def main():
    """Print a STIX package holding one Incident that references two observed files.

    Both observables describe the same file name and size but carry different
    SHA-256 digests.  The two digests are well-known test vectors (the first is
    the SHA-256 of zero-length input), so the output is illustrative only; a
    real watchlist keyed on the empty-input digest would match every empty file.
    """
    shared_name = "readme.doc.exe"
    shared_size = 40891
    digests = (
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
    )

    observables = []
    for digest in digests:
        observed = File()
        observed.file_name = shared_name
        observed.size_in_bytes = shared_size
        observed.add_hash(Hash(digest))
        observables.append(Observable(observed))

    incident = Incident(title="Malicious files detected")
    for observable in observables:
        link = RelatedObservable(observable,
                                 relationship="Malicious Artifact Detected")
        incident.related_observables.append(link)

    pkg = STIXPackage()
    pkg.add_incident(incident)
    print(pkg.to_xml(encoding=None))
def test_autotype_md5(self):
    """32-character hash is assumed to be MD5"""
    for digest in (EMPTY_MD5, self.md5):
        inferred = Hash(digest)
        self.assertEqual(inferred.type_, Hash.TYPE_MD5)
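def _build_indicator(title):
    '''Return the "File Hash Watchlist" Indicator shell the File observables hang off.

    Reads SETTINGS['stix']['producer'] and SETTINGS['stix']['ind_desc']
    (KeyError propagates to the caller); SETTINGS['indicated_ttp'] and
    SETTINGS['suggested_coa'] are optional references.
    '''
    indicator = Indicator()
    indicator.set_producer_identity(SETTINGS['stix']['producer'])
    indicator.set_produced_time(indicator.timestamp)
    indicator.set_received_time(indicator.timestamp)
    indicator.add_kill_chain_phase(PHASE_DELIVERY)
    indicator.confidence = "Low"
    indicator.title = title
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.description = SETTINGS['stix']['ind_desc']
    try:
        indicator.add_indicated_ttp(
            TTP(idref=SETTINGS['indicated_ttp'], timestamp=indicator.timestamp))
        indicator.suggested_coas.append(
            CourseOfAction(idref=SETTINGS['suggested_coa'],
                           timestamp=indicator.timestamp))
    except KeyError:
        # The TTP / COA references are optional settings; when the first is
        # present and the second missing, only the TTP is attached.
        pass
    return indicator


def _file_observable(info):
    '''Build one "Equals"-conditioned File observable from a hash entry.

    info -- mapping with 'filename', 'filesize', 'fileformat', 'md5', 'sha1',
            'sha256', 'sha512' and 'ssdeep' keys.

    Raises KeyError when a field is absent and TypeError when a value cannot
    be used as a CybOX property; the caller decides how to handle both.
    '''
    file_name = info['filename']
    file_object = File()
    file_object.file_name = file_name
    file_object.file_name.condition = "Equals"
    if '.' in file_name:
        # Only claim an extension when the name actually has one; the old
        # "." + name.split('.')[-1] turned a dot-less name into a bogus ".name".
        file_object.file_extension = "." + file_name.rpartition('.')[2]
        file_object.file_extension.condition = "Equals"
    file_object.size_in_bytes = info['filesize']
    file_object.size_in_bytes.condition = "Equals"
    file_object.file_format = info['fileformat']
    file_object.file_format.condition = "Equals"
    # CybOX infers the hash type from the digest length for these four;
    # ssdeep has no fixed length so its type is passed explicitly.
    for algorithm in ('md5', 'sha1', 'sha256', 'sha512'):
        file_object.add_hash(Hash(info[algorithm]))
    file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
    for hashobj in file_object.hashes:
        hashobj.simple_hash_value.condition = "Equals"
        hashobj.type_.condition = "Equals"
    file_obs = Observable(file_object)
    file_obs.title = "File: " + file_name
    return file_obs


def _dostix(hashes):
    '''This function creates a STIX packages containing hashes.

    hashes -- iterable of per-file mappings (see _file_observable).

    Returns the STIXPackage, with one File observable per usable entry, or
    None when a required SETTINGS key for the indicator is missing (the
    missing key is reported on stdout instead of being swallowed).  A
    malformed entry is skipped with a message rather than discarding the
    whole package.  SETTINGS['stix'] itself must exist (KeyError otherwise).
    '''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = _build_indicator(title)
    except KeyError as err:
        # Keep the original contract (None on missing configuration) but say
        # which key was absent instead of failing silently.
        print("[!] Missing setting %s; no STIX package created" % (err,))
        return None
    for info in hashes:
        try:
            indicator.add_observable(_file_observable(info))
        except (KeyError, TypeError) as err:
            # One bad entry must not throw away every other hash.
            print("[!] Skipping malformed hash entry: %r" % (err,))
    stix_package.add_indicator(indicator)
    return stix_package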
def test_autotype_sha224(self):
    """56-character hash is assumed to be SHA-224"""
    for digest in (EMPTY_SHA224, self.sha224):
        inferred = Hash(digest)
        self.assertEqual(inferred.type_, Hash.TYPE_SHA224)
def test_autotype_sha256(self):
    """64-character hash is assumed to be SHA-256"""
    for digest in (EMPTY_SHA256, self.sha256):
        inferred = Hash(digest)
        self.assertEqual(inferred.type_, Hash.TYPE_SHA256)
def test_autotype_sha512(self):
    """128-character hash is assumed to be SHA-512"""
    for digest in (EMPTY_SHA512, self.sha512):
        inferred = Hash(digest)
        self.assertEqual(inferred.type_, Hash.TYPE_SHA512)
def main():
    """Print a STIX package whose only content is a File observable with an MD5 hash."""
    # Wrap the digest in a Hash value object first, then type it as MD5.
    digest_value = Hash()
    digest_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    md5_hash = Hash(digest_value, Hash.TYPE_MD5)

    # The File carries only the hash; no name or size is set in this example.
    file_object = File()
    file_object.add_hash(md5_hash)

    header = STIXHeader()
    header.description = "Simple File Hash Observable Example"
    package = STIXPackage()
    package.stix_header = header

    # add() inspects its argument and files the File under the package's
    # top-level observables collection.
    package.add(file_object)

    print(package.to_xml())
def test_autotype_sha1(self):
    """40-character hash is assumed to be SHA-1"""
    for digest in (EMPTY_SHA1, self.sha1):
        inferred = Hash(digest)
        self.assertEqual(inferred.type_, Hash.TYPE_SHA1)
def _sha256(self, keypair):
    """Return a CybOX File whose only hash is the SHA-256 in keypair['observable'].

    A missing 'observable' key is not an error here: .get() yields None and the
    hash value is left unset.
    """
    digest_value = Hash()
    digest_value.simple_hash_value = keypair.get('observable')
    cybox_file = File()
    cybox_file.add_hash(Hash(digest_value, Hash.TYPE_SHA256))
    return cybox_file
def _sha256(keypair):
    """Return a CybOX File whose only hash is the SHA-256 in keypair['indicator'].

    A missing 'indicator' key is not an error here: .get() yields None and the
    hash value is left unset.
    """
    digest_value = Hash()
    digest_value.simple_hash_value = keypair.get('indicator')
    cybox_file = File()
    cybox_file.add_hash(Hash(digest_value, Hash.TYPE_SHA256))
    return cybox_file
def _md5(keypair):
    """Return a CybOX File whose only hash is the MD5 in keypair['indicator'].

    A missing 'indicator' key is not an error here: .get() yields None and the
    hash value is left unset.
    """
    digest_value = Hash()
    digest_value.simple_hash_value = keypair.get('indicator')
    cybox_file = File()
    cybox_file.add_hash(Hash(digest_value, Hash.TYPE_MD5))
    return cybox_file
def cybox_object_file(obj, meta=None):
    """Map a stored sample record onto a CybOX File.

    obj  -- record exposing md5_hash and sha256_hash; the placeholder strings
            'No MD5' / 'No SHA256' mean "digest not available" and are not
            emitted as hashes.
    meta -- optional record with file_name, file_extension, file_path and
            file_size; when truthy, those four fields are copied verbatim.
    """
    # TODO: missing File_Custom_Properties
    cybox_file = File()
    for digest, placeholder in ((obj.md5_hash, 'No MD5'),
                                (obj.sha256_hash, 'No SHA256')):
        if digest != placeholder:
            cybox_file.add_hash(Hash(digest))
    if meta:
        cybox_file.file_name = meta.file_name
        cybox_file.file_extension = meta.file_extension
        cybox_file.file_path = meta.file_path
        cybox_file.size_in_bytes = meta.file_size
    return cybox_file
def test_autotype(self):
    """Auto-typing applies only while no type is set; an explicit type
    survives later value assignments, whichever order they happen in."""
    digest = "0123456789abcdef0123456789abcdef"

    untyped = Hash()
    untyped.simple_hash_value = digest
    self.assertEqual(untyped.type_, Hash.TYPE_MD5)
    untyped.type_ = Hash.TYPE_OTHER
    self.assertEqual(untyped.type_, Hash.TYPE_OTHER)
    untyped.simple_hash_value = digest
    self.assertEqual(untyped.type_, Hash.TYPE_OTHER)

    pretyped = Hash()
    pretyped.type_ = Hash.TYPE_OTHER
    pretyped.simple_hash_value = digest
    self.assertEqual(pretyped.type_, Hash.TYPE_OTHER)
def main():
    """Print a STIX package ("Example 03") with one top-level File observable carrying an MD5."""
    digest_value = Hash()
    digest_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    observed = File()
    observed.add_hash(Hash(digest_value, Hash.TYPE_MD5))

    header = STIXHeader()
    header.description = "Example 03"
    package = STIXPackage()
    package.stix_header = header
    package.add_observable(observed)
    print(package.to_xml())
def test_xml_output(self):
    """An MD5 Hash survives an XML round trip and its digest appears in the XML bytes.

    (The first assertion implies self.md5 and EMPTY_MD5 hold the same digest.)
    """
    original = Hash(self.md5)
    restored = cybox.test.round_trip(original)
    self.assertEqual(str(restored), EMPTY_MD5)
    xml_bytes = restored.to_xml()
    self.assertIn(EMPTY_MD5.encode("utf-8"), xml_bytes)
def generate_file_observable(self, filename, h_value, fuzzy):
    """Build a CybOX File pattern from an optional name/path and an optional hash.

    filename -- bare name, or a path containing '/' or '\\' which is split
                with ntpath into file_path and file_name (both "Equals").
    h_value  -- digest added as an exact-match Hash when non-empty.
    fuzzy    -- when set (and h_value given), self.resolve_fuzzy is applied to
                the "Hashes" field; if that lookup raises KeyError the field
                object found in file_object._fields is passed instead.
    """
    file_object = File()
    if filename:
        has_separator = '/' in filename or '\\' in filename
        if has_separator:
            file_object.file_path = ntpath.dirname(filename)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filename)
        else:
            file_object.file_name = filename
        file_object.file_name.condition = "Equals"
    if h_value:
        file_object.add_hash(Hash(hash_value=h_value, exact=True))
        if fuzzy:
            try:
                self.resolve_fuzzy(file_object, h_value, "Hashes")
            except KeyError:
                hashes_field = next(
                    (f for f in file_object._fields if f.name == "Hashes"), "")
                if hashes_field:
                    self.resolve_fuzzy(file_object, h_value, hashes_field)
    return file_object
def to_cybox(self, exclude=None):
    """Convert this sample into CybOX observables.

    exclude -- optional list of field names to leave out: 'md5', 'sha1',
               'sha256', 'ssdeep', 'size' or 'size_in_bytes', 'filename' or
               'file_name', and 'filedata'.

    Returns (observables, releasability).  observables holds an Artifact
    observable with the base64-encoded binary (only when 'filedata' is not
    excluded and self.filedata.read() returns data — the whole sample is
    read into memory) followed by the File observable with the hashes, size
    and name.
    """
    skip = [] if exclude is None else exclude
    observables = []
    cybox_file = File()

    for digest_name in ('md5', 'sha1', 'sha256'):
        if digest_name in skip:
            continue
        digest = getattr(self, digest_name, None)
        if digest:
            setattr(cybox_file, digest_name, digest)
    if self.ssdeep and 'ssdeep' not in skip:
        cybox_file.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))

    size_wanted = 'size' not in skip and 'size_in_bytes' not in skip
    if size_wanted:
        cybox_file.size_in_bytes = UnsignedLong(self.size)
    name_wanted = 'filename' not in skip and 'file_name' not in skip
    if name_wanted:
        cybox_file.file_name = self.filename

    # create an Artifact object for the binary if it exists
    if 'filedata' not in skip:
        raw = self.filedata.read()
        if raw:
            artifact = Artifact(data=base64.b64encode(raw),
                                type_=Artifact.TYPE_FILE)
            observables.append(Observable(artifact))

    #if 'filetype' not in exclude and 'file_format' not in exclude:
    #NOTE: this doesn't work because the CybOX File object does not
    # have any support built in for setting the filetype to a
    # CybOX-binding friendly object (e.g., calling .to_dict() on
    # the resulting CybOX object fails on this field.
    #f.file_format = self.filetype

    observables.append(Observable(cybox_file))
    return (observables, self.releasability)
def create_file_hash_observable(fn, hash_value):
    '''Create a CybOX Observable representing a file hash.

    fn         -- file name recorded on the File object
    hash_value -- digest string; CybOX picks the hash type from its length
    '''
    observed = File()
    observed.file_name = fn
    observed.add_hash(Hash(hash_value))
    return Observable(observed)
def main():
    """Print a STIX package with one File Hash Watchlist indicator at 75% confidence."""
    # SHA-256 of zero-length input: a well-known sample digest, not a real
    # malware artifact.  A watchlist keyed on it would match every empty file.
    file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

    header = STIXHeader(
        title="File Hash Reputation Service Results",
        package_intents=["Indicators - Malware Artifacts"])
    package = STIXPackage(stix_header=header)

    indicator = Indicator(
        title="File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    indicator.add_indicator_type("File Hash Watchlist")

    observed = File()
    observed.add_hash(Hash(file_hash))
    # Pin both the digest and its type so the pattern is an exact match.
    digest = observed.hashes[0]
    digest.simple_hash_value.condition = "Equals"
    digest.type_.condition = "Equals"
    indicator.add_observable(observed)

    indicator.add_indicated_ttp(TTP(title="Malicious file"))
    # Confidence is a vocabulary string from the "Percentage" vocabulary.
    indicator.confidence = Confidence(value=VocabString('75'))
    indicator.confidence.value.vocab_name = "Percentage"
    indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"

    package.add_indicator(indicator)
    print(package.to_xml(encoding=None))
def __get_source_objs(self):
    """Return the source objects: a single File describing an Android email-provider SQLite database."""
    db_file = File()
    db_file.file_name = 'emailprovider.db'
    db_file.file_path = '/data/data/com.android.providers.email/databases/'
    db_file.file_format = 'SQLite 3.x database'
    # Size is given as a string here (other call sites pass an int).
    db_file.size_in_bytes = '2374'
    db_file.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
    return [db_file]
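def addsec_to_cybox_file(as_observables):
    """Fold AddSec observables into one CybOX File.

    dataType 10 carries a full path and dataType 2 a raw (binary) SHA-1
    digest; observables of any other type are ignored.  When several
    observables of the same type are present, the last one wins.
    """
    import binascii

    cybox_file = File()
    for observable in as_observables:
        if observable.dataType == 10:  # DataTypeFile
            cybox_file.full_path = observable.data
        elif observable.dataType == 2:  # DataTypeSHA1 (binary bytes)
            # str.encode('hex') exists only on Python 2; hexlify produces the
            # same lowercase hex on both interpreters and decode() turns the
            # ASCII bytes back into text for the Hash value.
            cybox_file.sha1 = Hash(
                binascii.hexlify(observable.data).decode('ascii'))
    return cybox_file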
def test_add_vocabstring(self):
    """A VocabString (here an ActionName term) is accepted as the hash type and read back unchanged."""
    from cybox.common import Hash
    from cybox.common.vocabs import ActionName

    term = ActionName(ActionName.TERM_ADD_USER)
    hash_obj = Hash()
    hash_obj.type_ = term
    self.assertEqual(term, hash_obj.type_)
def test_round_trip(self):
    """Both the digest and the explicit HashName survive an XML round trip."""
    name = HashName(Hash.TYPE_MD5)
    original = Hash(self.md5, name)
    restored = cybox.test.round_trip(original)
    self.assertEqual(restored.simple_hash_value, self.md5)
    #TODO: make this really pass
    self.assertEqual(restored.type_.value, name.value)
def create_file_hash_observable(filename, hash_value):
    """Return an Observable for a named file identified by one hash.

    The title, description and short description are fixed labels describing
    a sandbox-derived malware artifact; CybOX infers the hash type from the
    digest length.
    """
    observed = File()
    observed.file_name = filename
    observed.add_hash(Hash(hash_value))

    observable = Observable(observed)
    observable.title = "Malware Artifact - File Hash"
    observable.description = "File hash derived from sandboxed malware sample."
    observable.short_description = "File hash from malware."
    return observable
def test_add_bad_value(self):
    """Assigning an unknown hash type name is rejected with ValueError."""
    from cybox.common import Hash

    hash_obj = Hash()
    with self.assertRaises(ValueError):
        hash_obj.type_ = "BAD VALUE"
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File from an optional name/path and an optional hash.

    A name containing '/' or '\\' is split with ntpath into file_path and
    file_name (so both separator styles are handled); otherwise it is used
    as the bare file_name.  An empty string leaves the field unset.  The
    hash type is inferred by CybOX from the digest.
    """
    file_object = File()
    if filenameValue != "":
        has_separator = "/" in filenameValue or "\\" in filenameValue
        if has_separator:
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
    if hashValue != "":
        file_object.add_hash(Hash(hashValue))
    return file_object
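def addsec_to_cybox_cert(as_observables):
    """Fold AddSec observables into one CybOX X509Certificate.

    dataType 11 is the raw certificate, 12 its subject, 13 its issuer and 2 a
    raw (binary) SHA-1 digest stored as the certificate signature; other
    observables are ignored and a repeated type overwrites the earlier value.
    """
    import binascii

    cert = X509Certificate()
    for observable in as_observables:
        if observable.dataType == 11:  # DataTypeX509
            cert.raw_certificate = observable.data
        elif observable.dataType == 12:  # DataTypeX509Subject
            cert.certificate.subject = observable.data
        elif observable.dataType == 13:  # DataTypeX509Issuer
            cert.certificate.issuer = observable.data
        elif observable.dataType == 2:  # DataTypeSHA1 (binary bytes)
            # str.encode('hex') exists only on Python 2; hexlify produces the
            # same lowercase hex on both interpreters and decode() turns the
            # ASCII bytes back into text for the Hash value.
            cert.certificate_signature.signature = Hash(
                binascii.hexlify(observable.data).decode('ascii'))
    return cert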
def main():
    """Print a STIX package ("Example 02") with one Indicator wrapping a File that has an MD5 hash."""
    digest_value = Hash()
    digest_value.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    observed = File()
    observed.add_hash(Hash(digest_value, Hash.TYPE_MD5))

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    # datetime.now() is naive local time; whether the produced time ends up
    # timezone-qualified depends on set_produced_time — confirm if it matters.
    indicator.set_produced_time(datetime.now())
    indicator.add_object(observed)

    header = STIXHeader()
    header.description = "Example 02"
    package = STIXPackage()
    package.stix_header = header
    package.add_indicator(indicator)
    print(package.to_xml())
def generateFileObservable(filenameValue, hashValue):
    """Build an exact-match CybOX File pattern from an optional name/path and hash.

    A name containing '/' or '\\' is split with ntpath into file_path and
    file_name; otherwise it is used as the bare file_name.  Every field set is
    given an "Equals" condition and the hash is added as an exact match.  An
    empty string leaves the corresponding field unset.
    """
    file_object = File()
    if filenameValue != "":
        has_separator = "/" in filenameValue or "\\" in filenameValue
        if has_separator:
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
        file_object.file_name.condition = "Equals"
    if hashValue != "":
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
    return file_object
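def main():
    """Print an Observables document with one File (name, path, extension, size, MD5)."""
    md5_hash = Hash("a7a0390e99406f8975a1895860f55f2f")
    sample = File()
    sample.file_name = "bad_file24.exe"
    # Raw string: "\M" is an invalid escape sequence (a warning on recent
    # Pythons); the runtime value is unchanged, a literal backslash path.
    sample.file_path = r"AppData\Mozilla"
    sample.file_extension = ".exe"
    sample.size_in_bytes = 3282
    sample.add_hash(md5_hash)

    observable = Observable(sample)
    observable.description = "This observable specifies a specific file observation."
    print(Observables(observable).to_xml())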