def create_maec(inputfile, outpath, verbose_error_mode):

    if os.path.isfile(inputfile):    

        #Create the main parser object
        parser = gparser.parser()

        try:
            open_file = parser.open_file(inputfile)
            
            if not open_file:
                print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.')
                return
            
            #Parse the file to get the actions and processes
            parser.parse_document()

            #Create the MAEC package
            package = Package()

            #Add the analysis
            package.add_malware_subject(parser.malware_subject)

            #Finally, Export the results
            package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec":"GFISandboxToMAEC"})

            print "Wrote to " + outpath

        except Exception, err:
           print('\nError: %s\n' % str(err))
           if verbose_error_mode:
                traceback.print_exc()
Beispiel #2
0
def merge_packages(package_list, namespace = None):
    '''Merge a list of input MAEC Packages and return a merged Package instance.'''
    malware_subjects = []
    # Instantiate the ID generator class (for automatic ID generation)
    if not namespace:
        NS = Namespace("https://github.com/MAECProject/python-maec", "merged")
    else:
        NS = namespace
    maec.utils.set_id_namespace(NS)
    # Build the list of Malware Subjects
    for package in package_list:
        for malware_subject in package.malware_subjects:
            malware_subjects.append(malware_subject)
    # Merge the Malware Subjects
    merged_subjects = merge_malware_subjects(malware_subjects)
    # Merge the input namespace/schemaLocation dictionaries
    merged_namespaces = {}
    merged_schemalocations = {}
    for package in package_list:
        merged_namespaces.update(package.__input_namespaces__)
        merged_schemalocations.update(package.__input_schemalocations__)
    # Create a new Package with the merged Malware Subjects
    merged_package = Package()
    merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
    merged_package.__input_namespaces__ = merged_namespaces
    merged_package.__input_schemalocations__ = merged_schemalocations
    return merged_package
def generate_package_from_parser(input_parser, options=None, from_md5=False):
    """Take a populated ThreatExpert parser object and return a MAEC package object."""
    
    try:
        # Parse the file to get the actions and processes
        input_parser.parse_document()
    except:
        if from_md5:
            raise Exception("Fetched document is not a valid ThreatExpert report. It is likely that this file has never been reported to ThreatExpert.")
        else:
            raise Exception("Input document is not a valid ThreatExpert report.")

    # Create the MAEC Package
    package = Package()

    # Add the namespace to the package
    package.__input_namespaces__["ThreatExpertToMAEC"] = "https://github.com/MAECProject/threatexpert-to-maec"
    
    # Add the analysis
    for malware_subject in input_parser.maec_subjects:
        
        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()
        
        package.add_malware_subject(malware_subject)
        
    return package
Beispiel #4
0
def maec_s(maecs):
    print "maec"
    maec_obj = package_binding.parse(maecs)
    obs = Package.from_obj(maec_obj)
    pac = Package(obs)
    dic = pac.to_dict()
    print "name:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["name"]
    print "pid:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["pid"]
    print "spawned_process:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["spawned_process"]
    print "id:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["id"]
Beispiel #5
0
    def _maec_from_dict(cls, d):
        if _MAEC_INSTALLED:
            return maecPackage.from_dict(d)

        raise ValueError(
            "Unable to parse 'maec' value in dictionary. Please " "install python-maec to parse dictionary value."
        )
 def test_maec_wrapped_in_stix(self):
     maec_package = Package.from_xml(self._maec_package)[0]
     stix_package = wrap_maec(maec_package)
     stix_ttp = stix_package.ttps[0]
     malware_instances = stix_ttp.behavior.malware_instances
     wrapped_maec_package = malware_instances[0].maec
     self.assertEqual(wrapped_maec_package.to_xml(include_namespaces=False,pretty=False),
                      self._wrapped_maec_package)
Beispiel #7
0
    def _maec_from_dict(cls, d):
        if _MAEC_INSTALLED:
            return maecPackage.from_dict(d)

        raise ValueError(
            "Unable to parse 'maec' value in dictionary. Please "
            "install python-maec to parse dictionary value."
        )
Beispiel #8
0
def merge_packages(package_list, output_file):
    '''Merge a list of input MAEC Packages and write them to an output Package file'''
    malware_subjects = []
    # Instantiate the ID generator class (for automatic ID generation)
    NS = Namespace("https://github.com/MAECProject/python-maec", "merged")
    maec.utils.set_id_namespace(NS)
    # Build the list of Malware Subjects
    for package in package_list:
        for malware_subject in package.malware_subjects:
            malware_subjects.append(malware_subject)
    # Merge the Malware Subjects
    merged_subjects = merge_malware_subjects(malware_subjects)
    # Create a new Package with the merged Malware Subjects
    merged_package = Package()
    merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
    # Write the Package to the output file
    merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})
def create_maec(inputfile, outpath, verbose_error_mode, options):

    if os.path.isfile(inputfile):    

        #Create the main parser object
        parser = anparser.parser()
        
        try:
            open_file = parser.open_file(inputfile)
            
            if not open_file:
                print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anbuis output schema.')
                return
            
            #Parse the file to get the actions and processes
            parser.parse_document()

            #Create the MAEC package
            package = Package()
            
            #Add the analysis
            for subject in parser.maec_subjects:
                package.add_malware_subject(subject)
                
                if options:
                    if options.normalize_bundles:
                        subject.normalize_bundles()
                    if options.deduplicate_bundles:
                        subject.deduplicate_bundles()
                    if options.dereference_bundles:
                        subject.dereference_bundles()
                
            ##Finally, Export the results
            package.to_xml_file(outpath,
                {"https://github.com/MAECProject/anubis-to-maec":"AnubisToMAEC"})

            print "Wrote to " + outpath
            
        except Exception, err:
            print('\nError: %s\n' % str(err))
            if verbose_error_mode:
                traceback.print_exc()
Beispiel #10
0
    def _add_stix_ttp(self, malware_subject):
        """Create and add a STIX TTP for a MAEC Malware Subject.
        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.

        Returns:
            The ID of the newly created STIX TTP.
        """
        # Create the STIX TTP that includes the MAEC Instance
        ttp = TTP()
        ttp.behavior = Behavior()
        # Add a MAEC Package with just the Malware Subject
        # For capturing the identity of the malware binary that the Indicators target
        maec_package = Package()
        new_malware_subject = MalwareSubject()
        new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
        maec_package.add_malware_subject(new_malware_subject)
        maec_malware_instance = MAECInstance()
        maec_malware_instance.maec = maec_package
        ttp.behavior.add_malware_instance(maec_malware_instance)
        self.stix_package.add_ttp(ttp)
        return ttp.id_
Beispiel #11
0
    def _add_stix_ttp(self, malware_subject):
        """Create and add a STIX TTP for a MAEC Malware Subject.
        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.

        Returns:
            The ID of the newly created STIX TTP.
        """
        # Create the STIX TTP that includes the MAEC Instance
        ttp = TTP()
        ttp.behavior = Behavior()
        # Add a MAEC Package with just the Malware Subject
        # For capturing the identity of the malware binary that the Indicators target
        maec_package = Package()
        new_malware_subject = MalwareSubject()
        new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
        maec_package.add_malware_subject(new_malware_subject)
        maec_malware_instance = MAECInstance()
        maec_malware_instance.maec = maec_package
        ttp.behavior.add_malware_instance(maec_malware_instance)
        self.stix_package.add_ttp(ttp)
        return ttp.id_
Beispiel #12
0
    def from_obj(cls, obj):
        if not obj:
            return None

        return_obj = cls()

        if _MAEC_INSTALLED:
            obj.MAEC = maecPackage.from_obj(obj.MAEC)
        else:
            obj.MAEC = obj.MAEC

        return_obj = super(MAECInstance, cls).from_obj(obj)

        return return_obj
Beispiel #13
0
    def from_obj(cls, obj, return_obj=None):
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()

        super(MAECInstance, cls).from_obj(obj, return_obj)

        if _MAEC_INSTALLED:
            return_obj.maec = maecPackage.from_obj(obj.MAEC)
        else:
            return_obj.maec = obj.MAEC

        return return_obj
Beispiel #14
0
    def from_obj(cls, obj, return_obj=None):
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()
        
        super(MAECInstance, cls).from_obj(obj, return_obj)

        if _MAEC_INSTALLED:
            return_obj.maec = maecPackage.from_obj(obj.MAEC)
        else:
            return_obj.maec = obj.MAEC

        return return_obj
def generate_package_from_parser(input_parser, options=None):
    # Parse the file and perform the translation into MAEC
    input_parser.parse_document()

    # Create the MAEC Package
    package = Package()

    # Get the Malware Subject
    malware_subject = input_parser.malware_subject

    # Check for the existence of the options structure and if any are set
    # If so, perform the appropriate actions
    if options:
        if options.normalize_bundles:
            malware_subject.normalize_bundles()
        if options.deduplicate_bundles:
            malware_subject.deduplicate_bundles()
        if options.dereference_bundles:
            malware_subject.dereference_bundles()

    # Add the Malware Subject
    package.add_malware_subject(malware_subject)

    return package
Beispiel #16
0
def generate_package_from_parser(input_parser, options=None):
    # Parse the file and perform the translation into MAEC
    input_parser.parse_document()

    # Create the MAEC Package
    package = Package()

    # Get the Malware Subject
    malware_subject = input_parser.malware_subject

    # Check for the existence of the options structure and if any are set
    # If so, perform the appropriate actions
    if options:
        if options.normalize_bundles:
            malware_subject.normalize_bundles()
        if options.deduplicate_bundles:
            malware_subject.deduplicate_bundles()
        if options.dereference_bundles:
            malware_subject.dereference_bundles()

    # Add the Malware Subject
    package.add_malware_subject(malware_subject)

    return package
Beispiel #17
0
    def parse_xml(self, xml_file, check_version=True):
        """Creates a python-maec Bundle or Package object from the supplied xml_file.

        Arguments:
        xml_file -- A filename/path or a file-like object reprenting a MAEC instance (i.e. Package or Bundle) document
        check_version -- Inspect the version before parsing.
        """
        parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False)
        tree = etree.parse(xml_file, parser=parser)

        api_obj = None
        binding_obj = self.parse_xml_to_obj(xml_file, check_version)
        if self.is_package:
            from maec.package.package import Package # resolve circular dependencies
            api_obj = Package.from_obj(binding_obj)
        elif self.is_bundle:
            from maec.bundle.bundle import Bundle # resolve circular dependencies
            api_obj = Bundle.from_obj(binding_obj)
        self._apply_input_namespaces(tree, api_obj)

        return api_obj
    def generate_oval(self):
        #Basic input file checking
        if os.path.isfile(self.infilename):    
            #Try parsing the MAEC file with both bindings
            package_obj = package_binding.parse(self.infilename)
            bundle_obj = bundle_binding.parse(self.infilename)
            try:
                sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...')
                #Test whether the input is a Package or Bundle and process accordingly
                if bundle_obj.hasContent_():
                    maec_bundle = Bundle.from_obj(bundle_obj)
                    self.process_bundle(maec_bundle)
                elif package_obj.hasContent_():
                    maec_package = Package.from_obj(package_obj)
                    for malware_subject in maec_package.malware_subjects:
                        for maec_bundle in malware_subject.findings_bundles.bundles:
                            self.process_bundle(maec_bundle)

                #Build up the OVAL document from the parsed data and corresponding objects
                self.__build_oval_document()

                if len(self.converted_ids) > 0:
                    #Export to the output file
                    outfile = open(self.outfilename, 'w')
                    self.ovaldefroot.export(outfile, 0, namespacedef_='xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"')
                    sys.stdout.write('Done\n')
                else:
                    sys.stdout.write('no OVAL output written; 0 actions were converted.\n')
                if self.stat_mode:
                    print '\n**Converted Actions**'
                    for action_id in self.converted_ids:
                        print 'Action ' + action_id + ' converted successfully'
                    print '**Skipped Actions**'
                    for action_id in self.skipped_actions:
                        print 'Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes'

            except Exception, err:
                print('\nError: %s\n' % str(err))
                if self.verbose_mode:
                    traceback.print_exc()
Beispiel #19
0
    def from_dict(cls, d, return_obj=None):
        if not d:
            return None
        if not return_obj:
            return_obj = cls()

        super(MAECInstance, cls).from_dict(d, return_obj)

        if 'maec' in d:
            maec = d['maec']

            if isinstance(maec, dict):
                if not _MAEC_INSTALLED:
                    raise ValueError(
                        "Unable to parse 'maec' value in dictionary. Please "
                        "install python-maec to parse dictionary value.")

                return_obj.maec = maecPackage.from_dict(maec)
            else:
                parser = stix.utils.parser.get_xml_parser()
                return_obj.maec = etree.parse(StringIO(maec), parser=parser)

        return return_obj
    def from_dict(cls, d, return_obj=None):
        if not d:
            return None
        if not return_obj:
            return_obj = cls()
            
        super(MAECInstance, cls).from_dict(d, return_obj)

        if 'maec' in d:
            maec = d['maec']

            if isinstance(maec, dict):
                if not _MAEC_INSTALLED:
                    raise ValueError(
                        "Unable to parse 'maec' value in dictionary. Please "
                        "install python-maec to parse dictionary value."
                    )

                return_obj.maec = maecPackage.from_dict(maec)
            else:
                parser = stix.utils.parser.get_xml_parser()
                return_obj.maec = etree.parse(StringIO(maec), parser=parser)
        
        return return_obj
 def test_positive_stix_indicators(self):
     maec_package = Package.from_xml(self._maec_package_positive)[0]
     extractor = IndicatorExtractor(maec_package)
     stix_package = extractor.extract()
     self.assertEquals(len(stix_package.indicators), 4)
Beispiel #22
0
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString

# サンプルの名前空間に(自動ID生成用の)IDジェネレータクラスをインスタンス化
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()


# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)

# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
subject_object = Object() #オブジェクト
 def test_stix_ttp_malware_instances(self):
     maec_package = Package.from_xml(self._maec_package)[0]
     stix_package = wrap_maec(maec_package)
     stix_ttp = stix_package.ttps[0]
     malware_instances = stix_ttp.behavior.malware_instances
     self.assertEquals(len(malware_instances), 1)
# Code for MAEC In-depth Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
 def __init__(self, pefile_parser):
     self.pefile_parser = pefile_parser
     NS = Namespace("http://code.google.com/p/pefile/", "pefile")
     maec.utils.set_id_namespace(NS)
     self.package = Package()
     self.generate_maec()
 def test_stix_ttp(self):
     maec_package = Package.from_xml(self._maec_package)[0]
     stix_package = wrap_maec(maec_package)
     self.assertEquals(len(stix_package.ttps), 1)
# Code for MAEC In-depth Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
    "B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
Beispiel #28
0
class PefileToMAEC(object):
    def __init__(self, pefile_parser):
        self.pefile_parser = pefile_parser
        NS = Namespace("http://code.google.com/p/pefile/", "pefile")
        maec.utils.set_id_namespace(NS)
        self.package = Package()
        self.generate_maec()

    def create_object_dict(self, properties_dict):
        object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
        return object_dict

    def populate(self, entry_dict, static_bundle, malware_subject=None):
        if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
            file_dict = self.create_object_dict(entry_dict['file'])
            if malware_subject:
                malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
                # Add the hashes for the Malware Instance Object Attributes
                data = open(self.pefile_parser.infile, 'rb').read()
                if data:
                    md5_hash = hashlib.md5(data).hexdigest()
                    sha1_hash = hashlib.sha1(data).hexdigest()
                    malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
                    malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
            else:
                static_bundle.add_object(Object.from_dict(file_dict))
        if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
            pe_dict = self.create_object_dict(entry_dict['pe'])
            static_bundle.add_object(Object.from_dict(pe_dict))

    def generate_analysis(self, static_bundle):
        analysis = Analysis()
        analysis.type = 'triage'
        analysis.method = 'static'
        analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
                'vendor': 'Ero Carrera',
                'name': 'pefile'}))
        findings_bundle_reference = []
        if self.bundle_has_content(static_bundle):
            findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
        analysis.findings_bundle_reference = findings_bundle_reference
        return analysis

    def bundle_has_content(self, bundle):
        if bundle.actions and len(bundle.actions) > 0:
            return True
        if bundle.objects and len(bundle.objects) > 0:
            return True
        if bundle.behaviors and len(bundle.behaviors) > 0:
            return True
        return False

    def generate_malware_subjects(self):
        entry_dict = self.pefile_parser.entry_dict
        malware_subject = MalwareSubject()
        entry_dict['id'] = malware_subject
        static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
        self.populate(entry_dict, static_bundle, malware_subject)
        malware_subject.add_analysis(self.generate_analysis(static_bundle))
        if self.bundle_has_content(static_bundle):
            malware_subject.add_findings_bundle(static_bundle)
        self.package.add_malware_subject(malware_subject)
        
    def generate_maec(self):
        self.generate_malware_subjects()
Beispiel #29
0
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object 
from cybox.core.associated_object import AssociatedObject

#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
#Add the Malware Subject to the Package
 def test_positive_stix_indicators(self):
     maec_package = Package.from_xml(self._maec_package_positive)[0]
     extractor = IndicatorExtractor(maec_package)
     stix_package = extractor.extract()
     self.assertEquals(len(stix_package.indicators), 4)
 def test_negative_stix_indicators(self):
     maec_package = Package.from_xml(self._maec_package_negative)[0]
     extractor = IndicatorExtractor(maec_package)
     stix_package = extractor.extract()
     self.assertEquals(stix_package, None)
# Code for MAEC Related Malware Idiom
from maec.package.package import Package
from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship, 
                                          MalwareSubjectRelationshipList, MalwareSubjectReference)
from cybox.common import VocabString
from cybox.core import Object
from cybox.objects.file_object import File

# Set up the necessary Package and Malware Subject instances
p = Package()
ms1 = MalwareSubject()
ms2 = MalwareSubject()
ms3 = MalwareSubject()
ms4 = MalwareSubject()

# Set the Malware_Instance_Object_Attributes on the first Malware Subject
ms1.malware_instance_object_attributes = Object()
ms1.malware_instance_object_attributes.properties = File()
ms1.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms1.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms1.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

# Set the Malware_Instance_Object_Attributes on the second Malware Subject
ms2.malware_instance_object_attributes = Object()
ms2.malware_instance_object_attributes.properties = File()
ms2.malware_instance_object_attributes.properties.file_name = "msvcr.dll"

# Set the Malware_Instance_Object_Attributes on the third Malware Subject
ms3.malware_instance_object_attributes = Object()
ms3.malware_instance_object_attributes.properties = File()
ms3.malware_instance_object_attributes.properties.file_name = "fvcwin32.exe"
Beispiel #33
0
from cybox.objects.file_object import File
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from cybox.utils import Namespace
import maec.utils

# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
 def test_negative_stix_indicators(self):
     maec_package = Package.from_xml(self._maec_package_negative)[0]
     extractor = IndicatorExtractor(maec_package)
     stix_package = extractor.extract()
     self.assertEquals(stix_package, None)
def vt_report_to_maec_package(vt_report_input, options = None):
    """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
    NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
    maec.utils.set_id_namespace(NS)
    
    package = Package()

    # if only one result, make it a list of one result
    if type(vt_report_input) != list:
        vt_report_list = [vt_report_input]
    else:
        vt_report_list = vt_report_input

    for idx, vt_report in enumerate(vt_report_list):
        # if VirusTotal has never seen this MD5
        if vt_report["response_code"] == 0:
            sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
            sys.stderr.flush();
            continue
        if vt_report["response_code"] == -1:
            sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
                             vt_report.get("verbose_message", "no message provided") + "\n")
            sys.stderr.flush();
            continue
        
        malware_subject = MalwareSubject()
        
        # create the file object and add hashes
        file_dict = {}
        file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
        file_dict['hashes'] = [
            {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
            {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
            {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
        ]
        
        # set the object as the defined object
        object_dict = {}
        object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
        object_dict['properties'] = file_dict
        
        # bind the object to the malware subject object
        malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
        
        # create the analysis and add it to the subject
        analysis = Analysis()
        analysis.type_ = 'triage'
        analysis.method = 'static'
        analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
        analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
                           'vendor' : 'VirusTotal',
                           'name' : 'VirusTotal' }))
        malware_subject.add_analysis(analysis)
        
        bundle_obj = Bundle()
        
        for vendor, scan in vt_report["scans"].items():
            if scan["result"] is not None:
                bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
        
        # add bundle to subject, bundle to analysis, and subject to package
        malware_subject.add_findings_bundle(bundle_obj)
        analysis.set_findings_bundle(bundle_obj.id_)
        package.add_malware_subject(malware_subject)
        
        package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
        
        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()
        
    return package
Beispiel #36
0
 def __init__(self, pefile_parser):
     self.pefile_parser = pefile_parser
     NS = Namespace("http://code.google.com/p/pefile/", "pefile")
     maec.utils.set_id_namespace(NS)
     self.package = Package()
     self.generate_maec()
class PefileToMAEC(object):
    def __init__(self, pefile_parser):
        self.pefile_parser = pefile_parser
        NS = Namespace("http://code.google.com/p/pefile/", "pefile")
        maec.utils.set_id_namespace(NS)
        self.package = Package()
        self.generate_maec()

    def create_object_dict(self, properties_dict):
        object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
        return object_dict

    def populate(self, entry_dict, static_bundle, malware_subject=None):
        if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
            file_dict = self.create_object_dict(entry_dict['file'])
            if malware_subject:
                malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
                # Add the hashes for the Malware Instance Object Attributes
                data = open(self.pefile_parser.infile, 'rb').read()
                if data:
                    md5_hash = hashlib.md5(data).hexdigest()
                    sha1_hash = hashlib.sha1(data).hexdigest()
                    malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
                    malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
            else:
                static_bundle.add_object(Object.from_dict(file_dict))
        if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
            pe_dict = self.create_object_dict(entry_dict['pe'])
            static_bundle.add_object(Object.from_dict(pe_dict))

    def generate_analysis(self, static_bundle):
        analysis = Analysis()
        analysis.type = 'triage'
        analysis.method = 'static'
        analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
                'vendor': 'Ero Carrera',
                'name': 'pefile'}))
        findings_bundle_reference = []
        if self.bundle_has_content(static_bundle):
            findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
        analysis.findings_bundle_reference = findings_bundle_reference
        return analysis

    def bundle_has_content(self, bundle):
        if bundle.actions and len(bundle.actions) > 0:
            return True
        if bundle.objects and len(bundle.objects) > 0:
            return True
        if bundle.behaviors and len(bundle.behaviors) > 0:
            return True
        return False

    def generate_malware_subjects(self):
        entry_dict = self.pefile_parser.entry_dict
        malware_subject = MalwareSubject()
        entry_dict['id'] = malware_subject
        static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
        self.populate(entry_dict, static_bundle, malware_subject)
        malware_subject.add_analysis(self.generate_analysis(static_bundle))
        if self.bundle_has_content(static_bundle):
            malware_subject.add_findings_bundle(static_bundle)
        self.package.add_malware_subject(malware_subject)
        
    def generate_maec(self):
        self.generate_malware_subjects()