CYBEX-P / tahoe

A Cyberthreat Language (CTL) to replace STIX

attributes not nesting in event if part of separate object instances #17

Closed qclassified closed 4 years ago

qclassified commented 4 years ago
{
    "_id" : ObjectId("5d37f6574ec7ff30b6938cc0"),
    "itype" : "event",
    "malicious" : false,
    "orgid" : "identity--a0564f70-1f49-4cd3-97bf-66249df9f59b",
    "timestamp" : 1498161818.0,
    "uuid" : "event--f8867e83-93bf-4f70-91de-6e9c7f923ad9",
    "data" : {
        "id" : [ 
            "44"
        ],
        "cti_analysis" : [ 
            {
                "snort" : [ 
                    "alert http any any -> any any (msg:\"::[PwC CTD]:: - OrcaRAT implant check-in\"; flow:established,from_client; urilen: 67<>170; content:\" Mozilla/4.0 (compatible\\; MSIE 8.0\\; Windows NT 5.1\\; Trident/4.0\\; .NET CLR 2.0.50727\\; .NET CLR 3.0.04506.30\\; .NET4.0C\\; .NET4.0E)\"; http_user_agent; content:\"GET\"; http_method; pcre:\"/^\\/[A-Za-z0-9+~=]{14,18}\\/[A-Za-z0-9+~=]{33,38}\\/[A-Za-z0-9+~=]{6,9}\\/[A-Za-z0-9+~=]{5,50}\\/[A-Za-z0-9+~=]{5,50}$/U\"; rev:1;)"
                ]
            }, 
            {
                "snort" : [ 
                    "alert tcp any any -> any any (msg:\"::[PwC CTD]:: - OrcaRAT implant check-in\"; flow:established,from_client; urilen: 67<>170; content:\"User-Agent: Mozilla/4.0 (compatible\\; MSIE 8.0\\; Windows NT 5.1\\; Trident/4.0\\; .NET CLR 2.0.50727\\; .NET CLR 3.0.04506.30\\; .NET4.0C\\; .NET4.0E)\"; http_header; content:\"GET\"; http_method; pcre:\"/^\\/[A-Za-z0-9+~=]{14,18}\\/[A-Za-z0-9+~=]{33,38}\\/[A-Za-z0-9+~=]{6,9}\\/[A-Za-z0-9+~=]{5,50}\\/[A-Za-z0-9+~=]{5,50}$/U\"; rev:1;)"
                ]
            }, 
            {
                "snort" : [ 
                    "alert http any any -> any any (msg:\"::[PwC CTD]:: - OrcaRAT implant C2 confirmation response\"; flow:established,from_client; urilen: 67<>170; content:\" Mozilla/4.0 (compatible\\; MSIE 8.0\\; Windows NT 5.1\\; Trident/4.0\\; .NET CLR 2.0.50727\\; .NET CLR 3.0.04506.30\\; .NET4.0C\\; .NET4.0E)\"; http_user_agent; content:\"POST\"; http_method; pcre:\"/^\\/[A-Za-z0-9+~=]{14,18}\\/[A-Za-z0-9+~=]{33,38}\\/[A-Za-z0-9+~=]{6,9}\\/[A-Za-z0-9+~=]{5,50}\\/[A-Za-z0-9+~=]{5,50}$/U\"; rev:1;)"
                ]
            }, 
            {
                "yara" : [ 
                    "rule OrcaRAT\r\n  {\r\n  meta:  \r\n         author = \"PwC Cyber Threat Operations   :: @tlansec\"\r\n         distribution = \"TLP WHITE\"\r\n         sha1 =   \"253a704acd7952677c70e0c2d787791b8359efe2c92a5e77acea028393a85613\"\r\n  strings:\r\n\r\n       $MZ=\"MZ\"\r\n\r\n       $apptype1=\"application/x-ms-application\"\r\n\r\n       $apptype2=\"application/x-ms-xbap\"\r\n\r\n       $apptype3=\"application/vnd.ms-xpsdocument\"\r\n\r\n       $apptype4=\"application/xaml+xml\"\r\n\r\n       $apptype5=\"application/x-shockwave-flash\"\r\n\r\n       $apptype6=\"image/pjpeg\"\r\n\r\n       $err1=\"Set return time error =   %d!\"\r\n\r\n       $err2=\"Set return time   success!\"\r\n\r\n       $err3=\"Quit success!\"\r\n\r\n \r\n\r\ncondition:\r\n\r\n       $MZ at 0 and filesize < 500KB and   (all of ($apptype*) and 1 of ($err*))\r\n  }"
                ]
            }, 
            {
                "snort" : [ 
                    "alert tcp any any -> any any (msg:\"::[PwC CTD]:: - OrcaRAT implant C2 confirmation response\"; flow:established,from_client; urilen: 67<>170; content:\"User-Agent: Mozilla/4.0 (compatible\\; MSIE 8.0\\; Windows NT 5.1\\; Trident/4.0\\; .NET CLR 2.0.50727\\; .NET CLR 3.0.04506.30\\; .NET4.0C\\; .NET4.0E)\"; http_header; content:\"POST\"; http_method; pcre:\"/^\\/[A-Za-z0-9+~=]{14,18}\\/[A-Za-z0-9+~=]{33,38}\\/[A-Za-z0-9+~=]{6,9}\\/[A-Za-z0-9+~=]{5,50}\\/[A-Za-z0-9+~=]{5,50}$/U\";  rev:1;)"
                ]
            }
        ],
        "info" : [ 
            "OSINT OrcaRAT - A whale of a tale blog post by PWC"
        ]
    }
}

qclassified commented 4 years ago

All the snort rules should be nested in the snort Object.

qclassified commented 4 years ago

The reason for this behavior:

Event("...",  [Object("snort", "..."), Object("snort", "...")])

So the objects get nested but not the attributes.

qclassified commented 4 years ago

They should not nest, because separate objects of the same type might have separate structure and meaning, for example:

"x_misp_org" : [ 
    {
        "id" : [ 
            "CthulhuSPRL.be"
        ],
        "uuid" : [ 
            "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
        ],
        "name" : [ 
            "CthulhuSPRL.be"
        ]
    }, 
    {
        "uuid" : [ 
            "5ada62b4-d3fc-460a-b786-063a86c50716"
        ],
        "id" : [ 
            "UNR-Feeds"
        ],
        "name" : [ 
            "UNR-Feeds"
        ]
    }
]

Here the above data clearly highlights two separate organizations with corresponding name and org uuid. If we merged the data like the following:

"x_misp_org" : [ 
    {
        "id" : [ 
            "CthulhuSPRL.be",
            "UNR-Feeds"
        ],
        "uuid" : [ 
            "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
            "5ada62b4-d3fc-460a-b786-063a86c50716"
        ],
        "name" : [ 
            "CthulhuSPRL.be",
            "UNR-Feeds"
        ]
    }
],

We lose the structure and hence vital information like which org uuid belongs to which org etc.
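As an added illustration (not tahoe's own code; the `Object` and `Event` classes below are hypothetical stand-ins for the ones named in the `Event(...)` line above, and the data is constructed from the `x_misp_org` sample in this thread), this models both shapes and checks that only the per-instance nesting keeps the uuid-to-name correspondence:

```python
"""Added example, not tahoe project code: models the nesting choice the
issue discusses with hypothetical stand-in Object/Event classes."""
from collections import defaultdict


class Object:
    """One object instance: a type name and its attributes (name -> list)."""
    def __init__(self, otype, **attrs):
        self.otype = otype
        self.attrs = {k: list(v) for k, v in attrs.items()}


class Event:
    """Event data that nests each object as its own instance (dict) under the
    object's type, which is the behaviour the thread argues is correct."""
    def __init__(self, info, objects):
        self.data = defaultdict(list)
        self.data["info"] = [info]
        for obj in objects:
            self.data[obj.otype].append(dict(obj.attrs))


def merge_instances(instances):
    """The lossy alternative: flatten all instances of one type into a single
    dict whose attribute lists are concatenated (the thread's second form)."""
    merged = defaultdict(list)
    for inst in instances:
        for key, values in inst.items():
            merged[key].extend(values)
    return [dict(merged)]


def name_for_uuid(instances, uuid):
    """Return the 'name' values of every instance that carries the given uuid."""
    return [n for inst in instances if uuid in inst.get("uuid", [])
            for n in inst.get("name", [])]


# Constructed sample data, taken from the thread's x_misp_org example.
ORGS = [
    Object("x_misp_org", id=["CthulhuSPRL.be"],
           uuid=["55f6ea5f-fd34-43b8-ac1d-40cb950d210f"], name=["CthulhuSPRL.be"]),
    Object("x_misp_org", uuid=["5ada62b4-d3fc-460a-b786-063a86c50716"],
           id=["UNR-Feeds"], name=["UNR-Feeds"]),
]
EVENT = Event("constructed MISP export", ORGS)

if __name__ == "__main__":
    nested = EVENT.data["x_misp_org"]
    merged = merge_instances(nested)
    print(name_for_uuid(nested, "5ada62b4-d3fc-460a-b786-063a86c50716"))  # ['UNR-Feeds']
    print(name_for_uuid(merged, "5ada62b4-d3fc-460a-b786-063a86c50716"))  # both names
```

In the nested form the lookup resolves to one organization; in the merged form the same uuid matches the single flattened instance and returns both names, which is exactly the lost correspondence the comment describes.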