PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Similar documents
Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

MISP Training: Galaxies

MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

Incident Response tactics with Compromise Indicators

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action

Administering your Enterprise Geodatabase using Python. Jill Penney

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich March 16, 2015

Discovery and Access of Geospatial Resources using the Geoportal Extension. Marten Hogeweg Geoportal Extension Product Manager

WeatherHawk Weather Station Protocol

ST-Links. SpatialKit. Version 3.0.x. For ArcMap. ArcMap Extension for Directly Connecting to Spatial Databases. ST-Links Corporation.

Tryton Technical Training

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich June 8, 2015

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich January 26, 2015

git Tutorial Nicola Chiapolini University of St. Gallen September 12, 2017

GPS Mapping with Esri s Collector App. What We ll Cover

Geodatabase Programming with Python John Yaist

TECDIS and TELchart ECS Weather Overlay Guide

Geodatabase Programming with Python

new interface and features

Finnish Open Data Portal for Meteorological Data

Esri UC2013. Technical Workshop.

Using the File Geodatabase API. Lance Shipman David Sousa

Search for the Dubai in the remap search bar:

CAD: Introduction to using CAD Data in ArcGIS. Kyle Williams & Jeff Reinhart

ArcGIS Pro Q&A Session. NWGIS Conference, October 11, 2017 With John Sharrard, Esri GIS Solutions Engineer

OSGIS Platform. Storing and distributing PostGIS, Deegree, UMN Map Server Desktop visualization JUMP, QGIS, Thuban, udig, gvsig

Search for the Dubai in the remap search bar:

Please click the link below to view the YouTube video offering guidance to purchasers:

Using CAD data in ArcGIS

TENANT INSTRUCTOR REFERENCE GUIDE

SteelSmart System Cold Formed Steel Design Software Download & Installation Instructions

Mass Asset Additions. Overview. Effective mm/dd/yy Page 1 of 47 Rev 1. Copyright Oracle, All rights reserved.

Apex Python library. Release 1.0.1

Search for the Gulf of Carpentaria in the remap search bar:

The impacts of Open Government initiatives on SDIs

Data-Sharing Agreement

PDQ Tracker High Level Requirements

Steve Pietersen Office Telephone No

The File Geodatabase API. Craig Gillgrass Lance Shipman

Operator manual. Simrad ITI Trawl instrumentation system

ArcGIS Enterprise: Administration Workflows STUDENT EDITION

Dynamics Beer And Johnston Solution Manual READ ONLINE

Bloomsburg University Weather Viewer Quick Start Guide. Software Version 1.2 Date 4/7/2014

Data-Sharing Agreement

ISO INTERNATIONAL STANDARD. Geographic information Spatial referencing by coordinates

Orienteering maps as a part of national heritage - the Czech case

Introduction to Spark

LED Lighting Facts: Manufacturer Guide

The World Bank and the Open Geospatial Web. Chris Holmes

Lesser Sunda - Banda Seascape Atlas

Virtual Beach Making Nowcast Predictions

IUCLID Substance Data

Arboretum Explorer: Using GIS to map the Arnold Arboretum

MapOSMatic, free city maps for everyone!

SCAUG Community Maps Building a Living Atlas of the World

Performing. Geospatial Analysis. Using Latitude and Longitude Data. Ginger Ni - Software Engineer

LED Lighting Facts: Product Submission Guide

Performing Advanced Cartography with Esri Production Mapping

epistasis Documentation

PI SERVER 2012 Do. More. Faster. Now! Copyr i g h t 2012 O S Is o f t, L L C. 1

ArcGIS Earth an Intro

IntelMQ - a KISS incident handling automation project (IHAP)

OPEN ACCESS GEOLOGY: USING THE INSTITUTIONAL REPOSITORY TO HOST STATE GEOLOGICAL SURVEY PUBLICATIONS

Introduction to Google Mapping Tools

DP Project Development Pvt. Ltd.

Chuck Cartledge, PhD. 21 January 2018

Arup Nanda Starwood Hotels

Substance identification and how to report it in IUCLID 6

mylab: Chemical Safety Module Last Updated: January 19, 2018

ON SITE SYSTEMS Chemical Safety Assistant

From Geographics Stella to Bentley Map Stella Map. Kimmo Soukki, Account Manager Bentley Finland

It s about time... The only timeline tool you ll ever need!

Calibrated Virtual Urban Water Systems software tool for one partner city. Software

Basics HTTP. requests. Ryan E. Freckleton. PySprings. May 24, 2016

European Commission STUDY ON INTERIM EVALUATION OF EUROPEAN MARINE OBSERVATION AND DATA NETWORK. Executive Summary

Android Security Mechanisms

7 GEOMATICS BUSINESS SOLUTIONS - ANNUAL REPORT 2006

Introduction to Google Drive Objectives:

Animating Maps: Visual Analytics meets Geoweb 2.0

Citrine Informatics. Experimental design, PIF details, and data workshop. Chris Borg 26 February Citrine Informatics

Data Uploads 6: Instructions for Inventory

Erfassung und Speicherung von Forschungsdaten im Fachbereich Chemie

Iowa Department of Transportation Office of Transportation Data GIS / CAD Integration

Creation and modification of a geological model Program: Stratigraphy

Data Exchange Formats (DEFs)

ArcGIS for INSPIRE. Paul Hardy. ArcGIS. ArcGIS for INSPIRE Enables Esri ArcGIS users to implement and comply with INSPIRE. INSPIRE Data Themes

UltraWeatherBug3 HSPI User s Guide A HomeSeer HS3 plug-in to access live local weather conditions, forecasts and severe weather alerts

pygaps Release 1.2.0

Evaluating Travel Impedance Agreement among Online Road Network Data Providers

Deep dive into analytics using Aggregation. Boaz

User Manual for Range Tool for Article 12 (Birds Directive) & Article 17 (Habitats Directive)

McIDAS-V Tutorial Displaying Point Observations from ADDE Datasets updated July 2016 (software version 1.6)

Presenting Tree Inventory. Tomislav Sapic GIS Technologist Faculty of Natural Resources Management Lakehead University

Transcription:

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing Alexandre Dulaunoy Andras Iklody Raphaël Vinot TLP:WHITE http://www.misp-project.org/ Twitter: @MISPProject MISP Training Luxembourg 20170207

PyMISP - Basics Installation (v2.4.56 - Python 3 highly recommended): pip3 install pymisp Get your auth key from: https://misppriv.circl.lu/events/automation Fetch the repository to get the examples: git clone https://github.com/misp/pymisp.git 2 of 12

PyMISP - Examples PyMISP needs to be installed Usage: Create examples/keys.py with the following content m i s p u r l = h t t p s : / / m i s p p r i v. c i r c l. l u misp key = <API KEY> m i s p v e r i f y c e r t = True Proxy support: p r o x i e s = { h t t p : h t t p : / / 1 2 7. 0. 0. 1 : 8 1 2 3, h t t p s : h t t p : / / 1 2 7. 0. 0. 1 : 8 1 2 3, } PyMISP ( m i s p u r l, misp key, m i s p v e r i f y c e r t, j s o n, p r o x i e s=p r o x i e s ) 3 of 12

PyMISP - Examples All the examples have help if you do script.py -h searchall.py: Search in the whole database for a value last.py: Returns all the most recent events (on a timeframe) get.py: Return a specific event tags.py: Returns all the tags activted on the platform get network activity.py: Returns network indicators create events.py: Create an event up.py: Update an event add named attribute.py: Add attribute in MISP instance easily upload.py: Upload a malware sample 4 of 12

PyMISP - Examples copy list.py: Copy files from one MISP instance to an other sighting.py: Update sightings on an attribute stats.py: Returns the stats of a MISP instance {add,edit,create} user.py : Add, Edit, Create a user on MISP test sign.py: Sign and verify a MISP Event make neo4j.py: Search MISP Events matching a value and push them into neo4j 5 of 12

PyMISP - Usage Basic example from pymisp import PyMISP a p i = PyMISP ( u r l, apikey, v e r i f y c e r t=true, j s o n, debug=f a l s e, p r o x i e s=none ) response = api.< function > i f r e s p o n s e [ e r r o r ] : # <something went wrong> e l s e : # <do something with the output> 6 of 12

PyMISP - Capabilities Events: get, add, update, publish, delete, add/remove tag,... Add file attributes: hashes, registry key, patterns, pipe, mutex Update sightings Add network attributes: IP dest/src, hostname, domain, url, UA,... Add Email attributes: source, destination, subject, attachment,... Upload/download samples Proposals: add, edit, accept, discard Full text search and search by attributes Get STIX event Export statistics And more, look at the api file 7 of 12

PyMISP - Core methods Get a MISP event as JSON: get Create a new event: new event Add an attribute to existing event: add named attribute Upload a sample: upload sample Download a sample: download samples Get all events matching a value: search all 8 of 12

MISPEvent Pythonic representation of a MISP event Easy manipulation and validation Loading an existing event Updating (including mark an attribute as deleted) Load and add attachments to send to the MISP instance Signing and verifying a MISP Event (GPG) Dump to JSON 9 of 12

MISPEvent - Usecase from pymisp import MISPEvent, EncodeUpdate # C r e a t e a new e v e n t with d e f a u l t v a l u e s e v e n t = MISPEvent ( ) # Load an e x i s t i n g JSON dump ( o p t i o n a l ) e v e n t. l o a d ( Path / to / e v e n t. j s o n ) e v e n t. i n f o = My c o o l e v e n t # Duh. # Add an a t t r i b u t e o f type ip d s t e v e n t. a d d a t t r i b u t e ( ip d s t, 8. 8. 8. 8 ) # Mark an a t t r i b u t e as d e l e t e d ( From 2. 4. 6 0 ) e v e n t. d e l e t e a t t r i b u t e ( <A t t r i b u t e UUID> ) # Dump as j s o n e v e n t a s j s o n d u m p = j s o n. dumps ( event, c l s=encodeupdate ) 10 of 12

PyMISP - Tools Libraries requiring specfic 3rd party dependencies Callable via PyMISP for specific usecases Curently implemented: MISP Event to and from STIX Package OpenIOC to MISP Event MISP to Neo4J 11 of 12

PyMISP - Situational Awareness (WiP) High level view of the type of attributes Searchable over a timeframe & tag 12 of 12

PyMISP - Feed generator Used to generate the CIRCL OSINT feed Export events as json based on tags, organisation, events,... Automatically update the dumps and the metadata file Comparable to a lighweight TAXII interface 13 of 12

PyMISP - Feed generator - Config file u r l = key = s s l = True o u t p u t d i r = output # f i l t e r s = { tag : t l p : w h i t e feed e x p o r t! p r i v i n t, org : CIRCL } f i l t e r s = {} v a l i d a t t r i b u t e d i s t r i b u t i o n l e v e l s = [ 0, 1, 2, 3, 4, 5 ] 14 of 12

Q&A https://github.com/misp/pymisp https://github.com/misp/ We welcome new functionalities and pull requests. 15 of 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback