dnMisp is a simple .NET Standard 2.0 library for consuming the MISP REST API.
```
Install-Package dnMisp
```

```
dotnet add package dnMisp
```
The beta version focuses on the management of IOCs; the management and administration of organisations and users has not yet been integrated.
Here is a more detailed description of what has and has not been integrated.
- Events: Get, Add, Update, Remove, Push to ZMQ
- Attributes: Get, Add, Update, Remove
- Tag: Add, Remove a tag
- Proposal: Add
- Add, Remove:
  - malware sample
  - hashes
  - detection link
  - detection name
  - attachments
  - reg keys
  - patterns
  - pipes
  - mutex
  - yara rules
  - threat actor
  - network activity:
    - ip dest, src
    - hostname
    - domain, domain IP
    - URIs
    - user Agents
    - traffic pattern
    - snort rules
    - ASNs
    - 'other' network activities
  - email attributes (source, destination, subject, attachment, header)
  - targeting data (email, user, machine, organization, location, external)
  - internal reference (links, comments, text, others)
  - others (comments, counters, texts)
- galaxies & galaxy clusters
- proposals
- users
- organisations
- servers
- feeds
- sightings
- warning lists
- notice lists
Feel free to contribute new or missing features!
| Platform | Version |
|---|---|
| .NET Standard | 2+ |
| .NET | 5+ |
| .NET Core | 2+ |
| .NET Framework | 4.6.1+ |
| Mono | 5.4+ |
| Xamarin.iOS | 10.14+ |
| Xamarin.Mac | 3.8+ |
| Xamarin.Android | 8+ |
| Universal Windows Platform | 10.0.16299+ |
| Unity | 2018.1+ |
How to create a new MISP consumer instance:

```csharp
MispConsumer _mispClient = MispConsumer.Create<MispConsumer>(
    YourConfig.MispUri,
    YourConfig.MispAuthKey);
```
Getting an event by its identifier:

```csharp
/* Get event by event ID */
MispEvent mispEvent = await _mispClient.GetEvent(mispEventId);
```
Download a malware sample by its hash:

```csharp
/* Download a malware sample by hash */
MalwareSampleList results = (await _mispClient.DownloadMalware(md5))?.Results;
if (results == null)
    return;

foreach (var item in results)
{
    string mispEventId = item.EventId;
    string base64data = item.Base64;
    // Do stuff there
}
```
Using the search API:

```csharp
/* Search events */
RestSearchQuery query = new RestSearchQuery()
{
    Tags = new RestSearchOperator<string>
    {
        Or = {
            "ATT&CK:T1064:Scripting",
            "VT:attachment",
            "YARA:File_Is_Office_Open_XML"
        },
        Not =
        {
            "YARA:File_Is_Office_Doc"
        }
    },
    Limit = 10,
    Page = 1,
    Last = "5d"
};

List<MispEvent> events = await _mispClient.SearchEvent(query);
foreach (var @event in events)
{
    // Do stuff there
}
```
Getting the full attribute list from a MISP event:

```csharp
List<dnMisp.Objects.Attribute> attributes = await _mispClient.GetAttributesList(mispEventId);
```
Create Mutex attributes:

```csharp
var attr = _mispClient.CreateMutex(mispEventId, mutexName, comment: "your comment here");
```

Create Registry Key attributes:

```csharp
var attr = _mispClient.CreateRegKey(mispEventId, regKey, regValue, comment: "your comment here");
```
You can also use any of the following methods in the same way to create attribute objects (note: this does not upload the attribute):

```
CreateNamedAttribute(string eid, string type, string value, string category, [bool toIDS = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [string data = ], [bool disableCorrelation = True], [dnMisp.Objects.MispObject attachToObject = null]);
CreateEmailSrc(string eid, string value, [string category = Payload delivery], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateEmailDst(string eid, string value, [string category = Payload delivery], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateEmailSubject(string eid, string value, [string category = Payload delivery], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateEmailAttachment(string eid, string value, [string category = Payload delivery], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateEmailHeader(string eid, string value, [string category = Payload delivery], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateDetectionLink(string eid, string link, [string category = Antivirus detection], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateDetectionName(string eid, string name, [string category = Antivirus detection], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateAttachment(string eid, System.IO.Stream attachment, string filename, [string category = Artifacts dropped], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateRegKey(string eid, string regKey, string regValue, [string category = Artifacts dropped], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreatePattern(string eid, string pattern, [dnMisp.Enums.PatternType patternType = 0], [string category = Artifacts dropped], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreatePipe(string eid, string namedPipe, [string category = Artifacts dropped], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateMutex(string eid, string mutex, [string category = Artifacts dropped], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateYara(string eid, string yara, [string category = Payload delivery], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateInternalLink(string eid, string value, [string category = Internal reference], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateInternalComment(string eid, string value, [string category = Internal reference], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateInternalText(string eid, string value, [string category = Internal reference], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateInternalOther(string eid, string value, [string category = Internal reference], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateIPDst(string eid, string value, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateIPSrc(string eid, string value, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateHostname(string eid, string value, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateDomain(string eid, string value, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateDomainIP(string eid, string domain, string ip, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateUrl(string eid, string url, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateUserAgent(string eid, string userAgent, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateTrafficPattern(string eid, string pattern, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateSnort(string eid, string snort, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateASN(string eid, string asn, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateNetOther(string eid, string value, [string category = Network activity], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateOtherComment(string eid, string value, [string category = Other], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateOtherCounter(string eid, string value, [string category = Other], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5])
CreateOtherText(string eid, string value, [string category = Other], [bool toIds = False], [string comment = ], [dnMisp.Enums.Distribution distribution = 5], [dnMisp.Objects.MispObject attachToObject = null]);
CreateThreatActor(string eid, string value, [string category = Attribution], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetEmail(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetUser(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetMachine(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetOrganization(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetLocation(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
CreateTargetExternal(string eid, string value, [string category = Targeting data], [bool toIds = True], [string comment = ], [dnMisp.Enums.Distribution distribution = 5]);
```
Then, you can upload any created attribute:

```csharp
var response = await _mispClient.AddAttribute(mispEventId, attr);
```
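
The create-then-upload flow above, as an added example that is not part of dnMisp's own documentation: it classifies raw indicator strings, builds the matching attribute with `CreateIPDst`, `CreateUrl` or `CreateDomain`, and uploads each one with `AddAttribute`, turning `toIds` off for non-routable addresses so they do not reach IDS exports. The `using dnMisp;` namespace, the `IndicatorUploader` class and its helper names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using dnMisp; // assumption: namespace that contains MispConsumer

public static class IndicatorUploader // hypothetical helper, not part of dnMisp
{
    // True for loopback, link-local and RFC 1918 addresses.
    static bool IsNonRoutable(IPAddress ip)
    {
        if (IPAddress.IsLoopback(ip)) return true;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return ip.IsIPv6LinkLocal;
        byte[] b = ip.GetAddressBytes();
        return b[0] == 10 || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168) || (b[0] == 169 && b[1] == 254);
    }

    public static async Task UploadAsync(MispConsumer client, string eventId, IEnumerable<string> rawIndicators)
    {
        const string note = "Added by triage script";
        foreach (string raw in rawIndicators)
        {
            // Undo common "defanging" so that MISP stores the real value.
            string value = raw.Trim().Replace("[.]", ".").Replace("hxxp", "http");
            // Require canonical IP text so inputs such as "1.2" are not silently expanded.
            if (IPAddress.TryParse(value, out IPAddress ip)
                && ip.ToString().Equals(value, StringComparison.OrdinalIgnoreCase))
            {
                var attr = client.CreateIPDst(eventId, ip.ToString(),
                    toIds: !IsNonRoutable(ip), comment: note);
                await client.AddAttribute(eventId, attr);
            }
            else if (Uri.TryCreate(value, UriKind.Absolute, out Uri uri)
                && (uri.Scheme == "http" || uri.Scheme == "https"))
            {
                await client.AddAttribute(eventId, client.CreateUrl(eventId, uri.AbsoluteUri, comment: note));
            }
            else if (Uri.CheckHostName(value) == UriHostNameType.Dns && value.Contains("."))
            {
                await client.AddAttribute(eventId, client.CreateDomain(eventId, value.ToLowerInvariant(), comment: note));
            }
            else
                Console.Error.WriteLine($"Skipped unrecognised indicator: {raw}");
        }
    }
}
```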
Removing an attribute:

```csharp
string response = await _mispClient.DeleteAttribute(int.Parse(v.Value), true);
```

Creating new tags:

```csharp
string response = await _mispClient.AddTag(new TagRequest(new Tag("_TAG_NAME_", Color.FromArgb(254, Color.Orange), isExportable)));
```

Adding a tag to a MISP event:

```csharp
string response = await _mispClient.AddTag(mispEventId, $"_TAG_NAME_");
```
Creating a malware sample MISP object (this does not upload the sample):

```csharp
MispMalware mispObj = new MispMalware(
    fileStream, // Sample stream content
    filename)   // Filename
{
    Comment = "Powered by dnMisp" // Your comment here
};
```
Upload a MISP object (malware sample, script, other):

```csharp
MispObjectUpload response = await _mispClient.AddObject(
    mispEventId,
    mispObj,
    "90" // MISP Object Template ID
);
```
Removing a MISP object:

```csharp
var response = await _mispClient.RemoveObject(v);
```
- This project is under copyright of the Airbus CERT and distributed under the Apache 2.0 license