MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 14:57:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix [tidal] check for existing sub clusters

Browse source
This commit is contained in:
niclas 2024-03-06 09:19:11 +01:00
parent 03c6e3cb00
commit c28a001b4f
2 changed files with 30 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
clusters/tidal-software.json
View file

@ -22752,6 +22752,10 @@
{
"dest-uuid": "a4700431-6578-489f-9782-52e394277296",
"type": "similar"
},
{
"dest-uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
"type": "similar"
}
],
"uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
@ -30905,20 +30909,6 @@
"uuid": "2143f749-d7b8-43c0-8041-8aeb486142c2",
"value": "TestWindowRemoteAgent"
},
{
"description": "Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. <sup>[[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)]</sup> <sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup>",
"meta": {
"id": "1b0ec06d-0748-42ea-912f-e23f14d94b95"
},
"related": [
{
"dest-uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
"type": "similar"
}
],
"uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
"value": "DNSMessenger - Associated Software"
},
{
"description": "[TEXTMATE](https://app.tidalcyber.com/software/49d0ae81-d51b-4534-b1e0-08371a47ef79) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) in February 2017. <sup>[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]</sup>",
"meta": {
@ -30942,10 +30932,6 @@
{
"dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"type": "similar"
},
{
"dest-uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a",
"type": "similar"
}
],
"uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",

26
tools/tidal-api/models/cluster.py
View file

@ -221,6 +221,19 @@ class GroupCluster(Cluster):
)
if self.subs:
for associated_group in entry.get("associated_groups"):
found = False
for x in self.values:
if associated_group.get("associated_group_id") == x.get("uuid"):
x["related"].append(
{
"dest-uuid": entry.get("id"),
"type": "similar",
}
)
found = True
break
if found:
continue
associated_meta = AssociatedGroupsMeta(
id=associated_group.get("id"),
owner_id=associated_group.get("owner_id"),
@ -322,6 +335,19 @@ class SoftwareCluster(Cluster):
)
if self.subs:
for associated_software in entry.get("associated_software"):
found = False
for x in self.values:
if associated_software.get("associated_software_id") == x.get("uuid"):
x["related"].append(
{
"dest-uuid": entry.get("id"),
"type": "similar",
}
)
found = True
break
if found:
continue
associated_meta = AssociatedSoftwareMeta(
id=associated_software.get("id"),
owner_id=associated_software.get("owner_id"),