diff --git a/example-data/README.md b/example-data/README.md
new file mode 100644
index 0000000..47b97ce
--- /dev/null
+++ b/example-data/README.md
@@ -0,0 +1,12 @@
+
+This is a simple python script that generates a JSON document which is used
+to represent the cyber intelligence data contained within the McAfee Intelligence
+report entitled:
+* "Malicious Document Targets Pyeongchang Olympics"
+
+A copy of the report is available here:
+* https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf
+
+Wanted to put together a starting point for discussing the object model, so I
+felt this was a great place to begin.
+
diff --git a/example-data/dump_dot.py b/example-data/dump_dot.py
new file mode 100644
index 0000000..ed017c9
--- /dev/null
+++ b/example-data/dump_dot.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+import json
+
+# Dump example-data.json to a DOT graph, but exclude item #33 which
+# is the event TLO that everything is related to. This would basically
+# diagram an entire event.
+
+g = json.loads(open('example-data.json','rb').read())
+
+print("graph G {")
+for o in g['observables']:
+    print(" n{id}[label=\"{val}\"]".format(id=o['id'], val=o['value']))
+for t in g['targets']:
+    print(" n{id}[label=\"{val}\"]".format(id=t['id'], val=t['target_name']))
+
+for r in g['relationships']:
+    if r['from'] == 33 or r['to'] == 33:
+        continue
+    print(" n{id1} -- n{id2}".format(id1=r['from'], id2=r['to']))
+
+print("}")
diff --git a/example-data/example-data.dot b/example-data/example-data.dot
new file mode 100644
index 0000000..32d8c99
--- /dev/null
+++ b/example-data/example-data.dot
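Review bot: The label values are interpolated into the DOT output unescaped in both `print(" n{id}[label=\"{val}\"]"...)` lines, so a value containing a double quote ends the label early, and DOT treats backslash sequences such as `\n` or `\N` inside a label as escapes rather than literal characters; several observables in this same commit are Windows paths and command strings that contain backslashes. Add one helper and route both labels through it: `def dot_label(s): return s.replace('\\', '\\\\').replace('"', '\\"')`, then `val=dot_label(o['value'])` and `val=dot_label(t['target_name'])`. The event id 33 is also hard-coded twice in the relationship filter although `example-data.json` carries it under `events`; reading it from `g['events']` keeps this script in step with the generator. The handle from `open(...)` is never closed; `with open('example-data.json', 'rb') as fh: g = json.load(fh)` does the same work and releases it.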
@@ -0,0 +1,68 @@ +graph G { + n1[label="농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc"] + n2[label="Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.doc"] + n3[label="43.249.39.152"] + n4[label="info@nctc.go.kr"] + n5[label="ospf1-apac-sg.stickyadstv.com"] + n6[label="https://www.thlsystems.forfirst.cz/images/adv_s3.png"] + n7[label="/images/adv_s3.png"] + n8[label="adv_s3.png"] + n9[label="adv_s3.png"] + n10[label="www.thlsystems.forfirst.cz"] + n11[label="&&set xmd=echo iex (ls env:tjdm).value ^| powershell -noni -noex -execut bypass -noprofile -wind hidden – && cmd /C%xmd%"] + n12[label="https://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php"] + n13[label="https://www.thlsystems.forfirst.cz/components/com_tags/views/login/process.php"] + n14[label="/components/com_tags/views/login/process.php"] + n15[label="/com_tags/views/login/process.php"] + n16[label="https://200.122.181.63:443/components/com_tags/views/news.php"] + n17[label="/components/com_tags/views/news.php"] + n18[label="/components/com_tags/"] + n19[label="200.122.181.63"] + n20[label="C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 14:00 /TN “MS Remoute Update” /TR C:\Users\Ops03\AppData\Local\view.hta"] + n21[label="C:\Users\Ops03\AppData\Local\view.hta"] + n22[label="%AppData%\Local\view.hta"] + n23[label="view.hta"] + n24[label="81.31.47.101"] + n25[label="thlsystems.forfirst.cz"] + n26[label="https://www.thlsystems.forfirst.cz/components/com_tags/views/admin/get.php"] + n27[label="/components/com_tags/views/admin/get.php"] + n28[label="mafra.go.kr.jeojang.ga"] + n29[label="위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx"] + n30[label="c388b693d10e2b84af52ab2c29eb9328e47c3c16"] + n31[label="8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c"] + n32[label="Ice Hockey"] + n1 -- n31 + n29 -- n30 + n2 -- n1 + n31 -- n32 + n31 -- n3 + n31 -- n4 + n31 -- n5 + n31 -- n6 + n6 -- n7 + n6 -- n8 + n8 -- n9 + n6 -- n10 + n9 -- n11 + n9 -- n12 + n12 -- n13 + 
n12 -- n14 + n12 -- n15 + n12 -- n10 + n13 -- n14 + n13 -- n15 + n13 -- n10 + n9 -- n21 + n21 -- n16 + n16 -- n17 + n16 -- n18 + n16 -- n19 + n20 -- n9 + n21 -- n22 + n21 -- n23 + n10 -- n25 + n25 -- n24 + n21 -- n26 + n26 -- n27 + n19 -- n28 +} diff --git a/example-data/example-data.dot.pdf b/example-data/example-data.dot.pdf new file mode 100644 index 0000000..9436404 Binary files /dev/null and b/example-data/example-data.dot.pdf differ diff --git a/example-data/example-data.json b/example-data/example-data.json new file mode 100644 index 0000000..1e3ec71 --- /dev/null +++ b/example-data/example-data.json 
@@ -0,0 +1 @@ +{"observables": [{"value": "\ub18d\uc2dd\ud488\ubd80, \ud3c9\ucc3d \ub3d9\uacc4\uc62c\ub9bc\ud53d \ub300\ube44 \ucd95\uc0b0\uc545\ucde8 \ubc29\uc9c0\ub300\ucc45 \uad00\ub828\uae30\uad00 \ud68c\uc758 \uac1c\ucd5c.doc", "observation_type": "file-name", "id": 1, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.doc", "observation_type": "file-name", "id": 2, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "43.249.39.152", "observation_type": "ipv4-addr", "id": 3, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "info@nctc.go.kr", "observation_type": "email-addr", "id": 4, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": 
"https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "ospf1-apac-sg.stickyadstv.com", "observation_type": "domain-name", "id": 5, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "https://www.thlsystems.forfirst.cz/images/adv_s3.png", "observation_type": "url", "id": 6, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "/images/adv_s3.png", "observation_type": "url", "id": 7, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "adv_s3.png", "observation_type": "url", "id": 8, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, 
{"value": "adv_s3.png", "observation_type": "file-name", "id": 9, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "www.thlsystems.forfirst.cz", "observation_type": "domain-name", "id": 10, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "&&set xmd=echo iex (ls env:tjdm).value ^| powershell -noni -noex -execut bypass -noprofile -wind hidden \u2013 && cmd /C%xmd%", "observation_type": "artifact", "observation_subtype": "string-cmd", "id": 11, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "https://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php", "observation_type": "url", "id": 12, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": 
"APTnotes archive"}]}]}, {"value": "https://www.thlsystems.forfirst.cz/components/com_tags/views/login/process.php", "observation_type": "url", "id": 13, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "/components/com_tags/views/login/process.php", "observation_type": "url", "id": 14, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "/com_tags/views/login/process.php", "observation_type": "url", "id": 15, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "https://200.122.181.63:443/components/com_tags/views/news.php", "observation_type": "url", "id": 16, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": 
"/components/com_tags/views/news.php", "observation_type": "url", "id": 17, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "/components/com_tags/", "observation_type": "url", "id": 18, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "200.122.181.63", "observation_type": "ipv4-addr", "id": 19, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "C:\\Windows\\system32\\schtasks.exe\u201d /Create /F /SC DAILY /ST 14:00 /TN \u201cMS Remoute Update\u201d /TR C:\\Users\\Ops03\\AppData\\Local\\view.hta", "observation_type": "artifact", "observation_subtype": "string-cmd", "id": 20, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": 
"C:\\Users\\Ops03\\AppData\\Local\\view.hta", "observation_type": "file-path", "id": 21, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "%AppData%\\Local\\view.hta", "observation_type": "file-path", "id": 22, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "view.hta", "observation_type": "file-name", "id": 23, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "81.31.47.101", "observation_type": "ipv4-addr", "id": 24, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "thlsystems.forfirst.cz", "observation_type": "domain-name", "id": 25, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": 
"https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "https://www.thlsystems.forfirst.cz/components/com_tags/views/admin/get.php", "observation_type": "url", "id": 26, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "/components/com_tags/views/admin/get.php", "observation_type": "url", "id": 27, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "mafra.go.kr.jeojang.ga", "observation_type": "domain-name", "id": 28, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "\uc704\ud5d8 \uacbd\ubcf4 (\uc804\uad6d\uc57c\uc0dd\uc870\ub958 \ubd84\ubcc0 \uace0\ubcd1\uc6d0\uc131 AI(H5N6\ud615) \uac80\ucd9c).docx", "observation_type": "file-name", "id": 29, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": 
[{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "c388b693d10e2b84af52ab2c29eb9328e47c3c16", "observation_type": "file-sha1", "id": 30, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}, {"value": "8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c", "observation_type": "file-sha1", "id": 31, "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}], "relationships": [{"from": 1, "to": 31, "rel_type": "Related To"}, {"from": 29, "to": 30, "rel_type": "Related To"}, {"from": 2, "to": 1, "rel_type": "Translated From"}, {"from": 31, "to": 32, "rel_type": "Received By"}, {"from": 31, "to": 3, "rel_type": "Sent From"}, {"from": 31, "to": 4, "rel_type": "Sent From"}, {"from": 31, "to": 5, "rel_type": "Sent From"}, {"from": 31, "to": 6, "rel_type": "Contacted"}, {"from": 6, "to": 7, "rel_type": "Derived"}, {"from": 6, "to": 8, "rel_type": "Derived"}, {"from": 8, "to": 9, "rel_type": "Derived"}, {"from": 6, "to": 10, "rel_type": "Derived"}, {"from": 9, "to": 11, "rel_type": "Executed"}, {"from": 9, "to": 12, "rel_type": "Contacted"}, {"from": 12, "to": 13, "rel_type": 
"Derived"}, {"from": 12, "to": 14, "rel_type": "Derived"}, {"from": 12, "to": 15, "rel_type": "Derived"}, {"from": 12, "to": 10, "rel_type": "Derived"}, {"from": 13, "to": 14, "rel_type": "Derived"}, {"from": 13, "to": 15, "rel_type": "Derived"}, {"from": 13, "to": 10, "rel_type": "Derived"}, {"from": 9, "to": 21, "rel_type": "Wrote"}, {"from": 21, "to": 16, "rel_type": "Contacted"}, {"from": 16, "to": 17, "rel_type": "Derived"}, {"from": 16, "to": 18, "rel_type": "Derived"}, {"from": 16, "to": 19, "rel_type": "Derived"}, {"from": 20, "to": 9, "rel_type": "Executed By"}, {"from": 21, "to": 22, "rel_type": "Derived"}, {"from": 21, "to": 23, "rel_type": "Derived"}, {"from": 10, "to": 25, "rel_type": "Subdomain Of"}, {"from": 25, "to": 24, "rel_type": "Resolved To"}, {"from": 21, "to": 26, "rel_type": "Contacted"}, {"from": 26, "to": 27, "rel_type": "Derived"}, {"from": 19, "to": 28, "rel_type": "Resolved From"}, {"from": 33, "to": 32, "rel_type": "Reported"}, {"from": 33, "to": 1, "rel_type": "Reported"}, {"from": 33, "to": 2, "rel_type": "Reported"}, {"from": 33, "to": 3, "rel_type": "Reported"}, {"from": 33, "to": 4, "rel_type": "Reported"}, {"from": 33, "to": 5, "rel_type": "Reported"}, {"from": 33, "to": 6, "rel_type": "Reported"}, {"from": 33, "to": 7, "rel_type": "Reported"}, {"from": 33, "to": 8, "rel_type": "Reported"}, {"from": 33, "to": 9, "rel_type": "Reported"}, {"from": 33, "to": 10, "rel_type": "Reported"}, {"from": 33, "to": 11, "rel_type": "Reported"}, {"from": 33, "to": 12, "rel_type": "Reported"}, {"from": 33, "to": 13, "rel_type": "Reported"}, {"from": 33, "to": 14, "rel_type": "Reported"}, {"from": 33, "to": 15, "rel_type": "Reported"}, {"from": 33, "to": 16, "rel_type": "Reported"}, {"from": 33, "to": 17, "rel_type": "Reported"}, {"from": 33, "to": 18, "rel_type": "Reported"}, {"from": 33, "to": 19, "rel_type": "Reported"}, {"from": 33, "to": 20, "rel_type": "Reported"}, {"from": 33, "to": 21, "rel_type": "Reported"}, {"from": 33, "to": 22, 
"rel_type": "Reported"}, {"from": 33, "to": 23, "rel_type": "Reported"}, {"from": 33, "to": 24, "rel_type": "Reported"}, {"from": 33, "to": 25, "rel_type": "Reported"}, {"from": 33, "to": 26, "rel_type": "Reported"}, {"from": 33, "to": 27, "rel_type": "Reported"}, {"from": 33, "to": 28, "rel_type": "Reported"}, {"from": 33, "to": 29, "rel_type": "Reported"}, {"from": 33, "to": 30, "rel_type": "Reported"}, {"from": 33, "to": 31, "rel_type": "Reported"}], "targets": [{"id": 32, "target_email": "icehockey@pyeongchang2018.com", "target_name": "Ice Hockey", "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}], "events": [{"id": 33, "event_start": "2017-12-22T00:00:00.000Z", "event_end": "2017-12-28T00:00:00.000Z", "event_reported": "2018-01-06T00:00:00.000Z", "event_threat": "Phishing", "event_type": "Blog Post", "event_title": "Malicious Document Targets Pyeongchang Olympics", "source": [{"name": "McAfee OSINT", "tlp": "white", "instances": [{"reference": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", "method": "blog post"}, {"reference": "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf", "method": "APTnotes archive"}]}]}]} diff --git a/example-data/generate-example-data.py b/example-data/generate-example-data.py new file mode 100644 index 0000000..3629a8e --- /dev/null +++ b/example-data/generate-example-data.py 
@@ -0,0 +1,273 @@
+#!/usr/bin/env python3
+import json
+#
+# This is a simple python script that generates a JSON document which is used
+# to represent the cyber intelligence data contained within the McAfee Intelligence
+# report entitled:
+# * "Malicious Document Targets Pyeongchang Olympics"
+#
+# A copy of this is available here:
+# * https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf
+#
+
+report_sourcename = "McAfee OSINT"
+report_refname = "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
+report_permanent_archive = "https://www.threatminer.org/_reports/2018/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf"
+
+# All of these things are coming from a common source, so let us define a "source Access" object
+# to work from
+mcafee_osint_source_access = {
+    'name': report_sourcename, # Use the name I defined earlier, continue to use this an FK
+    'default_tlp': 'white', # By default, this will be TLP:WHITE to any roles the source is
+                            # extended to.
+    'active': True # Set this as active (deactivation flag so we can preserve "old" sources)
+}
+
+# I'm just gonna use numeric Ids below for the sake of brevity, but these could easily be translated to stringified BSON ObjectId
+# values if desired, to support the GUID concept
+observables = [
+    {'value': '농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc',
+     'observation_type': 'file-name',
+     'id': 1},
+    {'value': 'Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.doc',
+     'observation_type': 'file-name',
+     'id': 2},
+    {'value': '43.249.39.152',
+     'observation_type': 'ipv4-addr',
+     'id': 3},
+    {'value': 'info@nctc.go.kr',
+     'observation_type': 'email-addr',
+     'id': 4},
+    {'value': 'ospf1-apac-sg.stickyadstv.com',
+     'observation_type': 'domain-name',
+     'id': 5},
+    {'value': 'https://www.thlsystems.forfirst.cz/images/adv_s3.png',
+     'observation_type': 'url',
+     'id': 6},
+    {'value': '/images/adv_s3.png',
+     'observation_type': 'url',
+     'id': 7},
+    {'value': 'adv_s3.png',
+     'observation_type': 'url',
+     'id': 8},
+    {'value': 'adv_s3.png',
+     'observation_type': 'file-name',
+     'id': 9},
+    {'value': 'www.thlsystems.forfirst.cz',
+     'observation_type': 'domain-name',
+     'id': 10},
+    {'value': '&&set xmd=echo iex (ls env:tjdm).value ^| powershell -noni -noex -execut bypass -noprofile -wind hidden – && cmd /C%xmd%',
+     'observation_type': 'artifact',
+     'observation_subtype': 'string-cmd',
+     'id': 11},
+    {'value': 'https://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php',
+     'observation_type': 'url',
+     'id': 12},
+    {'value': 'https://www.thlsystems.forfirst.cz/components/com_tags/views/login/process.php',
+     'observation_type': 'url',
+     'id': 13},
+    {'value': '/components/com_tags/views/login/process.php',
+     'observation_type': 'url',
+     'id': 14},
+    {'value': '/com_tags/views/login/process.php',
+     'observation_type': 'url',
+     'id': 15},
+    {'value': 'https://200.122.181.63:443/components/com_tags/views/news.php',
+     'observation_type': 'url',
+     'id': 16},
+    {'value': '/components/com_tags/views/news.php',
+     'observation_type': 'url',
+     'id': 17},
+    {'value': '/components/com_tags/',
+     'observation_type': 'url',
+     'id': 18},
+    {'value': '200.122.181.63',
+     'observation_type': 'ipv4-addr',
+     'id': 19},
+    {'value': 'C:\\Windows\\system32\\schtasks.exe” /Create /F /SC DAILY /ST 14:00 /TN “MS Remoute Update” /TR C:\\Users\\Ops03\\AppData\\Local\\view.hta',
+     'observation_type': 'artifact',
+     'observation_subtype': 'string-cmd',
+     'id': 20},
+    {'value': 'C:\\Users\\Ops03\\AppData\\Local\\view.hta',
+     'observation_type': 'file-path',
+     'id': 21},
+    {'value': '%AppData%\\Local\\view.hta',
+     'observation_type': 'file-path',
+     'id': 22},
+    {'value': 'view.hta',
+     'observation_type': 'file-name',
+     'id': 23},
+    {'value': '81.31.47.101',
+     'observation_type': 'ipv4-addr',
+     'id': 24},
+    {'value': 'thlsystems.forfirst.cz',
+     'observation_type': 'domain-name',
+     'id': 25},
+    {'value': 'https://www.thlsystems.forfirst.cz/components/com_tags/views/admin/get.php',
+     'observation_type': 'url',
+     'id': 26},
+    {'value': '/components/com_tags/views/admin/get.php',
+     'observation_type': 'url',
+     'id': 27},
+    {'value': 'mafra.go.kr.jeojang.ga',
+     'observation_type': 'domain-name',
+     'id': 28},
+    {'value': '위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx',
+     'observation_type': 'file-name',
+     'id': 29},
+    {'value': 'c388b693d10e2b84af52ab2c29eb9328e47c3c16',
+     'observation_type': 'file-sha1',
+     'id': 30},
+    {'value': '8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c',
+     'observation_type': 'file-sha1',
+     'id': 31},
+]
+
+targets = [
+    {'id': 32,
+     'target_email': 'icehockey@pyeongchang2018.com',
+     'target_name': 'Ice Hockey'}
+]
+
+events = [
+    {'id': 33,
+     'event_start': '2017-12-22T00:00:00.000Z',
+     'event_end': '2017-12-28T00:00:00.000Z',
+     'event_reported': '2018-01-06T00:00:00.000Z',
+     'event_threat': 'Phishing',
+     'event_type': 'Blog Post',
+     'event_title': 'Malicious Document Targets Pyeongchang Olympics',
+    }
+]
+
+# In general, I try to make relationships adhere to the following English convention:
+# {from} was {rel_type} {to}
+#
+relationships = [
+    {'from': 1,
+     'to': 31,
+     'rel_type': 'Related To'}, # Opp = Related To
+    {'from': 29,
+     'to': 30,
+     'rel_type': 'Related To'}, # Opp = Related To
+    {'from': 2,
+     'to': 1,
+     'rel_type': 'Translated From'}, # Opp = Translated From
+    {'from': 31,
+     'to': 32, # Note that this is referring to the one "target" reported
+     'rel_type': 'Received By'}, # Opp = Received
+    {'from': 31,
+     'to': 3,
+     'rel_type': 'Sent From'}, # Opp = Sent
+    {'from': 31,
+     'to': 4,
+     'rel_type': 'Sent From'}, # Opp = Sent
+    {'from': 31,
+     'to': 5,
+     'rel_type': 'Sent From'}, # Opp = Sent
+    {'from': 31,
+     'to': 6,
+     'rel_type': 'Contacted'}, # Opp = Contacted From
+    {'from': 6,
+     'to': 7,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 6,
+     'to': 8,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 8,
+     'to': 9,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 6,
+     'to': 10,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 9,
+     'to': 11,
+     'rel_type': 'Executed'}, # Opp = Executed By
+    {'from': 9,
+     'to': 12,
+     'rel_type': 'Contacted'}, # Opp = Contacted From
+    {'from': 12,
+     'to': 13,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 12,
+     'to': 14,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 12,
+     'to': 15,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 12,
+     'to': 10,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 13,
+     'to': 14,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 13,
+     'to': 15,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 13,
+     'to': 10,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 9,
+     'to': 21,
+     'rel_type': 'Wrote'}, # Opp = Written By
+    {'from': 21,
+     'to': 16,
+     'rel_type': 'Contacted'}, # Opp = Contacted From
+    {'from': 16,
+     'to': 17,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 16,
+     'to': 18,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 16,
+     'to': 19,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 20,
+     'to': 9,
+     'rel_type': 'Executed By'}, # Opp = Executed
+    {'from': 21,
+     'to': 22,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 21,
+     'to': 23,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 10,
+     'to': 25,
+     'rel_type': 'Subdomain Of'}, # Opp = Superdomain Of
+    {'from': 25,
+     'to': 24,
+     'rel_type': 'Resolved To'}, # Opp = Resolved From
+    {'from': 21,
+     'to': 26,
+     'rel_type': 'Contacted'}, # Opp = Contacted From
+    {'from': 26,
+     'to': 27,
+     'rel_type': 'Derived'}, # Opp = Derived From
+    {'from': 19,
+     'to': 28,
+     'rel_type': 'Resolved From'}, # Opp = Resolved To
+    {'from': 33,
+     'to': 32,
+     'rel_type': 'Reported'}, # Opp = Reported By
+]
+
+# Forge a relationship between all observables and the Event. There's probably some
+# argument to be had about handling "Derived" objects. My opinion is that you choose
+# to do it arbitrarily in the way that makes sense to you. Just be consistent internally.
+for o in observables:
+    relationships.append({'from': 33, 'to': o['id'], 'rel_type': 'Reported'})
+
+# Finally, add source/reference/tlp information to every thing that's a real TLO. Again,
+# be consistent internally about what constitutes a "Source" but don't set any hard
+# expectations around this.
+for collection in [observables, targets, events]:
+    for o in collection:
+        o['source'] = []
+        o['source'].append({'name': mcafee_osint_source_access['name'],
+                            'tlp': mcafee_osint_source_access['default_tlp'],
+                            'instances': []})
+        o['source'][-1]['instances'].append({'reference': report_refname, 'method': 'blog post'})
+        o['source'][-1]['instances'].append({'reference': report_permanent_archive, 'method': 'APTnotes archive'})
+
+# Figure I'd just dump it to stdout
+print(json.dumps({'observables': observables, 'relationships': relationships, 'targets': targets, 'events': events}))
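Review bot: The event id 33 is hard-coded in the relationship list (`{'from': 33, 'to': 32, 'rel_type': 'Reported'}`) and again in `relationships.append({'from': 33, 'to': o['id'], ...})`, while the only authoritative copy is `events[0]['id']`; binding it once with `event_id = events[0]['id']` and using it in both places keeps the ids from drifting if they later become stringified ObjectIds as the comment above `observables` anticipates. `mcafee_osint_source_access['active']` is declared but never copied into the emitted `source` entries, so a consumer of the JSON cannot distinguish active from deactivated sources; either drop the key or emit it next to `name` and `tlp`. The source-attachment loop assembles each entry through three successive `append` calls; a single literal, `o['source'] = [{'name': ..., 'tlp': ..., 'instances': [{'reference': report_refname, 'method': 'blog post'}, {'reference': report_permanent_archive, 'method': 'APTnotes archive'}]}]`, states the shape of the record in one place.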