/*
* TODO: fetch this list from https://misp.local/attributes/describeTypes.json instead of hard-coding it here.
const menuItems = '[{ "Internal reference": { "desc": "Reference used by the publishing party (e.g. ticket number)", "types": ["text", "link", "comment", "other", "hex"] } }, { "Targeting data": { "desc": "Internal Attack Targeting and Compromise Information", "formdesc": "Targeting information to include recipient email, infected machines, department, and or locations.", "types": ["target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "comment"] } }, { "Antivirus detection": { "desc": "All the info about how the malware is detected by the antivirus products", "formdesc": "List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%). Attachment with list of detection or link to VirusTotal could be placed here as well.", "types": ["link", "comment", "text", "hex", "attachment", "other"] } }, { "Payload delivery": { "desc": "Information about how the malware is delivered", "formdesc": "Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. 
Malware sample itself should be attached here.", "types": ["md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "ip-src", "ip-dst", "hostname", "domain", "email-src", "email-dst", "email-subject", "email-attachment", "email-body", "url", "user-agent", "AS", "pattern-in-file", "pattern-in-traffic", "yara", "sigma", "attachment", "malware-sample", "link", "malware-type", "comment", "text", "hex", "vulnerability", "x509-fingerprint-sha1", "other", "ip-dst|port", "ip-src|port", "hostname|port", "email-dst-display-name", "email-src-display-name", "email-header", "email-reply-to", "email-x-mailer", "email-mime-boundary", "email-thread-index", "email-message-id", "mobile-application-id", "whois-registrant-email"] } }, { "Artifacts dropped": { "desc": "Any artifact (files, registry keys etc.) 
dropped by the malware or other modifications to the system", "types": ["md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "regkey", "regkey|value", "pattern-in-file", "pattern-in-memory", "pdb", "yara", "sigma", "attachment", "malware-sample", "named pipe", "mutex", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "comment", "text", "hex", "x509-fingerprint-sha1", "other", "cookie"] } }, { "Payload installation": { "desc": "Info on where the malware gets installed in the system", "formdesc": "Location where the payload was placed in the system and the way it was installed. For example, a filename|md5 type attribute can be added here.", "types": ["md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "sigma", "vulnerability", "attachment", "malware-sample", "malware-type", "comment", "text", "hex", "x509-fingerprint-sha1", "mobile-application-id", "other"] } }, { "Persistence mechanism": { "desc": "Mechanisms used by the malware to start at boot", "formdesc": "Mechanisms used by the malware to start at boot. 
This could be a registry key, legitimate driver modification, LNK file in startup", "types": ["filename", "regkey", "regkey|value", "comment", "text", "other", "hex"] } }, { "Network activity": { "desc": "Information about network traffic generated by the malware", "types": ["ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "port", "hostname", "domain", "domain|ip", "email-dst", "url", "uri", "user-agent", "http-method", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "attachment", "comment", "text", "x509-fingerprint-sha1", "other", "hex", "cookie"] } }, { "Payload type": { "desc": "Information about the final payload(s)", "formdesc": "Information about the final payload(s). Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.", "types": ["comment", "text", "other"] } }, { "Attribution": { "desc": "Identification of the group, organisation, or country behind the attack", "types": ["threat-actor", "campaign-name", "campaign-id", "whois-registrant-phone", "whois-registrant-email", "whois-registrant-name", "whois-registrar", "whois-creation-date", "comment", "text", "x509-fingerprint-sha1", "other"] } }, { "External analysis": { "desc": "Any other result from additional analysis of the malware like tools output", "formdesc": "Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.", "types": ["md5", "sha1", "sha256", "filename", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "hostname", "domain", "domain|ip", "url", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "x509-fingerprint-sha1", "github-repository", "other", "cortex"] } }, { "Financial fraud": { "desc": "Financial Fraud indicators", "formdesc": 
"Financial Fraud indicators, for example: IBAN Numbers, BIC codes, Credit card numbers, etc.", "types": ["btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "phone-number", "comment", "text", "other", "hex"] } }, { "Support Tool": { "desc": "Tools supporting analysis or detection of the event", "types": ["link", "text", "attachment", "comment", "other", "hex"] } }, { "Social network": { "desc": "Social networks and platforms", "types": ["comment", "text", "other", "size-in-bytes", "counter", "datetime", "cpe", "port", "float", "hex", "phone-number"] } }]'
const menuItemsObj = JSON.parse(menuItems);
*/
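/**
 * POSTs an already-serialised JSON payload to the MISP instance and resolves
 * with the parsed JSON response body.
 *
 * Cookies are sent (`credentials: 'include'`), so the request rides on the
 * user's existing MISP browser session; callers build `url` from the stored
 * `mispUrl` setting.
 *
 * @param {string} url - absolute URL on the MISP instance.
 * @param {string} payload - request body, already JSON-encoded.
 * @returns {Promise<any>} the decoded JSON response.
 * @throws {Error} (as a rejection) when the network request fails, the status
 *   is not 2xx (`HTTP error: <status>`), or the body is not valid JSON
 *   (`Invalid JSON: <reason>`). Rejections are always Error instances.
 */
function __post_request(url, payload) {
  const options = {
    method: 'POST',
    credentials: 'include',
    body: payload,
    headers: { 'Accept': 'application/json', 'Content-Type': 'application/json; charset=UTF-8' },
  };
  return fetch(url, options)
    .then((response) => {
      if (!response.ok) {
        return Promise.reject(new Error(`HTTP error: ${response.status}`));
      }
      // Plain Error here: no ResponseError class exists in this file, so using
      // one turned every bad body into "ResponseError is not defined" and hid
      // the real parse failure.
      return response.json().catch((error) =>
        Promise.reject(new Error(`Invalid JSON: ${error.message}`)));
    })
    // Keep Error instances (and their stacks) as they are; only wrap non-Error
    // rejection values so callers can always rely on `.message`.
    .catch((error) =>
      Promise.reject(error instanceof Error ? error : new Error(String(error))));
}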
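/**
 * GETs a JSON resource from the MISP instance and resolves with the parsed
 * response body.
 *
 * Cookies are sent (`credentials: 'include'`), so the request rides on the
 * user's existing MISP browser session; callers build `url` from the stored
 * `mispUrl` setting.
 *
 * @param {string} url - absolute URL on the MISP instance.
 * @returns {Promise<any>} the decoded JSON response.
 * @throws {Error} (as a rejection) when the network request fails, the status
 *   is not 2xx (`HTTP error: <status>`), or the body is not valid JSON
 *   (`Invalid JSON: <reason>`). Rejections are always Error instances.
 */
function __get_request(url) {
  const options = {
    method: 'GET',
    credentials: 'include',
    headers: { 'Accept': 'application/json', 'Content-Type': 'application/json; charset=UTF-8' },
  };
  return fetch(url, options)
    .then((response) => {
      if (!response.ok) {
        return Promise.reject(new Error(`HTTP error: ${response.status}`));
      }
      // Plain Error here: no ResponseError class exists in this file, so using
      // one turned every bad body into "ResponseError is not defined" and hid
      // the real parse failure.
      return response.json().catch((error) =>
        Promise.reject(new Error(`Invalid JSON: ${error.message}`)));
    })
    // Keep Error instances (and their stacks) as they are; only wrap non-Error
    // rejection values so callers can always rely on `.message`.
    .catch((error) =>
      Promise.reject(error instanceof Error ? error : new Error(String(error))));
}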
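/**
 * Logs the id of the first open tab whose URL starts with `misp_base_url`, or
 * a notice when no such tab exists.
 *
 * NOTE(review): `misp_base_url` is not declared anywhere in this file and
 * nothing here calls findMISP(); presumably both come from another background
 * script — confirm before relying on this helper.
 *
 * @returns {void}
 */
function findMISP() {
  chrome.tabs.query({ url: `${misp_base_url}*` }, function (tabs) {
    // The query result is always an array, so the meaningful check is whether
    // it is empty; indexing `[0]` on an empty result used to throw.
    if (Array.isArray(tabs) && tabs.length > 0) {
      console.log(tabs[0].id);
    } else {
      console.log('There is no MISP window!');
    }
  });
}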
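/**
 * Opens `url` in a new tab and runs `code` in that tab once it has finished
 * loading.
 *
 * The onUpdated listener reacts only to the created tab's id, is removed as
 * soon as it has fired, and names that tab as the executeScript target. That
 * keeps the code from running more than once or in whichever other tab happens
 * to be active at the time (the previous listener compared a tab with itself,
 * stayed registered forever and targeted `null`, i.e. the active tab).
 *
 * @param {string} url - page on the MISP instance to open.
 * @param {string} code - JavaScript to run in the opened tab (MV2 executeScript).
 * @returns {void}
 */
function __run_in_new_tab(url, code) {
  chrome.tabs.create({ url: url }, function (createdTab) {
    const onUpdated = function (tabId, changeInfo) {
      if (tabId !== createdTab.id || changeInfo.status !== 'complete') {
        return;
      }
      chrome.tabs.onUpdated.removeListener(onUpdated);
      chrome.tabs.executeScript(tabId, { code: code });
    };
    chrome.tabs.onUpdated.addListener(onUpdated);
  });
}

/**
 * Turns page-selected text into a JavaScript string literal safe to embed in
 * executeScript code. JSON.stringify escapes quotes, backslashes and control
 * characters, so the selection always stays data inside the literal and can
 * never close it and be run as code inside the MISP tab.
 *
 * @param {string|undefined} text - `info.selectionText`; anything that is not
 *   a string becomes the empty literal `""`.
 * @returns {string} a double-quoted JavaScript string literal.
 */
function __as_js_string_literal(text) {
  return JSON.stringify(typeof text === 'string' ? text : '');
}

/**
 * Dispatches a context-menu click to the matching MISP action.
 *
 * - "newTab": opens the configured MISP instance.
 * - "search": opens /attributes/search and submits the selected text as keyword.
 * - "freetext": creates a new event through the API, then opens that event's
 *   freetext import page with the selected text prefilled for the user to review.
 *
 * @param {Object} info - context-menu click data; `menuItemId` picks the action
 *   and `selectionText` is whatever the user highlighted on the page.
 * @param {Object} tab - the tab the menu was opened on; `tab.url` is recorded in
 *   the created event's `info` field.
 * @param {{mispUrl: string, defaultOrg: string}} settings - stored extension settings.
 * @returns {void}
 */
function serveButtons(info, tab, settings) {
  const menuItemId = info.menuItemId;
  if (menuItemId === 'newTab') {
    chrome.tabs.create({ url: `${settings.mispUrl}/` });
  } else if (menuItemId === 'search') {
    // https://github.com/MISP/MISP/blob/2.4/app/View/Attributes/search.ctp
    const keyword = __as_js_string_literal(info.selectionText);
    const query = `document.getElementById("AttributeKeyword").value = ${keyword}; document.getElementsByTagName("button")[0].click();`;
    __run_in_new_tab(`${settings.mispUrl}/attributes/search`, query);
  } else if (menuItemId === 'freetext') {
    // First an event is created, then the freetext page is filled in for the
    // user to review. The body is built with JSON.stringify rather than string
    // interpolation so a quote in tab.url cannot corrupt the document or add
    // keys to it. The org id is passed through unchanged; MISP's own responses
    // carry ids as strings (see the sample below).
    const event_json = JSON.stringify({
      Event: {
        orgc_id: settings.defaultOrg,
        org_id: settings.defaultOrg,
        info: `Freetext-Import from ${tab.url}`,
      },
    });
    // Sample response shape, trimmed:
    // {"Event":{"id":"834","orgc_id":"1","org_id":"1","date":"2017-10-08",
    //   "info":"Freetext-Import from chrome://extensions/","published":false, ...}}
    __post_request(`${settings.mispUrl}/events/`, event_json)
      .then(function (result) {
        // Equivalent of MISP's own
        // importChoiceSelect('/events/freeTextImport/<id>', 'freetext', 'popover_form')
        const selection = __as_js_string_literal(info.selectionText);
        const input_freetext = `document.getElementsByClassName("input-xxlarge")[0].value=${selection}; document.getElementById("submitButton").click();`;
        __run_in_new_tab(`${settings.mispUrl}/events/freeTextImport/${result.Event.id}`, input_freetext);
      })
      .catch(function (error) {
        // Without this, a failed event creation only surfaced as an unhandled
        // rejection in the background page.
        console.error(`Freetext import failed: ${error.message}`);
      });
  }
  /*
  // Adding indicators
  else if (info["parentMenuItem"].startsWith("single") || info["parentMenuItem"].startsWith("multi")) {
    let [mode, cat, type] = info["menuItemId"].split("/");
    if (mode === "single") {
      let attribute = {};
      attribute.category = cat;
      attribute.type = type;
      attribute.value = info["selectionText"];
      console.log(JSON.stringify(attribute));
      chrome.storage.local.get(function (store) {
        if (typeof(store["attributes"]) !== 'undefined' && store["attributes"] instanceof Array) {
          store["attributes"].push(attribute);
        } else {
          store["attributes"] = [attribute];
        }
        chrome.storage.local.set(store);
      });
    }
    else {
      console.log("TODO");
    }
  }
  */
}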
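/**
 * Context-menu click entry point: loads the stored settings and hands the
 * click to serveButtons().
 *
 * Trimmed samples of the arguments, from the original author's notes:
 *   info: {"menuItemId":"single/Persistence mechanism/filename",
 *          "pageUrl":"chrome://extensions/",
 *          "parentMenuItemId":"single/Persistence mechanism",
 *          "selectionText":"as23trr32ed32e32e"}
 *   tab:  {"id":6,"url":"chrome://extensions/","title":"Extensions",
 *          "status":"complete","windowId":1, ...}
 *
 * @param {Object} info - context-menu click data.
 * @param {Object} tab - the tab the menu was opened on.
 * @returns {void}
 */
function onClickHandler(info, tab) {
  // Fallback values handed to storage.local.get for when nothing has been
  // stored under `settingsObj` yet.
  const defaultSettings = {
    settingsObj: {
      'mispUrl': 'https://default.local',
      'defaultOrg': '1',
      'defaultOrgName': 'Default Org (1)',
    },
  };
  // Callback form: the return value is not meaningful, so it is not captured
  // (it used to be stored in an unused `settings` variable).
  chrome.storage.local.get(defaultSettings, function (result) {
    serveButtons(info, tab, result.settingsObj);
  });
}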
// Register the context-menu entries once, when the extension is installed.
chrome.runtime.onInstalled.addListener(function () {
  const menuEntries = [
    // Go to MISP shortcut
    { "title": "MISPnomer: Goto MISP", "id": "newTab", "contexts": ["page"] },
    // Search and freetext menu
    { "title": "Search attribute", "id": "search", "contexts": ["selection"] },
    { "title": "Freetext import", "id": "freetext", "contexts": ["selection"] },
  ];
  // Creation order is kept: it is the order the entries appear in the menu.
  for (const entry of menuEntries) {
    chrome.contextMenus.create(entry);
  }
  /*
  // Adding attributes menu
  chrome.contextMenus.create({"title": "Add attribute(s)", "id": "add", "contexts": ["selection"]});
  // Submenu adding all categories and types
  // <for array of categories>
  for (let i = 0; i < menuItemsObj.length; i++){
    let current_obj = menuItemsObj[i];
    let misp_category = Object.keys(current_obj)[0];
    chrome.contextMenus.create(
      {"title": misp_category, "parentId": "add", "id": `${misp_category}`, "contexts": ["selection"]});
    let misp_attribute = current_obj[misp_category]["types"];
    // <for object of types>
    for (let j = 0; j < misp_attribute.length; j++){
      let misp_attr = misp_attribute[j];
      chrome.contextMenus.create(
        {"title": misp_attr, "parentId": `${misp_category}`, "id": `${misp_category}/${misp_attr}`, "contexts": ["selection"]});
    }// </for object of types>
  }// </for array of categories>
  */
});

// Every click on one of the entries above is routed through onClickHandler.
chrome.contextMenus.onClicked.addListener(onClickHandler);