
Repository Details

Set of Maltego transforms to interface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.


This is a Maltego MISP integration tool allowing you to view (read-only) data from a MISP instance. It also allows browsing through the MITRE ATT&CK entities, for which no MISP connection is needed.

This user guide should help you through the installation of MISP-Maltego, and should guide you through how to use it with a few use-cases. As this is a collaborative project, do not hesitate to propose changes, write other use-cases or raise feature requests for missing features.

Quick start

Currently supported MISP elements are: Event, Attribute, Object (incl. relations), Tag, Taxonomy, Galaxy (incl. relations).

Once installed you can start by creating a MISPEvent entity, then load the Machine EventToAll or the transform EventToAttributes.

Alternatively initiate a transform on an existing Maltego entity. The currently supported entities are: AS, DNSName, Domain, EmailAddress, File, Hash, IPv4Address, NSRecord, Person, PhoneNumber, URL, Website

For MITRE ATT&CK pivoting, feel free to start with an Attack Technique, Software, Threat Actor, or MISPGalaxy. Create your entity, enter a keyword such as %gama% and use the Search in MISP transform to get started.

Installation

Transform Hub

Open the Transform Hub, locate ATT&CK - MISP and press the Install button.

Your transforms will go through Paterva's servers and ours. See the Transform Hub Disclaimer for more information.

  • ATT&CK transforms do not require a MISP server or API key to be configured.
  • MISP transforms require your MISP server to be reachable from the internet! To enter your MISP server URL and key, click Details on the Transform Hub item and then Settings at the bottom right.

Local Transform Installation

If you trust nobody, or just want to connect to your local MISP server you can install everything as local transforms.

These instructions have been tested on Ubuntu 18.04 LTS, but should be similar on other systems.

  1. Download and install Maltego
  2. Install using pip: sudo pip3 install MISP-maltego
  3. Generate the Maltego bundle: canari create-profile MISP_maltego
  4. Import this bundle in Maltego.
    1. Open Maltego
    2. Click on the home button (Maltego icon, top-left corner).
    3. Click on 'Import'
    4. Click on 'Import Configuration'.
    5. Load the MISP_maltego.mtz file and follow the prompts.
  5. Edit $HOME/.canari/MISP_maltego.conf and enter your misp_url and misp_key

Custom Entities

MISP-Maltego uses the default Paterva entities, or the most popular community ones, wherever possible. It does however come with a few custom entities:

  • MISPEvent: A representation of an Event on MISP, containing Attributes (MISP) / Entities (Maltego)
  • MISPObject: A way to group associated attributes in a structured way.
  • MISPGalaxy: A Tag containing much more metadata. Please refer to the MISP Galaxy for more information. MITRE ATT&CK is for example completely available through MISPGalaxy entities (see use-cases for an example)
  • Attack Technique: Attack patterns or techniques, see MITRE ATT&CK for more information.
  • Threat Actor: Threat actor or intrusion sets.
  • Software: Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK.

Use Cases

Transform on existing data

In this use case we will be using already existing entities and will initiate a transform using MISP. The currently supported entities are: AS, DNSName, Domain, EmailAddress, File, Hash, IPv4Address, NSRecord, Person, PhoneNumber, URL, Website.

Example:

  • create an entity domain with the value 1dnscontrol.com.
  • right click and choose Local Transforms > MISP_maltego > Domain To Event (animated screenshot in the original README)
  • continue loading transforms on the MISP Event

Transform from MISP Event ID

While MISP already has a graphing capability we would like to use the power of Maltego to look at the data and expand the work.

  • Create a MISP Event and give it an event id, or UUID
  • One manual way is to right click and choose Local Transforms > MISP_maltego > Event To Attributes
    • Notice the event is transformed to Attributes, Objects, Tags, Galaxies and related MISP Events
    • You can now further transform on an Object > Object To Attributes and see the content of the object machine transforms
  • Alternatively you can also use the Maltego Machine to speed up things.
    • Click on the MISP Event and in the left menu choose Event to All in the Machines section.
    • Notice that the whole event, objects and such will get expanded with data from your MISP instance (animated screenshot in the original README).
  • You can now further transform on any data.

Which data is already in MISP?

If you use MISP as a central database it can be quite convenient to know which data is present in MISP and which is not, especially after using a number of other transforms. To permit this, MISP-Maltego will always add a green bookmark to all the data that is present in MISP.

Searching in MISP using keywords

As with the MISP attribute search through the MISP Web UI, you can use % wildcards at the front and end to specify the substring. You might be tempted to always use %keyword%, but bear in mind how database indexes work: a search for keyword% will always be much faster than %keyword, because a leading wildcard prevents the index from being used.

Transform from Galaxy

Galaxies are actually tags with much more contextual data. Examples are threat actors, malware families, but also the whole MITRE ATT&CK data is available as Galaxy. All this data comes from the MISP Galaxy repository. Today the integration is not done using a MISP server because of limitations in MISP. You might encounter Galaxies when transforming from MISP Events or Attributes. An alternative use-case is by starting immediately from a Galaxy. There are 3 ways to manually create a good Galaxy Entity.

  1. Using a find capability (see below)
  2. Create the Galaxy and set the UUID. You can find the UUIDs in the MISP Galaxy repository.
  3. Create the Galaxy with the right tag name; for example: misp-galaxy:

To use the magical search feature:

  • Create a MISP Galaxy and type the keyword as value.
  • Run the Galaxy To Relation transform, notice the search results will appear as connected entities
  • Remove the non-relevant entities, including your search keyword (animated screenshot in the original README)

Visualize MITRE ATT&CK

Apply the same steps for MITRE ATT&CK browsing (animated screenshot in the original README).

You might end up with a graph like the ATT&CK screenshot in the original README.

Visualise common ATT&CK patterns

Having access to a large amount of threat information through MISP Threat Sharing communities gives you outstanding opportunities to aggregate this information and to understand how all of it fits together and tells a broader story. We are transforming technical data, or indicators of compromise (IOCs), into cyber threat intelligence. This is where the analytical challenge begins.

Massively large MISP event? Think before you transform.

In some communities such as the COVID-19 MISP, some events contain tens of thousands of attributes. Loading all the attributes from these events might not be a good idea if you do not have Maltego XL. You can see the amount of attributes and objects in the Event properties (object count and attribute count), so you can think before you click.
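As an added example (not code from MISP-Maltego or the MISP project), the check described above done on the event JSON that the MISP REST API returns: count the objects and the attributes, including attributes nested inside objects, and compare the total against an entity budget. The sample event and the 10,000-entity limit are constructed assumptions, not a documented Maltego limit.

```python
import json

# Constructed sample in the MISP event JSON layout (not a real event): two
# loose attributes plus one "file" object carrying three more attributes.
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "id": "42",
        "uuid": "00000000-0000-4000-8000-000000000042",
        "info": "constructed example event",
        "Attribute": [
            {"type": "domain", "value": "example.invalid"},
            {"type": "ip-dst", "value": "192.0.2.10"},
        ],
        "Object": [
            {"name": "file", "Attribute": [
                {"type": "filename", "value": "dropper.exe"},
                {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
                {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb924"
                                            "27ae41e4649b934ca495991b7852b855"},
            ]},
        ],
    }
})


def summarize_event(event_json: str) -> dict:
    """Count what an Event To All expansion would have to draw: every object,
    every top-level attribute and every attribute nested inside an object."""
    event = json.loads(event_json)["Event"]
    objects = event.get("Object", [])
    top_level = len(event.get("Attribute", []))
    in_objects = sum(len(obj.get("Attribute", [])) for obj in objects)
    return {
        "object_count": len(objects),
        "top_level_attributes": top_level,
        "object_attributes": in_objects,
        "total_attributes": top_level + in_objects,
    }


def should_expand(summary: dict, entity_limit: int = 10000) -> bool:
    """True when expanding the whole event stays within the entity budget.
    Each object and each attribute becomes at least one Maltego entity; the
    default limit is an assumed value for a non-XL client, not a Maltego fact."""
    return summary["object_count"] + summary["total_attributes"] <= entity_limit
```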

License

This software is licensed under GNU Affero General Public License version 3

  • Copyright (C) 2018 Christophe Vandeplas

Note: Before being rewritten from scratch this project was maintained by Emmanuel Bouillon. The code is available in the v1 branch.

The logo is CC-BY-SA and was designed by Françoise Penninckx

The icons in the intelligence-icons folder are from intelligence-icons licensed CC-BY-SA - Françoise Penninckx, Brett Jordan
