#!/usr/bin/python3
import IndicatorTypes
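# Get a nested key from a dict, without having to do loads of ifs
def getValue(results, keys):
    """Walk *results* along the path *keys* and return what is found.

    Traversal rules (unchanged from the original recursive version):
    - a dict consumes the next key; a missing key yields ``None``;
    - a non-empty list descends into its first element without consuming a key;
    - anything else (scalar, empty list, ``None``) is returned as soon as it is
      reached, even if keys remain;
    - when the key list is exhausted the current node is returned.

    ``keys`` must be a list; any other value returns ``results`` untouched.
    The caller's list is no longer drained (the original popped from it).
    """
    if not (isinstance(keys, list) and keys):
        return results
    remaining = list(keys)  # copy so the caller's list survives the walk
    node = results
    while remaining:
        if isinstance(node, dict):
            key = remaining.pop(0)
            if key not in node:
                return None
            node = node[key]
        elif isinstance(node, list) and node:
            # OTX sections often wrap a single object in a list
            node = node[0]
        else:
            return node
    return node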
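def _pulse_alerts(result):
    """Return ``'In pulse: <name>'`` strings for each named pulse in *result*.

    A non-empty ``validation`` field marks the indicator as whitelisted by OTX,
    in which case no alerts are produced (the original "Return nothing if it's
    in the whitelist" rule). Pulses without a ``name`` key are skipped.
    """
    if getValue(result, ['validation']):
        return []
    pulses = getValue(result, ['pulse_info', 'pulses']) or []
    return ['In pulse: ' + pulse['name'] for pulse in pulses if 'name' in pulse]


def hostname(otx, hostname):
    """Return pulse alerts for *hostname*, queried as HOSTNAME and as DOMAIN.

    Both lookups hit the ``general`` section; results are concatenated in
    that order. Returns an empty list when nothing matches or the indicator
    is whitelisted.
    """
    alerts = []
    for indicator_type in (IndicatorTypes.HOSTNAME, IndicatorTypes.DOMAIN):
        result = otx.get_indicator_details_by_section(indicator_type, hostname, 'general')
        alerts.extend(_pulse_alerts(result))
    return alerts


def ip(otx, ip):
    """Return pulse alerts for the IPv4 address *ip* (``general`` section)."""
    result = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, ip, 'general')
    return _pulse_alerts(result)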
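def url(otx, url):
    """Return a list of alert dicts for *url* from the full OTX indicator record.

    Checks the safebrowsing verdict, the clamav/avast multiav matches and, when
    the URL worker reports a file analysis, appends the alerts ``file()``
    produces for the fetched sample's SHA-256. Note that this function returns
    dicts while ``hostname()``/``ip()`` return strings.
    """
    alerts = []
    result = otx.get_indicator_details_full(IndicatorTypes.URL, url)
    url_result = ['url_list', 'url_list', 'result']

    # Original heuristic: any safebrowsing payload mentioning a response_code
    # is treated as a hit.
    google = getValue(result, url_result + ['safebrowsing'])
    if google and 'response_code' in str(google):
        alerts.append({'google_safebrowsing': 'malicious'})

    for engine in ('clamav', 'avast'):
        verdict = getValue(result, url_result + ['multiav', 'matches', engine])
        if verdict:
            alerts.append({engine: verdict})

    # Get the file analysis too, if it exists
    has_analysis = getValue(result, url_result + ['urlworker', 'has_file_analysis'])
    if has_analysis:
        sha256 = getValue(result, url_result + ['urlworker', 'sha256'])
        # has_file_analysis without a hash would otherwise pass None to file()
        # and fail on len(None)
        if sha256:
            alerts.extend(file(otx, sha256))
    # Todo: Check file page
    return alerts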
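def file(otx, hash):
    """Return a list of alert dicts for the file hash *hash*.

    The indicator type is chosen by hash length: 64 chars → SHA-256,
    40 chars → SHA-1, anything else is submitted as MD5 (no other
    validation of the hash is performed). Each AV/sandbox verdict that is
    present and truthy becomes a one-key dict ``{engine: verdict}``; the
    suricata rule name is only reported when it mentions "trojan".
    """
    alerts = []
    if len(hash) == 64:
        hash_type = IndicatorTypes.FILE_HASH_SHA256
    elif len(hash) == 40:
        hash_type = IndicatorTypes.FILE_HASH_SHA1
    else:
        hash_type = IndicatorTypes.FILE_HASH_MD5
    result = otx.get_indicator_details_full(hash_type, hash)

    plugins = ['analysis', 'analysis', 'plugins']
    vt_scans = plugins + ['cuckoo', 'result', 'virustotal', 'scans']
    # (alert label, path into the analysis record) for every engine consulted
    detections = [
        ('avg', plugins + ['avg', 'results', 'detection']),
        ('clamav', plugins + ['clamav', 'results', 'detection']),
        ('avast', plugins + ['avast', 'results', 'detection']),
        ('microsoft', vt_scans + ['Microsoft', 'result']),
        ('symantec', vt_scans + ['Symantec', 'result']),
        ('kaspersky', vt_scans + ['Kaspersky', 'result']),
    ]
    for label, path in detections:
        verdict = getValue(result, path)
        if verdict:
            alerts.append({label: verdict})

    suricata = getValue(result, plugins + ['cuckoo', 'result', 'suricata', 'rules', 'name'])
    if suricata and 'trojan' in str(suricata).lower():
        alerts.append({'suricata': suricata})
    return alerts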