CAS Cybersecurity
MISP Exercise 7

MISP LAB07: Expansion modules

1. Introduction

In this lab you will learn what MISP Modules are, why they exist and how you can use them. They are not strictly necessary to run MISP, but they can be very helpful during any kind of research.

The goal of this lab is that you understand the MISP Modules concept and are able to apply that knowledge on other MISP instances.

2. Setup

Start Docker image

Start the docker container with the following command.

cd /home/hacker/misp-docker-image
docker-compose up

Connect to MISP by opening your preferred web browser and navigating to the URL http://instance-a.misp.localhost.

The MISP instance initialises all labs. Please wait until you are able to see the Hacking-Lab icon.

Login with the following credentials

User: investigator-org-a@misp-lab7.com
Password: compass

3. Short introduction into MISP Modules

There are currently three different types of MISP Modules:

  • Expansion modules extend the core functionality of MISP, for example by enriching an attribute with data from an external source

  • Export modules add further export formats to MISP, like PDF

  • Import modules extend the accepted import formats

MISP Modules can run on the same system as MISP or on a remote server. In this lab, the configuration has already been set up for you.

As you can see, there are already some events in the instance. Visit them and try to get additional information on the given attributes. Spoiler: this isn't possible yet. Currently, no MISP Modules are enabled for this user. Continue with the next step.

4. GEO IP and MAC Vendor

Open the event Lab 7 - Some data about the source and navigate down to the attributes. You should see two attributes, a source IP address and a MAC address.

By hovering over the MAC address or pressing the magnifier icon, you can display the vendor of this device. The module queries a database in the background and displays the results for you. If you get an error, please make sure that your VM is connected to the internet.
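To make the module concept from step 3 and the MAC vendor lookup above concrete, here is a minimal expansion module written in the handler style that the misp-modules server expects (the `handler`, `introspection` and `version` functions and the `mispattributes` / `moduleinfo` metadata). This is an added example, not code from the lab or from the misp-modules project: the OUI-to-vendor table is constructed for the example and is resolved offline, whereas the module used in the lab queries a vendor database on the internet.

```python
"""Minimal MISP expansion module in the misp-modules handler style.

Added example (not from the lab or the misp-modules project). It resolves the
vendor of a mac-address attribute from a small OUI table embedded below; the
table entries are constructed sample data, not an authoritative registry.
"""
import json
import re

# Module metadata in the shape the misp-modules server reads from an expansion module.
misperrors = {"error": "Error"}
mispattributes = {"input": ["mac-address"], "output": ["text"]}
moduleinfo = {
    "version": "0.1",
    "author": "example",
    "description": "Resolve the vendor of a MAC address from an embedded OUI table",
    "module-type": ["expansion", "hover"],
}
moduleconfig = []  # no API key is needed for this offline example

# Constructed OUI prefixes -> vendor names (sample data for this example only).
OUI_TABLE = {
    "00:1A:2B": "Example Networks Inc.",
    "3C:4D:5E": "Sample Devices Ltd.",
}

# Six hex octets, optionally separated by ':' or '-'.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?"
    r"([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})$"
)


def normalise_oui(mac):
    """Return the first three octets as 'AA:BB:CC', or None if mac is not a valid MAC address."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    return ":".join(g.upper() for g in m.groups()[:3])


def lookup_vendor(mac):
    """Vendor for a MAC address, or None if the input is invalid or the prefix is unknown."""
    oui = normalise_oui(mac)
    if oui is None:
        return None
    return OUI_TABLE.get(oui)


def handler(q=False):
    """Entry point the misp-modules server calls with the JSON request body sent by MISP."""
    if q is False:
        return False
    request = json.loads(q)
    mac = request.get("mac-address")
    if not mac:
        misperrors["error"] = "Unsupported attribute type"
        return misperrors
    vendor = lookup_vendor(mac)
    if vendor is None:
        misperrors["error"] = "No vendor found for this MAC address"
        return misperrors
    # Each result carries the attribute types and values MISP offers to add as enrichment.
    return {"results": [{"types": mispattributes["output"], "values": [vendor]}]}


def introspection():
    """Tells the server which attribute types this module accepts and produces."""
    return mispattributes


def version():
    """Module metadata, including the (empty) list of configurable settings."""
    moduleinfo["config"] = moduleconfig
    return moduleinfo


if __name__ == "__main__":
    # Simulates the request MISP sends to the modules server when you press the magnifier icon.
    print(handler(json.dumps({"mac-address": "00:1a:2b:aa:bb:cc"})))
```

When MISP lists available modules or runs an enrichment, it talks to the misp-modules server over its REST API, and the server in turn calls `introspection()`, `version()` and `handler()` on each loaded module; that is why a module needs no knowledge of MISP internals beyond the request and result JSON shown here.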

5. QR Encoder

In this step you have received a QR code and don't know what kind of data is encoded in it. Navigate back to the event overview and then view the Lab 7 - Unknown QR code event.

Obviously, you could copy that QR code or take a screenshot of it, upload it to any free online QR code decoder, copy the decoded data and paste it back into MISP. If you have to do that several times, it becomes quite annoying. So let's use the MISP Module instead.

In order to add the decoded information directly to MISP, press the newly appeared icon on the right side of the attribute to add an enrichment. Then select qrcode: QR code decode. The enrichment window will pop up. You can directly press Submit attributes, no adjustments are needed.

We get a new attribute!

You have now added a new attribute. Take a look at its type: MISP already recognised that it is a bitcoin wallet address. Submit this address later as a flag. We also installed a module for you to check whether the address has been associated with cybercrime before. Press the magnifier icon again, but this time next to the newly created bitcoin address attribute!

Flag: 16NhhYiQtfASicquYxA5xGZ6YzvpkF94Nt

6. URL Haus

Navigate back to the event overview and then view the Lab 7 - Received URL event.

Then press the add enrichment icon next to the attribute again. You are going to query the official URLhaus API for more information about the URL, so select urlhaus: Query of the URLhaus API to get additional information about some attributes in the popup that appears.

You have now added the report and the hashes of the malicious file without downloading it.

7. Behind the scenes

In this step you will take a look at where you can enable more MISP Modules. Currently about 90 modules from the official GitHub repository are installed, but not activated.

Login as administrator

username: admin@misp-lab.com
password: compass

Navigate to Administration -> Server Settings & Maintenance -> Plugin settings

8. Activate PDF Export Plugin

Press Enrichment to view all installed MISP Expansion Modules and their settings. As you probably noticed, some modules require an API key. If you want, get one from the provider's site and play around with the functionality of that module.

You can't see any Export Modules in the Export tab (click on it). We haven't activated them yet. Please do so by setting the Plugin.Export_services_enable value to true.

MISP uses a REST API in the background to query all available modules. Refresh the page and click on Export again.

Then scroll down until you find the PDF module. Enable it by setting the Plugin.Export_pdfexport_enabled attribute to true.

If everything worked fine, try to export a MISP event as PDF.

9. Security Questions

  1. Why should even foreign (trustworthy) modules be used?

  2. Why do you think MISP introduced a feature like Modules, when it is already open source?

  3. What would be another useful feature that is not yet implemented in MISP and could be added by yourself?

10. Answers

  1. They can be a gain and improve the work of an analyst.

  2. You won't need a deep understanding of MISP internals as a developer. You don't need a PHP focus; with support for Python a wider range of possibilities is provided.

  3. I don't know yet. Lots of cool modules are already available: https://github.com/MISP/misp-modules


Last updated 3 years ago
