests.HTTPError, KeyError): + except (HTTPError, ConnectTimeout, ProxyError, InvalidURL, KeyError): return misperrors return rf_enricher.get_results() @@ -276,5 +533,5 @@ def introspection(): def version(): """Returns a dict with the version and the associated meta-data including potential configurations required of the module.""" - moduleinfo['config'] = moduleconfig + moduleinfo["config"] = moduleconfig return moduleinfo diff --git a/misp_modules/modules/expansion/shodan.py b/misp_modules/modules/expansion/shodan.py index 5a4b792..2ea9749 100755 --- a/misp_modules/modules/expansion/shodan.py +++ b/misp_modules/modules/expansion/shodan.py @@ -5,38 +5,224 @@ try: import shodan except ImportError: print("shodan module not installed.") +from . import check_input_attribute, standard_error_message +from datetime import datetime +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} -mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['freetext']} -moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', +mispattributes = {'input': ['ip-src', 'ip-dst'], + 'format': 'misp_standard'} +moduleinfo = {'version': '0.2', 'author': 'Raphaël Vinot', 'description': 'Query on Shodan', 'module-type': ['expansion']} moduleconfig = ['apikey'] +class ShodanParser(): + def __init__(self, attribute): + self.misp_event = MISPEvent() + self.attribute = MISPAttribute() + self.attribute.from_dict(**attribute) + self.misp_event.add_attribute(**self.attribute) + self.ip_address_mapping = { + 'asn': {'type': 'AS', 'object_relation': 'asn'}, + 'city': {'type': 'text', 'object_relation': 'city'}, + 'country_code': {'type': 'text', 'object_relation': 'country-code'}, + 'country_name': {'type': 'text', 'object_relation': 'country'}, + 'isp': {'type': 'text', 'object_relation': 'ISP'}, + 'latitude': {'type': 'float', 'object_relation': 'latitude'}, + 'longitude': {'type': 'float', 'object_relation': 'longitude'}, + 'org': {'type': 'text', 'object_relation': 'organization'}, + 'postal_code': {'type': 'text', 'object_relation': 'zipcode'}, + 'region_code': {'type': 'text', 'object_relation': 'region-code'} + } + self.ip_port_mapping = { + 'domains': {'type': 'domain', 'object_relation': 'domain'}, + 'hostnames': {'type': 'hostname', 'object_relation': 'hostname'} + } + self.vulnerability_mapping = { + 'cvss': {'type': 'float', 'object_relation': 'cvss-score'}, + 'summary': {'type': 'text', 'object_relation': 'summary'} + } + self.x509_mapping = { + 'bits': {'type': 'text', 'object_relation': 'pubkey-info-size'}, + 'expires': {'type': 'datetime', 'object_relation': 'validity-not-after'}, + 'issued': {'type': 'datetime', 'object_relation': 'validity-not-before'}, + 'issuer': {'type': 'text', 'object_relation': 'issuer'}, + 'serial': {'type': 'text', 'object_relation': 'serial-number'}, + 'sig_alg': {'type': 'text', 'object_relation': 'signature_algorithm'}, + 'subject': {'type': 'text', 'object_relation': 'subject'}, + 'type': {'type': 'text', 'object_relation': 'pubkey-info-algorithm'}, + 'version': {'type': 'text', 'object_relation': 'version'} + } + + def query_shodan(self, apikey): + # Query Shodan and get the results in a json blob + api = shodan.Shodan(apikey) + query_results = api.host(self.attribute.value) + + # Parse the information about the IP address used as input + ip_address_attributes = [] + for feature, mapping in self.ip_address_mapping.items(): + if query_results.get(feature): + attribute = {'value': query_results[feature]} + attribute.update(mapping) + ip_address_attributes.append(attribute) + if ip_address_attributes: + ip_address_object = MISPObject('ip-api-address') + for attribute in ip_address_attributes: + ip_address_object.add_attribute(**attribute) + ip_address_object.add_reference(self.attribute.uuid, 'describes') + self.misp_event.add_object(ip_address_object) + + # Parse the hostnames / domains and ports associated with the IP address + if query_results.get('ports'): + ip_port_object = MISPObject('ip-port') + ip_port_object.add_attribute(**self._get_source_attribute()) + feature = self.attribute.type.split('-')[1] + for port in query_results['ports']: + attribute = { + 'type': 'port', + 'object_relation': f'{feature}-port', + 'value': port + } + ip_port_object.add_attribute(**attribute) + for feature, mapping in self.ip_port_mapping.items(): + for value in query_results.get(feature, []): + attribute = {'value': value} + attribute.update(mapping) + ip_port_object.add_attribute(**attribute) + ip_port_object.add_reference(self.attribute.uuid, 'extends') + self.misp_event.add_object(ip_port_object) + else: + if any(query_results.get(feature) for feature in ('domains', 'hostnames')): + domain_ip_object = MISPObject('domain-ip') + domain_ip_object.add_attribute(**self._get_source_attribute()) + for feature in ('domains', 'hostnames'): + for value in query_results[feature]: + attribute = { + 'type': 'domain', + 'object_relation': 'domain', + 'value': value + } + domain_ip_object.add_attribute(**attribute) + domain_ip_object.add_reference(self.attribute.uuid, 'extends') + self.misp_event.add_object(domain_ip_object) + + # Parse data within the "data" field + if query_results.get('vulns'): + vulnerabilities = {} + for data in query_results['data']: + # Parse vulnerabilities + if data.get('vulns'): + for cve, vulnerability in data['vulns'].items(): + if cve not in vulnerabilities: + vulnerabilities[cve] = vulnerability + # Also parse the certificates + if data.get('ssl'): + self._parse_cert(data['ssl']) + for cve, vulnerability in vulnerabilities.items(): + vulnerability_object = MISPObject('vulnerability') + vulnerability_object.add_attribute(**{ + 'type': 'vulnerability', + 'object_relation': 'id', + 'value': cve + }) + for feature, mapping in self.vulnerability_mapping.items(): + if vulnerability.get(feature): + attribute = {'value': vulnerability[feature]} + attribute.update(mapping) + vulnerability_object.add_attribute(**attribute) + if vulnerability.get('references'): + for reference in vulnerability['references']: + vulnerability_object.add_attribute(**{ + 'type': 'link', + 'object_relation': 'references', + 'value': reference + }) + vulnerability_object.add_reference(self.attribute.uuid, 'vulnerability-of') + self.misp_event.add_object(vulnerability_object) + for cve_id in query_results['vulns']: + if cve_id not in vulnerabilities: + attribute = { + 'type': 'vulnerability', + 'value': cve_id + } + self.misp_event.add_attribute(**attribute) + else: + # We have no vulnerability data, we only check if we have + # certificates within the "data" field + for data in query_results['data']: + if data.get('ssl'): + self._parse_cert(data['ssl']['cert']) + + def get_result(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + + # When we want to add the IP address information in objects such as the + # domain-ip or ip-port objects referencing the input IP address attribute + def _get_source_attribute(self): + return { + 'type': self.attribute.type, + 'object_relation': self.attribute.type, + 'value': self.attribute.value + } + + def _parse_cert(self, certificate): + x509_object = MISPObject('x509') + for feature in ('serial', 'sig_alg', 'version'): + if certificate.get(feature): + attribute = {'value': certificate[feature]} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse issuer and subject value + for feature in ('issuer', 'subject'): + if certificate.get(feature): + attribute_value = (f'{identifier}={value}' for identifier, value in certificate[feature].items()) + attribute = {'value': f'/{"/".join(attribute_value)}'} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse datetime attributes + for feature in ('expires', 'issued'): + if certificate.get(feature): + attribute = {'value': datetime.strptime(certificate[feature], '%Y%m%d%H%M%SZ')} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse fingerprints + if certificate.get('fingerprint'): + for hash_type, hash_value in certificate['fingerprint'].items(): + x509_object.add_attribute(**{ + 'type': f'x509-fingerprint-{hash_type}', + 'object_relation': f'x509-fingerprint-{hash_type}', + 'value': hash_value + }) + # Parse public key related info + if certificate.get('pubkey'): + for feature, value in certificate['pubkey'].items(): + attribute = {'value': value} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + x509_object.add_reference(self.attribute.uuid, 'identifies') + self.misp_event.add_object(x509_object) + + def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('ip-src'): - toquery = request['ip-src'] - elif request.get('ip-dst'): - toquery = request['ip-dst'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors - - if not request.get('config') or not request['config'].get('apikey'): - misperrors['error'] = 'Shodan authentication is missing' - return misperrors - api = shodan.Shodan(request['config'].get('apikey')) - - return handle_expansion(api, toquery) - - -def handle_expansion(api, domain): - return {'results': [{'types': mispattributes['output'], 'values': json.dumps(api.host(domain))}]} + if not request.get('config', {}).get('apikey'): + return {'error': 'Shodan authentication is missing'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + shodan_parser = ShodanParser(attribute) + shodan_parser.query_shodan(request['config']['apikey']) + return shodan_parser.get_result() def introspection(): diff --git a/misp_modules/modules/expansion/socialscan.py b/misp_modules/modules/expansion/socialscan.py new file mode 100644 index 0000000..54f58f6 --- /dev/null +++ b/misp_modules/modules/expansion/socialscan.py @@ -0,0 +1,101 @@ +import json +from socialscan.platforms import Platforms +from socialscan.util import sync_execute_queries + +moduleinfo = { + 'version': '1', + 'author': 'Christian Studer', + 'description': 'Module to query several online platforms to look for existing accounts.', + 'module-type': ['hover'] +} +mispattributes = { + 'input': [ + 'github-username', + 'target-user', + 'email', + 'email-src', + 'email-dst', + 'target-email', + 'whois-registrant-email' + ], + 'output': ['text'] +} +moduleconfig = [] + +_PLATFORMS = [ + Platforms.INSTAGRAM, + Platforms.TWITTER, + Platforms.GITHUB, + Platforms.TUMBLR, + Platforms.LASTFM +] +_EMAIL_PLATFORMS = [ + Platforms.PINTEREST, + Platforms.SPOTIFY, + Platforms.FIREFOX +] +_EMAIL_PLATFORMS.extend(_PLATFORMS) +_USERNAME_PLATFORMS = [ + Platforms.SNAPCHAT, + Platforms.GITLAB, + Platforms.REDDIT, + Platforms.YAHOO +] +_USERNAME_PLATFORMS.extend(_PLATFORMS) + + +def parse_results(query_results, feature): + results = [] + for result in query_results: + if not result.success: + results.append(f'Unable to retrieve the {feature} on {result.platform}.') + continue + if not result.valid: + results.append(f'Invalid response from {result.platform}, or invalid {feature}.') + continue + statement = 'No account' if result.available else 'There is an account' + results.append(f'{statement} linked to the {feature} on {result.platform}.') + to_return = [ + { + 'types': mispattributes['output'], + 'values': result + } for result in results + ] + return {'results': to_return} + + +def parse_email(email): + results = sync_execute_queries([email], platforms=_EMAIL_PLATFORMS) + return parse_results(results, 'email address') + + +def parse_username(username, platforms=_USERNAME_PLATFORMS): + results = sync_execute_queries([username], platforms=platforms) + return parse_results(results, 'username') + + +def parse_github_username(username): + return parse_username(username, platforms=[Platforms.GITHUB]) + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if request.get('github-username'): + return parse_github_username(request['github-username']) + if request.get('target-user'): + return parse_username(request['target-user']) + for attribute_type in mispattributes['input'][2:]: + if request.get(attribute_type): + return parse_email(request[attribute_type]) + return {'error': 'Unsupported attributes type'} + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py index 017683a..4d7c413 100644 --- a/misp_modules/modules/expansion/sophoslabs_intelix.py +++ b/misp_modules/modules/expansion/sophoslabs_intelix.py @@ -1,7 +1,8 @@ -from pymisp import MISPEvent, MISPObject import json import requests import base64 +from . import check_input_attribute, checking_error, standard_error_message +from pymisp import MISPEvent, MISPObject from urllib.parse import quote moduleinfo = {'version': '1.0', @@ -105,13 +106,25 @@ def handler(q=False): misperrors['error'] = "Missing client_id or client_secret value for SOPHOSLabs Intelix. \ It's free to sign up here https://aws.amazon.com/marketplace/pp/B07SLZPMCS." return misperrors + to_check = (('type', 'value'), ('type', 'value1')) + if not j.get('attribute') or not any(check_input_attribute(j['attribute'], requirements=check) for check in to_check): + return {'error': f'{standard_error_message}, {checking_error}.'} + attribute = j['attribute'] + if attribute['type'] not in misp_types_in: + return {'error': 'Unsupported attribute type.'} client = SophosLabsApi(j['config']['client_id'], j['config']['client_secret']) - if j['attribute']['type'] == "sha256": - client.hash_lookup(j['attribute']['value1']) - if j['attribute']['type'] in ['ip-dst', 'ip-src', 'ip']: - client.ip_lookup(j["attribute"]["value1"]) - if j['attribute']['type'] in ['uri', 'url', 'domain', 'hostname']: - client.url_lookup(j["attribute"]["value1"]) + mapping = { + 'sha256': 'hash_lookup', + 'ip-dst': 'ip_lookup', + 'ip-src': 'ip_lookup', + 'ip': 'ip_lookup', + 'uri': 'url_lookup', + 'url': 'url_lookup', + 'domain': 'url_lookup', + 'hostname': 'url_lookup' + } + attribute_value = attribute['value'] if 'value' in attribute else attribute['value1'] + getattr(client, mapping[attribute['type']])(attribute_value) return client.get_result() diff --git a/misp_modules/modules/expansion/threatfox.py b/misp_modules/modules/expansion/threatfox.py new file mode 100644 index 0000000..4a89918 --- /dev/null +++ b/misp_modules/modules/expansion/threatfox.py @@ -0,0 +1,63 @@ +# -*- coding: utf-8 -*- +import requests +import json + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']} +moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']} +moduleconfig = [] + +API_URL = "https://threatfox-api.abuse.ch/api/v1/" + + +# copied from +# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py +def confidence_level_to_tag(level: int) -> str: + confidence_tagging = { + 0: 'misp:confidence-level="unconfident"', + 10: 'misp:confidence-level="rarely-confident"', + 37: 'misp:confidence-level="fairly-confident"', + 63: 'misp:confidence-level="usually-confident"', + 90: 'misp:confidence-level="completely-confident"', + } + + confidence_tag = "" + for tag_minvalue, tag in confidence_tagging.items(): + if level >= tag_minvalue: + confidence_tag = tag + return confidence_tag + + +def handler(q=False): + if q is False: + return False + + request = json.loads(q) + ret_val = "" + + for input_type in mispattributes['input']: + if input_type in request: + to_query = request[input_type] + break + else: + misperrors['error'] = "Unsupported attributes type:" + return misperrors + + data = {"query": "search_ioc", "search_term": f"{to_query}"} + response = requests.post(API_URL, data=json.dumps(data)) + if response.status_code == 200: + result = json.loads(response.text) + if(result["query_status"] == "ok"): + confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"]) + ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag]}]} + + return ret_val + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index efe7c53..b7ee2a4 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -1,7 +1,11 @@ import json import pymisp +from base64 import b64encode +from collections import OrderedDict +from . import check_input_attribute, checking_error, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject -from trustar import TruStar +from trustar import TruStar, Indicator +from urllib.parse import quote misperrors = {'error': "Error"} mispattributes = { @@ -33,9 +37,13 @@ class TruSTARParser: 'SHA256': "sha256" } + # Relevant fields from each TruSTAR endpoint + SUMMARY_FIELDS = ["severityLevel", "source", "score", "attributes"] + METADATA_FIELDS = ["sightings", "firstSeen", "lastSeen", "tags"] + REPORT_BASE_URL = "https://station.trustar.co/constellation/reports/{}" - CLIENT_METATAG = "MISP-{}".format(pymisp.__version__) + CLIENT_METATAG = f"MISP-{pymisp.__version__}" def __init__(self, attribute, config): config['enclave_ids'] = config.get('enclave_ids', "").strip().split(',') @@ -51,45 +59,111 @@ class TruSTARParser: """ Returns the MISP Event enriched with TruSTAR indicator summary data. """ - event = json.loads(self.misp_event.to_json()) - results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} - return {'results': results} + try: + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + except Exception as e: + misperrors['error'] += f" -- Encountered issue serializing enrichment data -- {e}" + return misperrors - def generate_trustar_links(self, entity_value): + def generate_trustar_link(self, entity_type, entity_value): """ - Generates links to TruSTAR reports if they exist. + Generates link to TruSTAR report of entity. + :param entity_type: Type of entity. :param entity_value: Value of entity. + :return: Link to indicator report in TruSTAR platform. """ - report_links = list() - trustar_reports = self.ts_client.search_reports(entity_value) - for report in trustar_reports: - report_links.append(self.REPORT_BASE_URL.format(report.id)) + report_id = b64encode(quote(f"{entity_type}|{entity_value}").encode()).decode() - return report_links + return self.REPORT_BASE_URL.format(report_id) - def parse_indicator_summary(self, summaries): + @staticmethod + def extract_tags(enrichment_report): """ - Converts a response from the TruSTAR /1.3/indicators/summaries endpoint - a MISP trustar_report object and adds the summary data and links as attributes. + Extracts tags from the enrichment report in order to add them + to the TruSTAR MISP Object. Removes tags from report to avoid + redundancy. - :param summaries: A TruSTAR Python SDK Page.generator object for generating - indicator summaries pages. + :param: Enrichment data. + :return: List of tags. + """ + if enrichment_report and enrichment_report.get('tags'): + return [tag.get('name') for tag in enrichment_report.pop('tags')] + return None + + def generate_enrichment_report(self, summary, metadata): + """ + Extracts desired fields from summary and metadata reports and + generates an enrichment report. + + :param summary: Indicator summary report. + :param metadata: Indicator metadata report. + :return: Enrichment report. + """ + # Preserve order of fields as they exist in SUMMARY_FIELDS and METADATA_FIELDS + enrichment_report = OrderedDict() + + if summary: + summary_dict = summary.to_dict() + enrichment_report.update( + {field: summary_dict[field] for field in self.SUMMARY_FIELDS if summary_dict.get(field)}) + + if metadata: + metadata_dict = metadata.to_dict() + enrichment_report.update( + {field: metadata_dict[field] for field in self.METADATA_FIELDS if metadata_dict.get(field)}) + + return enrichment_report + + def parse_indicator_summary(self, indicator, summary, metadata): + """ + Pulls enrichment data from the TruSTAR /indicators/summaries and /indicators/metadata endpoints + and creates a MISP trustar_report. + + :param indicator: Value of the attribute + :summary: Indicator summary response object. + :metadata: Indicator response object. """ - for summary in summaries: - trustar_obj = MISPObject('trustar_report') + # Verify that the indicator type is supported by TruSTAR + if summary and summary.indicator_type in self.ENTITY_TYPE_MAPPINGS: indicator_type = summary.indicator_type - indicator_value = summary.value - if indicator_type in self.ENTITY_TYPE_MAPPINGS: + elif metadata and metadata.type in self.ENTITY_TYPE_MAPPINGS: + indicator_type = metadata.type + else: + misperrors['error'] += " -- Attribute not found or not supported" + raise Exception + + try: + # Extract most relevant fields from indicator summary and metadata responses + enrichment_report = self.generate_enrichment_report(summary, metadata) + tags = self.extract_tags(enrichment_report) + + if enrichment_report: + # Create MISP trustar_report object and populate it with enrichment data + trustar_obj = MISPObject('trustar_report') trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], - value=indicator_value) + value=indicator) trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", - value=json.dumps(summary.to_dict(), sort_keys=True, indent=4)) - report_links = self.generate_trustar_links(indicator_value) - for link in report_links: - trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=link) + value=json.dumps(enrichment_report, indent=4)) + + report_link = self.generate_trustar_link(indicator_type, indicator) + trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) + self.misp_event.add_object(**trustar_obj) + elif not tags: + # If enrichment report is empty and there are no tags, nothing to add to attribute + raise Exception("No relevant data found") + + if tags: + for tag in tags: + self.misp_event.add_attribute_tag(tag, indicator) + + except Exception as e: + misperrors['error'] += f" -- Error enriching attribute {indicator} -- {e}" + raise e def handler(q=False): @@ -110,17 +184,35 @@ def handler(q=False): misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment." return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error}.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} trustar_parser = TruSTARParser(attribute, config) + metadata = None + summary = None try: - summaries = list( - trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE)) + metadata = trustar_parser.ts_client.get_indicators_metadata([Indicator(value=attribute['value'])])[0] + except IndexError: + misperrors['error'] += f" -- No metadata found for indicator {attribute['value']}" except Exception as e: - misperrors['error'] = "Unable to retrieve TruSTAR summary data: {}".format(e) + misperrors['error'] += f" -- Could not retrieve indicator metadata from TruSTAR {e}" + + try: + summary = list( + trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE))[0] + except IndexError: + misperrors['error'] += f" -- No summary data found for indicator {attribute['value']}" + except Exception as e: + misperrors['error'] += f" -- Unable to retrieve TruSTAR summary data: {e}" + + try: + trustar_parser.parse_indicator_summary(attribute['value'], summary, metadata) + except Exception: return misperrors - trustar_parser.parse_indicator_summary(summaries) return trustar_parser.get_results() diff --git a/misp_modules/modules/expansion/urlhaus.py b/misp_modules/modules/expansion/urlhaus.py index baaaaf6..ed13b77 100644 --- a/misp_modules/modules/expansion/urlhaus.py +++ b/misp_modules/modules/expansion/urlhaus.py @@ -1,6 +1,8 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject +# -*- coding: utf-8 -*- import json import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['domain', 'hostname', 'ip-src', 'ip-dst', 'md5', 'sha256', 'url'], @@ -134,7 +136,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} urlhaus_parser = _misp_type_mapping[attribute['type']](attribute) return urlhaus_parser.query_api() diff --git a/misp_modules/modules/expansion/variotdbs.py b/misp_modules/modules/expansion/variotdbs.py new file mode 100644 index 0000000..6dc8880 --- /dev/null +++ b/misp_modules/modules/expansion/variotdbs.py @@ -0,0 +1,216 @@ +import json +import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'} +moduleinfo = {'version': '1', 'author': 'Christian Studer', + 'description': 'An expansion module to query variotdbs.pl', + 'module-type': ['expansion', 'hover']} +moduleconfig = ['API_key'] +variotdbs_url = 'https://www.variotdbs.pl/api' + + +class VariotdbsParser: + def __init__(self, attribute): + misp_attribute = MISPAttribute() + misp_attribute.from_dict(**attribute) + misp_event = MISPEvent() + misp_event.add_attribute(**misp_attribute) + self.__misp_attribute = misp_attribute + self.__misp_event = misp_event + self.__exploit_mapping = { + 'credits': 'credit', + 'description': 'description', + 'exploit': 'exploit', + 'title': 'title' + } + self.__exploit_multiple_mapping = { + 'cve': { + 'feature': 'cve_id', + 'relation': 'cve-id' + }, + 'references': { + 'feature': 'url', + 'relation': 'reference' + } + } + self.__vulnerability_data_mapping = { + 'credits': 'credit', + 'description': 'description', + 'title': 'summary' + } + self.__vulnerability_flat_mapping = { + 'cve': 'id', 'id': 'id' + } + + @property + def exploit_mapping(self) -> dict: + return self.__exploit_mapping + + @property + def exploit_multiple_mapping(self) -> dict: + return self.__exploit_multiple_mapping + + @property + def misp_attribute(self) -> MISPAttribute: + return self.__misp_attribute + + @property + def misp_event(self) -> MISPEvent: + return self.__misp_event + + @property + def vulnerability_data_mapping(self) -> dict: + return self.__vulnerability_data_mapping + + @property + def vulnerability_flat_mapping(self) -> dict: + return self.__vulnerability_flat_mapping + + def get_results(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)} + return {'results': results} + + def parse_exploit_information(self, query_results): + for exploit in query_results: + exploit_object = MISPObject('exploit') + exploit_object.add_attribute('exploitdb-id', exploit['edb_id']) + for feature, relation in self.exploit_mapping.items(): + if exploit.get(feature): + exploit_object.add_attribute( + relation, + exploit[feature]['data'] + ) + for feature, relation in self.exploit_multiple_mapping.items(): + if exploit.get(feature): + for value in exploit[feature]['data']: + exploit_object.add_attribute( + relation['relation'], + value[relation['feature']] + ) + exploit_object.add_reference(self.misp_attribute.uuid, 'related-to') + self.misp_event.add_object(exploit_object) + + def parse_vulnerability_information(self, query_results): + vulnerability_object = MISPObject('vulnerability') + for feature, relation in self.vulnerability_flat_mapping.items(): + if query_results.get(feature): + vulnerability_object.add_attribute( + relation, + query_results[feature] + ) + for feature, relation in self.vulnerability_data_mapping.items(): + if query_results.get(feature, {}).get('data'): + vulnerability_object.add_attribute( + relation, + query_results[feature]['data'] + ) + if query_results.get('configurations', {}).get('data'): + for configuration in query_results['configurations']['data']: + for node in configuration['nodes']: + for cpe_match in node['cpe_match']: + if cpe_match['vulnerable']: + vulnerability_object.add_attribute( + 'vulnerable-configuration', + cpe_match['cpe23Uri'] + ) + if query_results.get('cvss', {}).get('data'): + cvss = {} + for cvss_data in query_results['cvss']['data']: + for cvss_v3 in cvss_data['cvssV3']: + cvss[float(cvss_v3['trust'])] = cvss_v3 + if cvss: + cvss = cvss[max(cvss)] + vulnerability_object.add_attribute( + 'cvss-score', + cvss['baseScore'] + ) + vulnerability_object.add_attribute( + 'cvss-string', + cvss['vectorString'] + ) + if query_results.get('references', {}).get('data'): + for reference in query_results['references']['data']: + vulnerability_object.add_attribute( + 'references', + reference['url'] + ) + if query_results.get('sources_release_date', {}).get('data'): + for release_date in query_results['sources_release_date']['data']: + if release_date['db'] != 'NVD': + continue + if release_date['id'] == self.misp_attribute.value: + vulnerability_object.add_attribute( + 'published', + release_date['date'] + ) + break + if query_results.get('sources_update_date', {}).get('data'): + for update_date in query_results['sources_update_date']['data']: + if update_date['db'] != 'NVD': + continue + if update_date['id'] == self.misp_attribute.value: + vulnerability_object.add_attribute( + 'modified', + update_date['date'] + ) + break + vulnerability_object.add_reference(self.misp_attribute.uuid, 'related-to') + self.misp_event.add_object(vulnerability_object) + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute.get('type') != 'vulnerability': + return {'error': 'Vulnerability id missing.'} + headers = {'Content-Type': 'application/json'} + if request.get('config', {}).get('API_key'): + headers['Authorization'] = f"Token {request['config']['API_key']}" + empty = True + parser = VariotdbsParser(attribute) + r = requests.get(f"{variotdbs_url}/vuln/{attribute['value']}/", headers=headers) + if r.status_code == 200: + vulnerability_results = r.json() + if vulnerability_results: + parser.parse_vulnerability_information(vulnerability_results) + empty = False + else: + if r.reason != 'Not Found': + return {'error': 'Error while querying the variotdbs API.'} + r = requests.get(f"{variotdbs_url}/exploits/?cve={attribute['value']}", headers=headers) + if r.status_code == 200: + exploit_results = r.json() + if exploit_results: + parser.parse_exploit_information(exploit_results['results']) + empty = False + if exploit_results['next'] is not None: + while(1): + exploit_results = requests.get(exploit_results['next'], headers=headers) + if exploit_results.status_code != 200: + break + exploit_results = exploit_results.json() + parser.parse_exploit_information(exploit_results['results']) + if exploit_results['next'] is None: + break + else: + return {'error': 'Error while querying the variotdbs API.'} + if empty: + return {'error': 'Empty results'} + return parser.get_results() + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py index b09de81..2d9e714 100644 --- a/misp_modules/modules/expansion/virustotal.py +++ b/misp_modules/modules/expansion/virustotal.py @@ -1,185 +1,254 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject import json -import requests +from urllib.parse import urlparse +import vt +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"], 'format': 'misp_standard'} # possible module-types: 'expansion', 'hover' or both -moduleinfo = {'version': '4', 'author': 'Hannah Ward', - 'description': 'Get information from VirusTotal', +moduleinfo = {'version': '5', 'author': 'Hannah Ward', + 'description': 'Enrich observables with the VirusTotal v3 API', 'module-type': ['expansion']} # config fields that your code expects from the site admin -moduleconfig = ["apikey", "event_limit"] +moduleconfig = ["apikey", "event_limit", 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password'] -class VirusTotalParser(object): - def __init__(self, apikey, limit): - self.apikey = apikey - self.limit = limit - self.base_url = "https://www.virustotal.com/vtapi/v2/{}/report" +DEFAULT_RESULTS_LIMIT = 10 + + +class VirusTotalParser: + def __init__(self, client: vt.Client, limit: int) -> None: + self.client = client + self.limit = limit or DEFAULT_RESULTS_LIMIT self.misp_event = MISPEvent() + self.attribute = MISPAttribute() self.parsed_objects = {} self.input_types_mapping = {'ip-src': self.parse_ip, 'ip-dst': self.parse_ip, 'domain': self.parse_domain, 'hostname': self.parse_domain, 'md5': self.parse_hash, 'sha1': self.parse_hash, 'sha256': self.parse_hash, 'url': self.parse_url} + self.proxies = None - def query_api(self, attribute): - self.attribute = MISPAttribute() + @staticmethod + def get_total_analysis(analysis: dict, known_distributors: dict = None) -> int: + if not analysis: + return 0 + count = sum([analysis['undetected'], analysis['suspicious'], analysis['harmless']]) + return count if known_distributors else count + analysis['malicious'] + + def query_api(self, attribute: dict) -> None: self.attribute.from_dict(**attribute) - return self.input_types_mapping[self.attribute.type](self.attribute.value, recurse=True) + self.input_types_mapping[self.attribute.type](self.attribute.value) - def get_result(self): + def get_result(self) -> dict: event = json.loads(self.misp_event.to_json()) results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} return {'results': results} + def add_vt_report(self, report: vt.Object) -> str: + analysis = report.get('last_analysis_stats') + total = self.get_total_analysis(analysis, report.get('known_distributors')) + permalink = f'https://www.virustotal.com/gui/{report.type}/{report.id}' + + vt_object = MISPObject('virustotal-report') + vt_object.add_attribute('permalink', type='link', value=permalink) + detection_ratio = f"{analysis['malicious']}/{total}" if analysis else '-/-' + vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio, disable_correlation=True) + self.misp_event.add_object(**vt_object) + return vt_object.uuid + + def create_misp_object(self, report: vt.Object) -> MISPObject: + misp_object = None + vt_uuid = self.add_vt_report(report) + + if report.type == 'file': + misp_object = MISPObject('file') + for hash_type in ('md5', 'sha1', 'sha256', 'tlsh', + 'vhash', 'ssdeep', 'imphash'): + misp_object.add_attribute(hash_type, + **{'type': hash_type, + 'value': report.get(hash_type)}) + elif report.type == 'domain': + misp_object = MISPObject('domain-ip') + misp_object.add_attribute('domain', type='domain', value=report.id) + elif report.type == 'ip_address': + misp_object = MISPObject('domain-ip') + misp_object.add_attribute('ip', type='ip-dst', value=report.id) + elif report.type == 'url': + misp_object = MISPObject('url') + misp_object.add_attribute('url', type='url', value=report.url) + misp_object.add_reference(vt_uuid, 'analyzed-with') + return misp_object + ################################################################################ #### Main parsing functions #### # noqa ################################################################################ - def parse_domain(self, domain, recurse=False): - req = requests.get(self.base_url.format('domain'), params={'apikey': self.apikey, 'domain': domain}) - if req.status_code != 200: - return req.status_code - req = req.json() - hash_type = 'sha256' - whois = 'whois' - feature_types = {'communicating': 'communicates-with', - 'downloaded': 'downloaded-from', - 'referrer': 'referring'} - siblings = (self.parse_siblings(domain) for domain in req['domain_siblings']) - uuid = self.parse_resolutions(req['resolutions'], req['subdomains'] if 'subdomains' in req else None, siblings) - for feature_type, relationship in feature_types.items(): - for feature in ('undetected_{}_samples', 'detected_{}_samples'): - for sample in req.get(feature.format(feature_type), [])[:self.limit]: - status_code = self.parse_hash(sample[hash_type], False, uuid, relationship) - if status_code != 200: - return status_code - if req.get(whois): - whois_object = MISPObject(whois) - whois_object.add_attribute('text', type='text', value=req[whois]) + def parse_domain(self, domain: str) -> str: + domain_report = self.client.get_object(f'/domains/{domain}') + + # DOMAIN + domain_object = self.create_misp_object(domain_report) + + # WHOIS + if domain_report.whois: + whois_object = MISPObject('whois') + whois_object.add_attribute('text', type='text', value=domain_report.whois) self.misp_event.add_object(**whois_object) - return self.parse_related_urls(req, recurse, uuid) - def parse_hash(self, sample, recurse=False, uuid=None, relationship=None): - req = requests.get(self.base_url.format('file'), params={'apikey': self.apikey, 'resource': sample}) - status_code = req.status_code - if req.status_code == 200: - req = req.json() - vt_uuid = self.parse_vt_object(req) - file_attributes = [] - for hash_type in ('md5', 'sha1', 'sha256'): - if req.get(hash_type): - file_attributes.append({'type': hash_type, 'object_relation': hash_type, - 'value': req[hash_type]}) - if file_attributes: - file_object = MISPObject('file') - for attribute in file_attributes: - file_object.add_attribute(**attribute) - file_object.add_reference(vt_uuid, 'analyzed-with') - if uuid and relationship: - file_object.add_reference(uuid, relationship) + # SIBLINGS AND SUBDOMAINS + for relationship_name, misp_name in [('siblings', 'sibling-of'), ('subdomains', 'subdomain')]: + rel_iterator = self.client.iterator(f'/domains/{domain_report.id}/{relationship_name}', limit=self.limit) + for item in rel_iterator: + attr = MISPAttribute() + attr.from_dict(**dict(type='domain', value=item.id)) + self.misp_event.add_attribute(**attr) + domain_object.add_reference(attr.uuid, misp_name) + + # RESOLUTIONS + resolutions_iterator = self.client.iterator(f'/domains/{domain_report.id}/resolutions', limit=self.limit) + for resolution in resolutions_iterator: + domain_object.add_attribute('ip', type='ip-dst', value=resolution.ip_address) + + # COMMUNICATING, DOWNLOADED AND REFERRER FILES + for relationship_name, misp_name in [ + ('communicating_files', 'communicates-with'), + ('downloaded_files', 'downloaded-from'), + ('referrer_files', 'referring') + ]: + files_iterator = self.client.iterator(f'/domains/{domain_report.id}/{relationship_name}', limit=self.limit) + for file in files_iterator: + file_object = self.create_misp_object(file) + file_object.add_reference(domain_object.uuid, misp_name) self.misp_event.add_object(**file_object) - return status_code - def parse_ip(self, ip, recurse=False): - req = requests.get(self.base_url.format('ip-address'), params={'apikey': self.apikey, 'ip': ip}) - if req.status_code != 200: - return req.status_code - req = req.json() - if req.get('asn'): - asn_mapping = {'network': ('ip-src', 'subnet-announced'), - 'country': ('text', 'country')} - asn_object = MISPObject('asn') - asn_object.add_attribute('asn', type='AS', value=req['asn']) - for key, value in asn_mapping.items(): - if req.get(key): - attribute_type, relation = value - asn_object.add_attribute(relation, type=attribute_type, value=req[key]) - self.misp_event.add_object(**asn_object) - uuid = self.parse_resolutions(req['resolutions']) if req.get('resolutions') else None - return self.parse_related_urls(req, recurse, uuid) + # URLS + urls_iterator = self.client.iterator(f'/domains/{domain_report.id}/urls', limit=self.limit) + for url in urls_iterator: + url_object = self.create_misp_object(url) + url_object.add_reference(domain_object.uuid, 'hosted-in') + self.misp_event.add_object(**url_object) - def parse_url(self, url, recurse=False, uuid=None): - req = requests.get(self.base_url.format('url'), params={'apikey': self.apikey, 'resource': url}) - status_code = req.status_code - if req.status_code == 200: - req = req.json() - vt_uuid = self.parse_vt_object(req) - if not recurse: - feature = 'url' - url_object = MISPObject(feature) - url_object.add_attribute(feature, type=feature, value=url) - url_object.add_reference(vt_uuid, 'analyzed-with') - if uuid: - url_object.add_reference(uuid, 'hosted-in') - self.misp_event.add_object(**url_object) - return status_code + self.misp_event.add_object(**domain_object) + return domain_object.uuid - ################################################################################ - #### Additional parsing functions #### # noqa - ################################################################################ + def parse_hash(self, file_hash: str) -> str: + file_report = self.client.get_object(f'/files/{file_hash}') + file_object = self.create_misp_object(file_report) - def parse_related_urls(self, query_result, recurse, uuid=None): - if recurse: - for feature in ('detected_urls', 'undetected_urls'): - if feature in query_result: - for url in query_result[feature]: - value = url['url'] if isinstance(url, dict) else url[0] - status_code = self.parse_url(value, False, uuid) - if status_code != 200: - return status_code + # ITW URLS + urls_iterator = self.client.iterator(f'/files/{file_report.id}/itw_urls', limit=self.limit) + for url in urls_iterator: + url_object = self.create_misp_object(url) + url_object.add_reference(file_object.uuid, 'downloaded') + self.misp_event.add_object(**url_object) + + # COMMUNICATING, DOWNLOADED AND REFERRER FILES + for relationship_name, misp_name in [ + ('contacted_urls', 'communicates-with'), + ('contacted_domains', 'communicates-with'), + ('contacted_ips', 'communicates-with') + ]: + files_iterator = self.client.iterator(f'/files/{file_report.id}/{relationship_name}', limit=self.limit) + for file in files_iterator: + file_object = self.create_misp_object(file) + file_object.add_reference(file_object.uuid, misp_name) + self.misp_event.add_object(**file_object) + + self.misp_event.add_object(**file_object) + return file_object.uuid + + def parse_ip(self, ip: str) -> str: + ip_report = self.client.get_object(f'/ip_addresses/{ip}') + + # IP + ip_object = self.create_misp_object(ip_report) + + # ASN + asn_object = MISPObject('asn') + asn_object.add_attribute('asn', type='AS', value=ip_report.asn) + asn_object.add_attribute('subnet-announced', type='ip-src', value=ip_report.network) + asn_object.add_attribute('country', type='text', value=ip_report.country) + self.misp_event.add_object(**asn_object) + + # RESOLUTIONS + resolutions_iterator = self.client.iterator(f'/ip_addresses/{ip_report.id}/resolutions', limit=self.limit) + for resolution in resolutions_iterator: + ip_object.add_attribute('domain', type='domain', value=resolution.host_name) + + # URLS + urls_iterator = self.client.iterator(f'/ip_addresses/{ip_report.id}/urls', limit=self.limit) + for url in urls_iterator: + url_object = self.create_misp_object(url) + url_object.add_reference(ip_object.uuid, 'hosted-in') + self.misp_event.add_object(**url_object) + + self.misp_event.add_object(**ip_object) + return ip_object.uuid + + def parse_url(self, url: str) -> str: + url_id = vt.url_id(url) + url_report = self.client.get_object(f'/urls/{url_id}') + url_object = self.create_misp_object(url_report) + + # COMMUNICATING, DOWNLOADED AND REFERRER FILES + for relationship_name, misp_name in [ + ('communicating_files', 'communicates-with'), + ('downloaded_files', 'downloaded-from'), + ('referrer_files', 'referring') + ]: + files_iterator = self.client.iterator(f'/urls/{url_report.id}/{relationship_name}', limit=self.limit) + for file in files_iterator: + file_object = self.create_misp_object(file) + file_object.add_reference(url_object.uuid, misp_name) + self.misp_event.add_object(**file_object) + + self.misp_event.add_object(**url_object) + return url_object.uuid + + +def get_proxy_settings(config: dict) -> dict: + """Returns proxy settings in the requests format. + If no proxy settings are set, return None.""" + proxies = None + host = config.get('proxy_host') + port = config.get('proxy_port') + username = config.get('proxy_username') + password = config.get('proxy_password') + + if host: + if not port: + misperrors['error'] = 'The virustotal_proxy_host config is set, ' \ + 'please also set the virustotal_proxy_port.' + raise KeyError + parsed = urlparse(host) + if 'http' in parsed.scheme: + scheme = 'http' else: - for feature in ('detected_urls', 'undetected_urls'): - if feature in query_result: - for url in query_result[feature]: - value = url['url'] if isinstance(url, dict) else url[0] - self.misp_event.add_attribute('url', value) - return 200 + scheme = parsed.scheme + netloc = parsed.netloc + host = f'{netloc}:{port}' - def parse_resolutions(self, resolutions, subdomains=None, uuids=None): - domain_ip_object = MISPObject('domain-ip') - if self.attribute.type == 'domain': - domain_ip_object.add_attribute('domain', type='domain', value=self.attribute.value) - attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address') - else: - domain_ip_object.add_attribute('ip', type='ip-dst', value=self.attribute.value) - attribute_type, relation, key = ('domain', 'domain', 'hostname') - for resolution in resolutions: - domain_ip_object.add_attribute(relation, type=attribute_type, value=resolution[key]) - if subdomains: - for subdomain in subdomains: - attribute = MISPAttribute() - attribute.from_dict(**dict(type='domain', value=subdomain)) - self.misp_event.add_attribute(**attribute) - domain_ip_object.add_reference(attribute.uuid, 'subdomain') - if uuids: - for uuid in uuids: - domain_ip_object.add_reference(uuid, 'sibling-of') - self.misp_event.add_object(**domain_ip_object) - return domain_ip_object.uuid + if username: + if not password: + misperrors['error'] = 'The virustotal_proxy_username config is set, ' \ + 'please also set the virustotal_proxy_password.' + raise KeyError + auth = f'{username}:{password}' + host = auth + '@' + host - def parse_siblings(self, domain): - attribute = MISPAttribute() - attribute.from_dict(**dict(type='domain', value=domain)) - self.misp_event.add_attribute(**attribute) - return attribute.uuid - - def parse_vt_object(self, query_result): - if query_result['response_code'] == 1: - vt_object = MISPObject('virustotal-report') - vt_object.add_attribute('permalink', type='link', value=query_result['permalink']) - detection_ratio = '{}/{}'.format(query_result['positives'], query_result['total']) - vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio) - self.misp_event.add_object(**vt_object) - return vt_object.uuid + proxies = { + 'http': f'{scheme}://{host}', + 'https': f'{scheme}://{host}' + } + return proxies -def parse_error(status_code): +def parse_error(status_code: int) -> str: status_mapping = {204: 'VirusTotal request rate limit exceeded.', 400: 'Incorrect request, please check the arguments.', 403: 'You don\'t have enough privileges to make the request.'} @@ -193,17 +262,29 @@ def handler(q=False): return False request = json.loads(q) if not request.get('config') or not request['config'].get('apikey'): - misperrors['error'] = "A VirusTotal api key is required for this module." + misperrors['error'] = 'A VirusTotal api key is required for this module.' return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + event_limit = request['config'].get('event_limit') - if not isinstance(event_limit, int): - event_limit = 5 - parser = VirusTotalParser(request['config']['apikey'], event_limit) attribute = request['attribute'] - status = parser.query_api(attribute) - if status != 200: - misperrors['error'] = parse_error(status) + proxy_settings = get_proxy_settings(request.get('config')) + + try: + client = vt.Client(request['config']['apikey'], + headers={ + 'x-tool': 'MISPModuleVirusTotalExpansion', + }, + proxy=proxy_settings['http'] if proxy_settings else None) + parser = VirusTotalParser(client, int(event_limit) if event_limit else None) + parser.query_api(attribute) + except vt.APIError as ex: + misperrors['error'] = ex.message return misperrors + return parser.get_result() diff --git a/misp_modules/modules/expansion/virustotal_public.py b/misp_modules/modules/expansion/virustotal_public.py index e7c2e96..f5bb76b 100644 --- a/misp_modules/modules/expansion/virustotal_public.py +++ b/misp_modules/modules/expansion/virustotal_public.py @@ -1,164 +1,219 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject import json -import requests +import logging +import vt +from . import check_input_attribute, standard_error_message +from urllib.parse import urlparse +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"], 'format': 'misp_standard'} -moduleinfo = {'version': '1', 'author': 'Christian Studer', - 'description': 'Get information from VirusTotal public API v2.', +moduleinfo = {'version': '2', 'author': 'Christian Studer', + 'description': 'Enrich observables with the VirusTotal v3 public API', 'module-type': ['expansion', 'hover']} -moduleconfig = ['apikey'] +moduleconfig = ['apikey', 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password'] + +LOGGER = logging.getLogger('virus_total_public') +LOGGER.setLevel(logging.INFO) -class VirusTotalParser(): - def __init__(self): - super(VirusTotalParser, self).__init__() +DEFAULT_RESULTS_LIMIT = 10 + + +class VirusTotalParser: + def __init__(self, client: vt.Client, limit: int) -> None: + self.client = client + self.limit = limit or DEFAULT_RESULTS_LIMIT self.misp_event = MISPEvent() - - def declare_variables(self, apikey, attribute): self.attribute = MISPAttribute() - self.attribute.from_dict(**attribute) - self.apikey = apikey + self.parsed_objects = {} + self.input_types_mapping = {'ip-src': self.parse_ip, 'ip-dst': self.parse_ip, + 'domain': self.parse_domain, 'hostname': self.parse_domain, + 'md5': self.parse_hash, 'sha1': self.parse_hash, + 'sha256': self.parse_hash, 'url': self.parse_url} + self.proxies = None - def get_result(self): + @staticmethod + def get_total_analysis(analysis: dict, known_distributors: dict = None) -> int: + if not analysis: + return 0 + count = sum([analysis['undetected'], analysis['suspicious'], analysis['harmless']]) + return count if known_distributors else count + analysis['malicious'] + + def query_api(self, attribute: dict) -> None: + self.attribute.from_dict(**attribute) + self.input_types_mapping[self.attribute.type](self.attribute.value) + + def get_result(self) -> dict: event = json.loads(self.misp_event.to_json()) results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} return {'results': results} - def parse_urls(self, query_result): - for feature in ('detected_urls', 'undetected_urls'): - if feature in query_result: - for url in query_result[feature]: - value = url['url'] if isinstance(url, dict) else url[0] - self.misp_event.add_attribute('url', value) + def add_vt_report(self, report: vt.Object) -> str: + analysis = report.get('last_analysis_stats') + total = self.get_total_analysis(analysis, report.get('known_distributors')) + permalink = f'https://www.virustotal.com/gui/{report.type}/{report.id}' - def parse_resolutions(self, resolutions, subdomains=None, uuids=None): - domain_ip_object = MISPObject('domain-ip') - if self.attribute.type == 'domain': - domain_ip_object.add_attribute('domain', type='domain', value=self.attribute.value) - attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address') - else: - domain_ip_object.add_attribute('ip', type='ip-dst', value=self.attribute.value) - attribute_type, relation, key = ('domain', 'domain', 'hostname') - for resolution in resolutions: - domain_ip_object.add_attribute(relation, type=attribute_type, value=resolution[key]) - if subdomains: - for subdomain in subdomains: - attribute = MISPAttribute() - attribute.from_dict(**dict(type='domain', value=subdomain)) - self.misp_event.add_attribute(**attribute) - domain_ip_object.add_reference(attribute.uuid, 'subdomain') - if uuids: - for uuid in uuids: - domain_ip_object.add_reference(uuid, 'sibling-of') - self.misp_event.add_object(**domain_ip_object) + vt_object = MISPObject('virustotal-report') + vt_object.add_attribute('permalink', type='link', value=permalink) + detection_ratio = f"{analysis['malicious']}/{total}" if analysis else '-/-' + vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio, disable_correlation=True) + self.misp_event.add_object(**vt_object) + return vt_object.uuid - def parse_vt_object(self, query_result): - if query_result['response_code'] == 1: - vt_object = MISPObject('virustotal-report') - vt_object.add_attribute('permalink', type='link', value=query_result['permalink']) - detection_ratio = '{}/{}'.format(query_result['positives'], query_result['total']) - vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio) - self.misp_event.add_object(**vt_object) + def create_misp_object(self, report: vt.Object) -> MISPObject: + misp_object = None + vt_uuid = self.add_vt_report(report) + if report.type == 'file': + misp_object = MISPObject('file') + for hash_type in ('md5', 'sha1', 'sha256', 'tlsh', + 'vhash', 'ssdeep', 'imphash'): + misp_object.add_attribute(**{'type': hash_type, + 'object_relation': hash_type, + 'value': report.get(hash_type)}) + elif report.type == 'domain': + misp_object = MISPObject('domain-ip') + misp_object.add_attribute('domain', type='domain', value=report.id) + elif report.type == 'ip_address': + misp_object = MISPObject('domain-ip') + misp_object.add_attribute('ip', type='ip-dst', value=report.id) + elif report.type == 'url': + misp_object = MISPObject('url') + misp_object.add_attribute('url', type='url', value=report.url) + misp_object.add_reference(vt_uuid, 'analyzed-with') + return misp_object - def get_query_result(self, query_type): - params = {query_type: self.attribute.value, 'apikey': self.apikey} - return requests.get(self.base_url, params=params) + ################################################################################ + #### Main parsing functions #### # noqa + ################################################################################ + def parse_domain(self, domain: str) -> str: + domain_report = self.client.get_object(f'/domains/{domain}') -class DomainQuery(VirusTotalParser): - def __init__(self, apikey, attribute): - super(DomainQuery, self).__init__() - self.base_url = "https://www.virustotal.com/vtapi/v2/domain/report" - self.declare_variables(apikey, attribute) + # DOMAIN + domain_object = self.create_misp_object(domain_report) - def parse_report(self, query_result): - hash_type = 'sha256' - whois = 'whois' - for feature_type in ('referrer', 'downloaded', 'communicating'): - for feature in ('undetected_{}_samples', 'detected_{}_samples'): - for sample in query_result.get(feature.format(feature_type), []): - self.misp_event.add_attribute(hash_type, sample[hash_type]) - if query_result.get(whois): - whois_object = MISPObject(whois) - whois_object.add_attribute('text', type='text', value=query_result[whois]) + # WHOIS + if domain_report.whois: + whois_object = MISPObject('whois') + whois_object.add_attribute('text', type='text', value=domain_report.whois) self.misp_event.add_object(**whois_object) - if 'domain_siblings' in query_result: - siblings = (self.parse_siblings(domain) for domain in query_result['domain_siblings']) - if 'subdomains' in query_result: - self.parse_resolutions(query_result['resolutions'], query_result['subdomains'], siblings) - self.parse_urls(query_result) - def parse_siblings(self, domain): - attribute = MISPAttribute() - attribute.from_dict(**dict(type='domain', value=domain)) - self.misp_event.add_attribute(**attribute) - return attribute.uuid + # SIBLINGS AND SUBDOMAINS + for relationship_name, misp_name in [('siblings', 'sibling-of'), ('subdomains', 'subdomain')]: + rel_iterator = self.client.iterator(f'/domains/{domain_report.id}/{relationship_name}', limit=self.limit) + for item in rel_iterator: + attr = MISPAttribute() + attr.from_dict(**dict(type='domain', value=item.id)) + self.misp_event.add_attribute(**attr) + domain_object.add_reference(attr.uuid, misp_name) + + # RESOLUTIONS + resolutions_iterator = self.client.iterator(f'/domains/{domain_report.id}/resolutions', limit=self.limit) + for resolution in resolutions_iterator: + domain_object.add_attribute('ip', type='ip-dst', value=resolution.ip_address) + + # COMMUNICATING AND REFERRER FILES + for relationship_name, misp_name in [ + ('communicating_files', 'communicates-with'), + ('referrer_files', 'referring') + ]: + files_iterator = self.client.iterator(f'/domains/{domain_report.id}/{relationship_name}', limit=self.limit) + for file in files_iterator: + file_object = self.create_misp_object(file) + file_object.add_reference(domain_object.uuid, misp_name) + self.misp_event.add_object(**file_object) + + self.misp_event.add_object(**domain_object) + return domain_object.uuid + + def parse_hash(self, file_hash: str) -> str: + file_report = self.client.get_object(f'/files/{file_hash}') + file_object = self.create_misp_object(file_report) + + # COMMUNICATING, DOWNLOADED AND REFERRER FILES + for relationship_name, misp_name in [ + ('contacted_urls', 'communicates-with'), + ('contacted_domains', 'communicates-with'), + ('contacted_ips', 'communicates-with') + ]: + files_iterator = self.client.iterator(f'/files/{file_report.id}/{relationship_name}', limit=self.limit) + for file in files_iterator: + file_object = self.create_misp_object(file) + file_object.add_reference(file_object.uuid, misp_name) + self.misp_event.add_object(**file_object) + + self.misp_event.add_object(**file_object) + return file_object.uuid + + def parse_ip(self, ip: str) -> str: + ip_report = self.client.get_object(f'/ip_addresses/{ip}') + + # IP + ip_object = self.create_misp_object(ip_report) + + # ASN + asn_object = MISPObject('asn') + asn_object.add_attribute('asn', type='AS', value=ip_report.asn) + asn_object.add_attribute('subnet-announced', type='ip-src', value=ip_report.network) + asn_object.add_attribute('country', type='text', value=ip_report.country) + self.misp_event.add_object(**asn_object) + + # RESOLUTIONS + resolutions_iterator = self.client.iterator(f'/ip_addresses/{ip_report.id}/resolutions', limit=self.limit) + for resolution in resolutions_iterator: + ip_object.add_attribute('domain', type='domain', value=resolution.host_name) + + self.misp_event.add_object(**ip_object) + return ip_object.uuid + + def parse_url(self, url: str) -> str: + url_id = vt.url_id(url) + url_report = self.client.get_object(f'/urls/{url_id}') + url_object = self.create_misp_object(url_report) + self.misp_event.add_object(**url_object) + return url_object.uuid -class HashQuery(VirusTotalParser): - def __init__(self, apikey, attribute): - super(HashQuery, self).__init__() - self.base_url = "https://www.virustotal.com/vtapi/v2/file/report" - self.declare_variables(apikey, attribute) +def get_proxy_settings(config: dict) -> dict: + """Returns proxy settings in the requests format. + If no proxy settings are set, return None.""" + proxies = None + host = config.get('proxy_host') + port = config.get('proxy_port') + username = config.get('proxy_username') + password = config.get('proxy_password') - def parse_report(self, query_result): - file_attributes = [] - for hash_type in ('md5', 'sha1', 'sha256'): - if query_result.get(hash_type): - file_attributes.append({'type': hash_type, 'object_relation': hash_type, - 'value': query_result[hash_type]}) - if file_attributes: - file_object = MISPObject('file') - for attribute in file_attributes: - file_object.add_attribute(**attribute) - self.misp_event.add_object(**file_object) - self.parse_vt_object(query_result) + if host: + if not port: + misperrors['error'] = 'The virustotal_proxy_host config is set, ' \ + 'please also set the virustotal_proxy_port.' + raise KeyError + parsed = urlparse(host) + if 'http' in parsed.scheme: + scheme = 'http' + else: + scheme = parsed.scheme + netloc = parsed.netloc + host = f'{netloc}:{port}' + + if username: + if not password: + misperrors['error'] = 'The virustotal_proxy_username config is set, ' \ + 'please also set the virustotal_proxy_password.' + raise KeyError + auth = f'{username}:{password}' + host = auth + '@' + host + + proxies = { + 'http': f'{scheme}://{host}', + 'https': f'{scheme}://{host}' + } + return proxies -class IpQuery(VirusTotalParser): - def __init__(self, apikey, attribute): - super(IpQuery, self).__init__() - self.base_url = "https://www.virustotal.com/vtapi/v2/ip-address/report" - self.declare_variables(apikey, attribute) - - def parse_report(self, query_result): - if query_result.get('asn'): - asn_mapping = {'network': ('ip-src', 'subnet-announced'), - 'country': ('text', 'country')} - asn_object = MISPObject('asn') - asn_object.add_attribute('asn', type='AS', value=query_result['asn']) - for key, value in asn_mapping.items(): - if query_result.get(key): - attribute_type, relation = value - asn_object.add_attribute(relation, type=attribute_type, value=query_result[key]) - self.misp_event.add_object(**asn_object) - self.parse_urls(query_result) - if query_result.get('resolutions'): - self.parse_resolutions(query_result['resolutions']) - - -class UrlQuery(VirusTotalParser): - def __init__(self, apikey, attribute): - super(UrlQuery, self).__init__() - self.base_url = "https://www.virustotal.com/vtapi/v2/url/report" - self.declare_variables(apikey, attribute) - - def parse_report(self, query_result): - self.parse_vt_object(query_result) - - -domain = ('domain', DomainQuery) -ip = ('ip', IpQuery) -file = ('resource', HashQuery) -misp_type_mapping = {'domain': domain, 'hostname': domain, 'ip-src': ip, - 'ip-dst': ip, 'md5': file, 'sha1': file, 'sha256': file, - 'url': ('resource', UrlQuery)} - - -def parse_error(status_code): +def parse_error(status_code: int) -> str: status_mapping = {204: 'VirusTotal request rate limit exceeded.', 400: 'Incorrect request, please check the arguments.', 403: 'You don\'t have enough privileges to make the request.'} @@ -172,18 +227,29 @@ def handler(q=False): return False request = json.loads(q) if not request.get('config') or not request['config'].get('apikey'): - misperrors['error'] = "A VirusTotal api key is required for this module." + misperrors['error'] = 'A VirusTotal api key is required for this module.' return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + + event_limit = request['config'].get('event_limit') attribute = request['attribute'] - query_type, to_call = misp_type_mapping[attribute['type']] - parser = to_call(request['config']['apikey'], attribute) - query_result = parser.get_query_result(query_type) - status_code = query_result.status_code - if status_code == 200: - parser.parse_report(query_result.json()) - else: - misperrors['error'] = parse_error(status_code) + proxy_settings = get_proxy_settings(request.get('config')) + + try: + client = vt.Client(request['config']['apikey'], + headers={ + 'x-tool': 'MISPModuleVirusTotalPublicExpansion', + }, + proxy=proxy_settings['http'] if proxy_settings else None) + parser = VirusTotalParser(client, int(event_limit) if event_limit else None) + parser.query_api(attribute) + except vt.APIError as ex: + misperrors['error'] = ex.message return misperrors + return parser.get_result() diff --git a/misp_modules/modules/expansion/vmray_submit.py b/misp_modules/modules/expansion/vmray_submit.py index 1c0d553..fa0a073 100644 --- a/misp_modules/modules/expansion/vmray_submit.py +++ b/misp_modules/modules/expansion/vmray_submit.py @@ -19,7 +19,7 @@ from distutils.util import strtobool import io import zipfile -from ._vmray.vmray_rest_api import VMRayRESTAPI +from _vmray.rest_api import VMRayRESTAPI misperrors = {'error': 'Error'} mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']} diff --git a/misp_modules/modules/expansion/vmware_nsx.py b/misp_modules/modules/expansion/vmware_nsx.py new file mode 100644 index 0000000..4496268 --- /dev/null +++ b/misp_modules/modules/expansion/vmware_nsx.py @@ -0,0 +1,621 @@ +#!/usr/bin/env python3 +""" +Expansion module integrating with VMware NSX Defender. +""" +import argparse +import base64 +import configparser +import datetime +import hashlib +import io +import ipaddress +import json +import logging +import pymisp +import sys +import vt +import zipfile +from urllib import parse +from typing import Any, Dict, List, Optional, Tuple, Union + +import tau_clients +from tau_clients import exceptions +from tau_clients import nsx_defender + + +logger = logging.getLogger("vmware_nsx") +logger.setLevel(logging.DEBUG) + +misperrors = { + "error": "Error", +} + +mispattributes = { + "input": [ + "attachment", + "malware-sample", + "url", + "md5", + "sha1", + "sha256", + ], + "format": "misp_standard", +} + +moduleinfo = { + "version": "0.2", + "author": "Jason Zhang, Stefano Ortolani", + "description": "Enrich a file or URL with VMware NSX Defender", + "module-type": ["expansion", "hover"], +} + +moduleconfig = [ + "analysis_url", # optional, defaults to hard-coded values + "analysis_verify_ssl", # optional, defaults to True + "analysis_key", # required + "analysis_api_token", # required + "vt_key", # optional + "misp_url", # optional + "misp_verify_ssl", # optional, defaults to True + "misp_key", # optional +] + +DEFAULT_ZIP_PASSWORD = b"infected" + +DEFAULT_ENDPOINT = tau_clients.NSX_DEFENDER_DC_WESTUS + +WORKFLOW_COMPLETE_TAG = "workflow:state='complete'" + +WORKFLOW_INCOMPLETE_TAG = "workflow:state='incomplete'" + +VT_DOWNLOAD_TAG = "vt:download" + +GALAXY_ATTACK_PATTERNS_UUID = "c4e851fa-775f-11e7-8163-b774922098cd" + + +class ResultParser: + """This is a parser to extract *basic* information from a result dictionary.""" + + def __init__(self, techniques_galaxy: Optional[Dict[str, str]] = None): + """Constructor.""" + self.techniques_galaxy = techniques_galaxy or {} + + def parse(self, analysis_link: str, result: Dict[str, Any]) -> pymisp.MISPEvent: + """ + Parse the analysis result into a MISP event. + + :param str analysis_link: the analysis link + :param dict[str, any] result: the JSON returned by the analysis client. + :rtype: pymisp.MISPEvent + :return: a MISP event + """ + misp_event = pymisp.MISPEvent() + + # Add analysis subject info + if "url" in result["analysis_subject"]: + o = pymisp.MISPObject("url") + o.add_attribute("url", result["analysis_subject"]["url"]) + else: + o = pymisp.MISPObject("file") + o.add_attribute("md5", type="md5", value=result["analysis_subject"]["md5"]) + o.add_attribute("sha1", type="sha1", value=result["analysis_subject"]["sha1"]) + o.add_attribute("sha256", type="sha256", value=result["analysis_subject"]["sha256"]) + o.add_attribute( + "mimetype", + category="Payload delivery", + type="mime-type", + value=result["analysis_subject"]["mime_type"] + ) + misp_event.add_object(o) + + # Add HTTP requests from url analyses + network_dict = result.get("report", {}).get("analysis", {}).get("network", {}) + for request in network_dict.get("requests", []): + if not request["url"] and not request["ip"]: + continue + o = pymisp.MISPObject(name="http-request") + o.add_attribute("method", "GET") + if request["url"]: + parsed_uri = parse.urlparse(request["url"]) + o.add_attribute("host", parsed_uri.netloc) + o.add_attribute("uri", request["url"]) + if request["ip"]: + o.add_attribute("ip-dst", request["ip"]) + misp_event.add_object(o) + + # Add network behaviors from files + for subject in result.get("report", {}).get("analysis_subjects", []): + + # Add DNS requests + for dns_query in subject.get("dns_queries", []): + hostname = dns_query.get("hostname") + # Skip if it is an IP address + try: + if hostname == "wpad" or hostname == "localhost": + continue + # Invalid hostname, e.g., hostname: ZLKKJRPY or 2.2.0.10.in-addr.arpa. + if "." not in hostname or hostname[-1] == ".": + continue + _ = ipaddress.ip_address(hostname) + continue + except ValueError: + pass + + o = pymisp.MISPObject(name="domain-ip") + o.add_attribute("hostname", type="hostname", value=hostname) + for ip in dns_query.get("results", []): + o.add_attribute("ip", type="ip-dst", value=ip) + + misp_event.add_object(o) + + # Add HTTP conversations (as network connection and as http request) + for http_conversation in subject.get("http_conversations", []): + o = pymisp.MISPObject(name="network-connection") + o.add_attribute("ip-src", http_conversation["src_ip"]) + o.add_attribute("ip-dst", http_conversation["dst_ip"]) + o.add_attribute("src-port", http_conversation["src_port"]) + o.add_attribute("dst-port", http_conversation["dst_port"]) + o.add_attribute("hostname-dst", http_conversation["dst_host"]) + o.add_attribute("layer3-protocol", "IP") + o.add_attribute("layer4-protocol", "TCP") + o.add_attribute("layer7-protocol", "HTTP") + misp_event.add_object(o) + + method, path, http_version = http_conversation["url"].split(" ") + if http_conversation["dst_port"] == 80: + uri = "http://{}{}".format(http_conversation["dst_host"], path) + else: + uri = "http://{}:{}{}".format( + http_conversation["dst_host"], + http_conversation["dst_port"], + path + ) + o = pymisp.MISPObject(name="http-request") + o.add_attribute("host", http_conversation["dst_host"]) + o.add_attribute("method", method) + o.add_attribute("uri", uri) + o.add_attribute("ip-dst", http_conversation["dst_ip"]) + misp_event.add_object(o) + + # Add sandbox info like score and sandbox type + o = pymisp.MISPObject(name="sandbox-report") + sandbox_type = "saas" if tau_clients.is_task_hosted(analysis_link) else "on-premise" + o.add_attribute("score", result["score"]) + o.add_attribute("sandbox-type", sandbox_type) + o.add_attribute("{}-sandbox".format(sandbox_type), "vmware-nsx-defender") + o.add_attribute("permalink", analysis_link) + misp_event.add_object(o) + + # Add behaviors + # Check if its not empty first, as at least one attribute has to be set for sb-signature object + if result.get("malicious_activity", []): + o = pymisp.MISPObject(name="sb-signature") + o.add_attribute("software", "VMware NSX Defender") + for activity in result.get("malicious_activity", []): + a = pymisp.MISPAttribute() + a.from_dict(type="text", value=activity) + o.add_attribute("signature", **a) + misp_event.add_object(o) + + # Add mitre techniques + for techniques in result.get("activity_to_mitre_techniques", {}).values(): + for technique in techniques: + for misp_technique_id, misp_technique_name in self.techniques_galaxy.items(): + if technique["id"].casefold() in misp_technique_id.casefold(): + # If report details a sub-technique, trust the match + # Otherwise trust it only if the MISP technique is not a sub-technique + if "." in technique["id"] or "." not in misp_technique_id: + misp_event.add_tag(misp_technique_name) + break + return misp_event + + +def _parse_submission_response(response: Dict[str, Any]) -> Tuple[str, List[str]]: + """ + Parse the response from "submit_*" methods. + + :param dict[str, any] response: the client response + :rtype: tuple(str, list[str]) + :return: the task_uuid and whether the analysis is available + :raises ValueError: in case of any error + """ + task_uuid = response.get("task_uuid") + if not task_uuid: + raise ValueError("Submission failed, unable to process the data") + if response.get("score") is not None: + tags = [WORKFLOW_COMPLETE_TAG] + else: + tags = [WORKFLOW_INCOMPLETE_TAG] + return task_uuid, tags + + +def _unzip(zipped_data: bytes, password: bytes = DEFAULT_ZIP_PASSWORD) -> bytes: + """ + Unzip the data. + + :param bytes zipped_data: the zipped data + :param bytes password: the password + :rtype: bytes + :return: the unzipped data + :raises ValueError: in case of any error + """ + try: + data_file_object = io.BytesIO(zipped_data) + with zipfile.ZipFile(data_file_object) as zip_file: + sample_hash_name = zip_file.namelist()[0] + return zip_file.read(sample_hash_name, password) + except (IOError, ValueError) as e: + raise ValueError(str(e)) + + +def _download_from_vt(client: vt.Client, file_hash: str) -> bytes: + """ + Download file from VT. + + :param vt.Client client: the VT client + :param str file_hash: the file hash + :rtype: bytes + :return: the downloaded data + :raises ValueError: in case of any error + """ + try: + buffer = io.BytesIO() + client.download_file(file_hash, buffer) + buffer.seek(0, 0) + return buffer.read() + except (IOError, vt.APIError) as e: + raise ValueError(str(e)) + finally: + # vt.Client likes to free resources at shutdown, and it can be used as context to ease that + # Since the structure of the module does not play well with how MISP modules are organized + # let's play nice and close connections pro-actively (opened by "download_file") + if client: + client.close() + + +def _get_analysis_tags( + clients: Dict[str, nsx_defender.AnalysisClient], + task_uuid: str, +) -> List[str]: + """ + Get the analysis tags of a task. + + :param dict[str, nsx_defender.AnalysisClient] clients: the analysis clients + :param str task_uuid: the task uuid + :rtype: list[str] + :return: the analysis tags + :raises exceptions.ApiError: in case of client errors + :raises exceptions.CommunicationError: in case of client communication errors + """ + client = clients[DEFAULT_ENDPOINT] + response = client.get_analysis_tags(task_uuid) + tags = set([]) + for tag in response.get("analysis_tags", []): + tag_header = None + tag_type = tag["data"]["type"] + if tag_type == "av_family": + tag_header = "av-fam" + elif tag_type == "av_class": + tag_header = "av-cls" + elif tag_type == "lastline_malware": + tag_header = "nsx" + if tag_header: + tags.add("{}:{}".format(tag_header, tag["data"]["value"])) + return sorted(tags) + + +def _get_latest_analysis( + clients: Dict[str, nsx_defender.AnalysisClient], + file_hash: str, +) -> Optional[str]: + """ + Get the latest analysis. + + :param dict[str, nsx_defender.AnalysisClient] clients: the analysis clients + :param str file_hash: the hash of the file + :rtype: str|None + :return: the task uuid if present, None otherwise + :raises exceptions.ApiError: in case of client errors + :raises exceptions.CommunicationError: in case of client communication errors + """ + def _parse_expiration(task_info: Dict[str, str]) -> datetime.datetime: + """ + Parse expiration time of a task + + :param dict[str, str] task_info: the task + :rtype: datetime.datetime + :return: the parsed datetime object + """ + return datetime.datetime.strptime(task_info["expires"], "%Y-%m-%d %H:%M:%S") + results = [] + for data_center, client in clients.items(): + response = client.query_file_hash(file_hash=file_hash) + for task in response.get("tasks", []): + results.append(task) + if results: + return sorted(results, key=_parse_expiration)[-1]["task_uuid"] + else: + return None + + +def _get_mitre_techniques_galaxy(misp_client: pymisp.PyMISP) -> Dict[str, str]: + """ + Get all the MITRE techniques from the MISP galaxy. + + :param pymisp.PyMISP misp_client: the MISP client + :rtype: dict[str, str] + :return: all techniques indexed by their id + """ + galaxy_attack_patterns = misp_client.get_galaxy( + galaxy=GALAXY_ATTACK_PATTERNS_UUID, + withCluster=True, + pythonify=True, + ) + ret = {} + for cluster in galaxy_attack_patterns.clusters: + ret[cluster.value] = cluster.tag_name + return ret + + +def introspection() -> Dict[str, Union[str, List[str]]]: + """ + Implement interface. + + :return: the supported MISP attributes + :rtype: dict[str, list[str]] + """ + return mispattributes + + +def version() -> Dict[str, Union[str, List[str]]]: + """ + Implement interface. + + :return: the module config inside another dictionary + :rtype: dict[str, list[str]] + """ + moduleinfo["config"] = moduleconfig + return moduleinfo + + +def handler(q: Union[bool, str] = False) -> Union[bool, Dict[str, Any]]: + """ + Implement interface. + + :param bool|str q: the input received + :rtype: bool|dict[str, any] + """ + if q is False: + return False + + request = json.loads(q) + config = request.get("config", {}) + + # Load the client to connect to VMware NSX ATA (hard-fail) + try: + analysis_url = config.get("analysis_url") + login_params = { + "key": config["analysis_key"], + "api_token": config["analysis_api_token"], + } + # If 'analysis_url' is specified we are connecting on-premise + if analysis_url: + analysis_clients = { + DEFAULT_ENDPOINT: nsx_defender.AnalysisClient( + api_url=analysis_url, + login_params=login_params, + verify_ssl=bool(config.get("analysis_verify_ssl", True)), + ) + } + logger.info("Connected NSX AnalysisClient to on-premise infrastructure") + else: + analysis_clients = { + data_center: nsx_defender.AnalysisClient( + api_url=tau_clients.NSX_DEFENDER_ANALYSIS_URLS[data_center], + login_params=login_params, + verify_ssl=bool(config.get("analysis_verify_ssl", True)), + ) for data_center in [ + tau_clients.NSX_DEFENDER_DC_WESTUS, + tau_clients.NSX_DEFENDER_DC_NLEMEA, + ] + } + logger.info("Connected NSX AnalysisClient to hosted infrastructure") + except KeyError as ke: + logger.error("Integration with VMware NSX ATA failed to connect: %s", str(ke)) + return {"error": "Error connecting to VMware NSX ATA: {}".format(ke)} + + # Load the client to connect to MISP (soft-fail) + try: + misp_client = pymisp.PyMISP( + url=config["misp_url"], + key=config["misp_key"], + ssl=bool(config.get("misp_verify_ssl", True)), + ) + except (KeyError, pymisp.PyMISPError): + logger.error("Integration with pyMISP disabled: no MITRE techniques tags") + misp_client = None + + # Load the client to connect to VT (soft-fail) + try: + vt_client = vt.Client(apikey=config["vt_key"]) + except (KeyError, ValueError): + logger.error("Integration with VT disabled: no automatic download of samples") + vt_client = None + + # Decode and issue the request + try: + if request["attribute"]["type"] == "url": + sample_url = request["attribute"]["value"] + response = analysis_clients[DEFAULT_ENDPOINT].submit_url(sample_url) + task_uuid, tags = _parse_submission_response(response) + else: + if request["attribute"]["type"] == "malware-sample": + # Raise TypeError + file_data = _unzip(base64.b64decode(request["attribute"]["data"])) + file_name = request["attribute"]["value"].split("|", 1)[0] + hash_value = hashlib.sha1(file_data).hexdigest() + elif request["attribute"]["type"] == "attachment": + # Raise TypeError + file_data = base64.b64decode(request["attribute"]["data"]) + file_name = request["attribute"].get("value") + hash_value = hashlib.sha1(file_data).hexdigest() + else: + hash_value = request["attribute"]["value"] + file_data = None + file_name = "{}.bin".format(hash_value) + # Check whether we have a task for that file + tags = [] + task_uuid = _get_latest_analysis(analysis_clients, hash_value) + if not task_uuid: + # If we have no analysis, download the sample from VT + if not file_data: + if not vt_client: + raise ValueError("No file available locally and VT is disabled") + file_data = _download_from_vt(vt_client, hash_value) + tags.append(VT_DOWNLOAD_TAG) + # ... and submit it (_download_from_vt fails if no sample availabe) + response = analysis_clients[DEFAULT_ENDPOINT].submit_file(file_data, file_name) + task_uuid, _tags = _parse_submission_response(response) + tags.extend(_tags) + except KeyError as e: + logger.error("Error parsing input: %s", request["attribute"]) + return {"error": "Error parsing input: {}".format(e)} + except TypeError as e: + logger.error("Error decoding input: %s", request["attribute"]) + return {"error": "Error decoding input: {}".format(e)} + except ValueError as e: + logger.error("Error processing input: %s", request["attribute"]) + return {"error": "Error processing input: {}".format(e)} + except (exceptions.CommunicationError, exceptions.ApiError) as e: + logger.error("Error issuing API call: %s", str(e)) + return {"error": "Error issuing API call: {}".format(e)} + else: + analysis_link = tau_clients.get_task_link( + uuid=task_uuid, + analysis_url=analysis_clients[DEFAULT_ENDPOINT].base, + prefer_load_balancer=True, + ) + + # Return partial results if the analysis has yet to terminate + try: + tags.extend(_get_analysis_tags(analysis_clients, task_uuid)) + report = analysis_clients[DEFAULT_ENDPOINT].get_result(task_uuid) + except (exceptions.CommunicationError, exceptions.ApiError) as e: + logger.error("Error retrieving the report: %s", str(e)) + return { + "results": { + "types": "link", + "categories": ["External analysis"], + "values": analysis_link, + "tags": tags, + } + } + + # Return the enrichment + try: + techniques_galaxy = None + if misp_client: + techniques_galaxy = _get_mitre_techniques_galaxy(misp_client) + result_parser = ResultParser(techniques_galaxy=techniques_galaxy) + misp_event = result_parser.parse(analysis_link, report) + for tag in tags: + if tag not in frozenset([WORKFLOW_COMPLETE_TAG]): + misp_event.add_tag(tag) + return { + "results": { + key: json.loads(misp_event.to_json())[key] + for key in ("Attribute", "Object", "Tag") + if (key in misp_event and misp_event[key]) + } + } + except pymisp.PyMISPError as e: + logger.error("Error parsing the report: %s", str(e)) + return {"error": "Error parsing the report: {}".format(e)} + + +def main(): + """Main function used to test basic functionalities of the module.""" + parser = argparse.ArgumentParser() + parser.add_argument( + "-c", + "--config-file", + dest="config_file", + required=True, + help="the configuration file used for testing", + ) + parser.add_argument( + "-t", + "--test-attachment", + dest="test_attachment", + default=None, + help="the path to a test attachment", + ) + args = parser.parse_args() + conf = configparser.ConfigParser() + conf.read(args.config_file) + config = { + "analysis_verify_ssl": conf.getboolean("analysis", "analysis_verify_ssl"), + "analysis_key": conf.get("analysis", "analysis_key"), + "analysis_api_token": conf.get("analysis", "analysis_api_token"), + "vt_key": conf.get("vt", "vt_key"), + "misp_url": conf.get("misp", "misp_url"), + "misp_verify_ssl": conf.getboolean("misp", "misp_verify_ssl"), + "misp_key": conf.get("misp", "misp_key"), + } + + # TEST 1: submit a URL + j = json.dumps( + { + "config": config, + "attribute": { + "type": "url", + "value": "https://www.google.com", + } + } + ) + print(json.dumps(handler(j), indent=4, sort_keys=True)) + + # TEST 2: submit a file attachment + if args.test_attachment: + with open(args.test_attachment, "rb") as f: + data = f.read() + j = json.dumps( + { + "config": config, + "attribute": { + "type": "attachment", + "value": "test.docx", + "data": base64.b64encode(data).decode("utf-8"), + } + } + ) + print(json.dumps(handler(j), indent=4, sort_keys=True)) + + # TEST 3: submit a file hash that is known by NSX ATA + j = json.dumps( + { + "config": config, + "attribute": { + "type": "md5", + "value": "002c56165a0e78369d0e1023ce044bf0", + } + } + ) + print(json.dumps(handler(j), indent=4, sort_keys=True)) + + # TEST 4 : submit a file hash that is NOT known byt NSX ATA + j = json.dumps( + { + "config": config, + "attribute": { + "type": "sha1", + "value": "2aac25ecdccf87abf6f1651ef2ffb30fcf732250", + } + } + ) + print(json.dumps(handler(j), indent=4, sort_keys=True)) + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/misp_modules/modules/expansion/wiki.py b/misp_modules/modules/expansion/wiki.py index 90dd547..110e8f8 100755 --- a/misp_modules/modules/expansion/wiki.py +++ b/misp_modules/modules/expansion/wiki.py @@ -17,7 +17,7 @@ def handler(q=False): misperrors['error'] = 'Query text missing' return misperrors - sparql = SPARQLWrapper(wiki_api_url) + sparql = SPARQLWrapper(wiki_api_url, agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36') query_string = \ "SELECT ?item \n" \ "WHERE { \n" \ @@ -26,7 +26,6 @@ def handler(q=False): sparql.setQuery(query_string) sparql.setReturnFormat(JSON) results = sparql.query().convert() - summary = '' try: result = results["results"]["bindings"] summary = result[0]["item"]["value"] if result else 'No additional data found on Wikidata' diff --git a/misp_modules/modules/expansion/xforceexchange.py b/misp_modules/modules/expansion/xforceexchange.py index 7999ce2..936917f 100644 --- a/misp_modules/modules/expansion/xforceexchange.py +++ b/misp_modules/modules/expansion/xforceexchange.py @@ -1,6 +1,7 @@ import requests import json import sys +from . import check_input_attribute, standard_error_message from collections import defaultdict from pymisp import MISPAttribute, MISPEvent, MISPObject from requests.auth import HTTPBasicAuth @@ -160,6 +161,10 @@ def handler(q=False): return misperrors key = request["config"]["apikey"] password = request['config']['apipassword'] + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message} which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} parser = XforceExchange(request['attribute'], key, password) parser.parse() return parser.get_result() diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py index 3a75acc..e905de5 100644 --- a/misp_modules/modules/expansion/yara_query.py +++ b/misp_modules/modules/expansion/yara_query.py @@ -14,6 +14,12 @@ moduleconfig = [] mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']} +def extract_input_attribute(request): + for input_type in mispattributes['input']: + if input_type in request: + return input_type, request[input_type] + + def get_hash_condition(hashtype, hashvalue): hashvalue = hashvalue.lower() required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)') @@ -24,11 +30,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) - del request['module'] - if 'event_id' in request: - del request['event_id'] + attribute = extract_input_attribute(request) + if attribute is None: + return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'} uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None - attribute_type, value = list(request.items())[0] + attribute_type, value = attribute if 'filename' in attribute_type: _, attribute_type = attribute_type.split('|') _, value = value.split('|') diff --git a/misp_modules/modules/expansion/yeti.py b/misp_modules/modules/expansion/yeti.py new file mode 100644 index 0000000..3eeea95 --- /dev/null +++ b/misp_modules/modules/expansion/yeti.py @@ -0,0 +1,186 @@ +import json +import logging + +try: + import pyeti +except ImportError: + print("pyeti module not installed.") + +from pymisp import MISPEvent, MISPObject + +misperrors = {'error': 'Error'} + +mispattributes = {'input': ['AS', 'ip-src', 'ip-dst', 'hostname', 'domain', 'sha256', 'sha1', 'md5', 'url'], + 'format': 'misp_standard' + } +# possible module-types: 'expansion', 'hover' or both +moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', + 'description': 'Query on yeti', + 'module-type': ['expansion', 'hover']} + +moduleconfig = ['apikey', 'url'] + + +class Yeti(): + + def __init__(self, url, key, attribute): + self.misp_mapping = {'Ip': 'ip-dst', 'Domain': 'domain', 'Hostname': 'hostname', 'Url': 'url', + 'AutonomousSystem': 'AS', 'File': 'sha256'} + self.yeti_client = pyeti.YetiApi(url=url, api_key=key) + self.attribute = attribute + self.misp_event = MISPEvent() + self.misp_event.add_attribute(**attribute) + + def search(self, value): + obs = self.yeti_client.observable_search(value=value) + if obs: + return obs[0] + + def get_neighboors(self, obs_id): + neighboors = self.yeti_client.neighbors_observables(obs_id) + if neighboors and 'objs' in neighboors: + links_by_id = {link['dst']['id']: (link['description'], 'dst') for link in neighboors['links'] + if link['dst']['id'] != obs_id} + links_by_id.update({link['src']['id']: (link['description'], 'src') for link in neighboors['links'] + if link['src']['id'] != obs_id}) + + for n in neighboors['objs']: + yield n, links_by_id[n['id']] + + def parse_yeti_result(self): + obs = self.search(self.attribute['value']) + + for obs_to_add, link in self.get_neighboors(obs['id']): + object_misp_domain_ip = self.__get_object_domain_ip(obs_to_add) + if object_misp_domain_ip: + self.misp_event.add_object(object_misp_domain_ip) + continue + object_misp_url = self.__get_object_url(obs_to_add) + if object_misp_url: + self.misp_event.add_object(object_misp_url) + continue + if link[0] == 'NS record': + object_ns_record = self.__get_object_ns_record(obs_to_add, link[1]) + if object_ns_record: + self.misp_event.add_object(object_ns_record) + continue + self.__get_attribute(obs_to_add, link[0]) + + def get_result(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if key in event} + return results + + def __get_attribute(self, obs_to_add, link): + + try: + type_attr = self.misp_mapping[obs_to_add['type']] + value = None + if obs_to_add['type'] == 'File': + value = obs_to_add['value'].split(':')[1] + else: + value = obs_to_add['value'] + attr = self.misp_event.add_attribute(value=value, type=type_attr) + attr.comment = '%s: %s' % (link, self.attribute['value']) + except KeyError: + logging.error('type not found %s' % obs_to_add['type']) + return + + for t in obs_to_add['tags']: + self.misp_event.add_attribute_tag(t['name'], attr['uuid']) + + def __get_object_domain_ip(self, obj_to_add): + if (obj_to_add['type'] == 'Ip' and self.attribute['type'] in ['hostname', 'domain']) or \ + (obj_to_add['type'] in ('Hostname', 'Domain') and self.attribute['type'] in ('ip-src', 'ip-dst')): + domain_ip_object = MISPObject('domain-ip') + domain_ip_object.add_attribute(self.__get_relation(obj_to_add), + obj_to_add['value']) + domain_ip_object.add_attribute(self.__get_relation(self.attribute, is_yeti_object=False), + self.attribute['value']) + domain_ip_object.add_reference(self.attribute['uuid'], 'related_to') + + return domain_ip_object + + def __get_object_url(self, obj_to_add): + if (obj_to_add['type'] == 'Url' and self.attribute['type'] in ['hostname', 'domain', 'ip-src', 'ip-dst']) or ( + obj_to_add['type'] in ('Hostname', 'Domain', 'Ip') and self.attribute['type'] == 'url' + ): + url_object = MISPObject('url') + obj_relation = self.__get_relation(obj_to_add) + if obj_relation: + url_object.add_attribute(obj_relation, obj_to_add['value']) + obj_relation = self.__get_relation(self.attribute, is_yeti_object=False) + if obj_relation: + url_object.add_attribute(obj_relation, + self.attribute['value']) + url_object.add_reference(self.attribute['uuid'], 'related_to') + + return url_object + + def __get_object_ns_record(self, obj_to_add, link): + queried_domain = None + ns_domain = None + object_dns_record = MISPObject('dns-record') + if link == 'dst': + queried_domain = self.attribute['value'] + ns_domain = obj_to_add['value'] + elif link == 'src': + queried_domain = obj_to_add['value'] + ns_domain = self.attribute['value'] + if queried_domain and ns_domain: + object_dns_record.add_attribute('queried-domain', queried_domain) + object_dns_record.add_attribute('ns-record', ns_domain) + object_dns_record.add_reference(self.attribute['uuid'], 'related_to') + + return object_dns_record + + def __get_relation(self, obj, is_yeti_object=True): + if is_yeti_object: + type_attribute = self.misp_mapping[obj['type']] + else: + type_attribute = obj['type'] + if type_attribute == 'ip-src' or type_attribute == 'ip-dst': + return 'ip' + elif 'domain' == type_attribute: + return 'domain' + elif 'hostname' == type_attribute: + return 'domain' + elif type_attribute == 'url': + return type_attribute + + +def handler(q=False): + if q is False: + return False + + apikey = None + yeti_url = None + yeti_client = None + + request = json.loads(q) + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attributes type'} + + if 'config' in request and 'url' in request['config']: + yeti_url = request['config']['url'] + if 'config' in request and 'apikey' in request['config']: + apikey = request['config']['apikey'] + if apikey and yeti_url: + yeti_client = Yeti(yeti_url, apikey, attribute) + + if yeti_client: + yeti_client.parse_yeti_result() + return {'results': yeti_client.get_result()} + else: + misperrors['error'] = 'Yeti Config Error' + return misperrors + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo + + +def introspection(): + return mispattributes diff --git a/misp_modules/modules/export_mod/__init__.py b/misp_modules/modules/export_mod/__init__.py index 1b0e1d0..ea90d19 100644 --- a/misp_modules/modules/export_mod/__init__.py +++ b/misp_modules/modules/export_mod/__init__.py @@ -1,2 +1,3 @@ __all__ = ['cef_export', 'mass_eql_export', 'liteexport', 'goamlexport', 'threat_connect_export', 'pdfexport', - 'threatStream_misp_export', 'osqueryexport', 'nexthinkexport', 'vt_graph'] + 'threatStream_misp_export', 'osqueryexport', 'nexthinkexport', 'vt_graph', 'defender_endpoint_export', + 'virustotal_collections'] diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py new file mode 100755 index 0000000..1c36efb --- /dev/null +++ b/misp_modules/modules/export_mod/defender_endpoint_export.py @@ -0,0 +1,109 @@ +""" +Export module for coverting MISP events into Defender for Endpoint KQL queries. +Config['Period'] : allows to define period over witch to look for IOC from now +""" + +import base64 +import json + +misperrors = {"error": "Error"} + +types_to_use = ['sha1', 'md5', 'domain', 'ip', 'url'] + +userConfig = { + +} + +moduleconfig = ["Period"] +inputSource = ['event'] + +outputFileExtension = 'kql' +responseType = 'application/txt' + +moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge', + 'description': 'Defender for Endpoint KQL hunting query export module', + 'module-type': ['export']} + + +def handle_sha1(value, period): + query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) + where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'""" + return query.replace('\n', ' ') + + +def handle_md5(value, period): + query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) + where MD5 == '{value}' or InitiatingProcessMD5 == '{value}'""" + return query.replace('\n', ' ') + + +def handle_domain(value, period): + query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) + where RemoteUrl contains '{value}'""" + return query.replace('\n', ' ') + + +def handle_ip(value, period): + query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) + where RemoteIP == '{value}'""" + return query.replace('\n', ' ') + + +def handle_url(value, period): + query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) + where RemoteUrl startswith '{value}'""" + return query.replace('\n', ' ') + + +handlers = { + 'sha1': handle_sha1, + 'md5': handle_md5, + 'domain': handle_domain, + 'ip': handle_ip, + 'url': handle_url +} + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + config = request.get("config", {"Period": ""}) + output = '' + + for event in request["data"]: + for attribute in event["Attribute"]: + if attribute['type'] in types_to_use: + output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n' + r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')} + return r + + +def introspection(): + modulesetup = {} + try: + responseType + modulesetup['responseType'] = responseType + except NameError: + pass + try: + userConfig + modulesetup['userConfig'] = userConfig + except NameError: + pass + try: + outputFileExtension + modulesetup['outputFileExtension'] = outputFileExtension + except NameError: + pass + try: + inputSource + modulesetup['inputSource'] = inputSource + except NameError: + pass + return modulesetup + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/export_mod/virustotal_collections.py b/misp_modules/modules/export_mod/virustotal_collections.py new file mode 100644 index 0000000..fa2929c --- /dev/null +++ b/misp_modules/modules/export_mod/virustotal_collections.py @@ -0,0 +1,134 @@ +#!/usr/bin/env python3 + +# Copyright 2022 Google Inc. All Rights Reserved. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Creates a VT Collection with indicators present in a given event.""" + +import base64 +import json +import requests + +misperrors = { + 'error': 'Error' +} + +mispattributes = { + 'input': [ + 'hostname', + 'domain', + 'ip-src', + 'ip-dst', + 'md5', + 'sha1', + 'sha256', + 'url' + ], + 'format': 'misp_standard', + 'responseType': 'application/txt', + 'outputFileExtension': 'txt', +} + +moduleinfo = { + 'version': '1.0', + 'author': 'VirusTotal', + 'description': 'Creates a VT Collection from an event iocs.', + 'module-type': ['export'] +} + +moduleconfig = [ + 'vt_api_key', + 'proxy_host', + 'proxy_port', + 'proxy_username', + 'proxy_password' +] + + +class VTError(Exception): + "Exception class to map vt api response errors." + pass + + +def create_collection(api_key, event_data): + headers = { + 'x-apikey': api_key, + 'content-type': 'application/json', + 'x-tool': 'MISPModuleVirusTotalCollectionExport', + } + + response = requests.post('https://www.virustotal.com/api/v3/integrations/misp/collections', + headers=headers, + json=event_data) + + uuid = event_data['Event']['uuid'] + response_data = response.json() + + if response.status_code == 200: + link = response_data['data']['links']['self'] + return f'{uuid}: {link}' + + error = response_data['error']['message'] + if response.status_code == 400: + return f'{uuid}: {error}' + else: + misperrors['error'] = error + raise VTError(error) + + +def normalize_misp_data(data): + normalized_data = {'Event': data.pop('Event', {})} + for attr_key in data: + if isinstance(data[attr_key], list) or isinstance(data[attr_key], dict): + if attr_key == 'EventTag': + normalized_data['Event']['Tag'] = [tag['Tag'] for tag in data[attr_key]] + else: + normalized_data['Event'][attr_key] = data[attr_key] + + return normalized_data + + +def handler(q=False): + request = json.loads(q) + + if not request.get('config') or not request['config'].get('vt_api_key'): + misperrors['error'] = 'A VirusTotal api key is required for this module.' + return misperrors + + config = request['config'] + data = request['data'] + responses = [] + + try: + for event_data in data: + normalized_event = normalize_misp_data(event_data) + responses.append(create_collection(config.get('vt_api_key'), + normalized_event)) + + output = '\n'.join(responses) + return { + "response": [], + "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8'), + } + except VTError: + return misperrors + + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/import_mod/__init__.py b/misp_modules/modules/import_mod/__init__.py index fbad911..a7d220d 100644 --- a/misp_modules/modules/import_mod/__init__.py +++ b/misp_modules/modules/import_mod/__init__.py @@ -1,4 +1,3 @@ -from . import _vmray # noqa import os import sys sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3]))) @@ -14,5 +13,7 @@ __all__ = [ 'openiocimport', 'threatanalyzer_import', 'csvimport', + 'cof2misp', 'joe_import', + 'taxii21' ] diff --git a/misp_modules/modules/import_mod/cof2misp.py b/misp_modules/modules/import_mod/cof2misp.py new file mode 100755 index 0000000..841da09 --- /dev/null +++ b/misp_modules/modules/import_mod/cof2misp.py @@ -0,0 +1,254 @@ +""" PassiveDNS Common Output Format (COF) MISP importer. + +Takes as input a valid COF file or the output of the dnsdbflex utility +and creates MISP objects for the input. + +Copyright 2021: Farsight Security (https://www.farsightsecurity.com/) + +Author: Aaron Kaplan + +Released under the Apache 2.0 license. +See: https://www.apache.org/licenses/LICENSE-2.0.txt + +""" + +import sys +import json +import base64 + + +import ndjson + +# from pymisp import MISPObject, MISPEvent, PyMISP +from pymisp import MISPObject + +from cof2misp.cof import validate_cof, validate_dnsdbflex + + +create_specific_attributes = False # this is for https://github.com/MISP/misp-objects/pull/314 + + +misperrors = {'error': 'Error'} +userConfig = {} + +inputSource = ['file'] + +mispattributes = {'inputSource': ['file'], 'output': ['MISP objects'], + 'format': 'misp_standard'} + + +moduleinfo = {'version': '0.3', 'author': 'Aaron Kaplan', + 'description': 'Module to import the passive DNS Common Output Format (COF) and merge as a MISP objet into a MISP event.', + 'module-type': ['import']} + +moduleconfig = [] + + +# misp = PyMISP() + + +def parse_and_insert_cof(data: str) -> dict: + """Parse and validate the COF data. + + Parameters + ---------- + data as a string + + Returns + ------- + A dict with either the error message or the data which may be sent off the the caller of handler() + + Raises + -------- + none. All Exceptions will be handled here. On error, a misperror is returned. + """ + + objects = [] + try: + entries = ndjson.loads(data) + for entry in entries: # iterate over all ndjson lines + + # validate here (simple validation or full JSON Schema validation) + if not validate_cof(entry): + return {"error": "Could not validate the COF input '%s'" % entry} + + # Next, extract some fields + rrtype = entry['rrtype'].upper() + rrname = entry['rrname'].rstrip('.') + rdata = [x.rstrip('.') for x in entry['rdata']] + + # create a new MISP object, based on the passive-dns object for each nd-JSON line + o = MISPObject(name='passive-dns', standalone=False, comment='created by cof2misp') + + # o.add_tag('tlp:amber') # FIXME: we'll want to add a tlp: tag to the object + if 'bailiwick' in entry: + o.add_attribute('bailiwick', value=entry['bailiwick'].rstrip('.'), distribution=0) + + # + # handle the combinations of rrtype (domain, ip) on both left and right side + # + + if create_specific_attributes: + if rrtype in ['A', 'AAAA', 'A6']: # address type + # address type + o.add_attribute('rrname_domain', value=rrname, distribution=0) + for r in rdata: + o.add_attribute('rdata_ip', value=r, distribution=0) + elif rrtype in ['CNAME', 'DNAME', 'NS']: # both sides are domains + o.add_attribute('rrname_domain', value=rrname, distribution=0) + for r in rdata: + o.add_attribute('rdata_domain', value=r, distribution=0) + elif rrtype in ['SOA']: # left side is a domain, right side is text + o.add_attribute('rrname_domain', value=rrname, distribution=0) + + # + # now do the regular filling up of rrname, rrtype, time_first, etc. + # + o.add_attribute('rrname', value=rrname, distribution=0) + o.add_attribute('rrtype', value=rrtype, distribution=0) + for r in rdata: + o.add_attribute('rdata', value=r, distribution=0) + o.add_attribute('raw_rdata', value=json.dumps(rdata), distribution=0) # FIXME: do we need to hex encode it? + o.add_attribute('time_first', value=entry['time_first'], distribution=0) + o.add_attribute('time_last', value=entry['time_last'], distribution=0) + o.first_seen = entry['time_first'] # is this redundant? + o.last_seen = entry['time_last'] + + # + # Now add the other optional values. # FIXME: how about a map() other function. DNRY + # + for k in ['count', 'sensor_id', 'origin', 'text', 'time_first_ms', 'time_last_ms', 'zone_time_first', 'zone_time_last']: + if k in entry and entry[k]: + o.add_attribute(k, value=entry[k], distribution=0) + + # + # add COF entry to MISP object + # + objects.append(o.to_json()) + + r = {'results': {'Object': [json.loads(o) for o in objects]}} + except Exception as ex: + misperrors["error"] = "An error occured during parsing of input: '%s'" % (str(ex),) + return misperrors + return r + + +def parse_and_insert_dnsdbflex(data: str): + """Parse and validate the more simplier dndsdbflex output data. + + Parameters + ---------- + data as a string + + Returns + ------- + A dict with either the error message or the data which may be sent off the the caller of handler() + + Raises + -------- + none + """ + objects = [] + try: + entries = ndjson.loads(data) + for entry in entries: # iterate over all ndjson lines + # validate here (simple validation or full JSON Schema validation) + if not validate_dnsdbflex(entry): + return {"error": "Could not validate the dnsdbflex input '%s'" % entry} + + # Next, extract some fields + rrtype = entry['rrtype'].upper() + rrname = entry['rrname'].rstrip('.') + + # create a new MISP object, based on the passive-dns object for each nd-JSON line + try: + o = MISPObject(name='passive-dns', standalone=False, distribution=0, comment='DNSDBFLEX import by cof2misp') + o.add_attribute('rrtype', value=rrtype, distribution=0, comment='DNSDBFLEX import by cof2misp') + o.add_attribute('rrname', value=rrname, distribution=0, comment='DNSDBFLEX import by cof2misp') + except Exception as ex: + print("could not create object. Reason: %s" % str(ex)) + + # + # add dnsdbflex entry to MISP object + # + objects.append(o.to_json()) + + r = {'results': {'Object': [json.loads(o) for o in objects]}} + except Exception as ex: + misperrors["error"] = "An error occured during parsing of input: '%s'" % (str(ex),) + return misperrors + return r + + +def is_dnsdbflex(data: str) -> bool: + """Check if the supplied data conforms to the dnsdbflex output (which only contains rrname and rrtype) + + Parameters + ---------- + ndjson data as a string + + Returns + ------- + True or False + + Raises + -------- + none + """ + + try: + j = ndjson.loads(data) + for line in j: + if not set(line.keys()) == {'rrname', 'rrtype'}: + return False # shortcut. We assume it's not if a single line does not conform + return True + except Exception as ex: + print("oops, this should not have happened. Maybe not an ndjson file? Reason: %s" % (str(ex),), file=sys.stderr) + return False + + +def is_cof(data: str) -> bool: + return True + + +def handler(q=False): + if q is False: + return False + + request = json.loads(q) + # Parse the json, determine which type of JSON it is (dnsdbflex or COF?) + # Validate it + # transform into MISP object + # push to MISP + # event_id = request['event_id'] + # event = misp.get_event(event_id) + # print("event_id = %s" % event_id, file=sys.stderr) + try: + data = base64.b64decode(request["data"]).decode('utf-8') + if not data: + return json.dumps({'success': 0}) # empty file is ok + if is_dnsdbflex(data): + return parse_and_insert_dnsdbflex(data) + elif is_cof(data): + # check if it's valid COF format + return parse_and_insert_cof(data) + else: + return {'error': 'Could not find any valid COF input nor dnsdbflex input. Please have a loot at: https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/'} + except Exception as ex: + print("oops, got exception %s" % str(ex), file=sys.stderr) + return {'error': "Got exception %s" % str(ex)} + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo + + +if __name__ == '__main__': + x = open('test.json', 'r') + r = handler(q=x.read()) + print(json.dumps(r)) diff --git a/misp_modules/modules/import_mod/csvimport.py b/misp_modules/modules/import_mod/csvimport.py index 34eed8c..6bd79b7 100644 --- a/misp_modules/modules/import_mod/csvimport.py +++ b/misp_modules/modules/import_mod/csvimport.py @@ -224,7 +224,8 @@ class CsvParser(): @staticmethod def __deal_with_tags(attribute): - attribute['Tag'] = [{'name': tag.strip()} for tag in attribute['Tag'].split(',')] + if 'Tag' in attribute.keys(): + attribute['Tag'] = [{'name': tag.strip()} for tag in attribute['Tag'].split(',')] def __get_score(self): score = 1 if 'to_ids' in self.header else 0 diff --git a/misp_modules/modules/import_mod/email_import.py b/misp_modules/modules/import_mod/email_import.py index 114f8c9..3ebf3a2 100644 --- a/misp_modules/modules/import_mod/email_import.py +++ b/misp_modules/modules/import_mod/email_import.py @@ -42,7 +42,7 @@ def handler(q=False): # request data is always base 64 byte encoded data = base64.b64decode(request["data"]) - email_object = EMailObject(pseudofile=BytesIO(data), attach_original_mail=True, standalone=False) + email_object = EMailObject(pseudofile=BytesIO(data), attach_original_email=True, standalone=False) # Check if we were given a configuration config = request.get("config", {}) @@ -110,21 +110,20 @@ def handler(q=False): email_object.add_reference(f_object.uuid, 'includes', 'Email attachment') mail_body = email_object.email.get_body(preferencelist=('html', 'plain')) - if extract_urls: - if mail_body: - charset = mail_body.get_content_charset() - if mail_body.get_content_type() == 'text/html': - url_parser = HTMLURLParser() - url_parser.feed(mail_body.get_payload(decode=True).decode(charset, errors='ignore')) - urls = url_parser.urls - else: - urls = re.findall(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', mail_body.get_payload(decode=True).decode(charset, errors='ignore')) - for url in urls: - if not url: - continue - url_object = URLObject(url, standalone=False) - file_objects.append(url_object) - email_object.add_reference(url_object.uuid, 'includes', 'URL in email body') + if extract_urls and mail_body: + charset = mail_body.get_content_charset('utf-8') + if mail_body.get_content_type() == 'text/html': + url_parser = HTMLURLParser() + url_parser.feed(mail_body.get_payload(decode=True).decode(charset, errors='ignore')) + urls = url_parser.urls + else: + urls = re.findall(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', mail_body.get_payload(decode=True).decode(charset, errors='ignore')) + for url in urls: + if not url: + continue + url_object = URLObject(url, standalone=False) + file_objects.append(url_object) + email_object.add_reference(url_object.uuid, 'includes', 'URL in email body') objects = [email_object.to_json()] if file_objects: diff --git a/misp_modules/modules/import_mod/joe_import.py b/misp_modules/modules/import_mod/joe_import.py index 0753167..ce56698 100644 --- a/misp_modules/modules/import_mod/joe_import.py +++ b/misp_modules/modules/import_mod/joe_import.py @@ -5,9 +5,9 @@ from joe_parser import JoeParser misperrors = {'error': 'Error'} userConfig = { - "Import PE": { + "Import Executable": { "type": "Boolean", - "message": "Import PE Information", + "message": "Import Executable Information (PE, elf or apk for instance)", }, "Mitre Att&ck": { "type": "Boolean", @@ -29,7 +29,7 @@ def handler(q=False): return False q = json.loads(q) config = { - "import_pe": bool(int(q["config"]["Import PE"])), + "import_executable": bool(int(q["config"]["Import Executable"])), "mitre_attack": bool(int(q["config"]["Mitre Att&ck"])), } diff --git a/misp_modules/modules/import_mod/lastline_import.py b/misp_modules/modules/import_mod/lastline_import.py index 37f6249..3307852 100644 --- a/misp_modules/modules/import_mod/lastline_import.py +++ b/misp_modules/modules/import_mod/lastline_import.py @@ -1,5 +1,7 @@ #!/usr/bin/env python3 """ +Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module. + Module (type "import") to import a Lastline report from an analysis link. """ import json diff --git a/misp_modules/modules/import_mod/ocr.py b/misp_modules/modules/import_mod/ocr.py index fef0fd1..2e82cd2 100755 --- a/misp_modules/modules/import_mod/ocr.py +++ b/misp_modules/modules/import_mod/ocr.py @@ -67,7 +67,7 @@ def handler(q=False): image = img.make_blob('png') log.debug("Final image size is {}x{}".format(pdf.width, pdf.height * (p + 1))) else: - image = document + image = base64.b64decode(request["data"]) image_file = BytesIO(image) image_file.seek(0) diff --git a/misp_modules/modules/import_mod/taxii21.py b/misp_modules/modules/import_mod/taxii21.py new file mode 100644 index 0000000..d03b85c --- /dev/null +++ b/misp_modules/modules/import_mod/taxii21.py @@ -0,0 +1,373 @@ +""" +Import content from a TAXII 2.1 server. +""" +import collections +import itertools +import json +import misp_modules.lib.stix2misp +from pathlib import Path +import re +import stix2.v20 +import taxii2client +import taxii2client.exceptions +import requests + + +class ConfigError(Exception): + """ + Represents an error in the config settings for one invocation of this + module. + """ + pass + + +misperrors = {'error': 'Error'} + +moduleinfo = {'version': '0.1', 'author': 'Abc', + 'description': 'Import content from a TAXII 2.1 server', + 'module-type': ['import']} + +mispattributes = { + 'inputSource': [], + 'output': ['MISP objects'], + 'format': 'misp_standard', +} + + +userConfig = { + "url": { + "type": "String", + "message": "A TAXII 2.1 collection URL", + }, + "added_after": { + "type": "String", + "message": "Lower bound on time the object was uploaded to the TAXII server" + }, + "stix_id": { + "type": "String", + "message": "STIX ID(s) of objects" + }, + "spec_version": { # TAXII 2.1 specific + "type": "String", + "message": "STIX version(s) of objects" + }, + "type": { + "type": "String", + "message": "STIX type(s) of objects" + }, + "version": { + "type": "String", + "message": 'Version timestamp(s), or "first"/"last"/"all"' + }, + # Should we give some user control over this? It will not be allowed to + # exceed the admin setting. + "STIX object limit": { + "type": "Integer", + "message": "Maximum number of STIX objects to process" + }, + "username": { + "type": "String", + "message": "Username for TAXII server authentication, if necessary" + }, + "password": { + "type": "String", + "message": "Password for TAXII server authentication, if necessary" + } +} + +# Paging will be handled transparently by this module, so user-defined +# paging-related filtering parameters will not be supported. + + +# This module will not process more than this number of STIX objects in total +# from a TAXII server in one module invocation (across all pages), to limit +# resource consumption. +moduleconfig = [ + "stix_object_limit" +] + + +# In case there is neither an admin nor user setting given. +_DEFAULT_STIX_OBJECT_LIMIT = 1000 + + +# Page size to use when paging TAXII results. Trades off the amount of +# hammering on TAXII servers and overhead of repeated requests, with the +# resource consumption of a single page. (Should be an admin setting too?) +_PAGE_SIZE = 100 + + +_synonymsToTagNames_path = Path(__file__).parent / "../../lib/synonymsToTagNames.json" + + +# Collects module config information necessary to perform the TAXII query. +Config = collections.namedtuple("Config", [ + "url", + "added_after", + "id", + "spec_version", + "type", + "version", + "stix_object_limit", + "username", + "password" +]) + + +def _pymisp_to_json_serializable(obj): + """ + Work around a possible bug with PyMISP's + AbstractMisp.to_dict(json_format=True) method, which doesn't always produce + a JSON-serializable value (i.e. a value which is serializable with the + default JSON encoder). + + :param obj: A PyMISP object + :return: A JSON-serializable version of the object + """ + + # The workaround creates a JSON string and then parses it back to a + # JSON-serializable value. + json_ = obj.to_json() + json_serializable = json.loads(json_) + + return json_serializable + + +def _normalize_multi_values(value): + """ + Some TAXII filters may contain multiple values separated by commas, + without spaces around the commas. Maybe give MISP users a little more + flexibility? This function normalizes a possible multi-valued value + (e.g. multiple values delimited by commas or spaces, all in the same + string) to TAXII-required format. + + :param value: A MISP config value + :return: A normalized value + """ + + if "," in value: + value = re.sub(r"\s*,\s*", ",", value) + else: + # Assume space delimiting; replace spaces with commas. + # I don't think we need to worry about spaces embedded in values. + value = re.sub(r"\s+", ",", value) + + value = value.strip(",") + + return value + + +def _get_config(config): + """ + Combine user, admin, and default config settings to produce a config + object with all settings together. + + :param config: The misp-modules request's "config" value. + :return: A Config object + :raises ConfigError: if any config errors are detected + """ + + # Strip whitespace from all config settings... except for password? + for key, val in config.items(): + if isinstance(val, str) and key != "password": + config[key] = val.strip() + + url = config.get("url") + added_after = config.get("added_after") + id_ = config.get("stix_id") + spec_version = config.get("spec_version") + type_ = config.get("type") + version_ = config.get("version") + username = config.get("username") + password = config.get("password") + admin_stix_object_limit = config.get("stix_object_limit") + user_stix_object_limit = config.get("STIX object limit") + + if admin_stix_object_limit: + admin_stix_object_limit = int(admin_stix_object_limit) + else: + admin_stix_object_limit = _DEFAULT_STIX_OBJECT_LIMIT + + if user_stix_object_limit: + user_stix_object_limit = int(user_stix_object_limit) + stix_object_limit = min(user_stix_object_limit, admin_stix_object_limit) + else: + stix_object_limit = admin_stix_object_limit + + # How much of this should we sanity-check here before passing it off to the + # TAXII client (and thence, to the TAXII server)? + + if not url: + raise ConfigError("A TAXII 2.1 collection URL is required.") + + if admin_stix_object_limit < 1: + raise ConfigError( + "Invalid admin object limit: must be positive: " + + str(admin_stix_object_limit) + ) + + if stix_object_limit < 1: + raise ConfigError( + "Invalid object limit: must be positive: " + + str(stix_object_limit) + ) + + if id_: + id_ = _normalize_multi_values(id_) + if spec_version: + spec_version = _normalize_multi_values(spec_version) + if type_: + type_ = _normalize_multi_values(type_) + if version_: + version_ = _normalize_multi_values(version_) + + # STIX->MISP converter currently only supports STIX 2.0, so let's force + # spec_version="2.0". + if not spec_version: + spec_version = "2.0" + elif spec_version != "2.0": + raise ConfigError('Only spec_version="2.0" is supported for now.') + + if (username and not password) or (not username and password): + raise ConfigError( + 'Both or neither of "username" and "password" are required.' + ) + + config_obj = Config( + url, added_after, id_, spec_version, type_, version_, stix_object_limit, + username, password + ) + + return config_obj + + +def _query_taxii(config): + """ + Query the TAXII server according to the given config, convert the STIX + results to MISP, and return a standard misp-modules response. + + :param config: Module config information as a Config object + :return: A dict containing a misp-modules response + """ + + collection = taxii2client.Collection( + config.url, user=config.username, password=config.password + ) + + # No point in asking for more than our overall limit. + page_size = min(_PAGE_SIZE, config.stix_object_limit) + + kwargs = { + "per_request": page_size + } + + if config.spec_version: + kwargs["spec_version"] = config.spec_version + if config.version: + kwargs["version"] = config.version + if config.id: + kwargs["id"] = config.id + if config.type: + kwargs["type"] = config.type + if config.added_after: + kwargs["added_after"] = config.added_after + + pages = taxii2client.as_pages( + collection.get_objects, + **kwargs + ) + + # Chain all the objects from all pages together... + all_stix_objects = itertools.chain.from_iterable( + taxii_envelope.get("objects", []) + for taxii_envelope in pages + ) + + # And only take the first N objects from that. + limited_stix_objects = itertools.islice( + all_stix_objects, 0, config.stix_object_limit + ) + + # Collect into a list. This is... unfortunate, but I don't think the + # converter will work incrementally (will it?). It expects all objects to + # be given at once. + # + # It may also be desirable to have all objects available at once so that + # cross-references can be made where possible, but it results in increased + # memory usage. + stix_objects = list(limited_stix_objects) + + # The STIX 2.0 converter wants a 2.0 bundle. (Hope the TAXII server isn't + # returning 2.1 objects!) + bundle20 = stix2.v20.Bundle(stix_objects, allow_custom=True) + + converter = misp_modules.lib.stix2misp.ExternalStixParser() + converter.handler( + bundle20, None, [0, "event", str(_synonymsToTagNames_path)] + ) + + attributes = [ + _pymisp_to_json_serializable(attr) + for attr in converter.misp_event.attributes + ] + + objects = [ + _pymisp_to_json_serializable(obj) + for obj in converter.misp_event.objects + ] + + tags = [ + _pymisp_to_json_serializable(tag) + for tag in converter.misp_event.tags + ] + + result = { + "results": { + "Attribute": attributes, + "Object": objects, + "Tag": tags + } + } + + return result + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + + result = None + config = None + + try: + config = _get_config(request["config"]) + except ConfigError as e: + result = misperrors + result["error"] = e.args[0] + + if not result: + try: + result = _query_taxii(config) + except taxii2client.exceptions.TAXIIServiceException as e: + result = misperrors + result["error"] = str(e) + except requests.HTTPError as e: + # Let's give a better error message for auth issues. + if e.response.status_code in (401, 403): + result = misperrors + result["error"] = "Access was denied." + else: + raise + + return result + + +def introspection(): + mispattributes["userConfig"] = userConfig + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/misp_modules/modules/import_mod/vmray_import.py b/misp_modules/modules/import_mod/vmray_import.py index 824c970..8385634 100644 --- a/misp_modules/modules/import_mod/vmray_import.py +++ b/misp_modules/modules/import_mod/vmray_import.py @@ -6,8 +6,6 @@ Import VMRay results. This version supports import from different analyze jobs, starting from one sample (the supplied sample_id). -Requires "vmray_rest_api" - The expansion module vmray_submit and import module vmray_import are a two step process to import data from VMRay. You can automate this by setting the PyMISP example script 'vmray_automation' @@ -17,378 +15,72 @@ as a cron job import json -from ._vmray.vmray_rest_api import VMRayRESTAPI +from _vmray.parser import VMRayParser, VMRayParseError + misperrors = {'error': 'Error'} -inputSource = [] -moduleinfo = {'version': '0.2', 'author': 'Koen Van Impe', - 'description': 'Import VMRay results', + +moduleinfo = {'version': '0.4', 'author': 'Jens Thom (VMRay), Koen van Impe', + 'description': 'Import VMRay analysis results from a server', 'module-type': ['import']} -userConfig = {'include_analysisid': {'type': 'Boolean', - 'message': 'Include link to VMRay analysis' - }, - 'include_analysisdetails': {'type': 'Boolean', - 'message': 'Include (textual) analysis details' - }, - 'include_vtidetails': {'type': 'Boolean', - 'message': 'Include VMRay Threat Identifier (VTI) rules' - }, - 'include_imphash_ssdeep': {'type': 'Boolean', - 'message': 'Include imphash and ssdeep' - }, - 'include_extracted_files': {'type': 'Boolean', - 'message': 'Include extracted files section' - }, - 'sample_id': {'type': 'Integer', - 'errorMessage': 'Expected a sample ID', - 'message': 'The VMRay sample_id' - } - } +mispattributes = { + 'inputSource': [], + 'output': ['MISP objects'], + 'format': 'misp_standard', +} -moduleconfig = ['apikey', 'url', 'wait_period'] +userConfig = { + "Sample ID": { + "type": "Integer", + "errorMessage": "The VMRay sample ID to download the reports", + }, + "VTI": { + "type": "Boolean", + "message": "Include VMRay Threat Identifiers", + "checked": "True" + }, + "IOCs": { + "type": "Boolean", + "message": "Include IOCs", + "checked": "True" + }, + "Artifacts": { + "type": "Boolean", + "message": "Include other Artifacts", + }, + "Analysis Details": { + "type": "Boolean", + "message": "Include Analysis Details", + "checked": "True" + } +} + +moduleconfig = ["apikey", "url", "disable_tags", "disable_misp_objects", "ignore_analysis_finished"] def handler(q=False): - global include_analysisid, include_imphash_ssdeep, include_extracted_files, include_analysisdetails, include_vtidetails, include_static_to_ids - if q is False: return False request = json.loads(q) - include_analysisid = bool(int(request["config"].get("include_analysisid"))) - include_imphash_ssdeep = bool(int(request["config"].get("include_imphash_ssdeep"))) - include_extracted_files = bool(int(request["config"].get("include_extracted_files"))) - include_analysisdetails = bool(int(request["config"].get("include_extracted_files"))) - include_vtidetails = bool(int(request["config"].get("include_vtidetails"))) - include_static_to_ids = True - - # print("include_analysisid: %s include_imphash_ssdeep: %s include_extracted_files: %s include_analysisdetails: %s include_vtidetails: %s" % ( include_analysisid, include_imphash_ssdeep, include_extracted_files, include_analysisdetails, include_vtidetails)) - - sample_id = int(request["config"].get("sample_id")) - - if (request["config"].get("apikey") is None) or (request["config"].get("url") is None): - misperrors["error"] = "Missing API key or server URL (hint: try cloud.vmray.com)" + parser = VMRayParser() + try: + parser.from_api(request["config"]) + parser.parse() + except VMRayParseError as exc: + misperrors["error"] = str(exc) return misperrors - if sample_id > 0: - try: - api = VMRayRESTAPI(request["config"].get("url"), request["config"].get("apikey"), False) - vmray_results = {'results': []} - - # Get all information on the sample, returns a set of finished analyze jobs - data = vmrayGetInfoAnalysis(api, sample_id) - if data["data"]: - for analysis in data["data"]: - analysis_id = int(analysis["analysis_id"]) - if analysis_id > 0: - # Get the details for an analyze job - analysis_data = vmrayDownloadAnalysis(api, analysis_id) - - if analysis_data: - if include_analysisdetails and "analysis_details" in analysis_data: - analysis_details = vmrayAnalysisDetails(analysis_data["analysis_details"], analysis_id) - if analysis_details and len(analysis_details["results"]) > 0: - vmray_results = {'results': vmray_results["results"] + analysis_details["results"]} - - if "classifications" in analysis_data: - classifications = vmrayClassifications(analysis_data["classifications"], analysis_id) - if classifications and len(classifications["results"]) > 0: - vmray_results = {'results': vmray_results["results"] + classifications["results"]} - - if include_extracted_files and "extracted_files" in analysis_data: - extracted_files = vmrayExtractedfiles(analysis_data["extracted_files"]) - if extracted_files and len(extracted_files["results"]) > 0: - vmray_results = {'results': vmray_results["results"] + extracted_files["results"]} - - if include_vtidetails and "vti" in analysis_data: - vti = vmrayVti(analysis_data["vti"]) - if vti and len(vti["results"]) > 0: - vmray_results = {'results': vmray_results["results"] + vti["results"]} - - if "artifacts" in analysis_data: - artifacts = vmrayArtifacts(analysis_data["artifacts"]) - if artifacts and len(artifacts["results"]) > 0: - vmray_results = {'results': vmray_results["results"] + artifacts["results"]} - - if include_analysisid: - a_id = {'results': []} - url1 = request["config"].get("url") + "/user/analysis/view?from_sample_id=%u" % sample_id - url2 = "&id=%u" % analysis_id - url3 = "&sub=%2Freport%2Foverview.html" - a_id["results"].append({"values": url1 + url2 + url3, "types": "link"}) - vmray_results = {'results': vmray_results["results"] + a_id["results"]} - - # Clean up (remove doubles) - if len(vmray_results["results"]) > 0: - vmray_results = vmrayCleanup(vmray_results) - return vmray_results - else: - misperrors['error'] = "No vti_results returned or jobs not finished" - return misperrors - else: - if "result" in data: - if data["result"] == "ok": - return vmray_results - - # Fallback - misperrors['error'] = "Unable to fetch sample id %u" % (sample_id) - return misperrors - except Exception as e: # noqa - misperrors['error'] = "Unable to access VMRay API : %s" % (e) - return misperrors - else: - misperrors['error'] = "Not a valid sample id" - return misperrors + event = parser.to_json() + return event def introspection(): - modulesetup = {} - try: - userConfig - modulesetup['userConfig'] = userConfig - except NameError: - pass - try: - inputSource - modulesetup['inputSource'] = inputSource - except NameError: - pass - return modulesetup + mispattributes["userConfig"] = userConfig + return mispattributes def version(): moduleinfo['config'] = moduleconfig return moduleinfo - - -def vmrayGetInfoAnalysis(api, sample_id): - ''' Get information from a sample, returns a set of analyzed reports''' - - if sample_id: - data = api.call("GET", "/rest/analysis/sample/%u" % (sample_id), raw_data=True) - return json.loads(data.read().decode()) - else: - return False - - -def vmrayDownloadAnalysis(api, analysis_id): - ''' Get the details from an analysis''' - if analysis_id: - try: - data = api.call("GET", "/rest/analysis/%u/archive/logs/summary.json" % (analysis_id), raw_data=True) - return json.loads(data.read().decode()) - except Exception as e: # noqa - misperrors['error'] = "Unable to download summary.json for analysis %s" % (analysis_id) - return misperrors - else: - return False - - -def vmrayVti(vti): - '''VMRay Threat Identifier (VTI) rules that matched for this analysis''' - - if vti: - r = {'results': []} - for rule in vti: - if rule == "vti_rule_matches": - vti_rule = vti["vti_rule_matches"] - for el in vti_rule: - if "operation_desc" in el: - comment = "" - types = ["text"] - values = el["operation_desc"] - r['results'].append({'types': types, 'values': values, 'comment': comment}) - - return r - - else: - return False - - -def vmrayExtractedfiles(extracted_files): - ''' Information about files which were extracted during the analysis, such as files that were created, modified, or embedded by the malware''' - - if extracted_files: - r = {'results': []} - - for file in extracted_files: - if "file_type" and "norm_filename" in file: - comment = "%s - %s" % (file["file_type"], file["norm_filename"]) - else: - comment = "" - - if "norm_filename" in file: - attr_filename_c = file["norm_filename"].rsplit("\\", 1) - if len(attr_filename_c) > 1: - attr_filename = attr_filename_c[len(attr_filename_c) - 1] - else: - attr_filename = "vmray_sample" - else: - attr_filename = "vmray_sample" - - if "md5_hash" in file and file["md5_hash"] is not None: - r['results'].append({'types': ["filename|md5"], 'values': '{}|{}'.format(attr_filename, file["md5_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if include_imphash_ssdeep and "imp_hash" in file and file["imp_hash"] is not None: - r['results'].append({'types': ["filename|imphash"], 'values': '{}|{}'.format(attr_filename, file["imp_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if "sha1_hash" in file and file["sha1_hash"] is not None: - r['results'].append({'types': ["filename|sha1"], 'values': '{}|{}'.format(attr_filename, file["sha1_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if "sha256_hash" in file and file["sha256_hash"] is not None: - r['results'].append({'types': ["filename|sha256"], 'values': '{}|{}'.format(attr_filename, file["sha256_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if include_imphash_ssdeep and "ssdeep_hash" in file and file["ssdeep_hash"] is not None: - r['results'].append({'types': ["filename|ssdeep"], 'values': '{}|{}'.format(attr_filename, file["ssdeep_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - - return r - - else: - return False - - -def vmrayClassifications(classification, analysis_id): - ''' List the classifications, tag them on a "text" attribute ''' - - if classification: - r = {'results': []} - types = ["text"] - comment = "" - values = "Classification : %s " % (", ".join(str(x) for x in classification)) - r['results'].append({'types': types, 'values': values, 'comment': comment}) - - return r - - else: - return False - - -def vmrayAnalysisDetails(details, analysis_id): - ''' General information about the analysis information ''' - - if details: - r = {'results': []} - types = ["text"] - comment = "" - if "execution_successful" in details: - values = "Analysis %s : execution_successful : %s " % (analysis_id, str(details["execution_successful"])) - r['results'].append({'types': types, 'values': values, 'comment': comment}) - if "termination_reason" in details: - values = "Analysis %s : termination_reason : %s " % (analysis_id, str(details["termination_reason"])) - r['results'].append({'types': types, 'values': values, 'comment': comment}) - if "result_str" in details: - values = "Analysis %s : result : %s " % (analysis_id, details["result_str"]) - r['results'].append({'types': types, 'values': values, 'comment': comment}) - - return r - - else: - return False - - -def vmrayArtifacts(patterns): - ''' IOCs that were seen during the analysis ''' - - if patterns: - r = {'results': []} - y = {'results': []} - - for pattern in patterns: - if pattern == "domains": - for el in patterns[pattern]: - values = el["domain"] - types = ["domain", "hostname"] - if "sources" in el: - sources = el["sources"] - comment = "Found in: " + ", ".join(str(x) for x in sources) - else: - comment = "" - r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids}) - if pattern == "files": - for el in patterns[pattern]: - filename_values = el["filename"] - attr_filename_c = filename_values.rsplit("\\", 1) - if len(attr_filename_c) > 1: - attr_filename = attr_filename_c[len(attr_filename_c) - 1] - else: - attr_filename = "" - filename_types = ["filename"] - filename_operations = el["operations"] - comment = "File operations: " + ", ".join(str(x) for x in filename_operations) - r['results'].append({'types': filename_types, 'values': filename_values, 'comment': comment}) - - # Run through all hashes - if "hashes" in el: - for hash in el["hashes"]: - if "md5_hash" in hash and hash["md5_hash"] is not None: - r['results'].append({'types': ["filename|md5"], 'values': '{}|{}'.format(attr_filename, hash["md5_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if include_imphash_ssdeep and "imp_hash" in hash and hash["imp_hash"] is not None: - r['results'].append({'types': ["filename|imphash"], 'values': '{}|{}'.format(attr_filename, hash["imp_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if "sha1_hash" in hash and hash["sha1_hash"] is not None: - r['results'].append({'types': ["filename|sha1"], 'values': '{}|{}'.format(attr_filename, hash["sha1_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if "sha256_hash" in hash and hash["sha256_hash"] is not None: - r['results'].append({'types': ["filename|sha256"], 'values': '{}|{}'.format(attr_filename, hash["sha256_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if include_imphash_ssdeep and "ssdeep_hash" in hash and hash["ssdeep_hash"] is not None: - r['results'].append({'types': ["filename|ssdeep"], 'values': '{}|{}'.format(attr_filename, hash["ssdeep_hash"]), 'comment': comment, 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': include_static_to_ids}) - if pattern == "ips": - for el in patterns[pattern]: - values = el["ip_address"] - types = ["ip-dst"] - if "sources" in el: - sources = el["sources"] - comment = "Found in: " + ", ".join(str(x) for x in sources) - else: - comment = "" - - r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids}) - if pattern == "mutexes": - for el in patterns[pattern]: - values = el["mutex_name"] - types = ["mutex"] - if "operations" in el: - sources = el["operations"] - comment = "Operations: " + ", ".join(str(x) for x in sources) - else: - comment = "" - - r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids}) - if pattern == "registry": - for el in patterns[pattern]: - values = el["reg_key_name"] - types = ["regkey"] - include_static_to_ids_tmp = include_static_to_ids - if "operations" in el: - sources = el["operations"] - if sources == ["access"]: - include_static_to_ids_tmp = False - comment = "Operations: " + ", ".join(str(x) for x in sources) - else: - comment = "" - - r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids_tmp}) - if pattern == "urls": - for el in patterns[pattern]: - values = el["url"] - types = ["url"] - if "operations" in el: - sources = el["operations"] - comment = "Operations: " + ", ".join(str(x) for x in sources) - else: - comment = "" - - r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids}) - - # Remove doubles - for el in r["results"]: - if el not in y["results"]: - y["results"].append(el) - return y - - else: - return False - - -def vmrayCleanup(x): - ''' Remove doubles''' - y = {'results': []} - for el in x["results"]: - if el not in y["results"]: - y["results"].append(el) - return y diff --git a/misp_modules/modules/import_mod/vmray_summary_json_import.py b/misp_modules/modules/import_mod/vmray_summary_json_import.py new file mode 100644 index 0000000..e7f4985 --- /dev/null +++ b/misp_modules/modules/import_mod/vmray_summary_json_import.py @@ -0,0 +1,80 @@ +import json + +from _vmray.parser import VMRayParser, VMRayParseError + + +misperrors = {'error': 'Error'} + +moduleconfig = ["disable_tags"] + +moduleinfo = { + "version": "0.1", + "author": "VMRay", + "description": "Import a VMRay Summary JSON report.", + "module-type": ["import"], +} + +mispattributes = { + "inputSource": ["file"], + "output": ["MISP objects", "MISP attributes"], + "format": "misp_standard", +} + +user_config = { + "Analysis ID": { + "type": "Boolean", + "message": "Include Analysis ID", + "checked": "True" + }, + "VTI": { + "type": "Boolean", + "message": "Include VMRay Threat Identifiers", + "checked": "True" + }, + "IOCs": { + "type": "Boolean", + "message": "Include IOCs", + "checked": "True" + }, + "Artifacts": { + "type": "Boolean", + "message": "Include other Artifacts", + }, + "Analysis Details": { + "type": "Boolean", + "message": "Include Analysis Details", + }, + "Attach Report": { + "type": "Boolean", + "message": "Include the original imported file as attachment", + } +} + + +def handler(q=False): + # In case there's no data + if q is False: + return False + + q = json.loads(q) + + parser = VMRayParser() + try: + parser.from_base64_string(q["config"], q["data"], q["filename"]) + parser.parse() + except VMRayParseError as exc: + misperrors["error"] = str(exc) + return misperrors + + event = parser.to_json() + return event + + +def introspection(): + mispattributes["userConfig"] = user_config + return mispattributes + + +def version(): + moduleinfo["config"] = moduleconfig + return moduleinfo diff --git a/mkdocs.yml b/mkdocs.yml index be23ba7..ea06ad7 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -16,19 +16,18 @@ edit_uri: "" use_directory_urls: true # Copyright -copyright: "Copyright © 2019 MISP Project" +copyright: "Copyright © 2019-2022 MISP Project" # Options extra: search: languages: "en" social: - - type: globe - link: https://www.misp-project.org/ - - type: github-alt - link: https://github.com/MISP - - type: twitter - link: https://twitter.com/MISPProject + - icon: fontawesome/brands/twitter + link: https://twitter.com/MISPProject + - icon: fontawesome/brands/github-alt + link: https://github.com/MISP + theme: name: material diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 0000000..b0471b7 --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,3 @@ +[build-system] +requires = ["setuptools", "wheel"] +build-backend = "setuptools.build_meta:__legacy__" \ No newline at end of file diff --git a/setup.py b/setup.py index 55ed8b7..ea55174 100644 --- a/setup.py +++ b/setup.py @@ -25,6 +25,7 @@ setup( install_requires=[ 'tornado', 'psutil', - 'redis>=3' + 'redis>=3', + 'pyparsing==2.4.7' ], ) diff --git a/tests/expansion_configs.json b/tests/expansion_configs.json new file mode 100644 index 0000000..8056ec8 --- /dev/null +++ b/tests/expansion_configs.json @@ -0,0 +1,10 @@ +{ + "censys_enrich": { + "api_id" : "", + "api_secret": "" + }, + "crowdstrike_falcon": { + "api_id" : "", + "apikey": "" + } +} \ No newline at end of file diff --git a/tests/test_expansions.py b/tests/test_expansions.py index b853c25..0a7bcf7 100644 --- a/tests/test_expansions.py +++ b/tests/test_expansions.py @@ -8,6 +8,7 @@ from base64 import b64encode import json import os +LiveCI = True class TestExpansions(unittest.TestCase): @@ -64,6 +65,8 @@ class TestExpansions(unittest.TestCase): if not isinstance(data, dict): print(json.dumps(data, indent=2)) return data + if 'results' not in data: + return data for result in data['results']: values = result['values'] if values: @@ -97,18 +100,28 @@ class TestExpansions(unittest.TestCase): self.assertEqual(self.get_errors(response), 'An API key for APIVoid is required.') def test_bgpranking(self): - query = {"module": "bgpranking", "AS": "13335"} + query = { + "module": "bgpranking", + "attribute": { + "type": "AS", + "value": "13335", + "uuid": "ea89a33b-4ab7-4515-9f02-922a0bee333d" + } + } response = self.misp_modules_post(query) - self.assertEqual(self.get_values(response)['response']['asn_description'], 'CLOUDFLARENET, US') + self.assertEqual(self.get_object(response), 'asn') def test_btc_steroids(self): + if LiveCI: + return True + query = {"module": "btc_steroids", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"} response = self.misp_modules_post(query) try: self.assertTrue(self.get_values(response).startswith('\n\nAddress:\t1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA\nBalance:\t0.0002126800 BTC (+0.0007482500 BTC / -0.0005355700 BTC)')) except Exception: - self.assertEqual(self.get_values(response), 'Not a valid BTC address, or Balance has changed') + self.assertTrue(self.get_values(response).startswith('Not a valid BTC address')) def test_btc_scam_check(self): query = {"module": "btc_scam_check", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"} @@ -137,7 +150,7 @@ class TestExpansions(unittest.TestCase): module_name = "circl_passivessl" query = {"module": module_name, "attribute": {"type": "ip-dst", - "value": "149.13.33.14", + "value": "185.194.93.14", "uuid": "ea89a33b-4ab7-4515-9f02-922a0bee333d"}, "config": {}} if module_name in self.configs: @@ -192,7 +205,7 @@ class TestExpansions(unittest.TestCase): def test_dns(self): query = {"module": "dns", "hostname": "www.circl.lu", "config": {"nameserver": "8.8.8.8"}} response = self.misp_modules_post(query) - self.assertEqual(self.get_values(response), '149.13.33.14') + self.assertEqual(self.get_values(response), '185.194.93.14') def test_docx(self): filename = 'test.docx' @@ -202,6 +215,25 @@ class TestExpansions(unittest.TestCase): response = self.misp_modules_post(query) self.assertEqual(self.get_values(response), '\nThis is an basic test docx file. ') + def test_censys(self): + module_name = "censys_enrich" + query = { + "attribute": {"type" : "ip-dst", "value": "8.8.8.8", "uuid": ""}, + "module": module_name, + "config": {} + } + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + + if self.configs[module_name].get('api_id') == '': + self.assertTrue(self.get_errors(response).startswith('ERROR: param ')) + else: + self.assertGreaterEqual(len(response.json().get('results', {}).get('Attribute')), 1) + else: + response = self.misp_modules_post(query) + self.assertTrue(self.get_errors(response).startswith('Please provide config options')) + def test_farsight_passivedns(self): module_name = 'farsight_passivedns' if module_name in self.configs: @@ -214,27 +246,60 @@ class TestExpansions(unittest.TestCase): try: self.assertIn(result, self.get_values(response)) except Exception: - self.assertTrue(self.get_errors(response).startwith('Something went wrong')) + self.assertTrue(self.get_errors(response).startswith('Something went wrong')) else: query = {"module": module_name, "ip-src": "8.8.8.8"} response = self.misp_modules_post(query) self.assertEqual(self.get_errors(response), 'Farsight DNSDB apikey is missing') def test_haveibeenpwned(self): + module_name = 'hibp' query = {"module": "hibp", "email-src": "info@circl.lu"} response = self.misp_modules_post(query) - to_check = self.get_values(response) - if to_check == "haveibeenpwned.com API not accessible (HTTP 401)": - self.skipTest(f"haveibeenpwned blocks travis IPs: {response}") - self.assertEqual(to_check, 'OK (Not Found)', response) + if module_name in self.configs: + to_check = self.get_values(response) + if to_check == "haveibeenpwned.com API not accessible (HTTP 401)": + self.skipTest(f"haveibeenpwned blocks travis IPs: {response}") + self.assertEqual(to_check, 'OK (Not Found)', response) + else: + self.assertEqual(self.get_errors(response), 'Have I Been Pwned authentication is incomplete (no API key)') + + def test_hyasinsight(self): + module_name = "hyasinsight" + query = {"module": module_name, + "attribute": {"type": "phone-number", + "value": "+84853620279", + "uuid": "b698dc2b-94c1-487d-8b65-3114bad5a40c"}, + "config": {}} + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + self.assertEqual(self.get_values(response)['domain'], 'tienichphongnet.com') + else: + response = self.misp_modules_post(query) + self.assertEqual(self.get_errors(response), 'HYAS Insight apikey is missing') def test_greynoise(self): - query = {"module": "greynoise", "ip-dst": "1.1.1.1"} - response = self.misp_modules_post(query) - value = self.get_values(response) - if value != 'GreyNoise API not accessible (HTTP 429)': - self.assertTrue(value.startswith('{"ip":"1.1.1.1","status":"ok"')) + module_name = 'greynoise' + query = {"module": module_name, "ip-dst": "1.1.1.1"} + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + try: + self.assertEqual(self.get_values(response), 'This IP is commonly spoofed in Internet-scan activity') + except Exception: + self.assertIn( + self.get_errors(response), + ( + "Unauthorized. Please check your API key.", + "Too many requests. You've hit the rate-limit." + ) + ) + else: + response = self.misp_modules_post(query) + self.assertEqual(self.get_errors(response), 'Missing Greynoise API key.') + @unittest.skip("Service doesn't work") def test_ipasn(self): query = {"module": "ipasn", "attribute": {"type": "ip-src", @@ -243,6 +308,22 @@ class TestExpansions(unittest.TestCase): response = self.misp_modules_post(query) self.assertEqual(self.get_object(response), 'asn') + def test_ipqs_fraud_and_risk_scoring(self): + module_name = "ipqs_fraud_and_risk_scoring" + query = {"module": module_name, + "attribute": {"type": "email", + "value": "noreply@ipqualityscore.com", + "uuid": "ea89a33b-4ab7-4515-9f02-922a0bee333d"}, + "config": {}} + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + self.assertEqual(self.get_values(response)['message'], 'Success.') + else: + response = self.misp_modules_post(query) + self.assertEqual(self.get_errors(response), 'IPQualityScore apikey is missing') + + def test_macaddess_io(self): module_name = 'macaddress_io' query = {"module": module_name, "mac-address": "44:38:39:ff:ef:57"} @@ -265,7 +346,7 @@ class TestExpansions(unittest.TestCase): encoded = b64encode(f.read()).decode() query = {"module": "ocr_enrich", "attachment": filename, "data": encoded} response = self.misp_modules_post(query) - self.assertEqual(self.get_values(response), 'Threat Sharing') + self.assertEqual(self.get_values(response).strip('\n'), 'Threat Sharing') def test_ods(self): filename = 'test.ods' @@ -273,7 +354,7 @@ class TestExpansions(unittest.TestCase): encoded = b64encode(f.read()).decode() query = {"module": "ods_enrich", "attachment": filename, "data": encoded} response = self.misp_modules_post(query) - self.assertEqual(self.get_values(response), '\n column_0\n0 ods test') + self.assertEqual(self.get_values(response), '\n column.0\n0 ods test') def test_odt(self): filename = 'test.odt' @@ -285,6 +366,8 @@ class TestExpansions(unittest.TestCase): def test_onyphe(self): module_name = "onyphe" + if LiveCI: + return True query = {"module": module_name, "ip-src": "8.8.8.8"} if module_name in self.configs: query["config"] = self.configs[module_name] @@ -299,6 +382,8 @@ class TestExpansions(unittest.TestCase): def test_onyphe_full(self): module_name = "onyphe_full" + if LiveCI: + return True query = {"module": module_name, "ip-src": "8.8.8.8"} if module_name in self.configs: query["config"] = self.configs[module_name] @@ -311,6 +396,7 @@ class TestExpansions(unittest.TestCase): response = self.misp_modules_post(query) self.assertEqual(self.get_errors(response), 'Onyphe authentication is missing') + @unittest.skip("Unreliable results") def test_otx(self): query_types = ('domain', 'ip-src', 'md5') query_values = ('circl.lu', '8.8.8.8', '616eff3e9a7575ae73821b4668d2801c') @@ -328,12 +414,12 @@ class TestExpansions(unittest.TestCase): def test_passivetotal(self): module_name = "passivetotal" - query = {"module": module_name, "ip-src": "149.13.33.14", "config": {}} + query = {"module": module_name, "ip-src": "185.194.93.14", "config": {}} if module_name in self.configs: query["config"] = self.configs[module_name] response = self.misp_modules_post(query) try: - self.assertEqual(self.get_values(response), 'circl.lu') + self.assertIn('www.circl.lu', response.json()['results'][0]['values']) except Exception: self.assertIn(self.get_errors(response), ('We hit an error, time to bail!', 'API quota exceeded.')) else: @@ -374,10 +460,12 @@ class TestExpansions(unittest.TestCase): self.assertEqual(self.get_errors(response), "Ransomcoindb API key is missing") def test_rbl(self): + if LiveCI: + return True query = {"module": "rbl", "ip-src": "8.8.8.8"} response = self.misp_modules_post(query) try: - self.assertTrue(self.get_values(response).startswith('8.8.8.8.query.senderbase.org: "0-0=1|1=GOOGLE')) + self.assertTrue(self.get_values(response).startswith('8.8.8.8.bl.spamcannibal.org')) except Exception: self.assertEqual(self.get_errors(response), "No data found by querying known RBLs") @@ -406,11 +494,18 @@ class TestExpansions(unittest.TestCase): def test_shodan(self): module_name = "shodan" - query = {"module": module_name, "ip-src": "149.13.33.14"} + query = { + "module": module_name, + "attribute": { + "uuid": "a21aae0c-7426-4762-9b79-854314d69059", + "type": "ip-src", + "value": "149.13.33.14" + } + } if module_name in self.configs: query['config'] = self.configs[module_name] response = self.misp_modules_post(query) - self.assertIn("circl.lu", self.get_values(response)) + self.assertEqual(self.get_object(response), 'ip-api-address') else: response = self.misp_modules_post(query) self.assertEqual(self.get_errors(response), 'Shodan authentication is missing') @@ -430,23 +525,45 @@ class TestExpansions(unittest.TestCase): query = {"module": "sourcecache", "link": input_value} response = self.misp_modules_post(query) self.assertEqual(self.get_values(response), input_value) - self.assertTrue(self.get_data(response).startswith('PCFET0NUWVBFIEhUTUw+CjwhLS0KCUFyY2FuYSBieSBIVE1MN')) + self.assertTrue(self.get_data(response)) def test_stix2_pattern_validator(self): query = {"module": "stix2_pattern_syntax_validator", "stix2-pattern": "[ipv4-addr:value = '8.8.8.8']"} response = self.misp_modules_post(query) self.assertEqual(self.get_values(response), 'Syntax valid') - def test_threatcrowd(self): + if LiveCI: + return True query_types = ('domain', 'ip-src', 'md5', 'whois-registrant-email') - query_values = ('circl.lu', '149.13.33.4', '616eff3e9a7575ae73821b4668d2801c', 'hostmaster@eurodns.com') - results = ('149.13.33.14', 'cve.circl.lu', 'devilreturns.com', 'navabi.lu') + query_values = ('circl.lu', '149.13.33.14', '616eff3e9a7575ae73821b4668d2801c', 'hostmaster@eurodns.com') + results = ('149.13.33.4', 'cve.circl.lu', 'devilreturns.com', 'navabi.lu') for query_type, query_value, result in zip(query_types, query_values, results): query = {"module": "threatcrowd", query_type: query_value} response = self.misp_modules_post(query) self.assertTrue(self.get_values(response), result) + def test_crowdstrike(self): + module_name = "crowdstrike_falcon" + query = { + "attribute": {"type": "sha256", "value": "", "uuid": ""}, + "module": module_name, + "config": {} + } + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + + if self.configs[module_name].get('api_id') == '': + self.assertTrue(self.get_errors(response).startswith('HTTP Error:')) + else: + self.assertGreaterEqual(len(response.json().get('results', {}).get('Attribute')), 1) + else: + response = self.misp_modules_post(query) + self.assertTrue(self.get_errors(response).startswith('CrowdStrike apikey is missing')) + def test_threatminer(self): + if LiveCI: + return True query_types = ('domain', 'ip-src', 'md5') query_values = ('circl.lu', '149.13.33.4', 'b538dbc6160ef54f755a540e06dc27cd980fc4a12005e90b3627febb44a1a90f') results = ('149.13.33.14', 'f6ecb9d5c21defb1f622364a30cb8274f817a1a2', 'http://www.circl.lu/') @@ -489,16 +606,33 @@ class TestExpansions(unittest.TestCase): def test_virustotal_public(self): module_name = "virustotal_public" - query_types = ('domain', 'ip-src', 'sha256', 'url') - query_values = ('circl.lu', '149.13.33.14', - 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3', - 'http://194.169.88.56:49151/.i') + attributes = ( + { + "uuid": "ffea0594-355a-42fe-9b98-fad28fd248b3", + "type": "domain", + "value": "circl.lu" + }, + { + "uuid": "1f3f0f2d-5143-4b05-a0f1-8ac82f51a979", + "type": "ip-src", + "value": "149.13.33.14" + }, + { + "uuid": "b4be6652-f4ff-4515-ae63-3f016df37e8f", + "type": "sha256", + "value": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3" + }, + { + "uuid": "6cead544-b683-48cb-b19b-a2561ffa1f51", + "type": "url", + "value": "http://194.169.88.56:49151/.i" + } + ) results = ('whois', 'asn', 'file', 'virustotal-report') if module_name in self.configs: - for query_type, query_value, result in zip(query_types, query_values, results): + for attribute, result in zip(attributes, results): query = {"module": module_name, - "attribute": {"type": query_type, - "value": query_value}, + "attribute": attribute, "config": self.configs[module_name]} response = self.misp_modules_post(query) try: @@ -506,24 +640,42 @@ class TestExpansions(unittest.TestCase): except Exception: self.assertEqual(self.get_errors(response), "VirusTotal request rate limit exceeded.") else: - query = {"module": module_name, - "attribute": {"type": query_types[0], - "value": query_values[0]}} + query = { + "module": module_name, + "attribute": attributes[0] + } response = self.misp_modules_post(query) self.assertEqual(self.get_errors(response), "A VirusTotal api key is required for this module.") def test_virustotal(self): module_name = "virustotal" - query_types = ('domain', 'ip-src', 'sha256', 'url') - query_values = ('circl.lu', '149.13.33.14', - 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3', - 'http://194.169.88.56:49151/.i') + attributes = ( + { + "uuid": "ffea0594-355a-42fe-9b98-fad28fd248b3", + "type": "domain", + "value": "circl.lu" + }, + { + "uuid": "1f3f0f2d-5143-4b05-a0f1-8ac82f51a979", + "type": "ip-src", + "value": "149.13.33.14" + }, + { + "uuid": "b4be6652-f4ff-4515-ae63-3f016df37e8f", + "type": "sha256", + "value": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3" + }, + { + "uuid": "6cead544-b683-48cb-b19b-a2561ffa1f51", + "type": "url", + "value": "http://194.169.88.56:49151/.i" + } + ) results = ('domain-ip', 'asn', 'virustotal-report', 'virustotal-report') if module_name in self.configs: - for query_type, query_value, result in zip(query_types, query_values, results): + for attribute, result in zip(attributes, results): query = {"module": module_name, - "attribute": {"type": query_type, - "value": query_value}, + "attribute": attribute, "config": self.configs[module_name]} response = self.misp_modules_post(query) try: @@ -531,9 +683,10 @@ class TestExpansions(unittest.TestCase): except Exception: self.assertEqual(self.get_errors(response), "VirusTotal request rate limit exceeded.") else: - query = {"module": module_name, - "attribute": {"type": query_types[0], - "value": query_values[0]}} + query = { + "module": module_name, + "attribute": attributes[0] + } response = self.misp_modules_post(query) self.assertEqual(self.get_errors(response), "A VirusTotal api key is required for this module.") @@ -582,6 +735,8 @@ class TestExpansions(unittest.TestCase): self.assertEqual(self.get_errors(response), "An API authentication is required (key and password).") def test_xlsx(self): + if LiveCI: + return True filename = 'test.xlsx' with open(f'{self.dirname}/test_files/{filename}', 'rb') as f: encoded = b64encode(f.read()).decode()