From 87401f7ac0159f9cfde798cc8577a0a33359c1c8 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 15 Jul 2024 10:57:57 +0200
Subject: [PATCH] new: [exercises] Added spearphishing-incident simple exercise
---
 active_exercises/spearphishing-incident.json | 1 +
 exercises/spearphishing-incident.json | 519 +++++++++++++++++++
 2 files changed, 520 insertions(+)
 create mode 120000 active_exercises/spearphishing-incident.json
 create mode 100644 exercises/spearphishing-incident.json
diff --git a/active_exercises/spearphishing-incident.json b/active_exercises/spearphishing-incident.json
new file mode 120000
index 0000000..1a4d91a
--- /dev/null
+++ b/active_exercises/spearphishing-incident.json
@@ -0,0 +1 @@
+../exercises/spearphishing-incident.json
\ No newline at end of file
diff --git a/exercises/spearphishing-incident.json b/exercises/spearphishing-incident.json
new file mode 100644
index 0000000..00f823d
--- /dev/null
+++ b/exercises/spearphishing-incident.json
@@ -0,0 +1,519 @@
+{
+ "exercise": {
+ "description": "MISP Encoding Exercise : Spearphishing Incident",
+ "expanded": "MISP Encoding Exercise : Spearphishing Incident",
+ "meta": {
+ "author": "MISP Project",
+ "level": "beginner",
+ "priority": 5
+ },
+ "name": "MISP Encoding Exercise : Spearphishing Incident",
+ "namespace": "data-model",
+ "tags": [
+ "exercise:software-scope=\"misp\"",
+ "state:production"
+ ],
+ "total_duration": "7200",
+ "uuid": "53b20321-ac8c-4a3e-9c56-e772caf669e6",
+ "version": "20240715"
+ },
+ "inject_flow": [
+ {
+ "description": "event-creation",
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd",
+ "reporting_callback": [],
+ "requirements": {},
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": [
+ "startex"
+ ]
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "IP-address",
+ "inject_uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "malicious-payloads",
+ "inject_uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "Download URL",
+ "inject_uuid": "e849a314-3394-4501-a9e1-126e0e61f11d",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "CVE",
+ "inject_uuid": "32141393-adce-4007-950c-77b4c7c60a39",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "C2",
+ "inject_uuid": "a0d7f076-1737-4c1c-af36-c2717885299e",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "Person",
+ "inject_uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "Contextualization",
+ "inject_uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ },
+ {
+ "description": "Published",
+ "inject_uuid": "930459b8-ed61-4e62-b072-071577ea0430",
+ "reporting_callback": [],
+ "requirements": {
+ "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ "sequence": {
+ "completion_trigger": [
+ "time_expiration",
+ "completion"
+ ],
+ "followed_by": [],
+ "trigger": []
+ },
+ "timing": {
+ "triggered_at": null
+ }
+ }
+ ],
+ "inject_payloads": [],
+ "injects": [
+ {
+ "action": "event-creation",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ }
+ ],
+ "result": "MISP Event created",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 10
+ ]
+ }
+ ],
+ "name": "Event Creation",
+ "target_tool": "MISP",
+ "uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
+ },
+ {
+ "action": "ip-address",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"john.doe@luxembourg.edu\")": {
+ "extract_type": "all",
+ "comparison": "count",
+ "values": [
+ ">0"
+ ]
+ }
+ }
+ ],
+ "result": "Email address spoofed",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Email address",
+ "target_tool": "MISP",
+ "uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569"
+ },
+ {
+ "action": "malware-sample",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ ".Event.Object[].Attribute[].value": {
+ "extract_type": "all",
+ "comparison": "contains",
+ "values": [
+ "7c08ddb3b57cf9a00f02a484e23a4b6c8a6d738d"
+ ]
+ }
+ }
+ ],
+ "result": "Malware samples added",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Malware sample",
+ "target_tool": "MISP",
+ "uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24"
+ },
+ {
+ "action": "download url",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ ".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
+ "extract_type": "all",
+ "comparison": "contains",
+ "values": [
+ "https://evilprovider.com/this-is-not-malicious.exe"
+ ]
+ }
+ },
+ {
+ ".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
+ "extract_type": "all",
+ "comparison": "equals",
+ "values": [
+ "evilprovider.com"
+ ]
+ }
+ }
+ ],
+ "result": "Download URL added",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Download URL",
+ "target_tool": "MISP",
+ "uuid": "e849a314-3394-4501-a9e1-126e0e61f11d"
+ },
+ {
+ "action": "CVE",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
+ "extract_type": "all",
+ "comparison": "contains",
+ "values": [
+ "CVE-2015-5465"
+ ]
+ }
+ }
+ ],
+ "result": "CVE",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "CVE",
+ "target_tool": "MISP",
+ "uuid": "32141393-adce-4007-950c-77b4c7c60a39"
+ },
+ {
+ "action": "C2",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ ".Event.Object[] | select((.name == \"url\")).Attribute[] | select(.type == \"url\").value": {
+ "extract_type": "all",
+ "comparison": "contains-regex",
+ "values": [
+ "https:\\/\\/another\\.evil\\.provider\\.com(:57666)?"
+ ]
+ }
+ }
+ ],
+ "result": "C2 added",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "C2",
+ "target_tool": "MISP",
+ "uuid": "a0d7f076-1737-4c1c-af36-c2717885299e"
+ },
+ {
+ "action": "Email Provider",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ "[(.Event.Object[] | select((.name == \"email\")).Attribute[]), .Event.Attribute[]] | .[].value": {
+ "extract_type": "all",
+ "comparison": "contains",
+ "values": [
+ "throwaway-email-provider.com"
+ ]
+ }
+ }
+ ],
+ "result": "Email Provider added",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Email Provider",
+ "target_tool": "MISP",
+ "uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9"
+ },
+ {
+ "action": "context",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ ".Event.Tag | select(length > 0) | .[].name": {
+ "extract_type": "all",
+ "comparison": "count",
+ "values": [
+ ">=3"
+ ]
+ }
+ }
+ ],
+ "result": "Context added",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Contextualization",
+ "target_tool": "MISP",
+ "uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24"
+ },
+ {
+ "action": "published",
+ "inject_evaluation": [
+ {
+ "parameters": [
+ {
+ ".Event.info": {
+ "comparison": "regex",
+ "values": [
+ ".*[sS]pear[-\\s]?phishing.*"
+ ]
+ }
+ },
+ {
+ ".Event.published": {
+ "comparison": "equals",
+ "values": [
+ "1"
+ ]
+ }
+ }
+ ],
+ "result": "Event published",
+ "evaluation_strategy": "data_filtering",
+ "evaluation_context": {},
+ "score_range": [
+ 0,
+ 20
+ ]
+ }
+ ],
+ "name": "Published",
+ "target_tool": "MISP",
+ "uuid": "930459b8-ed61-4e62-b072-071577ea0430"
+ }
+ ]
+}
\ No newline at end of file
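Review bot: The inject_flow entry for `92fc404b-2dce-4815-8a7e-b68a582c3569` is described as `"IP-address"` and its inject declares `"action": "ip-address"`, yet that inject is named "Email address" and its only scored check looks for `john.doe@luxembourg.edu`; the same drift appears for `92a55537-0e4c-44f8-8bcd-102c38d343a9` ("Person" in the flow, "Email Provider" in the inject), so the flow descriptions and actions should name what is actually scored, e.g. `"description": "email-address"` and `"action": "email-address"`. The malware-sample check scans only `.Event.Object[].Attribute[].value`, whereas the CVE check also covers top-level `.Event.Attribute[]`, so a participant who records the sample hash as a plain attribute rather than inside an object scores nothing for that inject; using `"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value"` there would make it consistent with the CVE inject. Minor typing inconsistencies are also visible: `total_duration` and `version` are strings while `priority` is a number, and `.Event.published` is compared with `"equals"` against the string `"1"` — if the evaluator does not coerce MISP's boolean `published` field to a string, that final check may never pass, which is worth confirming against the evaluator before the exercise is marked `state:production`.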