diff --git a/analyzers/CyberChef/CyberChefFromBase64.json b/analyzers/CyberChef/CyberChefFromBase64.json
new file mode 100644
index 000000000..794963796
--- /dev/null
+++ b/analyzers/CyberChef/CyberChefFromBase64.json
@@ -0,0 +1,24 @@
+{
+ "name": "CyberChef_FromBase64",
+ "version": "1.0",
+ "author": "Wes Lambert",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Convert Base64 with CyberChef Server",
+ "dataTypeList": ["other"],
+ "baseConfig": "CyberChef",
+ "config": {
+ "service": "FromBase64"
+ },
+ "command": "CyberChef/cyberchef.py",
+ "configurationItems": [
+ {
+ "name": "url",
+ "description": "CyberChef Server URL",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "http://192.168.1.178:3000/"
+ }
+ ]
+}
diff --git a/analyzers/CyberChef/CyberChefFromCharCode.json b/analyzers/CyberChef/CyberChefFromCharCode.json
new file mode 100644
index 000000000..cf77d7f67
--- /dev/null
+++ b/analyzers/CyberChef/CyberChefFromCharCode.json
@@ -0,0 +1,24 @@
+{
+ "name": "CyberChef_FromCharCode",
+ "version": "1.0",
+ "author": "Wes Lambert",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Convert Char Code with CyberChef Server",
+ "dataTypeList": ["other"],
+ "baseConfig": "CyberChef",
+ "config": {
+ "service": "FromCharCode"
+ },
+ "command": "CyberChef/cyberchef.py",
+ "configurationItems": [
+ {
+ "name": "url",
+ "description": "CyberChef Server URL",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "http://192.168.1.178:3000/"
+ }
+ ]
+}
diff --git a/analyzers/CyberChef/CyberChefFromHex.json b/analyzers/CyberChef/CyberChefFromHex.json
new file mode 100644
index 000000000..ab97d10cb
--- /dev/null
+++ b/analyzers/CyberChef/CyberChefFromHex.json
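Review bot: The required `url` item ships a `defaultValue` of `http://192.168.1.178:3000/`, a private-network address from the author's own lab that will not point at a CyberChef server in any other deployment, and because it is plain HTTP every observable posted to it by cyberchef.py leaves Cortex unencrypted to whatever host answers at that address; the same default is repeated in CyberChefFromCharCode.json and CyberChefFromHex.json. Since the item is already `"required": true`, dropping `defaultValue` (or at most using `http://localhost:3000/`) forces the operator to set the real endpoint instead of silently posting observables to a stale address. Extending the description, e.g. `"description": "CyberChef Server URL (observable data is POSTed to <url>/bake)"`, would also make clear what data leaves Cortex.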
@@ -0,0 +1,24 @@
+{
+ "name": "CyberChef_FromHex",
+ "version": "1.0",
+ "author": "Wes Lambert",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Convert Hex with CyberChef Server",
+ "dataTypeList": ["other"],
+ "baseConfig": "CyberChef",
+ "config": {
+ "service": "FromHex"
+ },
+ "command": "CyberChef/cyberchef.py",
+ "configurationItems": [
+ {
+ "name": "url",
+ "description": "CyberChef Server URL",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "http://192.168.1.178:3000/"
+ }
+ ]
+}
diff --git a/analyzers/CyberChef/cyberchef.py b/analyzers/CyberChef/cyberchef.py
new file mode 100755
index 000000000..b3392e9c2
--- /dev/null
+++ b/analyzers/CyberChef/cyberchef.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+import json
+import requests
+from cortexutils.analyzer import Analyzer
+
+class CyberchefAnalyzer(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.observable = self.get_param('data', None, 'Data missing!')
+ self.service = self.get_param('config.service', None, 'Service is missing')
+ self.url = self.get_param('config.url', None, 'URL is missing')
+
+ def summary(self, raw):
+ taxonomies = []
+ level = 'info'
+ namespace = 'CyberChef'
+
+ # Set predicate for input
+ predicate = 'input_data'
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['input_data']))
+
+ # Set predicate for output_data
+ predicate = 'output_data'
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['output_data']))
+
+ return {"taxonomies": taxonomies}
+
+ def run(self):
+ try:
+ observable = str(self.observable)
+ url = self.url
+ if self.service == 'FromHex':
+ data = {"input": observable, "recipe":{"op":"From Hex", "args": ["Auto"]}}
+ elif self.service == "FromBase64":
+ data = { "input": observable, "recipe":[{"op":"From Base64","args":["A-Za-z0-9+/=",True]}]}
+ elif self.service == "FromCharCode":
+ # Recipe from https://github.com/mattnotmax/cyberchef-recipes#recipe-3---from-charcode
+ data = { "input": observable, "recipe":[{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Comma",10]},{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Space",10]}]}
+ headers = { 'Content-Type': 'application/json' }
+ r = requests.post(url.strip('/') + '/bake', headers=headers, data=json.dumps(data))
+ if r.status_code == 200:
+ output_data = "".join([chr(x) for x in r.json().get('value', [])])
+ self.report({ 'input_data': observable, 'output_data': output_data })
+ else:
+ self.error('Server responded with %d: %s' % (r.status_code, r.text))
+ except:
+ self.error("Could not convert provided data.")
+
+if __name__ == '__main__':
+ CyberchefAnalyzer().run()
+
diff --git a/analyzers/CyberChef/long.html b/analyzers/CyberChef/long.html
new file mode 100644
index 000000000..e4be416d8
--- /dev/null
+++ b/analyzers/CyberChef/long.html
@@ -0,0 +1,16 @@
+
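Review bot: `run()` has no final `else` after the `FromCharCode` branch, so an unrecognised `config.service` leaves `data` unbound and the resulting NameError is swallowed by the bare `except:` below, which reports the generic "Could not convert provided data." with the real cause lost; if `self.error` exits the process via SystemExit as cortexutils' implementation appears to, the bare clause catches that as well, so the server-error message on the `else:` branch is replaced by the generic one in practice. The `requests.post` to `/bake` has no `timeout=`, so an unresponsive CyberChef server hangs the Cortex job indefinitely, and `url.strip('/')` also strips leading slashes where `rstrip('/')` is what is meant. Separately, `summary()` copies the whole decoded `output_data` into a taxonomy value, which for a Base64 blob can be arbitrarily long and is attacker-controlled content; a bounded preview (e.g. the first 40 characters) or a length is the safer taxonomy value, with the full output left in the report. The FromHex recipe is also the only one passed as a bare object rather than a one-element list like the other two; worth confirming the server accepts both shapes.
```python
            # … unchanged: recipe selection for FromHex / FromBase64 / FromCharCode …
            else:
                self.error('Unsupported service: %s' % self.service)
            headers = { 'Content-Type': 'application/json' }
            r = requests.post(url.rstrip('/') + '/bake', headers=headers, data=json.dumps(data), timeout=30)
            # … unchanged: status check and report() …
        except Exception as e:
            self.error('Could not convert provided data: %s' % e)
```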
+
+ CyberChef Data Conversion +
+
+ + + + + + + + +
InputOutput
{{content.input_data | ellipsis:40}}{{content.output_data}}
+
+
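Review bot: The Output cell renders `{{content.output_data}}` with no length limit while the Input cell is capped with `ellipsis:40`; a decoded Base64 or charcode payload can be many kilobytes and, being built with `chr()` over raw byte values in cyberchef.py, may contain control characters, so the cell should at least truncate (for example `{{content.output_data | ellipsis:2000}}`) or sit in a wrapping `pre` element. The template's markup was stripped in this rendering, so the element structure is inferred.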
diff --git a/analyzers/CyberChef/requirements.txt b/analyzers/CyberChef/requirements.txt
new file mode 100644
index 000000000..ea4658251
--- /dev/null
+++ b/analyzers/CyberChef/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+dnspython
diff --git a/analyzers/CyberChef/short.html b/analyzers/CyberChef/short.html
new file mode 100644
index 000000000..5fc0dabfb
--- /dev/null
+++ b/analyzers/CyberChef/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+
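Review bot: `requirements.txt` lists `dnspython`, which cyberchef.py never imports, and omits `requests`, which it imports directly; `requests` presumably arrives only transitively through cortexutils today, so the analyzer's real dependency is undeclared and will break if that transitive pin changes. The file looks copied from another analyzer; it should read `cortexutils` and `requests` only.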