diff --git a/active_exercises/ransomware-exercise.json b/active_exercises/ransomware-exercise.json new file mode 120000 index 0000000..b719968 --- /dev/null +++ b/active_exercises/ransomware-exercise.json @@ -0,0 +1 @@ +../exercises/ransomware-exercise.json \ No newline at end of file diff --git a/exercises/basic-event-creation.json b/exercises/basic-event-creation.json index ffcc8f0..982ccc0 100644 --- a/exercises/basic-event-creation.json +++ b/exercises/basic-event-creation.json @@ -138,7 +138,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -168,7 +168,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -177,7 +177,7 @@ } }, { - "Event.Attribute": { + ".Event.Attribute": { "comparison": "contains", "values": [ { @@ -217,7 +217,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -226,7 +226,7 @@ } }, { - "Event.Object": { + ".Event.Object": { "comparison": "contains", "values": [ { @@ -250,7 +250,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -259,7 +259,7 @@ } }, { - "Event.Object[name=\"domain-ip\"].Attribute": { + ".Event.Object[name=\"domain-ip\"].Attribute": { "comparison": "contains", "values": [ { @@ -299,7 +299,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -308,7 +308,7 @@ } }, { - "Event.Attribute": { + ".Event.Attribute": { "comparison": "contains", "values": [ { @@ -341,7 +341,7 @@ { "parameters": [ { - "Event.info": { + ".Event.info": { "comparison": "contains", "values": [ "event", @@ -350,7 +350,7 @@ } }, { - "Event.Attribute": { + ".Event.Attribute": { "comparison": "contains", "values": [ { 
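Review bot: In the hunk at line 259 the key `.Event.Object[name=\"domain-ip\"].Attribute` receives the same leading-dot treatment as the plain paths, but `[name=\"domain-ip\"]` is not jq syntax (jq has no attribute-predicate selector and `name` is not a defined filter), so if these keys are now handed to `jq.compile` unchanged this one will fail to compile while `.Event.info` and `.Event.Attribute` in the neighbouring hunks work. The new ransomware exercise in the same commit spells the equivalent selection as a real jq program; the matching form here would be `.Event.Object[] | select(.name == \"domain-ip\") | .Attribute`. Whether the evaluator keeps a non-jq fallback for bracket-predicate keys cannot be confirmed from this page, because the inject_evaluator.py hunk is cut off at the bottom.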
@@ -362,7 +362,7 @@ } }, { - "Event.Attribute[value=\"1.2.3.4\"].Tag": { + ".Event.Attribute[value=\"1.2.3.4\"].Tag": { "JQ": "jq '.Event.Attribute[] | select(.value == \"1.2.3.4\") | .Tag'", "comparison": "contains", "values": [ diff --git a/exercises/ransomware-exercise.json b/exercises/ransomware-exercise.json new file mode 100644 index 0000000..b7e2ded --- /dev/null +++ b/exercises/ransomware-exercise.json 
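Review bot: The key `.Event.Attribute[value=\"1.2.3.4\"].Tag` is prefixed as if it were a jq path, yet the actually valid program sits beside it in the `JQ` field (`.Event.Attribute[] | select(.value == \"1.2.3.4\") | .Tag`), so the two now disagree about what the key means, and which of them the evaluator compiles is not visible on this page. If the evaluator compiles the key, the `[value=...]` form will not parse and the `JQ` sibling is dead data; if it prefers `JQ`, the hunk at line 259 of this file carries the same bracket-predicate key without a `JQ` companion. Either make the key the jq program itself and drop the duplicate, or state in the exercise format documentation that `JQ` overrides the key when both are present.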
@@ -0,0 +1,492 @@ +{ + "exercise": { + "description": "MISP Encoding Exercise : Ransomware infection via e-mail", + "expanded": "MISP Encoding Exercise : Ransomware infection via e-mail", + "meta": { + "author": "MISP Project", + "level": "beginner", + "priority": 0 + }, + "name": "MISP Encoding Exercise : Ransomware infection via e-mail", + "namespace": "data-model", + "tags": [ + "exercise:software-scope=\"misp\"", + "state:production" + ], + "total_duration": "7200", + "uuid": "29324587-db6c-4a73-a209-cf8c79871629", + "version": "20240624" + }, + "inject_flow": [ + { + "description": "event-creation", + "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae", + "reporting_callback": [], + "requirements": {}, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "8f636640-e4f0-4ffb-abff-4e85597aa1bd" + ], + "trigger": [ + "startex" + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "infection-email", + "inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd", + "reporting_callback": [], + "requirements": { + "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "3e61a340-0314-4622-91cc-042f3ff8543a" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "malicious-payload", + "inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a", + "reporting_callback": [], + "requirements": { + "inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "c2-ip-address", + "inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828", + "reporting_callback": [], + "requirements": { + "inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a" + 
}, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "9df13cc8-b61b-4c9f-a1a8-66def8b64439" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "registry-keys", + "inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439", + "reporting_callback": [], + "requirements": { + "inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "c5c03af1-7ef3-44e7-819a-6c4fd402148a" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "asym-encryption-key", + "inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a", + "reporting_callback": [], + "requirements": { + "inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "11f6f0c2-8813-42ee-a312-136649d3f077" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "context", + "inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077", + "reporting_callback": [], + "requirements": { + "inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "followed_by": [ + "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + }, + { + "description": "published", + "inject_uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f", + "reporting_callback": [], + "requirements": { + "inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077" + }, + "sequence": { + "completion_trigger": [ + "time_expiration", + "completion" + ], + "trigger": [ + ] + }, + "timing": { + "triggered_at": null + } + } + ], + "inject_payloads": [ + ], + "injects": [ + { + "action": "event-creation", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + 
"comparison": "contains", + "values": [ + "ransomware" + ] + } + } + ], + "result": "MISP Event created", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Event Creation", + "target_tool": "MISP", + "uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" + }, + { + "action": "infection-email", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.Object[].Attribute": { + "comparison": "contains", + "values": [ + { + "type": "email-body" + } + ] + } + } + ], + "result": "Infection Email added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Infection Email", + "target_tool": "MISP", + "uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd" + }, + { + "action": "malicious-payload", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.Object[].Attribute": { + "comparison": "contains", + "values": [ + { + "type": "malware-sample" + }, + { + "type": "filename", + "value": "cryptolocker.exe" + } + ] + } + } + ], + "result": "Malicious payload added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Malicious Payload", + "target_tool": "MISP", + "uuid": "3e61a340-0314-4622-91cc-042f3ff8543a" + }, + { + "action": "c2-ip", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.Object[] | select((.name == \"domain-ip\") or (.name == \"ip-port\"))": { + "comparison": "contains", + "values": [ + { + "value": "81.177.170.166" + } + ] + } + } + ], + "result": "C2 IP added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, 
+ 20 + ] + } + ], + "name": "C2 IP Address", + "target_tool": "MISP", + "uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828" + }, + { + "action": "registry-key", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + "[.Event.Object[], .Event.Attribute[]]": { + "comparison": "contains", + "values": [ + { + "value": "HKCU\\SOFTWARE\\CryptoLocker VersionInfo" + } + ] + } + } + ], + "result": "Registry key added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Registry Keys", + "target_tool": "MISP", + "uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439" + }, + { + "action": "pub-key", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.Object[]": { + "comparison": "contains", + "values": [ + { + "object_relation": "Public" + } + ] + } + } + ], + "result": "Public key added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Public Key", + "target_tool": "MISP", + "uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a" + }, + { + "action": "context", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.Tag[].name": { + "comparison": "count", + "values": [ + ">=3" + ] + } + } + ], + "result": "Context added", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Contextualization", + "target_tool": "MISP", + "uuid": "11f6f0c2-8813-42ee-a312-136649d3f077" + }, + { + "action": "published", + "inject_evaluation": [ + { + "parameters": [ + { + ".Event.info": { + "comparison": "contains", + "values": [ + "ransomware" + ] + } + }, + { + ".Event.published": { + "comparison": 
"equals", + "values": [ + "1" + ] + } + } + ], + "result": "Event published", + "evaluation_strategy": "data_filtering", + "evaluation_context": { + }, + "score_range": [ + 0, + 20 + ] + } + ], + "name": "Published", + "target_tool": "MISP", + "uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f" + } + ] +} diff --git a/inject_evaluator.py b/inject_evaluator.py index a7c5ab5..2c04da8 100644 --- a/inject_evaluator.py +++ b/inject_evaluator.py @@ -5,8 +5,8 @@ import re import operator +# .Event.Attribute[] | select(.value == "evil.exe") | .Tag def jq_extract(path: str, data: dict): - path = '.' + path if not path.startswith('.') else path return jq.compile(path).input_value(data).first()