    def test_autotype(self):
        """Check that ``type_`` is inferred from the digest only while it is unset.

        A 32-hex-character value assigned to a fresh Hash is reported as
        ``Hash.TYPE_MD5``; once ``type_`` has been set to ``TYPE_OTHER`` the
        same value leaves it untouched, whether the type was fixed before or
        after the first value assignment.
        """
        md5_like = "0123456789abcdef0123456789abcdef"

        inferred = Hash()
        inferred.simple_hash_value = md5_like
        self.assertEqual(inferred.type_, Hash.TYPE_MD5)

        # An explicit type must survive a later value assignment.
        inferred.type_ = Hash.TYPE_OTHER
        self.assertEqual(inferred.type_, Hash.TYPE_OTHER)
        inferred.simple_hash_value = md5_like
        self.assertEqual(inferred.type_, Hash.TYPE_OTHER)

        # Same guarantee when the type is pinned before any value is set.
        pinned = Hash()
        pinned.type_ = Hash.TYPE_OTHER
        pinned.simple_hash_value = md5_like
        self.assertEqual(pinned.type_, Hash.TYPE_OTHER)
    def test_autotype(self):
        """Verify length-based hash-type inference and that an explicit type wins.

        Scenario 1: value first (inferred MD5), then ``TYPE_OTHER`` is set and
        the value re-assigned -- the type stays ``TYPE_OTHER``.
        Scenario 2: ``TYPE_OTHER`` is set before the value -- still
        ``TYPE_OTHER`` afterwards.
        """
        value = "0123456789abcdef0123456789abcdef"

        # Scenario 1: inference, then override, then re-assignment.
        first = Hash()
        first.simple_hash_value = value
        self.assertEqual(first.type_, Hash.TYPE_MD5)
        first.type_ = Hash.TYPE_OTHER
        self.assertEqual(first.type_, Hash.TYPE_OTHER)
        first.simple_hash_value = value
        self.assertEqual(first.type_, Hash.TYPE_OTHER)

        # Scenario 2: type set before the value is ever assigned.
        second = Hash()
        second.type_ = Hash.TYPE_OTHER
        second.simple_hash_value = value
        self.assertEqual(second.type_, Hash.TYPE_OTHER)
def main():
    """Print a STIX package holding a single File observable with an MD5 hash.

    The digest is a hard-coded example value; the hash type is pinned to
    MD5 explicitly rather than left to inference from the value.
    """
    # Inner Hash carries the value, outer Hash fixes the type.
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    md5 = Hash(digest, Hash.TYPE_MD5)

    file_obj = File()
    file_obj.add_hash(md5)

    package = STIXPackage()
    header = STIXHeader()
    header.description = "Simple File Hash Observable Example"
    package.stix_header = header

    # add() inspects its argument and files it under the package's
    # top-level observables collection.
    package.add(file_obj)

    print(package.to_xml())
        def _sha256(keypair):
            """Wrap ``keypair['indicator']`` in a File carrying a SHA-256 hash.

            The value is used as-is (None when the key is absent) and labelled
            TYPE_SHA256 without checking that it is a 64-hex-character digest
            -- NOTE(review): consider validating before the indicator is published.
            """
            digest = Hash()
            digest.simple_hash_value = keypair.get('indicator')
            file_obj = File()
            file_obj.add_hash(Hash(digest, Hash.TYPE_SHA256))
            return file_obj
        def _md5(keypair):
            """Wrap ``keypair['indicator']`` in a File carrying an MD5 hash.

            No format check is done on the value (None when the key is absent);
            it is labelled TYPE_MD5 unconditionally -- NOTE(review): a
            32-hex-character check would catch mislabelled digests early.
            """
            digest = Hash()
            digest.simple_hash_value = keypair.get('indicator')
            typed = Hash(digest, Hash.TYPE_MD5)
            file_obj = File()
            file_obj.add_hash(typed)
            return file_obj
    def _sha256(self, keypair):
        """Build a File whose only hash is ``keypair['observable']`` typed as SHA-256.

        ``self`` is unused. The value is not validated (None when the key is
        absent) -- NOTE(review): consider checking for 64 hex characters.
        """
        value = keypair.get('observable')
        digest = Hash()
        digest.simple_hash_value = value
        file_obj = File()
        file_obj.add_hash(Hash(digest, Hash.TYPE_SHA256))
        return file_obj
        def _sha256(keypair):
            """Return a File carrying ``keypair['observable']`` as a SHA-256 hash.

            The value is passed through unchecked (None if absent) and typed
            TYPE_SHA256 -- NOTE(review): a length/hex check would be prudent.
            """
            value = keypair.get('observable')
            digest = Hash()
            digest.simple_hash_value = value
            typed = Hash(digest, Hash.TYPE_SHA256)
            file_obj = File()
            file_obj.add_hash(typed)
            return file_obj
        def _md5(keypair):
            """Return a File carrying ``keypair['observable']`` as an MD5 hash.

            The value is passed through unchecked (None if absent) and typed
            TYPE_MD5 -- NOTE(review): a 32-hex-character check would be prudent.
            """
            digest = Hash()
            digest.simple_hash_value = keypair.get('observable')
            file_obj = File()
            file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))
            return file_obj
        def _sha1(keypair):
            """Wrap ``keypair['indicator']`` in a File carrying a SHA-1 hash.

            The value is used as-is (None when the key is absent) and typed
            TYPE_SHA1 without a 40-hex-character check -- NOTE(review).
            """
            value = keypair.get('indicator')
            digest = Hash()
            digest.simple_hash_value = value
            typed = Hash(digest, Hash.TYPE_SHA1)
            file_obj = File()
            file_obj.add_hash(typed)
            return file_obj
def main():
    """Print a STIX package with one File observable (hard-coded MD5 digest)."""
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    # The outer Hash pins the type to MD5 explicitly.
    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    package = STIXPackage()
    header = STIXHeader()
    header.description = "Example 03"
    package.stix_header = header
    package.add_observable(file_obj)

    print(package.to_xml())
def main():
    """Emit a minimal STIX package: one File observable with a fixed MD5 hash."""
    value_holder = Hash()
    value_holder.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    md5 = Hash(value_holder, Hash.TYPE_MD5)

    observable_file = File()
    observable_file.add_hash(md5)

    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.description = "Example 03"
    package.add_observable(observable_file)

    print(package.to_xml())
def main():
    """Print a STIX package whose single Indicator wraps a File with an MD5 hash."""
    digest = Hash()
    digest.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    file_obj = File()
    file_obj.add_hash(Hash(digest, Hash.TYPE_MD5))

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    # NOTE(review): datetime.now() is naive (no tz info); confirm consumers
    # do not need an explicit offset.
    indicator.set_produced_time(datetime.now())
    indicator.add_object(file_obj)

    package = STIXPackage()
    header = STIXHeader()
    header.description = "Example 02"
    package.stix_header = header
    package.add_indicator(indicator)

    print(package.to_xml())
def main():
    """Build and print a STIX package: one Indicator over a File with an MD5 hash."""
    value_holder = Hash()
    value_holder.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    md5 = Hash(value_holder, Hash.TYPE_MD5)

    observed_file = File()
    observed_file.add_hash(md5)

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    # NOTE(review): produced time is a naive local datetime; confirm that is intended.
    indicator.set_produced_time(datetime.now())
    indicator.add_object(observed_file)

    package = STIXPackage()
    package.stix_header = STIXHeader()
    package.stix_header.description = "Example 02"
    package.add_indicator(indicator)

    print(package.to_xml())
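def stix(json):
    """Build a STIX package of file-hash indicators from Viper's JSON output.

    ``json`` (the name shadows the stdlib module; kept for callers) is read as
    a dict whose ``'default'`` entry is a list of file records with the keys
    ``sha256``, ``sha1``, ``sha512``, ``md5``, ``size``, ``type`` and ``name``
    -- assumed from the keys read below, TODO confirm against the Viper side.

    Header title, description, producer name and TLP colour come from the
    ``[stix]`` section of ``Config``; the produced time is a naive
    ``datetime.now()``.

    Returns ``False`` when building the indicators raises. The success path
    falls off the end (returns None) -- NOTE(review): as shown here the built
    ``stix_package`` is never returned or serialised; confirm what callers expect.

    Fixes vs. the previous version: the sha1 and sha512 digests were gated on
    ``sha_value`` (the sha256) instead of their own value, so a record with
    sha256 but no sha1/sha512 tried to add ``None`` hashes.
    """
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    # Information Source: the producing tool plus our own identity.
    # Note: this is cybox.common.ToolInformation, NOT stix.common.ToolInformation.
    tool = ToolInformation(
        tool_name="viper2stix",
        tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix"
    )
    identity = Identity()
    identity.name = Config.get('stix', 'producer_name')

    stix_header.information_source = InformationSource()
    stix_header.information_source.identity = identity
    stix_header.information_source.tools = ToolInformationList(tool)
    stix_header.information_source.time = Time()
    stix_header.information_source.time.produced_time = datetime.now()

    stix_header.title = Config.get('stix', 'title')

    # Handling: a single TLP marking whose XPath covers every node of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "../../../descendant-or-self::node()"
    tlp = TLPMarkingStructure()
    tlp.color = Config.get('stix', 'TLP')
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    stix_header.description = Config.get('stix', 'description')
    stix_package.stix_header = stix_header
    stix_package.stix_header.handling = handling

    # Each typed digest is only attached when the record carries it.
    typed_digests = (
        ('sha256', Hash.TYPE_SHA256),
        ('sha1', Hash.TYPE_SHA1),
        ('sha512', Hash.TYPE_SHA512),
    )
    try:
        # Debug dump of the incoming records (stdout), kept from the original.
        pp = pprint.PrettyPrinter(indent=5)
        pp.pprint(json['default'])
        for item in json['default']:
            f = File()
            for key, hash_type in typed_digests:
                value = item[key]
                if value is not None:
                    digest = Hash()
                    digest.simple_hash_value = value
                    f.add_hash(Hash(digest, hash_type))

            # The MD5 is handed to add_hash as a bare string; its type is
            # left to the library (a 32-hex value is inferred as MD5).
            f.add_hash(item['md5'])
            # The MD5 is also appended to the package title.
            stix_header.title += ' ' + item['md5']

            f.size_in_bytes = item['size']
            f.file_format = item['type']
            f.file_name = item['name']

            indicator = Indicator()
            indicator.title = "File Hash"
            indicator.description = "File hash served by a Viper instance"
            indicator.add_object(f)
            stix_package.add_indicator(indicator)
    except Exception as e:
        # Broad on purpose: any malformed record aborts the whole package.
        logger.error('Error: %s', format(e))
        return False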
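def _version_info_field(info, key, version=False):
    """Return ``info[key]`` as a string, or ``""`` when it is missing or None.

    With ``version=True`` the ", " separators found in Windows version
    resources are normalised to dots ("1, 2, 3, 4" -> "1.2.3.4").
    """
    value = info.get(key)
    if value is None:
        return ""
    text = str(value)
    return text.replace(", ", ".") if version else text


def createMetaData(stix_package, metadata, strings):
    """Add a WinExecutableFile indicator built from ``metadata`` to ``stix_package``.

    ``metadata`` is a dict with the keys read below (``malfilename``,
    ``malmd5``, ``malsha1``, ``malsha256``, ``malsha512``, ``malmd54k``,
    ``malssdeep``, ``malfilesize``, ``malfiletype``, ``iocimports``,
    ``iocexports``, ``badpesections``, ``versioninfo``); an empty string means
    "not available". ``strings`` is handed unchanged to ``addStrings``.

    Returns the populated WinExecutableFile; it is also wrapped in an
    Observable on a fresh Indicator that is appended to ``stix_package``.

    Fix vs. the previous version: ``size_of_raw_data`` was assigned from
    ``data_size`` even when a section had no size, which either raised
    NameError (first section) or silently reused the previous section's size.
    """
    indicator = Indicator()

    fl = WinExecutableFile()
    if metadata["malfilename"] != "":
        fl.file_name = metadata["malfilename"]
    if metadata["malmd5"] != "":
        fl.md5 = metadata["malmd5"]
    if metadata["malsha1"] != "":
        fl.sha1 = metadata["malsha1"]
    if metadata["malsha256"] != "":
        fl.sha256 = metadata["malsha256"]
    if metadata["malsha512"] != "":
        fl.sha512 = metadata["malsha512"]
    # Digests without a dedicated attribute: "md54k" (presumably the MD5 of
    # the first 4 KiB) goes in as TYPE_OTHER, ssdeep has its own constant.
    for key, hash_type in (("malmd54k", Hash.TYPE_OTHER), ("malssdeep", Hash.TYPE_SSDEEP)):
        if metadata[key] != "":
            digest = Hash()
            digest.simple_hash_value = metadata[key]
            fl.add_hash(Hash(digest, hash_type))
    if metadata["malfilesize"] != "":
        fl.size_in_bytes = metadata["malfilesize"]
    if metadata["malfiletype"] != "":
        fl.file_format = metadata["malfiletype"]

    # Imports: a PEImport entry is attached even when there are no functions,
    # as before.
    peimport = PEImport()
    if len(metadata['iocimports']) > 0:
        imported = PEImportedFunctions()
        for function_name in metadata['iocimports']:
            func = PEImportedFunction()
            func.function_name = function_name
            imported.append(func)
        peimport.imported_functions = imported
    peimportlist = PEImportList()
    peimportlist.append(peimport)

    peexports = PEExports()
    if len(metadata['iocexports']) > 0:
        exported = PEExportedFunctions()
        for function_name in metadata['iocexports']:
            func = PEExportedFunction()
            func.function_name = function_name
            exported.append(func)
        peexports.exported_functions = exported

    # Sections: each entry is (name, raw-size hex string or "", entropy).
    pesectionlist = PESectionList()
    for section in metadata['badpesections']:
        header = PESectionHeaderStruct()
        header.name = section[0]
        if len(section[1]) > 0:
            # Drop the 0x prefix and left-pad to an even digit count
            # (presumably so the value is valid hexBinary).
            data_size = section[1].replace("0x", "")
            if len(data_size) % 2 != 0:
                data_size = "0" + data_size
            header.size_of_raw_data = data_size
        entropy = Entropy()
        entropy.value = float(section[2])
        pesection = PESection()
        pesection.entropy = entropy
        pesection.section_header = header
        pesectionlist.append(pesection)

    # Version resource: every field is stringified, None becomes "".
    peresourcelist = PEResourceList()
    if len(metadata['versioninfo']) > 0:
        info = metadata['versioninfo']
        resource = PEVersionInfoResource()
        resource.comments = _version_info_field(info, 'Comments')
        resource.companyname = _version_info_field(info, 'CompanyName')
        resource.filedescription = _version_info_field(info, 'FileDescription')
        resource.fileversion = _version_info_field(info, 'FileVersion', version=True)
        resource.internalname = _version_info_field(info, 'InternalName')
        resource.langid = ""
        resource.legalcopyright = _version_info_field(info, 'LegalCopyright')
        resource.originalfilename = _version_info_field(info, 'OriginalFilename')
        resource.privatebuild = _version_info_field(info, 'PrivateBuild')
        resource.productname = _version_info_field(info, 'ProductName')
        resource.productversion = _version_info_field(info, 'ProductVersion', version=True)
        resource.specialbuild = _version_info_field(info, 'SpecialBuild')
        peresourcelist.append(resource)

    fl.imports = peimportlist
    fl.exports = peexports
    fl.sections = pesectionlist
    fl.resources = peresourcelist

    addStrings(fl, strings)

    indicator.add_observable(Observable(fl))
    stix_package.add_indicator(indicator)
    return fl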
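# Kill-chain identifiers, hoisted so the phase references in main() cannot
# drift from the phase definitions.
_PRE_PHASE_ID = "stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee"
_POST_PHASE_ID = "stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe"
_CHAIN_ID = "stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d"


def _build_indicator_object(ind, row):
    """Create the CybOX object for one CSV row and tag ``ind`` with its indicator type.

    Dispatches on a substring match of ``row['Indicator Type']`` in the order
    below (so a type mentioning both 'IP' and 'Domain' is handled as IP).
    Returns None when the type is not recognised.
    """
    ind_type = row['Indicator Type']
    indicator_value = row['Indicator']

    if 'IP' in ind_type:
        ind.add_indicator_type("IP Watchlist")
        obj = SocketAddress()
        obj.ip_address = indicator_value
        obj.ip_address.condition = "Equals"
        if row['indValue']:
            # indValue is of the form "TCP Port 42": protocol first, number last.
            port = Port()
            port.port_value = row['indValue'].split()[-1]
            port.layer4_protocol = row['indValue'].split()[0]
            port.port_value.condition = "Equals"
            obj.port = port
        return obj

    if 'Domain' in ind_type:
        ind.add_indicator_type("Domain Watchlist")
        obj = DomainName()
        obj.value = indicator_value
        obj.value.condition = "Equals"
        return obj

    if 'Email' in ind_type:
        # Indicator is "<part>: <value>", e.g. "Sender: attach | Subject: whatever".
        # Split once so a value containing ':' is no longer truncated; a
        # missing ':' still raises IndexError as before. NOTE(review): any
        # whitespace after the colon is kept in ``val``, as before.
        tag, val = indicator_value.split(':', 1)[0], indicator_value.split(':', 1)[1]
        ind.add_indicator_type("Malicious E-mail")
        obj = EmailMessage()
        if "Subject" in tag:
            obj.subject = val
            obj.subject.condition = "Equals"
        elif "Sender" in tag:
            obj.sender = val
            obj.sender.condition = "Equals"
        elif "Attachment" in tag:
            # Inline File carrying the attachment name, linked both as a
            # related object and by id from the Attachments list.
            file_obj = File()
            file_obj.id_ = cybox.utils.create_id(prefix="File")
            file_obj.file_name = val
            file_obj.file_name.condition = "Equals"
            obj.add_related(file_obj, "Contains")
            attach = Attachments()
            attach.append(file_obj.id_)
            obj.attachments = attach
        return obj

    if 'User Agent' in ind_type:
        ind.add_indicator_type(VocabString(ind_type))
        fields = HTTPRequestHeaderFields()
        fields.user_agent = indicator_value
        fields.user_agent.condition = "Equals"
        header = HTTPRequestHeader()
        header.parsed_header = fields
        request = HTTPClientRequest()
        request.http_request_header = header
        exchange = HTTPRequestResponse()
        exchange.http_client_request = request
        obj = HTTPSession()
        obj.http_request_response = [exchange]
        return obj

    if 'URI' in ind_type:
        ind.add_indicator_type(VocabString(ind_type))
        # Indicator is "<METHOD> <uri>".
        request_line = HTTPRequestLine()
        request_line.http_method = indicator_value.split()[0]
        request_line.http_method.condition = "Equals"
        request_line.value = indicator_value.split()[1]
        request_line.value.condition = "Equals"
        request = HTTPClientRequest()
        request.http_request_line = request_line
        exchange = HTTPRequestResponse()
        exchange.http_client_request = request
        obj = HTTPSession()
        obj.http_request_response = [exchange]
        return obj

    if 'File' in ind_type:
        ind.add_indicator_type(VocabString(ind_type))
        obj = File()
        obj.file_name = indicator_value
        obj.file_name.condition = "Equals"
        digest = Hash()
        # XXX assumes that hash digests are stored in this field in real data
        digest.simple_hash_value = row['indValue'].strip()
        digest.simple_hash_value.condition = "Equals"
        # NOTE(review): type_ is presumably only inferred for recognised digest
        # lengths; an unexpected length would leave it None and raise here.
        digest.type_.condition = "Equals"
        obj.add_hash(digest)
        return obj

    if 'Registry' in ind_type:
        ind.add_indicator_type(VocabString(ind_type))
        value = RegistryValue()
        value.name = indicator_value
        value.name.condition = "Equals"
        value.data = row['indValue']
        value.data.condition = "Equals"
        values = RegistryValues()
        values.append(value)
        obj = WinRegistryKey()
        obj.values = values
        return obj

    if 'Mutex' in ind_type:
        ind.add_indicator_type(VocabString(ind_type))
        obj = Mutex()
        obj.name = indicator_value
        obj.name.condition = "Equals"
        return obj

    return None


def main():
    """Convert a CSV of indicators into a STIX package and print it as XML.

    ``--infile``/``-f`` names the CSV (default ``in.csv``). Every row becomes
    one Indicator; columns read: ControlGroupID, IndicatorID, Notes,
    Reference, Infection Type, Indicator Type, Indicator, indValue. Rows with
    an unrecognised Indicator Type are reported on stdout and dropped.

    Fixes vs. the previous version: rows marked 'Post' referenced the *pre*
    infection phase id, and the input file was never closed.
    """
    parser = argparse.ArgumentParser(
        description="Parse a given CSV and output STIX XML",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
    )
    parser.add_argument("--infile", "-f", help="input CSV", default="in.csv")
    args = parser.parse_args()

    # Package header.
    contain_pkg = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "Indicators"
    stix_header.add_package_intent("Indicators")
    # XXX add Information_Source and Handling
    contain_pkg.stix_header = stix_header

    # Two-phase kill chain (pre / post infection) that indicators reference.
    pre = KillChainPhase(phase_id=_PRE_PHASE_ID, name="Pre-infection indicator", ordinality=1)
    post = KillChainPhase(phase_id=_POST_PHASE_ID, name="Post-infection indicator", ordinality=2)
    chain = KillChain(id_=_CHAIN_ID, name="Degenerate Cyber Kill Chain")
    chain.definer = "U5"
    chain.kill_chain_phases = [pre, post]
    contain_pkg.ttps.kill_chains.append(chain)

    # "rb" is what the Python 2 csv module expects; this script still uses
    # Python 2 semantics elsewhere. NOTE(review): on Python 3 this must be "r".
    with open(args.infile, "rb") as fd:
        for row in csv.DictReader(fd):
            ind = Indicator()
            ind.add_alternative_id(row['ControlGroupID'])
            ind.title = "Indicator with ID " + row['IndicatorID']
            ind.description = row['Notes']
            ind.producer = InformationSource()
            ind.producer.description = row['Reference']

            # XXX unknown purpose for 'Malware' field - omitted
            # if the field denotes a specific malware family, we might relate
            # it as 'Malware TTP' to the indicator

            if 'Pre' in row['Infection Type']:
                ind.kill_chain_phases.append(
                    KillChainPhaseReference(phase_id=_PRE_PHASE_ID, kill_chain_id=_CHAIN_ID))
            elif 'Post' in row['Infection Type']:
                ind.kill_chain_phases.append(
                    KillChainPhaseReference(phase_id=_POST_PHASE_ID, kill_chain_id=_CHAIN_ID))

            ind_obj = _build_indicator_object(ind, row)
            if ind_obj is None:
                print("ERR type not supported: " + row['Indicator Type'] + " <- will be omitted from output")
                continue

            ind.add_object(ind_obj)
            contain_pkg.add_indicator(ind)

    print(contain_pkg.to_xml())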