def main():
    """Print a STIX package holding one incident that references two file observables."""

    def file_observable(name, size, digest):
        # Both samples share name and size; only the digest differs.
        file_object = File()
        file_object.file_name = name
        file_object.size_in_bytes = size
        file_object.add_hash(Hash(digest))
        return Observable(file_object)

    # e3b0c442... is the SHA-256 of empty input, i.e. a placeholder value.
    observables = [
        file_observable(
            "readme.doc.exe", 40891,
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        file_observable(
            "readme.doc.exe", 40891,
            "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"),
    ]

    incident = Incident(title="Malicious files detected")
    for observable in observables:
        incident.related_observables.append(
            RelatedObservable(observable, relationship="Malicious Artifact Detected"))

    pkg = STIXPackage()
    pkg.add_incident(incident)
    print(pkg.to_xml(encoding=None))
    def test_autotype_md5(self):
        """A 32-character digest is auto-typed as MD5 (empty-input digest and fixture value alike)."""
        for digest in (EMPTY_MD5, self.md5):
            self.assertEqual(Hash(digest).type_, Hash.TYPE_MD5)
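def _file_observable(info):
    '''Build one CybOX Observable from a single hash record.

    *info* must provide 'filename', 'filesize', 'fileformat', 'md5', 'sha1',
    'sha256', 'sha512' and 'ssdeep'. Every field is marked with an "Equals"
    condition so the resulting indicator matches exactly. Raises KeyError
    when a key is missing and TypeError when the bindings reject a value.
    '''
    file_name = info['filename']
    file_object = File()
    file_object.file_name = file_name
    file_object.file_name.condition = "Equals"
    # Only report an extension when the name actually has one; otherwise the
    # whole name would be emitted as the extension.
    if '.' in file_name:
        file_object.file_extension = "." + file_name.rsplit('.', 1)[-1]
        file_object.file_extension.condition = "Equals"
    file_object.size_in_bytes = info['filesize']
    file_object.size_in_bytes.condition = "Equals"
    file_object.file_format = info['fileformat']
    file_object.file_format.condition = "Equals"
    # md5/sha1/sha256/sha512 are left to the bindings' length-based typing;
    # ssdeep has no fixed length and must be typed explicitly.
    for key in ('md5', 'sha1', 'sha256', 'sha512'):
        file_object.add_hash(Hash(info[key]))
    file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
    for hashobj in file_object.hashes:
        hashobj.simple_hash_value.condition = "Equals"
        hashobj.type_.condition = "Equals"
    file_obs = Observable(file_object)
    file_obs.title = "File: " + file_name
    return file_obs


def _dostix(hashes):
    '''Create a STIX package whose single indicator carries one File observable per hash record.

    Args:
        hashes: iterable of dicts as described in _file_observable. A record
            missing a key or holding a rejected value is skipped with a message;
            it no longer discards the whole package.

    Returns:
        The populated STIXPackage, or None when SETTINGS['stix'] lacks
        'producer' or 'ind_desc'. Missing 'ind_title', 'ns' or 'ns_prefix'
        still raises KeyError, as before.
    '''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()

    try:
        producer = SETTINGS['stix']['producer']
        description = SETTINGS['stix']['ind_desc']
    except KeyError as err:
        # Same outcome as before (no package), but say which setting is missing.
        print("[-] Missing required STIX setting: %s" % err)
        return None

    indicator = Indicator()
    indicator.set_producer_identity(producer)
    indicator.set_produced_time(indicator.timestamp)
    indicator.set_received_time(indicator.timestamp)
    indicator.add_kill_chain_phase(PHASE_DELIVERY)
    indicator.confidence = "Low"

    indicator.title = title
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.description = description

    # TTP and COA references are optional settings; the COA is only added
    # when the TTP reference was present too (unchanged contract).
    try:
        indicator.add_indicated_ttp(
            TTP(idref=SETTINGS['indicated_ttp'],
                timestamp=indicator.timestamp))
        indicator.suggested_coas.append(
            CourseOfAction(idref=SETTINGS['suggested_coa'],
                           timestamp=indicator.timestamp))
    except KeyError:
        pass

    for info in hashes:
        try:
            indicator.add_observable(_file_observable(info))
        except (KeyError, TypeError) as err:
            # One malformed record must not drop every other observable.
            print("[-] Skipping hash record: %s" % err)

    stix_package.add_indicator(indicator)
    return stix_package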
    def test_autotype_sha224(self):
        """A 56-character digest is auto-typed as SHA-224 (empty-input digest and fixture value alike)."""
        for digest in (EMPTY_SHA224, self.sha224):
            self.assertEqual(Hash(digest).type_, Hash.TYPE_SHA224)
    def test_autotype_sha256(self):
        """A 64-character digest is auto-typed as SHA-256 (empty-input digest and fixture value alike)."""
        for digest in (EMPTY_SHA256, self.sha256):
            self.assertEqual(Hash(digest).type_, Hash.TYPE_SHA256)
    def test_autotype_sha512(self):
        """A 128-character digest is auto-typed as SHA-512 (empty-input digest and fixture value alike)."""
        for digest in (EMPTY_SHA512, self.sha512):
            self.assertEqual(Hash(digest).type_, Hash.TYPE_SHA512)
def main():
    """Print a minimal STIX package holding one File observable with an MD5 hash."""
    # Wrap the raw digest in a CybOX simple hash value, then tag it MD5 explicitly.
    simple_value = Hash()
    simple_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    md5_hash = Hash(simple_value, Hash.TYPE_MD5)

    file_object = File()
    file_object.add_hash(md5_hash)

    header = STIXHeader()
    header.description = "Simple File Hash Observable Example"

    # STIXPackage.add() inspects its argument and files the File object under
    # the package's top-level observables collection.
    package = STIXPackage()
    package.stix_header = header
    package.add(file_object)

    print(package.to_xml())
    def test_autotype_sha1(self):
        """A 40-character digest is auto-typed as SHA-1 (empty-input digest and fixture value alike)."""
        for digest in (EMPTY_SHA1, self.sha1):
            self.assertEqual(Hash(digest).type_, Hash.TYPE_SHA1)
    def _sha256(self, keypair):
        """Return a File carrying keypair['observable'] as an explicitly typed SHA-256 hash."""
        digest = Hash()
        digest.simple_hash_value = keypair.get('observable')

        file_object = File()
        file_object.add_hash(Hash(digest, Hash.TYPE_SHA256))
        return file_object
        def _sha256(keypair):
            """Return a File carrying keypair['indicator'] as an explicitly typed SHA-256 hash."""
            digest = Hash()
            digest.simple_hash_value = keypair.get('indicator')

            file_object = File()
            file_object.add_hash(Hash(digest, Hash.TYPE_SHA256))
            return file_object
        def _md5(keypair):
            """Return a File carrying keypair['indicator'] as an explicitly typed MD5 hash."""
            digest = Hash()
            digest.simple_hash_value = keypair.get('indicator')

            file_object = File()
            file_object.add_hash(Hash(digest, Hash.TYPE_MD5))
            return file_object
def cybox_object_file(obj, meta=None):
    """Build a CybOX File from obj's MD5/SHA-256 hashes plus name, extension, path and size from meta.

    The sentinel strings 'No MD5' and 'No SHA256' mark an absent digest and
    are not added as hashes. When meta is falsy only the hashes are set.
    """
    # TODO: missing File_Custom_Properties
    file_object = File()
    digests = (
        (obj.md5_hash, 'No MD5'),
        (obj.sha256_hash, 'No SHA256'),
    )
    for digest, absent_marker in digests:
        if digest != absent_marker:
            file_object.add_hash(Hash(digest))
    if meta:
        file_object.file_name = meta.file_name
        file_object.file_extension = meta.file_extension
        file_object.file_path = meta.file_path
        file_object.size_in_bytes = meta.file_size
    return file_object
    def test_autotype(self):
        """Auto-typing only applies while type_ is unset; an explicit type_ survives later value assignments."""
        digest = "0123456789abcdef0123456789abcdef"

        h = Hash()
        h.simple_hash_value = digest
        self.assertEqual(h.type_, Hash.TYPE_MD5)
        # Once type_ is set explicitly, re-assigning the value must not reset it.
        h.type_ = Hash.TYPE_OTHER
        self.assertEqual(h.type_, Hash.TYPE_OTHER)
        h.simple_hash_value = digest
        self.assertEqual(h.type_, Hash.TYPE_OTHER)

        # Setting type_ before the value also suppresses auto-typing.
        other = Hash()
        other.type_ = Hash.TYPE_OTHER
        other.simple_hash_value = digest
        self.assertEqual(other.type_, Hash.TYPE_OTHER)
def main():
    """Print a STIX package whose observables hold one File with an MD5 hash."""
    simple_value = Hash()
    simple_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    file_object = File()
    file_object.add_hash(Hash(simple_value, Hash.TYPE_MD5))

    header = STIXHeader()
    header.description = "Example 03"

    package = STIXPackage()
    package.stix_header = header
    package.add_observable(file_object)

    print(package.to_xml())
    def test_xml_output(self):
        """A round-tripped Hash stringifies to its digest, and the digest appears in its XML bytes."""
        restored = cybox.test.round_trip(Hash(self.md5))
        self.assertEqual(str(restored), EMPTY_MD5)

        xml = restored.to_xml()
        self.assertIn(EMPTY_MD5.encode("utf-8"), xml)
 def generate_file_observable(self, filename, h_value, fuzzy):
     """Build a CybOX File from an optional path/name and an optional hash, with "Equals" conditions.

     A filename containing '/' or '\\' is split with ntpath into file_path and
     file_name; a bare name goes into file_name only. A non-empty h_value is
     attached as an exact hash; with *fuzzy* set it is additionally passed to
     self.resolve_fuzzy for the "Hashes" field.
     """
     file_object = File()
     if filename:
         has_separator = '/' in filename or '\\' in filename
         if has_separator:
             file_object.file_path = ntpath.dirname(filename)
             file_object.file_path.condition = "Equals"
             file_object.file_name = ntpath.basename(filename)
         else:
             file_object.file_name = filename
         # Both branches pin the name to an exact match.
         file_object.file_name.condition = "Equals"
     if h_value:
         file_object.add_hash(Hash(hash_value=h_value, exact=True))
         if fuzzy:
             try:
                 self.resolve_fuzzy(file_object, h_value, "Hashes")
             except KeyError:
                 # Name lookup failed: retry with the field descriptor itself.
                 hashes_field = next(
                     (field for field in file_object._fields if field.name == "Hashes"),
                     None)
                 if hashes_field:
                     self.resolve_fuzzy(file_object, h_value, hashes_field)
     return file_object
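    def to_cybox(self, exclude=None):
        """Convert this sample into CybOX Observables.

        Args:
            exclude: field names to leave out. Recognised names are 'md5',
                'sha1', 'sha256', 'ssdeep', 'size'/'size_in_bytes',
                'filename'/'file_name' and 'filedata'. None excludes nothing.

        Returns:
            A tuple (observables, releasability). observables holds an
            Artifact observable for the binary first (only when filedata is
            non-empty and not excluded), then the File observable.
        """
        # `is None` rather than `== None`: identity test for the sentinel.
        if exclude is None:
            exclude = []

        observables = []
        f = File()
        # These hash attributes map 1:1 onto File properties of the same name.
        for attr in ('md5', 'sha1', 'sha256'):
            if attr in exclude:
                continue
            val = getattr(self, attr, None)
            if val:
                setattr(f, attr, val)
        if self.ssdeep and 'ssdeep' not in exclude:
            # ssdeep is typed explicitly instead of relying on length-based detection.
            f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(self.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = self.filename
        # Create an Artifact object for the binary if it exists.
        if 'filedata' not in exclude:
            data = self.filedata.read()
            if data:
                data = base64.b64encode(data)
                a = Artifact(data=data, type_=Artifact.TYPE_FILE)
                observables.append(Observable(a))
        # file_format is deliberately not set: the CybOX File object has no
        # binding-friendly support for it (to_dict() fails on that field).
        # if 'filetype' not in exclude and 'file_format' not in exclude:
        #     f.file_format = self.filetype
        observables.append(Observable(f))
        return (observables, self.releasability)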
def create_file_hash_observable(fn, hash_value):
    '''Wrap hash_value in a File named fn and return it as a CybOX Observable.'''
    file_object = File()
    file_object.file_name = fn
    file_object.add_hash(Hash(hash_value))
    return Observable(file_object)
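def main():
    """Print a STIX package with one File Hash Watchlist indicator scored at 75% confidence."""
    # e3b0c442... is the SHA-256 of empty input, i.e. a placeholder value.
    file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

    stix_header = STIXHeader(
        title="File Hash Reputation Service Results",
        package_intents=["Indicators - Malware Artifacts"])
    stix_package = STIXPackage(stix_header=stix_header)

    # Derive the title from file_hash instead of repeating the literal so the
    # two cannot drift apart.
    indicator = Indicator(title="File Reputation for SHA256=" + file_hash)
    indicator.add_indicator_type("File Hash Watchlist")

    file_object = File()
    file_object.add_hash(Hash(file_hash))
    # Pin both the digest and its type to exact matches for the watchlist.
    file_object.hashes[0].simple_hash_value.condition = "Equals"
    file_object.hashes[0].type_.condition = "Equals"
    indicator.add_observable(file_object)

    indicator.add_indicated_ttp(TTP(title="Malicious file"))

    # Confidence is a percentage string on a custom vocabulary.
    indicator.confidence = Confidence(value=VocabString('75'))
    indicator.confidence.value.vocab_name = "Percentage"
    indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"

    stix_package.add_indicator(indicator)

    print(stix_package.to_xml(encoding=None))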
 def __get_source_objs(self):
     """Return the source objects: a single File describing the Android email provider database."""
     email_db = File()
     email_db.file_name = 'emailprovider.db'
     email_db.file_path = '/data/data/com.android.providers.email/databases/'
     email_db.file_format = 'SQLite 3.x database'
     email_db.size_in_bytes = '2374'
     email_db.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
     return [email_db]
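def addsec_to_cybox_file(as_observables):
    """Fold AddSec observables into a single CybOX File object.

    Only two dataType codes are consumed: 10 (DataTypeFile) supplies the full
    path and 2 (DataTypeSHA1, raw digest bytes) supplies the SHA-1 hash; all
    other observables are ignored. When a code repeats, the last value wins.
    """
    import binascii

    f = File()
    for observable in as_observables:
        if observable.dataType == 10:  # DataTypeFile
            f.full_path = observable.data
        elif observable.dataType == 2:  # DataTypeSHA1 (binary bytes)
            # .encode('hex') exists only on Python 2 str; hexlify yields the
            # same lowercase hex text on both Python 2 and 3.
            f.sha1 = Hash(binascii.hexlify(observable.data).decode('ascii'))
    return f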
    def test_add_vocabstring(self):
        """A VocabString instance (not just a plain string) is accepted as the hash type."""
        from cybox.common import Hash
        from cybox.common.vocabs import ActionName

        h = Hash()
        action = ActionName(ActionName.TERM_ADD_USER)
        h.type_ = action
        self.assertEqual(action, h.type_)
    def test_round_trip(self):
        """Serializing and re-parsing a Hash preserves both its value and its HashName type."""
        hash_type = HashName(Hash.TYPE_MD5)
        original = Hash(self.md5, hash_type)

        restored = cybox.test.round_trip(original)

        self.assertEqual(restored.simple_hash_value, self.md5)
        #TODO: make this really pass
        self.assertEqual(restored.type_.value, hash_type.value)
def create_file_hash_observable(filename, hash_value):
    """Return an Observable for a file named filename with hash hash_value, annotated as a malware artifact."""
    file_object = File()
    file_object.file_name = filename
    file_object.add_hash(Hash(hash_value))

    observable = Observable(file_object)
    observable.title = "Malware Artifact - File Hash"
    observable.description = "File hash derived from sandboxed malware sample."
    observable.short_description = "File hash from malware."
    return observable
    def test_add_bad_value(self):
        """Assigning a string outside the hash-type vocabulary to type_ raises ValueError."""
        from cybox.common import Hash

        h = Hash()
        with self.assertRaises(ValueError):
            h.type_ = "BAD VALUE"
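def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File from an optional filename and an optional hash.

    A filename containing '/' or '\\' is split with ntpath into file_path and
    file_name; a bare name goes into file_name only. The hash is attached
    whenever hashValue is non-empty, independently of the filename, so a
    hash-only observable still carries its hash.
    """
    file_object = File()
    if filenameValue != "":
        if "/" in filenameValue or "\\" in filenameValue:
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
    # Previously nested under the filename branch, which silently dropped the
    # hash whenever no filename was supplied.
    if hashValue != "":
        file_object.add_hash(Hash(hashValue))
    return file_object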
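def addsec_to_cybox_cert(as_observables):
    """Fold AddSec observables into a single CybOX X509Certificate.

    dataType codes consumed: 11 (raw certificate), 12 (subject), 13 (issuer)
    and 2 (SHA-1 digest as raw bytes, stored as the signature hash). Other
    codes are ignored; when a code repeats, the last value wins.
    """
    import binascii

    c = X509Certificate()
    for observable in as_observables:
        if observable.dataType == 11:  # DataTypeX509
            c.raw_certificate = observable.data
        elif observable.dataType == 12:  # DataTypeX509Subject
            c.certificate.subject = observable.data
        elif observable.dataType == 13:  # DataTypeX509Issuer
            c.certificate.issuer = observable.data
        elif observable.dataType == 2:  # DataTypeSHA1 (binary bytes)
            # .encode('hex') exists only on Python 2 str; hexlify yields the
            # same lowercase hex text on both Python 2 and 3.
            c.certificate_signature.signature = Hash(
                binascii.hexlify(observable.data).decode('ascii'))
    return c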
def main():
    """Print a STIX package whose indicator wraps a File object carrying an MD5 hash."""
    simple_value = Hash()
    simple_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    file_object = File()
    file_object.add_hash(Hash(simple_value, Hash.TYPE_MD5))

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now())
    indicator.add_object(file_object)

    header = STIXHeader()
    header.description = "Example 02"

    package = STIXPackage()
    package.stix_header = header
    package.add_indicator(indicator)

    print(package.to_xml())
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File with exact-match ("Equals") conditions on its path, name and hash."""
    file_object = File()
    if filenameValue != "":
        has_separator = "/" in filenameValue or "\\" in filenameValue
        if has_separator:
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
        # Both branches pin the name to an exact match.
        file_object.file_name.condition = "Equals"
    if hashValue != "":
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
    return file_object
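def main():
    """Print an Observables document describing one file observation with an MD5 hash."""
    md5 = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    # Raw string: "\M" is not a valid escape, so the plain literal warned on
    # Python 3.6+; the resulting value (a single backslash) is unchanged.
    f.file_path = r"AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(md5)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print(Observables(o).to_xml())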