new: [exercises] Added flubot exercise (untested)
This commit is contained in:
parent
8003f138d8
commit
f236da0055
2 changed files with 624 additions and 0 deletions
1
active_exercises/flubot-malware.json
Symbolic link
1
active_exercises/flubot-malware.json
Symbolic link
|
@ -0,0 +1 @@
|
|||
../exercises/flubot-malware.json
|
623
exercises/flubot-malware.json
Normal file
623
exercises/flubot-malware.json
Normal file
|
@ -0,0 +1,623 @@
|
|||
{
|
||||
"exercise": {
|
||||
"description": "MISP Encoding Exercise : Flubot Malware",
|
||||
"expanded": "MISP Encoding Exercise : Flubot Malware",
|
||||
"meta": {
|
||||
"author": "MISP Project",
|
||||
"level": "beginner",
|
||||
"priority": 5
|
||||
},
|
||||
"name": "MISP Encoding Exercise : Flubot Malware",
|
||||
"namespace": "data-model",
|
||||
"tags": [
|
||||
"exercise:software-scope=\"misp\"",
|
||||
"state:production"
|
||||
],
|
||||
"total_duration": "7200",
|
||||
"uuid": "a7cb0e57-83f4-4c10-9f5f-6c54877b685e",
|
||||
"version": "20240702"
|
||||
},
|
||||
"inject_flow": [
|
||||
{
|
||||
"description": "event-creation",
|
||||
"inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242",
|
||||
"reporting_callback": [],
|
||||
"requirements": {},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
"startex"
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "phishing-sms",
|
||||
"inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "phone-number",
|
||||
"inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "phishing-url&IP",
|
||||
"inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "apk",
|
||||
"inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "CVE",
|
||||
"inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "c2",
|
||||
"inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "yara",
|
||||
"inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Contextualization",
|
||||
"inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Published",
|
||||
"inject_uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [
|
||||
],
|
||||
"trigger": [
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
}
|
||||
],
|
||||
"inject_payloads": [
|
||||
],
|
||||
"injects": [
|
||||
{
|
||||
"action": "event-creation",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "MISP Event created",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
10
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Event Creation",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242"
|
||||
},
|
||||
{
|
||||
"action": "phishing-sms",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[] | select((.name == \"instant-message\")).Attribute[] | select((.type == \"text\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains-regex",
|
||||
"values": [
|
||||
"Missed Call: You have a missed call\\..*"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "SMS added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Phishing SMS",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212"
|
||||
},
|
||||
{
|
||||
"action": "phone-number",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains-regex",
|
||||
"values": [
|
||||
"\\+?352131575"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Phone Number added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Phone Number",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8"
|
||||
},
|
||||
{
|
||||
"action": "url",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"https://evilprovider.com/r.php?e1525c0f"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[] | select(.object_relation == \"query_string\").value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
".?e1525c0f"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Download URL added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Download URL & IP",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8"
|
||||
},
|
||||
{
|
||||
"action": "apk",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[] | select((.type == \"filename\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"sample.apk"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "APK added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Malicious APK",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62"
|
||||
},
|
||||
{
|
||||
"action": "cve",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"vulnerability\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"CVE-2022-27835"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "CVE added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "CVE",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1"
|
||||
},
|
||||
{
|
||||
"action": "c2",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"url\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"https://another.evil.provider.com:42666/c.php?e1525c0f"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"another.evil.provider.com"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.object_relation == \"ip\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"226.140.183.77"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "C2 added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "C2 Server",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "f995b04d-4648-41b6-893b-19eeebd365ef"
|
||||
},
|
||||
{
|
||||
"action": "yara",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"yara\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains-regex",
|
||||
"values": [
|
||||
"rule android_flubot \\{.*"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Yara rule added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Yara Rule",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78"
|
||||
},
|
||||
{
|
||||
"action": "context",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Tag | select(length > 0) | .[].name": {
|
||||
"extract_type": "all",
|
||||
"comparison": "count",
|
||||
"values": [
|
||||
">=3"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Context added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Contextualization",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4"
|
||||
},
|
||||
{
|
||||
"action": "published",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"flubot"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.published": {
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"1"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Event published",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {
|
||||
},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Published",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
Loading…
Reference in a new issue