Custom MISP upload script that adds a file (or several files) as new events and attaches objects: the file object and the PE info (but no sections data); additionally it tags each event. **Heavily borrowed code from upload.py in the PyMISP samples.
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
from pymisp import ExpandedPyMISP, MISPEvent, MISPAttribute, MISPObject, MISPT | |
from pymisp import PyMISP | |
from pymisp.tools import make_binary_objects | |
from keys import misp_url, misp_key, misp_verifycert | |
from pathlib import Path | |
import hashlib | |
import magic | |
import re | |
import pefile | |
# Connection settings. Normally these come from the `keys` module imported
# above; uncomment and fill in the three values below to hard-code them instead.
# misp_url = 'https://MISPURL/'
# misp_key = 'APIKEYHERE'  # MISP auth key: web UI -> Automation section
# misp_verifycert = True

# Outbound proxy used for every request to the MISP instance.
proxies = dict(
    http='http://PROXYHOST:PROXYPORT',
    https='https://PROXYHOST:PROXYPORT',
)

# Upload source: a single sample or a directory tree of samples.
# Static for now; could be replaced by a command-line argument.
MALWARE_DIR = 'SOMEDIR'
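def sha256hash(file):
    """Return the hex SHA-256 digest of *file*, read in 64 KiB chunks.

    Args:
        file: path (str or Path) of the file to hash.

    Returns:
        Lower-case hexadecimal digest string.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    BSIZE = 65536
    hash256 = hashlib.sha256()
    # The context manager closes the handle even if read() raises; the
    # previous version left it open for the garbage collector.
    with open(file, 'rb') as hnd:
        # iter() with a sentinel stops at the first empty read (EOF).
        for chunk in iter(lambda: hnd.read(BSIZE), b''):
            hash256.update(chunk)
    return hash256.hexdigest()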
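misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, proxies=proxies)

# Resolve the upload target: a single file, or every regular file under a
# directory (recursively).
p = Path(MALWARE_DIR)
if p.is_file():
    files = [p]
elif p.is_dir():
    files = [f for f in p.glob('**/*') if f.is_file()]
else:
    print('invalid upload path (must be file or dir)')
    # Non-zero status: the previous exit(0) reported success on a bad path.
    raise SystemExit(1)

# One event per sample, named after its SHA-256.
# NOTE: the earlier libmagic/pefile pass that computed an imphash was dropped;
# its result was never used, and the PE metadata attached to the event comes
# from make_binary_objects() below.
for f in files:
    f256hash = sha256hash(f)

    m = MISPEvent()
    m.info = "Malware Sample - {}".format(f256hash)
    m.distribution = 1  # MISP distribution level 1 ("This community only")
    make_event = misp.add_event(m)
    # A failed add_event returns a response without an 'Event' key; skip the
    # sample instead of aborting the whole batch with a KeyError.
    if 'Event' not in make_event:
        print('failed to create event for {}: {}'.format(f, make_event))
        continue
    eventid = make_event['Event']['id']
    eventuuid = make_event['Event']['uuid']

    # File object plus PE object; section objects (seos) are returned but
    # deliberately not uploaded.
    fo, peo, seos = make_binary_objects(str(f))
    if peo:
        misp.add_object(eventid, peo, pythonify=True)
    if fo:
        misp.add_object(eventid, fo, pythonify=True)
        # The file -> pe references can only be resolved once both objects
        # exist on the server, hence added last.
        for ref in fo.ObjectReference:
            misp.add_object_reference(ref)

    # Tag the event so it is classified as malware in the VERIS taxonomy.
    misp.tag(eventuuid, 'veris:action:malware')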