def from_dict(malware_subject_dict): if not malware_subject_dict: return None malware_subject_ = MalwareSubject(None) malware_subject_.id = malware_subject_dict.get('id') malware_subject_.malware_instance_object_attributes = Object.from_dict(malware_subject_dict.get('malware_instance_object_attributes')) malware_subject_.minor_variants = MinorVariants.from_list(malware_subject_dict.get('minor_variants')) malware_subject_.field_data = None #TODO: add support malware_subject_.analyses = Analyses.from_list(malware_subject_dict.get('analyses')) malware_subject_.findings_bundles = FindingsBundleList.from_dict(malware_subject_dict.get('findings_bundles')) malware_subject_.relationships = MalwareSubjectRelationshipList.from_list(malware_subject_dict.get('id')) return malware_subject_
def from_obj(malware_subject_obj): if not malware_subject_obj: return None malware_subject_ = MalwareSubject(None) malware_subject_.id = malware_subject_obj.get_id() malware_subject_.malware_instance_object_attributes = Object.from_obj(malware_subject_obj.get_Malware_Instance_Object_Attributes()) malware_subject_.minor_variants = MinorVariants.from_obj(malware_subject_obj.get_Minor_Variants()) malware_subject_.field_data = None #TODO: add support malware_subject_.analyses = Analyses.from_obj(malware_subject_obj.get_Analyses()) malware_subject_.findings_bundles = FindingsBundleList.from_obj(malware_subject_obj.get_Findings_Bundles()) malware_subject_.relationships = MalwareSubjectRelationshipList.from_obj(malware_subject_obj.get_Relationships()) return malware_subject_
def from_dict(bundle_dict): if not bundle_dict: return None bundle_ = Bundle(None, None) bundle_.id = bundle_dict.get('id') bundle_.schema_version = bundle_dict.get('schema_version') bundle_.defined_subject = bundle_dict.get('defined_subject') bundle_.content_type = bundle_dict.get('content_type') bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f") bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes')) bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications')) bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree')) bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors')) bundle_.actions = ActionList.from_list(bundle_dict.get('actions')) bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators')) bundle_.collections = Collections.from_dict(bundle_dict.get('collections')) return bundle_
def from_obj(bundle_obj): if not bundle_obj: return None bundle_ = Bundle(None, None) bundle_.id = bundle_obj.get_id() bundle_.schema_version = bundle_obj.get_schema_version() bundle_.defined_subject = bundle_obj.get_defined_subject() bundle_.content_type = bundle_obj.get_content_type() bundle_.timestamp = bundle_obj.get_timestamp() bundle_.malware_instance_object_attributes = Object.from_obj(bundle_obj.get_Malware_Instance_Object_Attributes()) if bundle_obj.get_AV_Classifications() is not None: bundle_.av_classifications = AVClassifications.from_obj(bundle_obj.get_AV_Classifications()) bundle_.process_tree = ProcessTree.from_obj(bundle_obj.get_Process_Tree()) if bundle_obj.get_Behaviors() is not None : bundle_.behaviors = BehaviorList.from_obj(bundle_obj.get_Behaviors()) if bundle_obj.get_Actions() is not None : bundle_.actions = ActionList.from_obj(bundle_obj.get_Actions()) if bundle_obj.get_Candidate_Indicators() is not None : bundle_.candidate_indicators = CandidateIndicatorList.from_obj(bundle_obj.get_Candidate_Indicators()) bundle_.collections = Collections.from_obj(bundle_obj.get_Collections()) return bundle_
from maec.package.analysis import Analysis from maec.package.malware_subject import MalwareSubject from maec.package.package import Package from maec.id_generator import Generator from maec.utils import MAECNamespaceParser from cybox.core.object import Object from cybox.core.associated_object import AssociatedObject #Instantiate the ID generator class (for automatic ID generation) with our example namespace generator = Generator('example1') #Instantiate the Bundle, Package, MalwareSubject, and Analysis classes bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False) package = Package(id=generator.generate_package_id()) subject = MalwareSubject(id=generator.generate_malware_subject_id()) analysis = Analysis(id=generator.generate_analysis_id()) #Create the Subject Object Dictionary for use in the Malware Instance Object Attributes subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}} #Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict)) #Create the Associated Object Dictionary for use in the Action associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}} #Create the Action from another dictionary action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]}) #Add the Action to the buundle bundle.add_action(action) #Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) #Add the Malware Subject to the Package package.add_malware_subject(subject) #Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions package.to_xml_file('example1.xml')
def create_object(self, ce1sus_object, event_permissions, user): definition_name = ce1sus_object.definition.name obj = Object() identifier = 'ce1sus:Object-{0}'.format(ce1sus_object.uuid) obj.id_ = identifier # try to find automatic the object container try: clazz = get_class( 'cybox.objects.{0}_object'.format(definition_name.lower()), definition_name) instance = clazz() if definition_name == 'Disk': # TODO: check why this must be set stix bug? setattr(instance, 'type_', None) except ImportError: if definition_name == 'WinEventLog': instance = WinEventLog() # TODO: check why this must be set stix bug? setattr(instance, 'type_', None) elif definition_name == 'UserAccount': instance = UserAccount() elif definition_name == 'WinService': instance = WinService() elif definition_name == 'WindowsRegistryKey': instance = WinRegistryKey() elif definition_name == 'NetworkConnection': instance = NetworkConnection() elif definition_name == 'WinVolume': instance = WinVolume() # TODO: check why this must be set stix bug? setattr(instance, 'drive_type', None) elif definition_name == 'WinKernelHook': instance = WinKernelHook() elif definition_name == 'WinDriver': instance = WinDriver() elif definition_name == 'DomainName': instance = DomainName() # TODO: try to map it manually elif definition_name == 'email': instance = EmailMessage() else: raise Ce1susStixMapperException( 'Required to map manually {0}'.format(definition_name)) obj.properties = instance attributes = ce1sus_object.get_attributes_for_permissions( event_permissions, user) for attribute in attributes: self.map_attribtue(instance, attribute) rel_objects = ce1sus_object.get_related_objects_for_permissions( event_permissions, user) for rel_object in rel_objects: ob = self.create_object(rel_object.object, event_permissions, user) if ob: rel_obj = self.create_related_object(rel_object, event_permissions, user) # cybox_rel_object = RelatedObject(properties=ob.properties, relationship=rel_object.relation) obj.related_objects.append(rel_obj) return obj
def from_dict(statefulmeasure_dict): sm = StatefulMeasure() sm.object_ = Object.from_dict(statefulmeasure_dict.get('object')) return sm
def from_obj(statefulmeasure_obj): sm = StatefulMeasure() sm.object_ = Object.from_obj(statefulmeasure_obj.get_Object()) return sm
def from_dict(object_dict): if not object_dict: return None obj = Object.from_dict(object_dict, AssociatedObject()) obj.association_type_ = VocabString.from_dict(object_dict.get('association_type', None)) return obj
def from_obj(object_obj): if not object_obj: return None obj = Object.from_obj(object_obj, AssociatedObject()) obj.association_type_ = VocabString.from_obj(object_obj.get_Association_Type()) return obj
def vt_report_to_maec_package(vt_report_input, options = None): """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object.""" NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC") maec.utils.set_id_namespace(NS) package = Package() # if only one result, make it a list of one result if type(vt_report_input) != list: vt_report_list = [vt_report_input] else: vt_report_list = vt_report_input for idx, vt_report in enumerate(vt_report_list): # if VirusTotal has never seen this MD5 if vt_report["response_code"] == 0: sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n") sys.stderr.flush(); continue if vt_report["response_code"] == -1: sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " + vt_report.get("verbose_message", "no message provided") + "\n") sys.stderr.flush(); continue malware_subject = MalwareSubject() # create the file object and add hashes file_dict = {} file_dict['xsi:type'] = 'WindowsExecutableFileObjectType' file_dict['hashes'] = [ {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] }, {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] }, {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] } ] # set the object as the defined object object_dict = {} object_dict['id'] = maec.utils.idgen.create_id(prefix="object") object_dict['properties'] = file_dict # bind the object to the malware subject object malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict)) # create the analysis and add it to the subject analysis = Analysis() analysis.type_ = 'triage' analysis.method = 'static' analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T") analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"), 'vendor' : 'VirusTotal', 'name' : 'VirusTotal' })) malware_subject.add_analysis(analysis) bundle_obj = Bundle() for vendor, scan in vt_report["scans"].items(): if scan["result"] is not None: bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor })) # add bundle to subject, bundle to analysis, and subject to package malware_subject.add_findings_bundle(bundle_obj) analysis.set_findings_bundle(bundle_obj.id_) package.add_malware_subject(malware_subject) package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC" if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() return package
def object_from_dict(cls, associated_object_dict): """Create the Associated Object Python object representation from an input dictionary""" associated_obj = Object.object_from_dict(associated_object_dict,core_binding.AssociatedObjectType()) for key, value in associated_object_dict.items(): if key == 'association_type' and utils.test_value(value): associated_obj.set_association_type(value) return associated_obj
def dict_from_object(cls, associated_obj): """Parse and return a dictionary for an Associated Object""" associated_object_dict = Object.dict_from_object(associated_obj) if associated_obj.get_association_type() is not None: associated_object_dict['association_type'] = associated_obj.get_association_type() return associated_object_dict