2020-01-06 14:29:31 +01:00
|
|
|
|
|
|
|
|
import tornado.ioloop
|
|
|
|
|
import tornado.web
|
2020-11-03 12:51:01 +01:00
|
|
|
|
2020-01-06 14:29:31 +01:00
|
|
|
from tornado.escape import json_decode, json_encode
|
2020-11-03 12:51:01 +01:00
|
|
|
from tornado.options import define, options
|
2020-01-06 14:29:31 +01:00
|
|
|
import os.path
|
|
|
|
|
import sys
|
|
|
|
|
import json
|
2020-01-08 13:32:33 +01:00
|
|
|
import datetime
|
2020-01-06 14:29:31 +01:00
|
|
|
|
2020-11-03 12:51:01 +01:00
|
|
|
define('port', default=8889, help='port to listen on')
|
|
|
|
|
define('address', default='0.0.0.0', help='address to listen on')
|
|
|
|
|
|
2020-01-06 14:29:31 +01:00
|
|
|
class Query(tornado.web.RequestHandler):
|
|
|
|
|
|
2020-01-06 16:01:33 +01:00
|
|
|
def prepare(self):
|
|
|
|
|
header = "Content-Type"
|
|
|
|
|
body = "application/json"
|
|
|
|
|
self.set_header(header, body)
|
|
|
|
|
|
2020-01-06 14:29:31 +01:00
|
|
|
def post(self):
|
|
|
|
|
query = json_decode(self.request.body)
|
2020-05-28 10:13:04 +02:00
|
|
|
if not ('uuid' in query or 'name' in query or 'country' in query):
|
2020-01-07 10:52:24 +01:00
|
|
|
return self.write(json.dumps("'error': 'Incorrect query format'"))
|
2020-01-07 11:00:18 +01:00
|
|
|
user_agent = self.request.headers["User-Agent"]
|
2020-01-06 14:29:31 +01:00
|
|
|
if 'uuid' in query:
|
|
|
|
|
if query['uuid'] in tai_full:
|
|
|
|
|
result = tai_full[query['uuid']]
|
|
|
|
|
else:
|
|
|
|
|
result = {'error': 'UUID is not known in the MISP galaxy threat-actor'}
|
|
|
|
|
if 'name' in query:
|
|
|
|
|
if query['name'].lower() not in tai_names:
|
|
|
|
|
result = {'error': 'Name or synomym is not known in the MISP galaxy threat-actor'}
|
|
|
|
|
return self.write("{}".format(json.dumps(result)))
|
2020-05-28 10:13:04 +02:00
|
|
|
result = []
|
2020-01-06 14:29:31 +01:00
|
|
|
for uuid in tai_names[query['name'].lower()]:
|
|
|
|
|
result.append(tai_full[uuid])
|
2020-05-28 10:13:04 +02:00
|
|
|
if 'country' in query:
|
2020-05-29 11:44:20 +02:00
|
|
|
if query['country'].lower() in tai_country:
|
|
|
|
|
ta = tai_country[query['country'].lower()]
|
|
|
|
|
result = []
|
|
|
|
|
for uuid in tai_country[query['country'].lower()]:
|
|
|
|
|
result.append(tai_full[uuid])
|
|
|
|
|
else:
|
|
|
|
|
result = {'error': 'Not existing country in the MISP galaxy threat-actor'}
|
2020-01-07 11:00:18 +01:00
|
|
|
print("Query {} from {}".format(query, user_agent))
|
2020-01-06 14:29:31 +01:00
|
|
|
return self.write("{}".format(json.dumps(result)))
|
|
|
|
|
|
2020-05-29 11:44:20 +02:00
|
|
|
|
chg: [api] a simple GET has been added to get a threat-actor per UUID in a single get request
curl --silent http://localhost:8889/get/0286e80e-b0ed-464f-ad62-beec8536d0cb | jq .
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
"https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers",
"Zirconium",
"APT 31",
"APT31"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "Hurricane Panda"
}
2020-01-06 15:45:14 +01:00
|
|
|
class Get(tornado.web.RequestHandler):
|
|
|
|
|
|
2020-01-06 16:01:33 +01:00
|
|
|
def prepare(self):
|
|
|
|
|
header = "Content-Type"
|
|
|
|
|
body = "application/json"
|
|
|
|
|
self.set_header(header, body)
|
|
|
|
|
|
chg: [api] a simple GET has been added to get a threat-actor per UUID in a single get request
curl --silent http://localhost:8889/get/0286e80e-b0ed-464f-ad62-beec8536d0cb | jq .
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
"https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers",
"Zirconium",
"APT 31",
"APT31"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "Hurricane Panda"
}
2020-01-06 15:45:14 +01:00
|
|
|
def get(self, uuid):
|
|
|
|
|
if uuid in tai_full:
|
|
|
|
|
result = tai_full[uuid]
|
|
|
|
|
else:
|
|
|
|
|
result = {'error': 'UUID is not known in the MISP galaxy threat-actor'}
|
|
|
|
|
return self.write("{}".format(json.dumps(result)))
|
|
|
|
|
|
2020-01-08 13:32:33 +01:00
|
|
|
class Info(tornado.web.RequestHandler):
|
|
|
|
|
|
|
|
|
|
def get(self):
|
|
|
|
|
return self.write("{}".format(json.dumps(tai_info)))
|
chg: [api] a simple GET has been added to get a threat-actor per UUID in a single get request
curl --silent http://localhost:8889/get/0286e80e-b0ed-464f-ad62-beec8536d0cb | jq .
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
"https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers",
"Zirconium",
"APT 31",
"APT31"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "Hurricane Panda"
}
2020-01-06 15:45:14 +01:00
|
|
|
|
2020-01-06 14:29:31 +01:00
|
|
|
application = tornado.web.Application([
|
chg: [api] a simple GET has been added to get a threat-actor per UUID in a single get request
curl --silent http://localhost:8889/get/0286e80e-b0ed-464f-ad62-beec8536d0cb | jq .
{
"description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
"https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers",
"Zirconium",
"APT 31",
"APT31"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "Hurricane Panda"
}
2020-01-06 15:45:14 +01:00
|
|
|
(r"/query", Query),
|
2020-01-08 13:32:33 +01:00
|
|
|
(r"/get/(.*)", Get),
|
|
|
|
|
(r"/info", Info)
|
2020-01-06 14:29:31 +01:00
|
|
|
])
|
|
|
|
|
|
|
|
|
|
if not (os.path.exists('../misp-galaxy/clusters/threat-actor.json')):
|
|
|
|
|
sys.exit("Missing threat-actor.json MISP galaxy, did you git submodule init/update?")
|
|
|
|
|
|
|
|
|
|
with open('../misp-galaxy/clusters/threat-actor.json', 'rb') as galaxyta:
|
|
|
|
|
threat_actors = json.load(galaxyta)
|
|
|
|
|
|
|
|
|
|
tai_full = {}
|
|
|
|
|
tai_names = {}
|
2020-01-08 13:32:33 +01:00
|
|
|
tai_info = {}
|
2020-05-28 10:13:04 +02:00
|
|
|
tai_country = {}
|
2020-01-08 13:32:33 +01:00
|
|
|
|
|
|
|
|
tai_info['version'] = threat_actors['version']
|
|
|
|
|
tai_info['number_actors'] = 0
|
|
|
|
|
tai_info['number_synonyms'] = 0
|
|
|
|
|
tai_info['started'] = datetime.datetime.now().strftime("%d/%m/%Y %H:%M:%S")
|
2020-01-06 14:29:31 +01:00
|
|
|
|
|
|
|
|
for threat_actor in threat_actors['values']:
|
|
|
|
|
tai_full[threat_actor['uuid']] = threat_actor
|
|
|
|
|
tai_names[threat_actor['value'].lower()] = []
|
|
|
|
|
tai_names[threat_actor['value'].lower()].append(threat_actor['uuid'])
|
2020-01-08 13:32:33 +01:00
|
|
|
tai_info['number_actors'] += 1
|
2020-01-06 14:29:31 +01:00
|
|
|
if 'meta' in threat_actor:
|
|
|
|
|
if 'synonyms' in threat_actor['meta']:
|
|
|
|
|
for synonym in threat_actor['meta']['synonyms']:
|
|
|
|
|
if not synonym.lower() in tai_names:
|
|
|
|
|
tai_names[synonym.lower()] = []
|
|
|
|
|
tai_names[synonym.lower()].append(threat_actor['uuid'])
|
2020-01-08 13:32:33 +01:00
|
|
|
tai_info['number_synonyms'] += 1
|
2020-05-28 10:13:04 +02:00
|
|
|
if 'country' in threat_actor['meta']:
|
|
|
|
|
if not threat_actor['meta']['country'].lower() in tai_country:
|
|
|
|
|
tai_country[threat_actor['meta']['country'].lower()] = []
|
|
|
|
|
tai_country[threat_actor['meta']['country'].lower()].append(threat_actor['uuid'])
|
2020-01-06 14:29:31 +01:00
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
2020-11-03 12:51:01 +01:00
|
|
|
tornado.options.parse_command_line()
|
|
|
|
|
application.listen(options.port, address=options.address)
|
2020-01-06 14:29:31 +01:00
|
|
|
tornado.ioloop.IOLoop.instance().start()
|
