Merge branch 'main' of github.com:MISP/misp-galaxy

This commit is contained in:
Christian Studer 2023-01-16 13:34:03 +01:00
commit 1402b7aba6
8 changed files with 84681 additions and 8 deletions

View file

@ -1195,7 +1195,29 @@
}, },
"uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f", "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
"value": "Dark Tequila" "value": "Dark Tequila"
},
{
"description": "Distributed by Malteiro",
"meta": {
"refs": [
"https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"
],
"synonyms": [
"URSA"
]
},
"related": [
{
"dest-uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "delivered-by"
} }
], ],
"version": 17 "uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
"value": "Malteiro"
}
],
"version": 18
} }

View file

@ -24257,9 +24257,77 @@
"value": "Povisomware" "value": "Povisomware"
}, },
{ {
"description": "ransomware", "description": "Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.",
"meta": { "meta": {
"date": "December 2020" "date": "December 2020",
"extensions": [
".jcrypt",
".locked",
".daddycrypt",
".omero",
".ncovid",
".NotStonks",
".crypted",
".iam_watching",
".vn_os",
".wearefriends",
".MALWAREDEVELOPER",
".MALKI",
".poison",
".foxxy",
".ZAHACKED",
".JEBAĆ_BYDGOSZCZ!!!",
".titancrypt",
".crypt",
".MafiaWare666",
".brutusptCrypt",
".bmcrypt",
".cyberone",
".l33ch"
],
"payment-method": "Bitcoin",
"ransomenotes": [
"All of your files have been encrypted.\nTo unlock them, please send 1 bitcoin(s) to BTC address: 1BtUL5dhVXHwKLqSdhjyjK9Pe64Vc6CEH1 Afterwards,\nI please email your transaction ID to: this.email.address@gmail.com\nThank you and have a nice day! Encryption Log: ..."
],
"ransomenotes-refs": [
"https://1.bp.blogspot.com/-OF8CopM3MUw/X-XLjUmRkYI/AAAAAAAAXpY/1mLe136SuT8DuruWJfwIVY5WnVs5B1gcgCLcBGAsYHQ/s943/txt-note.png"
],
"ransomnotes-filenames": [
"___RECOVER__FILES__.jcrypt.txt",
"_RECOVER__FILES__.jcrypt.txt",
"___RECOVER__FILES__.locked.txt",
"___RECOVER__FILES__.daddycrypt.txt",
"___RECOVER__FILES__.omero.txt",
"___RECOVER__FILES__.ncovid.txt",
"___RECOVER__FILES__.crypted.txt",
"___RECOVER__FILES__.iam_watching.txt",
"___RECOVER__FILES__.titancrypt.txt",
"_#ODZYSKAJ_PLIKI--.JEBAĆ_BYDGOSZCZ!!!.txt"
],
"refs": [
"https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html",
"https://twitter.com/kangxiaopao/status/1342027328063295488?lang=en",
"https://twitter.com/demonslay335/status/1380610583603638277",
"https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/",
"https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe"
],
"synonyms": [
"RIP lmao",
"Locked",
"Daddycrypt",
"Omero",
"Crypted",
"Ncovid",
"NotStonks",
"Iam_watching",
"Vn_os",
"Wearefriends",
"MALWAREDEVELOPER",
"MALKI",
"Poison",
"Foxxy",
"Mafiaware666"
]
}, },
"uuid": "dd5712e1-efa8-4054-a5df-fdfdbc9c25b6", "uuid": "dd5712e1-efa8-4054-a5df-fdfdbc9c25b6",
"value": "JCrypt" "value": "JCrypt"
@ -24381,7 +24449,8 @@
"https://www.varonis.com/blog/alphv-blackcat-ransomware", "https://www.varonis.com/blog/alphv-blackcat-ransomware",
"https://www.intrinsec.com/alphv-ransomware-gang-analysis", "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
"https://unit42.paloaltonetworks.com/blackcat-ransomware/", "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
"https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat" "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
"https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
], ],
"synonyms": [ "synonyms": [
"ALPHV", "ALPHV",
@ -24724,7 +24793,7 @@
"ransomnotes": [ "ransomnotes": [
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]" "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
], ],
"ransomnotes-files": [ "ransomnotes-filenames": [
"readme.txt" "readme.txt"
], ],
"ransomnotes-refs": [ "ransomnotes-refs": [
@ -24860,5 +24929,5 @@
"value": "Karakurt" "value": "Karakurt"
} }
], ],
"version": 111 "version": 112
} }

84250
clusters/sigma-rules.json Normal file

File diff suppressed because it is too large Load diff

View file

@ -8677,7 +8677,13 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs", "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs",
"https://www2.swift.com/isac/report/10118" "https://www2.swift.com/isac/report/10118",
"https://blog.group-ib.com/opera1er-apt"
],
"synonyms": [
"OPERA1ER",
"NXSMS",
"DESKTOP-GROUP"
] ]
}, },
"uuid": "da581c60-7c3d-4de6-b54c-cafea1c58389", "uuid": "da581c60-7c3d-4de6-b54c-cafea1c58389",
@ -9943,7 +9949,48 @@
}, },
"uuid": "171d0590-be92-443f-addb-af5dc2a8034d", "uuid": "171d0590-be92-443f-addb-af5dc2a8034d",
"value": "Evasive Panda" "value": "Evasive Panda"
},
{
"description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Futures Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.",
"meta": {
"refs": [
"https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies",
"https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf"
]
},
"related": [
{
"dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "overlaps"
} }
], ],
"version": 255 "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
"value": "TAG-53"
},
{
"description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.",
"meta": {
"refs": [
"https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/",
"https://blog.scilabs.mx/cyber-threat-profile-malteiro/"
]
},
"related": [
{
"dest-uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "delivers"
}
],
"uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
"value": "Malteiro"
}
],
"version": 257
} }

View file

@ -0,0 +1,9 @@
{
"description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools",
"icon": "link",
"name": "Sigma-Rules",
"namespace": "misp",
"type": "sigma-rules",
"uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2",
"version": 1
}

3
tools/sigma/config.ini Normal file
View file

@ -0,0 +1,3 @@
[MISP]
cluster_path = ../../clusters/
mitre_attack_cluster = mitre-attack-pattern.json

View file

@ -0,0 +1,268 @@
"""
Author: Jose Luis Sanchez Martinez
Twitter: @Joseliyo_Jstnk
date: 2022/11/18
Modified: 2023/01/03
GitHub: https://github.com/jstnk9/MISP
Description: This script can create MISP Galaxies from Sigma Rules. It can be done setting the path
where you have stored your sigma rules in the system.
Examples: python sigma-to-galaxy -p "C:\lab\sigma\rules\" -r
MISP Galaxy: https://github.com/MISP/misp-galaxy
"""
import os, json, yaml, argparse, uuid, configparser, time
unique_uuid = '9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2'
def main(args):
uuidGalaxy = create_galaxy_json()
galaxyCluster = create_cluster(uuidGalaxy=unique_uuid)
valuesData = create_cluster_value(args.inputPath, args.recursive, galaxyCluster)
galaxyCluster["values"].extend(valuesData)
galaxyCluster = createRelations(galaxyCluster)
create_cluster_json(galaxyCluster)
check_duplicates(galaxyCluster)
def createRelations(galaxyCluster):
"""
:param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
:return galaxyCluster: Content of the cluster adding the relation between sigma rule and MITRE technique
"""
for obj in galaxyCluster["values"]:
for attack in obj["meta"]["tags"]:
if attack.startswith("attack.t"):
with open(
config["MISP"]["cluster_path"]
+ config["MISP"]["mitre_attack_cluster"],
"r",
) as mitreCluster:
data = json.load(mitreCluster)
for technique in data["values"]:
if (
technique["meta"]["external_id"]
== attack.split(".", 1)[1].upper()
):
if obj.get("related"):
obj["related"].append(
{
"dest-uuid": "%s" % (technique["uuid"]),
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to",
}
)
else:
obj["related"] = []
obj["related"].append(
{
"dest-uuid": "%s" % (technique["uuid"]),
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to",
}
)
return galaxyCluster
def check_duplicates(galaxy):
"""
:param galaxy: Content of the cluster with all the values
:return res:
"""
galaxiesObj = {}
for val in galaxy["values"]:
obj = {}
if galaxiesObj.get(val["value"]):
galaxiesObj[val["value"]].append(val["uuid"])
else:
galaxiesObj[val["value"]] = []
galaxiesObj[val["value"]].append(val["uuid"])
for k, v in galaxiesObj.items():
if len(v) > 1:
print("[*] Title duplicated: %s " % (k))
for ids in v:
print(" %s" % (ids))
def create_cluster_json(galaxyCluster):
"""
:param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
This function finally creates the sigma-cluster.json file with all the information.
"""
with open("sigma-cluster.json", "w") as f:
json.dump(galaxyCluster, f)
def parseYaml(inputPath, yamlFile):
"""
:param inputPath: Path where is stored the Sigma Rule to parse.
:param yamlFile: Content of the Sigma Rule.
This function can convert a Sigma Rule to JSON (dict)
:return jsonData: Sigma rule converted to dict.
"""
fullPath = os.path.join(inputPath, yamlFile)
with open(fullPath, encoding='utf-8') as f:
jsonData = yaml.load(f, Loader=yaml.FullLoader)
return jsonData
def create_cluster(uuidGalaxy=unique_uuid):
"""
:param uuidGalaxy: Is the uuid4 generated for the galaxy JSON file previously.
This function creates the JSON file of the path /app/files/misp-galaxy/clusters without values.
:return cluster: Dict with the basic information needed for the JSON file.
"""
version = int(time.strftime("%Y%m%d"))
cluster = {
"authors": ["@Joseliyo_Jstnk"],
"category": "rules",
"description": "MISP galaxy cluster based on Sigma Rules.",
"name": "Sigma-Rules",
"source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma",
"type": "sigma-rules",
"uuid": uuidGalaxy,
"values": [],
"version": version
}
return cluster
def create_cluster_value(pathsigma, recursive, galaxyCluster):
"""
:param pathsigma: Is the path established with the -p parameter
:param recurisve: If true, it can recursively navigate through every subfolder of :pathsigma:
:param galaxyCluster: Dictionary with the information needed for the cluster JSON file
This function makes a loop in every subfolder to identify Sigma Rules and after that..
1. It parse the YAML file to dict
2. Once it's a dict, it call the function to parse the dict and start creating the
values of the cluster
IMPORTANT: Sigma rules must ends with .yml and not .yaml
:return valuesData: Array with every Sigma Rule parsed into a dict.
"""
valuesData = []
if recursive == True:
for dirpath, dirs, files in os.walk(pathsigma):
if os.name == 'nt':
path = dirpath.split('/')[0]
else:
path = dirpath
for f in files:
if f.endswith(".yml"):
jsonData = parseYaml(path, f)
valuesData.append(
parse_sigma_to_cluster(jsonData, f, path.split("rules")[1])
)
return valuesData
def parse_sigma_to_cluster(jsonData, sigmaFile, sigmaPath):
"""
:param jsonData: Is the Sigma Rule parsed to dict.
:param sigmaFile: Is the Sigma Rule filename.
:param sigmaPath: Is the path where are stored the Sigma Rules.
This function parse the dict of the Sigma Rule to fill all the fields needed for the MISP Galaxy.
:return valueData: Dict with all the fields filled ready to be added in the cluster JSON file.
"""
valueData = {}
valueData["description"] = jsonData.get("description", "No established description")
valueData["uuid"] = jsonData.get("id", "No established id")
valueData["value"] = jsonData.get("title", "No established title")
valueData["meta"] = {}
valueData["meta"]["refs"] = []
if jsonData.get("references"):
for rf in jsonData.get("references"):
valueData["meta"]["refs"].append(rf)
valueData["meta"]["refs"] = [
*set(valueData["meta"]["refs"])
] # Removing duplicated references
valueData["meta"]["tags"] = jsonData.get("tags", "No established tags")
valueData["meta"]["creation_date"] = jsonData.get("date", "No established date")
valueData["meta"]["filename"] = sigmaFile
valueData["meta"]["author"] = jsonData.get("author", "No established author")
valueData["meta"]["level"] = jsonData.get("level", "No established level")
valueData["meta"]["falsepositive"] = jsonData.get(
"falsepositives", "No established falsepositives"
)
valueData["meta"]["refs"].append(
"https://github.com/SigmaHQ/sigma/tree/master/rules%s/%s"
% (sigmaPath.replace("\\", "/"), sigmaFile)
) # this value only works if you set the path like it was cloned from github
valueData["meta"]["logsource.category"] = jsonData.get("logsource").get(
"category", "No established category"
)
valueData["meta"]["logsource.product"] = jsonData.get("logsource").get(
"product", "No established product"
)
return valueData
def create_galaxy_json():
"""
This method creates first the galaxy JSON stored in the path /app/files/misp-galaxy/galaxies
The information of this JSON is basic.
:return uuidGalaxy: Return the uuid needed for the cluster JSON File which is created after this.
"""
uuidGalaxy = unique_uuid
galaxy = {
"description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools",
"icon": "link",
"name": "Sigma-Rules",
"namespace": "misp",
"type": "sigma-rules",
"uuid": uuidGalaxy,
"version": 1,
}
with open("sigma-rules.json", "w") as f:
json.dump(galaxy, f)
return uuidGalaxy
if __name__ == '__main__':
config = configparser.ConfigParser()
config.read("config.ini")
parser = argparse.ArgumentParser(
description="This script can convert your sigma rules in MISP galaxies, generating both files needed for cluster and galaxies. If you need more information about how to import it, please, go to https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma"
)
parser.add_argument(
"-p",
"--path",
dest="inputPath",
required=True,
default="None",
help="Path with your sigma rules.",
)
parser.add_argument(
"-r",
"--recursive",
dest="recursive",
action="store_true",
help="If you have subfolders on the initial path and you want to convert all of them, use -r to do it recursive.",
)
args = parser.parse_args()
main(args)

5
tools/sigma/update.sh Normal file
View file

@ -0,0 +1,5 @@
#!/bin/bash
rm -rf sigma
git clone https://github.com/SigmaHQ/sigma
python3 sigma-to-galaxy.py -r -p ./sigma/rules
cat sigma-cluster.json | jq -S . >../../clusters/sigma-rules.json