From 8cc4774be5623167efa14e0e6392b45bdb59df9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maik=20W=C3=BCrth?=
Date: Fri, 10 Mar 2023 15:48:28 +0100
Subject: [PATCH] Export object attributes with Defender export module.

---
 .../modules/export_mod/defender_endpoint_export.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py
index 1c36efb..662f11d 100755
--- a/misp_modules/modules/export_mod/defender_endpoint_export.py
+++ b/misp_modules/modules/export_mod/defender_endpoint_export.py
@@ -8,7 +8,7 @@ import json
 misperrors = {"error": "Error"}
-types_to_use = ['sha1', 'md5', 'domain', 'ip', 'url']
+types_to_use = ['sha256', 'sha1', 'md5', 'domain', 'ip', 'url']
 userConfig = {
@@ -25,6 +25,12 @@ moduleinfo = {'version': '1.0',
 'author': 'Julien Bachmann, Hacknowledge',
 'module-type': ['export']}
+def handle_sha256(value, period):
+ query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
+ where SHA256 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
+ return query.replace('\n', ' ')
+
+
 def handle_sha1(value, period):
 query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
 where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
@@ -56,6 +62,7 @@ def handle_url(value, period):
 handlers = {
+ 'sha256': handle_sha256,
 'sha1': handle_sha1,
 'md5': handle_md5,
 'domain': handle_domain,
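Review bot: The new handle_sha256 query compares the value against `InitiatingProcessSHA1`, which looks like a copy-paste from handle_sha1 directly below it; a 64-character SHA-256 digest can never equal a SHA-1 column, so the initiating-process half of the `or` is dead and the line should read `where SHA256 == '{value}' or InitiatingProcessSHA256 == '{value}'"""` (the Defender advanced-hunting tables listed expose InitiatingProcessSHA256 alongside SHA256). Separately, `value` is interpolated into the KQL string without any validation, so an attribute value in a shared event that is not a plain hex digest changes the structure of the generated hunt rather than just its literal; checking the digest before formatting, e.g. `if not re.fullmatch(r'[0-9a-fA-F]{64}', value): raise ValueError('invalid sha256 attribute')`, keeps the export limited to well-formed queries (this needs `re` imported, which the hunk does not show, and the same unvalidated interpolation exists in the pre-existing handlers, so a shared helper would be cleaner). `period` is accepted but unused here, as in handle_sha1; a short docstring saying the handler returns a single-line KQL `find` statement over the four device tables would also help.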
@@ -75,6 +82,10 @@ def handler(q=False):
 for attribute in event["Attribute"]:
 if attribute['type'] in types_to_use:
 output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
+ for obj in event["Object"]
+ for attribute in obj["Attribute"]:
+ if attribute['type'] in types_to_use:
+ output = output + handlers[attribute['type']](attribute['value'], config['Period']) + '\n'
 r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
 return r
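Review bot: `for obj in event["Object"]` is missing its trailing colon, so this hunk is a SyntaxError and the whole module will fail to import; the line should be `for obj in event.get("Object", []):`, which also avoids a KeyError for events whose JSON carries no Object key (I am inferring that the key can be absent; confirm against the event format this module receives). The added loop reuses the name `attribute` from the outer loop at the same level, which is harmless but reads confusingly; `obj_attribute` would keep the two passes distinct. The enclosing `handler` function starts before this hunk, and its indentation is not recoverable from the collapsed patch, so check the nesting of the added `for` relative to the surrounding attribute loop when applying.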