[zerofox] Update ZeroFox Connector (#2207)

OpenCTI-Platform · Jun 11, 2024 · 33468b1 · 33468b1
1 parent 94d0f21
commit 33468b1
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 57 deletions.
diff --git a/external-import/zerofox/src/collectors/mappers/botnetToInfrastructure.py b/external-import/zerofox/src/collectors/mappers/botnetToInfrastructure.py
@@ -1,6 +1,7 @@
 from typing import List, Union
 
 from stix2 import Infrastructure, Location, Relationship
+from stix2.v21.vocab import INFRASTRUCTURE_TYPE_COMMAND_AND_CONTROL
 from zerofox.domain.botnet import Botnet
 
 
@@ -10,7 +11,7 @@ def botnet_to_infrastructure(
     objects = []
 
     botnet = Infrastructure(
-        name=f"Botnet -- {entry.bot_name}",
+        name=f"{entry.bot_name}",
         labels=entry.tags,
         created=now,
         first_seen=entry.listed_at,
@@ -19,7 +20,7 @@ def botnet_to_infrastructure(
     objects.append(botnet)
 
     ip_address = Infrastructure(
-        name=f"IP Address -- {entry.ip_address}",
+        name=f"{entry.ip_address}",
         infrastructure_types="botnet",
     )
     objects.append(ip_address)
@@ -58,12 +59,12 @@ def get_location_objects(entry, ip_address):
 
 def get_c2_objects(entry, botnet):
     c2_domain = Infrastructure(
-        name=f"Command and Control -- {entry.c2_domain}",
-        infrastructure_types="command-and-control",
+        name=f"{entry.c2_domain}",
+        infrastructure_types=INFRASTRUCTURE_TYPE_COMMAND_AND_CONTROL,
     )
     c2_ip = Infrastructure(
-        name=f"IP Address -- {entry.c2_ip_address}",
-        infrastructure_types="command-and-control",
+        name=f"{entry.c2_ip_address}",
+        infrastructure_types=INFRASTRUCTURE_TYPE_COMMAND_AND_CONTROL,
     )
     domain_ip_rel = Relationship(
         source_ref=c2_domain.id,

diff --git a/external-import/zerofox/src/collectors/mappers/c2DomainsToInfrastructure.py b/external-import/zerofox/src/collectors/mappers/c2DomainsToInfrastructure.py
@@ -9,7 +9,7 @@ def c2_domains_to_infrastructure(
     now: str, entry: C2Domain
 ) -> List[Union[Infrastructure, Relationship, IPv4Address, IPv6Address]]:
     infrastructure = Infrastructure(
-        name=f"Command and Control -- {entry.domain}",
+        name=f"{entry.domain}",
         labels=entry.tags,
         created=now,
         first_seen=entry.created_at,

diff --git a/external-import/zerofox/src/collectors/mappers/exploitToTool.py b/external-import/zerofox/src/collectors/mappers/exploitToTool.py
@@ -8,7 +8,7 @@ def exploit_to_tool(
     now: str, entry: Exploit
 ) -> List[Union[Tool, Vulnerability, Relationship]]:
     tool = Tool(
-        name=f"Exploit -- {entry.cve}",
+        name=f"{entry.cve}",
         description=f"```{entry.exploit}```",
         created=now,
         external_references=[

diff --git a/external-import/zerofox/src/collectors/mappers/malwareToMalware.py b/external-import/zerofox/src/collectors/mappers/malwareToMalware.py
@@ -1,52 +1,71 @@
 from typing import List, Union
 
-from stix2 import URL
+from stix2 import URL, File, Indicator
 from stix2 import Malware as stixMalware
 from stix2 import Relationship
+from stix2.v21.vocab import PATTERN_TYPE_STIX
 from zerofox.domain.malware import Malware
 
 
 def malware_to_malware(
     now: str, entry: Malware
-) -> List[Union[stixMalware, Relationship, URL]]:
-    malware = stixMalware(
-        name=f"Malware -- {entry.sha256}",
-        labels=entry.tags,
-        created=now,
-        first_seen=entry.created_at,
-        malware_types="unknown",
-        is_family=False,
-    )
+) -> List[Union[URL, File, Indicator, Relationship, stixMalware]]:
     urls = [URL(value=c2) for c2 in entry.c2] if entry.c2 else []
     malware_families = (
-        [
-            stixMalware(name=f"Malware family:{family}", is_family=True)
-            for family in entry.family
-        ]
+        [stixMalware(name=family, is_family=True) for family in entry.family]
         if entry.family
         else []
     )
+    present_hashes = {}
 
-    return (
-        [malware]
-        + urls
-        + [
-            Relationship(
-                source_ref=malware.id,
-                target_ref=domain_name.id,
-                relationship_type="communicates-with",
-                start_time=entry.created_at,
-            )
-            for domain_name in urls
-        ]
-        + malware_families
-        + [
+    if entry.sha512:
+        present_hashes["SHA-512"] = entry.sha512
+    if entry.sha1:
+        present_hashes["SHA-1"] = entry.sha1
+    if entry.md5:
+        present_hashes["MD5"] = entry.md5
+
+    file = File(
+        name=entry.sha256,
+        hashes={
+            "SHA-256": entry.sha256,
+        }
+        | present_hashes,
+    )
+
+    pattern_string = f"[file:hashes.'SHA-256' = '{entry.sha256}'"
+    for k, v in present_hashes.items():
+        pattern_string += f" OR file:hashes.'{k}' = '{v}'"
+    pattern_string += "]"
+
+    indicator = Indicator(
+        name=entry.sha256,
+        pattern_type=PATTERN_TYPE_STIX,
+        pattern=pattern_string,
+    )
+
+    file_indicator_rel = Relationship(
+        source_ref=indicator.id, target_ref=file.id, relationship_type="based-on"
+    )
+
+    malware_indicators_rel = (
+        [
             Relationship(
-                source_ref=malware.id,
+                source_ref=indicator.id,
                 target_ref=family.id,
-                relationship_type="variant-of",
-                start_time=entry.created_at,
+                relationship_type="indicates",
             )
             for family in malware_families
         ]
+        if malware_families
+        else []
+    )
+
+    return (
+        urls
+        + malware_families
+        + malware_indicators_rel
+        + [file_indicator_rel]
+        + [file]
+        + [indicator]
     )
diff --git a/external-import/zerofox/src/collectors/mappers/phishingToInfrastructure.py b/external-import/zerofox/src/collectors/mappers/phishingToInfrastructure.py
@@ -22,7 +22,7 @@ def phishing_to_infrastructure(now: str, entry: Phishing) -> List[
     ]
 ]:
     phishing = Infrastructure(
-        name=f"Phishing domain -- {entry.domain}",
+        name=f"{entry.domain}",
         created=now,
         infrastructure_types=["phishing"],
         first_seen=entry.scanned,

diff --git a/external-import/zerofox/src/collectors/mappers/ransomwareToMalware.py b/external-import/zerofox/src/collectors/mappers/ransomwareToMalware.py
@@ -1,23 +1,76 @@
-from typing import List
+from typing import List, Union
 
+from stix2 import File, Indicator
 from stix2 import Malware as stixMalware
+from stix2 import Relationship
+from stix2.v21.vocab import PATTERN_TYPE_STIX
 from zerofox.domain.ransomware import Ransomware
 
 
-def ransomware_to_malware(now: str, entry: Ransomware) -> List[stixMalware]:
-    ransomware_name = (
-        entry.ransomware_name[0]
-        if entry.ransomware_name and len(entry.ransomware_name) > 0
-        else ""
-    )
-    ransomware = stixMalware(
-        name=f"Ransomware {ransomware_name} -- {entry.sha256}",
-        description=f"Ransomware with note -- {entry.ransom_note}",
+def ransomware_to_malware(
+    now: str, entry: Ransomware
+) -> List[Union[Relationship, Indicator, File, stixMalware]]:
+    ransomware_name = ""
+    family = False
+
+    if entry.ransomware_name and len(entry.ransomware_name) > 0:
+        ransomware_name = entry.ransomware_name[0]
+        family = True
+    else:
+        ransomware_name = entry.sha256
+
+    malware = stixMalware(
+        name=f"{ransomware_name}",
+        description=f"```{entry.ransom_note}```",
         labels=entry.tags,
         first_seen=entry.created_at,
         created=now,
         malware_types="ransomware",
-        is_family=False,
+        is_family=family,
+    )
+
+    present_hashes = {}
+
+    if entry.sha512:
+        present_hashes["SHA-512"] = entry.sha512
+    if entry.sha1:
+        present_hashes["SHA-1"] = entry.sha1
+    if entry.md5:
+        present_hashes["MD5"] = entry.md5
+
+    file = File(
+        name=entry.sha256,
+        hashes={
+            "SHA-256": entry.sha256,
+        }
+        | present_hashes,
     )
 
-    return [ransomware]
+    pattern_string = f"[file:hashes.'SHA-256' = '{entry.sha256}'"
+    for k, v in present_hashes.items():
+        pattern_string += f" OR file:hashes.'{k}' = '{v}'"
+    pattern_string += "]"
+
+    indicator = Indicator(
+        name=entry.sha256,
+        pattern_type=PATTERN_TYPE_STIX,
+        pattern=pattern_string,
+    )
+
+    file_indicator_rel = Relationship(
+        source_ref=indicator.id, target_ref=file.id, relationship_type="based-on"
+    )
+
+    malware_indicators_rel = Relationship(
+        source_ref=indicator.id,
+        target_ref=malware.id,
+        relationship_type="indicates",
+    )
+
+    return (
+        [malware]
+        + [file]
+        + [indicator]
+        + [file_indicator_rel]
+        + [malware_indicators_rel]
+    )
diff --git a/external-import/zerofox/src/zerofox/domain/malware.py b/external-import/zerofox/src/zerofox/domain/malware.py
@@ -8,8 +8,8 @@
 class Malware(BaseModel):
     created_at: datetime
     family: list[str] | None
-    md5: str
-    sha1: str
+    md5: str | None
+    sha1: str | None
     sha256: str
     sha512: str | None
     tags: list[str]

diff --git a/external-import/zerofox/src/zerofox/domain/ransomware.py b/external-import/zerofox/src/zerofox/domain/ransomware.py
@@ -7,10 +7,10 @@
 
 class Ransomware(BaseModel):
     created_at: datetime
-    md5: str
-    sha1: str
+    md5: str | None
+    sha1: str | None
     sha256: str
-    sha512: str
+    sha512: str | None
     emails: list[str] | None
     ransom_note: str
     ransomware_name: list[str] | None