MISP Exercise 7

MISP LAB07: Expansion modules

1. Introduction

In this lab you will learn what MISP Modules are, why they exist and how you can use them. They are not strictly necessary in MISP, but they can be helpful during any kind of research.

The goal of this lab is that you understand the MISP Modules concept. You should also be able to apply what you have learned on other MISP instances.

2. Setup

Start Docker image

Start the docker container with the following commands.

cd /home/hacker/misp-docker-image
docker-compose up

Connect to MISP by opening the URL http://instance-a.misp.localhost in your preferred web browser.

The MISP instance initialises all labs. Please wait until you are able to see the Hacking-Lab icon.

Login with the following credentials

User: investigator-org-a@misp-lab7.com
Password: compass

3. Short introduction into MISP Modules

There are currently three different types of MISP Modules:

  • Expansion modules can be used to extend the current core functionalities of MISP

  • Export modules are used to add further export formats to MISP, like PDF

  • Import modules extend the allowed import formats

MISP Modules can be run on the same system or on a remote server. In this case, we already set up the configuration for you.

As you can see, there are already some events there. Visit them and try to get any additional information on the given attributes. Spoiler: This isn't possible. Currently, there are no MISP Modules enabled for that user. Continue with the next step.

4. GEO IP and MAC Vendor

Open the event Lab 7 - Some data about the source and navigate down to the attributes. You should see two attributes, a source IP address and a MAC address.

By hovering over the MAC address or pressing the magnifier icon, you can display the vendor of this device. The module queries a database in the background and displays the result for you. If you get an error, please make sure that your VM is connected to the internet.

5. QR Encoder

In this step you have received a QR code and don't know what kind of data is stored in it. Navigate back to the event overview and then view the Lab 7 - Unknown QR code event.

Obviously, you could copy that QR code or take a screenshot of it, upload it to any free online QR code decoder, copy the decoded data and paste it back into MISP. If you have to do that several times, it becomes quite annoying. So let's use the MISP Module instead.

In order to add the received information directly to MISP, press the small newly appeared icon on the right side of the attribute to add an enrichment. Then select qrcode: QR code decode. The enrichment window will pop up. You can directly press Submit attributes, no adjustments are needed.

We will get a new attribute!

You have now added a new attribute. Take a look at its type. MISP already recognised that it is a Bitcoin wallet address. Submit this address later as a flag. We installed a module for you to check whether the address has been associated with cybercrime before. Press the magnifier icon again, but this time next to the newly created Bitcoin address attribute!

Flag: 16NhhYiQtfASicquYxA5xGZ6YzvpkF94Nt

6. URL Haus

Navigate back to the event overview and then view the Lab 7 - Received URL event.

Then press the add enrichment icon next to the attribute again. You are going to query the official URLhaus API for more information about the URL, so in the popup that appears select urlhaus: Query of the URLhaus API to get additional information about some attributes.

You have now added the report and the hashes of the malicious file without downloading it.

7. Behind the scenes

In this step you will take a look at where you can enable more MISP Modules. Currently about 90 modules from the official GitHub repository are installed, but not activated.

Login as administrator

username: admin@misp-lab.com
password: compass

Navigate to Administration -> Server Settings & Maintenance -> Plugin settings

8. Activate PDF Export Plugin

Press Enrichment to view all installed MISP Expansion Modules and their settings. As you have probably noticed, some modules require an API key. If you want, get one from the provider's site and play around with the functionality of that module.

You can't see any Export Modules in the Export tab (click on it). We haven't activated them yet. So please do that by setting the Plugin.Export_services_enable value to true.

MISP uses a REST API in the background to query all available Modules. Refresh the page and click on Export again.
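To make that background REST call visible, here is an added example (not part of the lab or of MISP's own code) that lists the modules a misp-modules server advertises, groups them by type, flags the hover modules that send an attribute value out automatically on mouse-over, and builds the body MISP POSTs to /query. It assumes misp-modules on its default local port 6666 and uses a constructed sample of the /modules listing so it runs offline.

```python
import json
from urllib import request

# Assumption: misp-modules listens on its default local port 6666.
MODULES_BASE = "http://127.0.0.1:6666"

# Constructed sample of what GET /modules returns. The shape follows
# misp-modules descriptors; the values are illustrative, not a live capture.
SAMPLE_MODULES = [
    {"name": "macvendors", "type": "expansion",
     "mispattributes": {"input": ["mac-address"], "output": ["text"]},
     "meta": {"module-type": ["hover"]}},
    {"name": "qrcode", "type": "expansion",
     "mispattributes": {"input": ["attachment"], "output": ["url", "btc"]},
     "meta": {"module-type": ["expansion", "hover"]}},
    {"name": "urlhaus", "type": "expansion",
     "mispattributes": {"input": ["url", "md5", "sha256"], "format": "misp_standard"},
     "meta": {"module-type": ["expansion"]}},
    {"name": "pdfexport", "type": "export",
     "mispattributes": {"inputSource": ["event"], "output": ["pdf"]},
     "meta": {"module-type": ["export"]}},
]

def fetch_modules(base=MODULES_BASE):
    """Ask a running misp-modules server for its module list (GET /modules)."""
    with request.urlopen(f"{base}/modules", timeout=10) as resp:
        return json.load(resp)

def group_by_type(modules):
    """Group module names under expansion / export / import."""
    groups = {}
    for mod in modules:
        groups.setdefault(mod["type"], []).append(mod["name"])
    return groups

def hover_modules(modules):
    """Modules that run on hover: the attribute value leaves MISP as soon as an
    analyst mouses over it, so review these before enabling them."""
    return [m["name"] for m in modules if "hover" in m["meta"].get("module-type", [])]

def build_query(mod, attr_type, value, config=None):
    """Build the JSON body MISP POSTs to /query; reject unsupported attribute types."""
    if attr_type not in mod["mispattributes"].get("input", []):
        raise ValueError(f"{mod['name']} does not accept {attr_type}")
    body = {"module": mod["name"]}
    if mod["mispattributes"].get("format") == "misp_standard":
        body["attribute"] = {"type": attr_type, "value": value}  # full MISP attribute
    else:
        body[attr_type] = value  # legacy format: one key per attribute type
    if config:
        body["config"] = config  # e.g. the API key some modules require
    return body
```

Against the lab VM, `fetch_modules()` returns the live listing to feed into the other functions in place of SAMPLE_MODULES.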

Then scroll down until you can find the PDF Module. Enable the module by setting the Plugin.Export_pdfexport_enabled attribute to true.

If everything worked fine, try to export a MISP event as PDF.

9. Security Questions

  1. Why should even foreign (trustworthy) Modules be used?

  2. Why do you think MISP introduced a feature like Modules when it's already open source?

  3. What would be another useful feature that is not yet implemented in MISP and could be added by yourself?

10. Answers

  1. They can be a gain and improve the work of an analyst.

  2. You won't need a deep understanding of MISP internals as a developer. You don't need a PHP focus; with Python support, a wider range of possibilities is provided.

  3. I don't know yet. Lots of cool modules are already available: https://github.com/MISP/misp-modules
