chg: [exercises] Correct usage of JQ query

This commit is contained in:
Sami Mokaddem 2024-06-27 07:34:21 +02:00
parent 3e6c2e5561
commit d13577212b
4 changed files with 506 additions and 13 deletions


@ -0,0 +1 @@
../exercises/ransomware-exercise.json


@ -138,7 +138,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -168,7 +168,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -177,7 +177,7 @@
} }
}, },
{ {
"Event.Attribute": { ".Event.Attribute": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ {
@ -217,7 +217,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -226,7 +226,7 @@
} }
}, },
{ {
"Event.Object": { ".Event.Object": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ {
@ -250,7 +250,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -259,7 +259,7 @@
} }
}, },
{ {
"Event.Object[name=\"domain-ip\"].Attribute": { ".Event.Object[name=\"domain-ip\"].Attribute": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ {
@ -299,7 +299,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -308,7 +308,7 @@
} }
}, },
{ {
"Event.Attribute": { ".Event.Attribute": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ {
@ -341,7 +341,7 @@
{ {
"parameters": [ "parameters": [
{ {
"Event.info": { ".Event.info": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
"event", "event",
@ -350,7 +350,7 @@
} }
}, },
{ {
"Event.Attribute": { ".Event.Attribute": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ {
@ -362,7 +362,7 @@
} }
}, },
{ {
"Event.Attribute[value=\"1.2.3.4\"].Tag": { ".Event.Attribute[value=\"1.2.3.4\"].Tag": {
"JQ": "jq '.Event.Attribute[] | select(.value == \"1.2.3.4\") | .Tag'", "JQ": "jq '.Event.Attribute[] | select(.value == \"1.2.3.4\") | .Tag'",
"comparison": "contains", "comparison": "contains",
"values": [ "values": [


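--- /dev/null
+++ b/[new file path not shown on page]
@@ -0,0 +1,492 @@
+{
+"exercise": {
+"description": "MISP Encoding Exercise : Ransomware infection via e-mail",
+"expanded": "MISP Encoding Exercise : Ransomware infection via e-mail",
+"meta": {
+"author": "MISP Project",
+"level": "beginner",
+"priority": 0
+},
+"name": "MISP Encoding Exercise : Ransomware infection via e-mail",
+"namespace": "data-model",
+"tags": [
+"exercise:software-scope=\"misp\"",
+"state:production"
+],
+"total_duration": "7200",
+"uuid": "29324587-db6c-4a73-a209-cf8c79871629",
+"version": "20240624"
+},
+"inject_flow": [
+{
+"description": "event-creation",
+"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae",
+"reporting_callback": [],
+"requirements": {},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"8f636640-e4f0-4ffb-abff-4e85597aa1bd"
+],
+"trigger": [
+"startex"
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "infection-email",
+"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"3e61a340-0314-4622-91cc-042f3ff8543a"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "malicious-payload",
+"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "c2-ip-address",
+"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"9df13cc8-b61b-4c9f-a1a8-66def8b64439"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "registry-keys",
+"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"c5c03af1-7ef3-44e7-819a-6c4fd402148a"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "asym-encryption-key",
+"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"11f6f0c2-8813-42ee-a312-136649d3f077"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "context",
+"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+"e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "published",
+"inject_uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+}
+],
+"inject_payloads": [
+],
+"injects": [
+{
+"action": "event-creation",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+}
+],
+"result": "MISP Event created",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Event Creation",
+"target_tool": "MISP",
+"uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
+},
+{
+"action": "infection-email",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.Object[].Attribute": {
+"comparison": "contains",
+"values": [
+{
+"type": "email-body"
+}
+]
+}
+}
+],
+"result": "Infection Email added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Infection Email",
+"target_tool": "MISP",
+"uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
+},
+{
+"action": "malicious-payload",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.Object[].Attribute": {
+"comparison": "contains",
+"values": [
+{
+"type": "malware-sample"
+},
+{
+"type": "filename",
+"value": "cryptolocker.exe"
+}
+]
+}
+}
+],
+"result": "Malicious payload added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Malicious Payload",
+"target_tool": "MISP",
+"uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
+},
+{
+"action": "c2-ip",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.Object[] | select((.name == \"domain-ip\") or (.name == \"ip-port\"))": {
+"comparison": "contains",
+"values": [
+{
+"value": "81.177.170.166"
+}
+]
+}
+}
+],
+"result": "C2 IP added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "C2 IP Address",
+"target_tool": "MISP",
+"uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
+},
+{
+"action": "registry-key",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+"[.Event.Object[], .Event.Attribute[]]": {
+"comparison": "contains",
+"values": [
+{
+"value": "HKCU\\SOFTWARE\\CryptoLocker VersionInfo"
+}
+]
+}
+}
+],
+"result": "Registry key added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Registry Keys",
+"target_tool": "MISP",
+"uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
+},
+{
+"action": "pub-key",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.Object[]": {
+"comparison": "contains",
+"values": [
+{
+"object_relation": "Public"
+}
+]
+}
+}
+],
+"result": "Public key added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Public Key",
+"target_tool": "MISP",
+"uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
+},
+{
+"action": "context",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.Tag[].name": {
+"comparison": "count",
+"values": [
+">=3"
+]
+}
+}
+],
+"result": "Context added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Contextualization",
+"target_tool": "MISP",
+"uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
+},
+{
+"action": "published",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"ransomware"
+]
+}
+},
+{
+".Event.published": {
+"comparison": "equals",
+"values": [
+"1"
+]
+}
+}
+],
+"result": "Event published",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Published",
+"target_tool": "MISP",
+"uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
+}
+]
+}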
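Review bot: The `published` inject near the end of the file checks `.Event.published` with `"comparison": "equals"` against the string `"1"`, but MISP serialises `published` as a JSON boolean, so unless the evaluator coerces types this parameter looks like it can never be satisfied; `"values": [true]` (or whatever boolean form the evaluator accepts) should be confirmed against the comparison code. The `c2-ip` and `registry-key` injects select `.Event.Object[]` and then look for an item with a `"value"` key, yet in MISP JSON `value` lives on the Attributes inside an Object rather than on the Object itself — the `infection-email` and `malicious-payload` injects descend to `.Event.Object[].Attribute` for exactly this reason, so either `contains` matches recursively or those two filters should descend the same way. Separately, `"total_duration": "7200"` is a quoted number while `"priority": 0` is a bare integer; if the exercise schema permits it, `"total_duration": 7200` keeps the numeric fields typed consistently.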


@ -5,8 +5,8 @@ import re
import operator import operator
# .Event.Attribute[] | select(.value == "evil.exe") | .Tag
def jq_extract(path: str, data: dict): def jq_extract(path: str, data: dict):
path = '.' + path if not path.startswith('.') else path
return jq.compile(path).input_value(data).first() return jq.compile(path).input_value(data).first()