def create_discovery_method_instance(self,argument_list=None,child_pid_list=None,creation_time =None,is_hidden=None,image_info=None,extracted_features=None,environment_variable_list=None,
kernel_time=None,name=None,network_connection_list=None,parent_pid=None,pid=None,port_list=None,start_time=None,user_time=None,username=None):
instance = Process()
instance.argument_list= argument_list
instance.child_pid_list=child_pid_list
instance.creation_time = DateTime(creation_time)
instance.username=username
instance.user_time = Duration(user_time)
instance.start_time = DateTime(start_time)
instance.port_list =port_list
instance.pid = pid
instance.parent_pid = parent_pid
if network_connection_list is not None and (all(isinstance(x,NetworkConnection ) for x in network_connection_list)):
instance.network_connection_list = NetworkConnectionList()
for netcon in network_connection_list:
instance.network_connection_list.append(netcon)
else:
instance.network_connection_list= None
instance.name = name
instance.kernel_time = Duration(kernel_time)
if environment_variable_list is not None and (all(isinstance(x,EnvironmentVariable ) for x in environment_variable_list)):
instance.environment_variable_list = EnvironmentVariableList()
for envar in environment_variable_list:
instance.environment_variable_list.append(envar)
else:
instance.environment_variable_list =None
instance.extracted_features =extracted_features
instance.image_info = image_info
instance.is_hidden= is_hidden
return instance
def createDynamicIndicators(stix_package, dynamicindicators):
filescreated = False
processesstarted = False
regkeyscreated = False
mutexescreated = False
hostscontacted = False
hasdynamicindicators = False
# Here we are just testing to see if the report had any
# of the various dynamic indicator types so we know whether
# or not to process them at all
if len(dynamicindicators['droppedfiles']) > 0:
filescreated = True
hasdynamicindicators = True
if len(dynamicindicators['processes']) > 0:
processesstarted = True
hasdynamicindicators = True
if len(dynamicindicators['regkeys']) > 0:
regkeyscreated = True
hasdynamicindicators = True
if len(dynamicindicators['mutexes']) > 0:
mutexescreated = True
hasdynamicindicators = True
if len(dynamicindicators['hosts']) > 0:
hostscontacted = True
hasdynamicindicators = True
if not hasdynamicindicators:
return
if filescreated:
createdfilesind = Indicator()
for createdfile in dynamicindicators['droppedfiles']:
createdfilename = File()
createdfilename.file_name = createdfile[0]
createdfilename.size_in_bytes = createdfile[1]
createdfilename.md5 = createdfile[2]
createdfilename.sha1 = createdfile[3]
createdfilename.sha256 = createdfile[4]
createdfilesind.add_observable(Observable(createdfilename))
stix_package.add_indicator(createdfilesind)
if processesstarted:
procindicator = Indicator()
for process in dynamicindicators['processes']:
# Process name
processname = process[0]
# Process pid
processpid = process[1]
# Process parent pid
processparentpid = process[2]
proc = Process()
proc.name = processname
proc.pid = processpid
proc.parent_pid = processparentpid
procindicator.add_observable(Observable(proc))
stix_package.add_indicator(procindicator)
if regkeyscreated:
regindicator = Indicator()
keypath = WinRegistryKey()
for regkey in dynamicindicators['regkeys']:
keypath = WinRegistryKey()
keypath.key = regkey
regindicator.add_observable(Observable(keypath))
stix_package.add_indicator(regindicator)
if not mutexescreated:
mutexind = Indicator()
for mutex in dynamicindicators['mutexes']:
winhandle = WinHandle()
winhandle.name = mutex
winmutex = WinMutex()
winmutex.handle = winhandle
mutexind.add_observable(Observable(winmutex))
stix_package.add_indicator(mutexind)
if hostscontacted:
networkconnectionind = Indicator()
for host in dynamicindicators['hosts']:
networkconnection = NetworkConnection()
socketaddress = SocketAddress()
socketaddress.ip_address = host
networkconnection.destination_socket_address = socketaddress
networkconnectionind.add_observable(Observable(networkconnection))
stix_package.add_indicator(networkconnectionind)
return
