mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 23:07:19 +00:00
Merge branch 'main' of github.com:MISP/misp-galaxy
commit
1402b7aba6
8 changed files with 84681 additions and 8 deletions
|
@ -1195,7 +1195,29 @@
|
|||
},
|
||||
"uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
|
||||
"value": "Dark Tequila"
|
||||
},
|
||||
{
|
||||
"description": "Distributed by Malteiro",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"
|
||||
],
|
||||
"synonyms": [
|
||||
"URSA"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "delivered-by"
|
||||
}
|
||||
],
|
||||
"version": 17
|
||||
"uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
|
||||
"value": "Malteiro"
|
||||
}
|
||||
],
|
||||
"version": 18
|
||||
}
|
||||
|
|
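Review bot: The new entry is given `"value": "Malteiro"`, although its description says it is "Distributed by Malteiro" and its only synonym is `URSA`, so it appears to name the malware after the group that delivers it. The threat-actor entry added in this same commit also uses the value Malteiro and describes the trojan as URSA/Mispadu, which leaves analysts with two clusters sharing one label and none that matches the malware's own name. Consider `"value": "URSA"` with `"synonyms": ["Mispadu"]`, and a description that says what the tool is rather than only who distributes it.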
|
@ -24257,9 +24257,77 @@
|
|||
"value": "Povisomware"
|
||||
},
|
||||
{
|
||||
"description": "ransomware",
|
||||
"description": "Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.",
|
||||
"meta": {
|
||||
"date": "December 2020"
|
||||
"date": "December 2020",
|
||||
"extensions": [
|
||||
".jcrypt",
|
||||
".locked",
|
||||
".daddycrypt",
|
||||
".omero",
|
||||
".ncovid",
|
||||
".NotStonks",
|
||||
".crypted",
|
||||
".iam_watching",
|
||||
".vn_os",
|
||||
".wearefriends",
|
||||
".MALWAREDEVELOPER",
|
||||
".MALKI",
|
||||
".poison",
|
||||
".foxxy",
|
||||
".ZAHACKED",
|
||||
".JEBAĆ_BYDGOSZCZ!!!",
|
||||
".titancrypt",
|
||||
".crypt",
|
||||
".MafiaWare666",
|
||||
".brutusptCrypt",
|
||||
".bmcrypt",
|
||||
".cyberone",
|
||||
".l33ch"
|
||||
],
|
||||
"payment-method": "Bitcoin",
|
||||
"ransomenotes": [
|
||||
"All of your files have been encrypted.\nTo unlock them, please send 1 bitcoin(s) to BTC address: 1BtUL5dhVXHwKLqSdhjyjK9Pe64Vc6CEH1 Afterwards,\nI please email your transaction ID to: this.email.address@gmail.com\nThank you and have a nice day! Encryption Log: ..."
|
||||
],
|
||||
"ransomenotes-refs": [
|
||||
"https://1.bp.blogspot.com/-OF8CopM3MUw/X-XLjUmRkYI/AAAAAAAAXpY/1mLe136SuT8DuruWJfwIVY5WnVs5B1gcgCLcBGAsYHQ/s943/txt-note.png"
|
||||
],
|
||||
"ransomnotes-filenames": [
|
||||
"___RECOVER__FILES__.jcrypt.txt",
|
||||
"_RECOVER__FILES__.jcrypt.txt",
|
||||
"___RECOVER__FILES__.locked.txt",
|
||||
"___RECOVER__FILES__.daddycrypt.txt",
|
||||
"___RECOVER__FILES__.omero.txt",
|
||||
"___RECOVER__FILES__.ncovid.txt",
|
||||
"___RECOVER__FILES__.crypted.txt",
|
||||
"___RECOVER__FILES__.iam_watching.txt",
|
||||
"___RECOVER__FILES__.titancrypt.txt",
|
||||
"_#ODZYSKAJ_PLIKI--.JEBAĆ_BYDGOSZCZ!!!.txt"
|
||||
],
|
||||
"refs": [
|
||||
"https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html",
|
||||
"https://twitter.com/kangxiaopao/status/1342027328063295488?lang=en",
|
||||
"https://twitter.com/demonslay335/status/1380610583603638277",
|
||||
"https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/",
|
||||
"https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe"
|
||||
],
|
||||
"synonyms": [
|
||||
"RIP lmao",
|
||||
"Locked",
|
||||
"Daddycrypt",
|
||||
"Omero",
|
||||
"Crypted",
|
||||
"Ncovid",
|
||||
"NotStonks",
|
||||
"Iam_watching",
|
||||
"Vn_os",
|
||||
"Wearefriends",
|
||||
"MALWAREDEVELOPER",
|
||||
"MALKI",
|
||||
"Poison",
|
||||
"Foxxy",
|
||||
"Mafiaware666"
|
||||
]
|
||||
},
|
||||
"uuid": "dd5712e1-efa8-4054-a5df-fdfdbc9c25b6",
|
||||
"value": "JCrypt"
|
||||
|
@ -24381,7 +24449,8 @@
|
|||
"https://www.varonis.com/blog/alphv-blackcat-ransomware",
|
||||
"https://www.intrinsec.com/alphv-ransomware-gang-analysis",
|
||||
"https://unit42.paloaltonetworks.com/blackcat-ransomware/",
|
||||
"https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat"
|
||||
"https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
|
||||
"https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
|
||||
],
|
||||
"synonyms": [
|
||||
"ALPHV",
|
||||
|
@ -24724,7 +24793,7 @@
|
|||
"ransomnotes": [
|
||||
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
|
||||
],
|
||||
"ransomnotes-files": [
|
||||
"ransomnotes-filenames": [
|
||||
"readme.txt"
|
||||
],
|
||||
"ransomnotes-refs": [
|
||||
|
@ -24860,5 +24929,5 @@
|
|||
"value": "Karakurt"
|
||||
}
|
||||
],
|
||||
"version": 111
|
||||
"version": 112
|
||||
}
|
||||
|
|
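Review bot: The JCrypt entry adds the keys `ransomenotes` and `ransomenotes-refs`, which are spelled differently from the `ransomnotes` and `ransomnotes-refs` keys used by the other entry shown in this file and from the `ransomnotes-filenames` key a few lines below. A consumer that reads `meta.ransomnotes` will not see the note text or the screenshot reference for this cluster; rename them to `"ransomnotes"` and `"ransomnotes-refs"`, the same kind of normalisation this commit applies to `ransomnotes-files` in the later hunk. Separately, synonyms such as `Locked`, `Crypted` and `Poison` are generic words and are likely to collide with other clusters wherever synonyms are used for matching.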
84250
clusters/sigma-rules.json
Normal file
File diff suppressed because it is too large
|
@ -8677,7 +8677,13 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs",
|
||||
"https://www2.swift.com/isac/report/10118"
|
||||
"https://www2.swift.com/isac/report/10118",
|
||||
"https://blog.group-ib.com/opera1er-apt"
|
||||
],
|
||||
"synonyms": [
|
||||
"OPERA1ER",
|
||||
"NXSMS",
|
||||
"DESKTOP-GROUP"
|
||||
]
|
||||
},
|
||||
"uuid": "da581c60-7c3d-4de6-b54c-cafea1c58389",
|
||||
|
@ -9943,7 +9949,48 @@
|
|||
},
|
||||
"uuid": "171d0590-be92-443f-addb-af5dc2a8034d",
|
||||
"value": "Evasive Panda"
|
||||
},
|
||||
{
|
||||
"description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies",
|
||||
"https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations",
|
||||
"https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "overlaps"
|
||||
}
|
||||
],
|
||||
"version": 255
|
||||
"uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
|
||||
"value": "TAG-53"
|
||||
},
|
||||
{
|
||||
"description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/",
|
||||
"https://blog.scilabs.mx/cyber-threat-profile-malteiro/"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "delivers"
|
||||
}
|
||||
],
|
||||
"uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
|
||||
"value": "Malteiro"
|
||||
}
|
||||
],
|
||||
"version": 257
|
||||
}
|
||||
|
|
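Review bot: The description of the new Malteiro actor reads `Malteiroby SCILabs`; a space is missing and the sentence is a comma splice, so it should read `"This group of cybercriminals is named Malteiro by SCILabs; they operate and distribute the URSA/Mispadu banking trojan."`. In the TAG-53 entry the Recorded Future reference keeps its `utm_campaign`/`utm_source`/`utm_medium`/`utm_term` query string; the URL up to the `?` is the stable reference, and tracking parameters defeat deduplication of refs across clusters. TAG-53's description names Callisto Group, COLDRIVER and SEABORGIUM as overlapping names, but the entry has no `synonyms` and a single `overlaps` relation, so a search for those names reaches it only if the destination cluster carries them, which is worth confirming.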
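--- /dev/null
+++ b/galaxies/sigma-rules.json
@@ -0,0 +1,9 @@
+{
+"description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools",
+"icon": "link",
+"name": "Sigma-Rules",
+"namespace": "misp",
+"type": "sigma-rules",
+"uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2",
+"version": 1
+}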
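--- /dev/null
+++ b/tools/sigma/config.ini
@@ -0,0 +1,3 @@
+[MISP]
+cluster_path = ../../clusters/
+mitre_attack_cluster = mitre-attack-pattern.json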
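--- /dev/null
+++ b/tools/sigma/sigma-to-galaxy.py
@@ -0,0 +1,268 @@
+"""
+
+Author: Jose Luis Sanchez Martinez
+Twitter: @Joseliyo_Jstnk
+date: 2022/11/18
+Modified: 2023/01/03
+GitHub: https://github.com/jstnk9/MISP
+Description: This script can create MISP Galaxies from Sigma Rules. It can be done setting the path
+where you have stored your sigma rules in the system.
+Examples: python sigma-to-galaxy -p "C:\lab\sigma\rules\" -r
+MISP Galaxy: https://github.com/MISP/misp-galaxy
+
+"""
+
+import os, json, yaml, argparse, uuid, configparser, time
+
+unique_uuid = '9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2'
+
+
+def main(args):
+uuidGalaxy = create_galaxy_json()
+galaxyCluster = create_cluster(uuidGalaxy=unique_uuid)
+valuesData = create_cluster_value(args.inputPath, args.recursive, galaxyCluster)
+galaxyCluster["values"].extend(valuesData)
+galaxyCluster = createRelations(galaxyCluster)
+create_cluster_json(galaxyCluster)
+check_duplicates(galaxyCluster)
+
+
+def createRelations(galaxyCluster):
+"""
+:param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
+
+:return galaxyCluster: Content of the cluster adding the relation between sigma rule and MITRE technique
+"""
+for obj in galaxyCluster["values"]:
+for attack in obj["meta"]["tags"]:
+if attack.startswith("attack.t"):
+with open(
+config["MISP"]["cluster_path"]
++ config["MISP"]["mitre_attack_cluster"],
+"r",
+) as mitreCluster:
+data = json.load(mitreCluster)
+for technique in data["values"]:
+if (
+technique["meta"]["external_id"]
+== attack.split(".", 1)[1].upper()
+):
+if obj.get("related"):
+obj["related"].append(
+{
+"dest-uuid": "%s" % (technique["uuid"]),
+"tags": [
+"estimative-language:likelihood-probability=\"almost-certain\""
+],
+"type": "related-to",
+}
+)
+else:
+obj["related"] = []
+obj["related"].append(
+{
+"dest-uuid": "%s" % (technique["uuid"]),
+"tags": [
+"estimative-language:likelihood-probability=\"almost-certain\""
+],
+"type": "related-to",
+}
+)
+
+return galaxyCluster
+
+
+def check_duplicates(galaxy):
+"""
+:param galaxy: Content of the cluster with all the values
+
+:return res:
+"""
+galaxiesObj = {}
+for val in galaxy["values"]:
+obj = {}
+if galaxiesObj.get(val["value"]):
+galaxiesObj[val["value"]].append(val["uuid"])
+else:
+galaxiesObj[val["value"]] = []
+galaxiesObj[val["value"]].append(val["uuid"])
+
+for k, v in galaxiesObj.items():
+if len(v) > 1:
+print("[*] Title duplicated: %s " % (k))
+for ids in v:
+print(" %s" % (ids))
+
+
+def create_cluster_json(galaxyCluster):
+"""
+:param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
+
+This function finally creates the sigma-cluster.json file with all the information.
+"""
+with open("sigma-cluster.json", "w") as f:
+json.dump(galaxyCluster, f)
+
+
+def parseYaml(inputPath, yamlFile):
+"""
+:param inputPath: Path where is stored the Sigma Rule to parse.
+:param yamlFile: Content of the Sigma Rule.
+
+This function can convert a Sigma Rule to JSON (dict)
+
+:return jsonData: Sigma rule converted to dict.
+"""
+fullPath = os.path.join(inputPath, yamlFile)
+with open(fullPath, encoding='utf-8') as f:
+jsonData = yaml.load(f, Loader=yaml.FullLoader)
+return jsonData
+
+
+def create_cluster(uuidGalaxy=unique_uuid):
+"""
+:param uuidGalaxy: Is the uuid4 generated for the galaxy JSON file previously.
+
+This function creates the JSON file of the path /app/files/misp-galaxy/clusters without values.
+
+:return cluster: Dict with the basic information needed for the JSON file.
+"""
+version = int(time.strftime("%Y%m%d"))
+cluster = {
+"authors": ["@Joseliyo_Jstnk"],
+"category": "rules",
+"description": "MISP galaxy cluster based on Sigma Rules.",
+"name": "Sigma-Rules",
+"source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma",
+"type": "sigma-rules",
+"uuid": uuidGalaxy,
+"values": [],
+"version": version
+}
+
+return cluster
+
+
+def create_cluster_value(pathsigma, recursive, galaxyCluster):
+"""
+:param pathsigma: Is the path established with the -p parameter
+:param recurisve: If true, it can recursively navigate through every subfolder of :pathsigma:
+:param galaxyCluster: Dictionary with the information needed for the cluster JSON file
+
+This function makes a loop in every subfolder to identify Sigma Rules and after that..
+1. It parse the YAML file to dict
+2. Once it's a dict, it call the function to parse the dict and start creating the
+values of the cluster
+
+IMPORTANT: Sigma rules must ends with .yml and not .yaml
+
+:return valuesData: Array with every Sigma Rule parsed into a dict.
+"""
+valuesData = []
+if recursive == True:
+for dirpath, dirs, files in os.walk(pathsigma):
+if os.name == 'nt':
+path = dirpath.split('/')[0]
+else:
+path = dirpath
+
+for f in files:
+if f.endswith(".yml"):
+jsonData = parseYaml(path, f)
+valuesData.append(
+parse_sigma_to_cluster(jsonData, f, path.split("rules")[1])
+)
+
+return valuesData
+
+
+def parse_sigma_to_cluster(jsonData, sigmaFile, sigmaPath):
+"""
+:param jsonData: Is the Sigma Rule parsed to dict.
+:param sigmaFile: Is the Sigma Rule filename.
+:param sigmaPath: Is the path where are stored the Sigma Rules.
+
+This function parse the dict of the Sigma Rule to fill all the fields needed for the MISP Galaxy.
+
+:return valueData: Dict with all the fields filled ready to be added in the cluster JSON file.
+
+"""
+valueData = {}
+valueData["description"] = jsonData.get("description", "No established description")
+valueData["uuid"] = jsonData.get("id", "No established id")
+valueData["value"] = jsonData.get("title", "No established title")
+valueData["meta"] = {}
+valueData["meta"]["refs"] = []
+if jsonData.get("references"):
+for rf in jsonData.get("references"):
+valueData["meta"]["refs"].append(rf)
+valueData["meta"]["refs"] = [
+*set(valueData["meta"]["refs"])
+] # Removing duplicated references
+valueData["meta"]["tags"] = jsonData.get("tags", "No established tags")
+valueData["meta"]["creation_date"] = jsonData.get("date", "No established date")
+valueData["meta"]["filename"] = sigmaFile
+valueData["meta"]["author"] = jsonData.get("author", "No established author")
+valueData["meta"]["level"] = jsonData.get("level", "No established level")
+valueData["meta"]["falsepositive"] = jsonData.get(
+"falsepositives", "No established falsepositives"
+)
+valueData["meta"]["refs"].append(
+"https://github.com/SigmaHQ/sigma/tree/master/rules%s/%s"
+% (sigmaPath.replace("\\", "/"), sigmaFile)
+) # this value only works if you set the path like it was cloned from github
+valueData["meta"]["logsource.category"] = jsonData.get("logsource").get(
+"category", "No established category"
+)
+valueData["meta"]["logsource.product"] = jsonData.get("logsource").get(
+"product", "No established product"
+)
+return valueData
+
+
+def create_galaxy_json():
+"""
+This method creates first the galaxy JSON stored in the path /app/files/misp-galaxy/galaxies
+The information of this JSON is basic.
+
+:return uuidGalaxy: Return the uuid needed for the cluster JSON File which is created after this.
+"""
+uuidGalaxy = unique_uuid
+galaxy = {
+"description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools",
+"icon": "link",
+"name": "Sigma-Rules",
+"namespace": "misp",
+"type": "sigma-rules",
+"uuid": uuidGalaxy,
+"version": 1,
+}
+with open("sigma-rules.json", "w") as f:
+json.dump(galaxy, f)
+
+return uuidGalaxy
+
+
+if __name__ == '__main__':
+config = configparser.ConfigParser()
+config.read("config.ini")
+parser = argparse.ArgumentParser(
+description="This script can convert your sigma rules in MISP galaxies, generating both files needed for cluster and galaxies. If you need more information about how to import it, please, go to https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma"
+)
+parser.add_argument(
+"-p",
+"--path",
+dest="inputPath",
+required=True,
+default="None",
+help="Path with your sigma rules.",
+)
+parser.add_argument(
+"-r",
+"--recursive",
+dest="recursive",
+action="store_true",
+help="If you have subfolders on the initial path and you want to convert all of them, use -r to do it recursive.",
+)
+args = parser.parse_args()
+main(args)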
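Review bot: `parseYaml` loads every rule with `yaml.load(f, Loader=yaml.FullLoader)`, and update.sh feeds it files freshly cloned from a remote repository; Sigma rules are plain mappings, so `jsonData = yaml.safe_load(f)` parses them while restricting input to standard YAML tags, independent of how the installed PyYAML version's full loader behaves. The parsed rule is then trusted to be complete: `jsonData.get("logsource").get(...)` raises AttributeError on a rule without `logsource`, `jsonData.get("id", "No established id")` writes a non-UUID into the cluster entry's `uuid`, and the string default for `tags` makes `createRelations` iterate it character by character. `createRelations` also reopens and re-parses the MITRE cluster file for each matching tag of each rule; reading it once into an `external_id` to `uuid` dict before the loop would give the same relations. `config` exists only when the file is run as a script, so importing `createRelations` from elsewhere fails with NameError.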
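--- /dev/null
+++ b/tools/sigma/update.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+rm -rf sigma
+git clone https://github.com/SigmaHQ/sigma
+python3 sigma-to-galaxy.py -r -p ./sigma/rules
+cat sigma-cluster.json | jq -S . >../../clusters/sigma-rules.json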
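Review bot: The script never sets `set -euo pipefail`, so a failed `git clone` or a crash in sigma-to-galaxy.py does not stop it, and the `>` on the last line truncates `../../clusters/sigma-rules.json` before `jq` has produced anything; a failed run can leave an empty file or a cluster with no values in the tree. Add `set -euo pipefail` after the shebang and write through a temporary file, e.g. `jq -S . sigma-cluster.json > sigma-rules.json.tmp && mv sigma-rules.json.tmp ../../clusters/sigma-rules.json`. The clone takes whatever the upstream default branch holds at run time, so the generated cluster is not reproducible; recording the cloned commit id (or checking out a reviewed one) would make the generated file auditable. All paths are relative, so the script only works when run from tools/sigma.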