support for md5 and sha1 hashes

9b · Dec 24, 2018 · 537f913 · 537f913
1 parent 5ab8b60
commit 537f913
Showing 1 changed file with 18 additions and 9 deletions.
diff --git a/misp_modules/modules/export_mod/nexthinkexport.py b/misp_modules/modules/export_mod/nexthinkexport.py
@@ -10,7 +10,7 @@
 
 misperrors = {"error": "Error"}
 
-types_to_use = ['sha1']
+types_to_use = ['sha1', 'md5']
 
 userConfig = {
 
@@ -29,16 +29,26 @@
 
 
 def handle_sha1(value, period):
-    return '''
-    (select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
-	(from (binary user device execution)
-    (where binary (eq hash (sha1 %s))))
-    (between now-%s now)
-	(limit 1000))
+    query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
+(from (binary user device execution)
+(where binary (eq sha1 (sha1 %s)))
+(between now-%s now))
+(limit 1000)
     ''' % (value, period)
+    return query.replace('\n', ' ')
+
+def handle_md5(value, period):
+    query = '''select ((binary (executable_name version)) (user (name)) (device (name last_ip_address)) (execution (binary_path start_time)))
+(from (binary user device execution)
+(where binary (eq hash (md5 %s)))
+(between now-%s now))
+(limit 1000)
+    ''' % (value, period)
+    return query.replace('\n', ' ')
 
 handlers = {
-    'sha1': handle_sha1
+    'sha1': handle_sha1,
+    'md5': handle_md5
 }
 
 def handler(q=False):
@@ -56,7 +66,6 @@ def handler(q=False):
     r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
     return r
 
-
 def introspection():
     modulesetup = {}
     try: