
2 commits

Sami Mokaddem
f236da0055 new: [exercises] Added flubot exercise (untested) 2024-07-02 16:14:08 +02:00
Sami Mokaddem
8003f138d8 chg: [exercises] Renamed exercise name 2024-07-02 16:14:01 +02:00
4 changed files with 626 additions and 2 deletions


@ -0,0 +1 @@
../exercises/flubot-malware.json


@ -7,7 +7,7 @@
"level": "beginner", "level": "beginner",
"priority": 1 "priority": 1
}, },
"name": "Simple Data Creation Via the API", "name": "API: Simple Data Creation",
"namespace": "data-model", "namespace": "data-model",
"tags": [ "tags": [
"exercise:software-scope=\"misp\"", "exercise:software-scope=\"misp\"",


@ -7,7 +7,7 @@
"level": "beginner", "level": "beginner",
"priority": 2 "priority": 2
}, },
"name": "Basic Filtering - Usage of the API to filter data", "name": "API: Basic Filtering",
"namespace": "data-model", "namespace": "data-model",
"tags": [ "tags": [
"exercise:software-scope=\"misp\"", "exercise:software-scope=\"misp\"",


@ -0,0 +1,623 @@
{
"exercise": {
"description": "MISP Encoding Exercise : Flubot Malware",
"expanded": "MISP Encoding Exercise : Flubot Malware",
"meta": {
"author": "MISP Project",
"level": "beginner",
"priority": 5
},
"name": "MISP Encoding Exercise : Flubot Malware",
"namespace": "data-model",
"tags": [
"exercise:software-scope=\"misp\"",
"state:production"
],
"total_duration": "7200",
"uuid": "a7cb0e57-83f4-4c10-9f5f-6c54877b685e",
"version": "20240702"
},
"inject_flow": [
{
"description": "event-creation",
"inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242",
"reporting_callback": [],
"requirements": {},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
"startex"
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "phishing-sms",
"inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212",
"reporting_callback": [],
"requirements": {
"inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "phone-number",
"inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8",
"reporting_callback": [],
"requirements": {
"inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "phishing-url&IP",
"inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8",
"reporting_callback": [],
"requirements": {
"inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "apk",
"inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62",
"reporting_callback": [],
"requirements": {
"inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "CVE",
"inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1",
"reporting_callback": [],
"requirements": {
"inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "c2",
"inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef",
"reporting_callback": [],
"requirements": {
"inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "yara",
"inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78",
"reporting_callback": [],
"requirements": {
"inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Contextualization",
"inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4",
"reporting_callback": [],
"requirements": {
"inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Published",
"inject_uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5",
"reporting_callback": [],
"requirements": {
"inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
}
],
"inject_payloads": [
],
"injects": [
{
"action": "event-creation",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
}
],
"result": "MISP Event created",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
10
]
}
],
"name": "Event Creation",
"target_tool": "MISP",
"uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242"
},
{
"action": "phishing-sms",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.Object[] | select((.name == \"instant-message\")).Attribute[] | select((.type == \"text\")).value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"Missed Call: You have a missed call\\..*"
]
}
}
],
"result": "SMS added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Phishing SMS",
"target_tool": "MISP",
"uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212"
},
{
"action": "phone-number",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"\\+?352131575"
]
}
}
],
"result": "Phone Number added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Phone Number",
"target_tool": "MISP",
"uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8"
},
{
"action": "url",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"https://evilprovider.com/r.php?e1525c0f"
]
}
},
{
".Event.Object[].Attribute[] | select(.object_relation == \"query_string\").value": {
"extract_type": "all",
"comparison": "equals",
"values": [
".?e1525c0f"
]
}
}
],
"result": "Download URL added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Download URL & IP",
"target_tool": "MISP",
"uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8"
},
{
"action": "apk",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.Object[].Attribute[] | select((.type == \"filename\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"sample.apk"
]
}
}
],
"result": "APK added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Malicious APK",
"target_tool": "MISP",
"uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62"
},
{
"action": "cve",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"vulnerability\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"CVE-2022-27835"
]
}
}
],
"result": "CVE added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "CVE",
"target_tool": "MISP",
"uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1"
},
{
"action": "c2",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"url\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"https://another.evil.provider.com:42666/c.php?e1525c0f"
]
}
},
{
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"another.evil.provider.com"
]
}
},
{
".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.object_relation == \"ip\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"226.140.183.77"
]
}
}
],
"result": "C2 added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "C2 Server",
"target_tool": "MISP",
"uuid": "f995b04d-4648-41b6-893b-19eeebd365ef"
},
{
"action": "yara",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"yara\")).value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"rule android_flubot \\{.*"
]
}
}
],
"result": "Yara rule added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Yara Rule",
"target_tool": "MISP",
"uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78"
},
{
"action": "context",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.Tag | select(length > 0) | .[].name": {
"extract_type": "all",
"comparison": "count",
"values": [
">=3"
]
}
}
],
"result": "Context added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Contextualization",
"target_tool": "MISP",
"uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4"
},
{
"action": "published",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"flubot"
]
}
},
{
".Event.published": {
"comparison": "equals",
"values": [
"1"
]
}
}
],
"result": "Event published",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Published",
"target_tool": "MISP",
"uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5"
}
]
}
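Review bot: In the `url` inject the `query_string` parameter pairs `"comparison": "equals"` with the value `".?e1525c0f"`, which reads as a regex fragment rather than a literal; an exact comparison will never match the attribute value derived from `https://evilprovider.com/r.php?e1525c0f`, whether the url object stores it as `?e1525c0f` or `e1525c0f`. The smallest fix is `"comparison": "contains-regex"`, under which the existing value already works as a pattern, or keep `equals` with the literal the url object actually stores (TODO: confirm against a generated MISP url object). The same inject is named `Download URL & IP` and its flow entry is `phishing-url&IP`, yet none of its parameters checks an ip attribute, so the IP half of the step is never scored; the `c2` inject shows the shape to reuse, `select((.object_relation == \"ip\")).value`. Separately, the `inject_flow` descriptions `phishing-url&IP`, `CVE`, `Contextualization` and `Published` differ from the matching `injects[].action` values `url`, `cve`, `context` and `published`; correlation is by uuid so this is presumably cosmetic, but aligning them would make a flow the commit itself marks as untested easier to trace.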