def test_remove_marking_mark_one_selector_from_multiple_ones(): after = Malware( granular_markings=[ { "selectors": ["description"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) before = Malware( granular_markings=[ { "selectors": ["description", "modified"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) before = markings.remove_markings(before, [MARKING_IDS[0]], ["modified"]) for m in before["granular_markings"]: assert m in after["granular_markings"]
def Get_Malware(self, Detection: str): try: MalwareX = self.API.malware.read(filters={ "key": "name", "values": [Detection], }) except: return None if not MalwareX: MalwareX = Malware(name=Detection, is_family=False) return MalwareX
def test_set_marking_mark_same_property_same_marking(): before = Malware( granular_markings=[ { "selectors": ["description"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) after = Malware( granular_markings=[ { "selectors": ["description"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) before = markings.set_markings(before, [MARKING_IDS[0]], ["description"]) for m in before["granular_markings"]: assert m in after["granular_markings"]
def test_remove_marking_mark_mutilple_selector_multiple_refs(): before = Malware(granular_markings=[ { "selectors": ["description", "modified"], "marking_ref": MARKING_IDS[0], }, { "selectors": ["description", "modified"], "marking_ref": MARKING_IDS[1], }, ], **MALWARE_KWARGS) before = markings.remove_markings(before, [MARKING_IDS[0], MARKING_IDS[1]], ["description", "modified"]) assert "granular_markings" not in before
def test_set_marking_bad_selector(marking): before = Malware( granular_markings=[ { "selectors": ["description"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) after = Malware( granular_markings=[ { "selectors": ["description"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS ) with pytest.raises(InvalidSelectorError): before = markings.set_markings(before, marking[0], marking[1]) assert before == after
identityPym = Identity(id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33", created="2013-04-14T13:07:49.812Z", modified="2013-04-14T13:07:49.812Z", name="Pym Technologies", identity_class="organization", contact_information="*****@*****.**", sectors=["technology"], spec_version="2.1", type="identity") malware = Malware( id="malware--ae560258-a5cb-4be8-8f05-013d6712295f", created="2014-02-20T09:16:08.989Z", modified="2014-02-20T09:16:08.989Z", created_by_ref=identityPym.id, name="Online Job Site Trojan", description= "Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.", malware_types=["remote-access-trojan"], spec_version="2.1", type="malware", is_family="false") fileMalicious = File(hashes={ "MD5": "1717b7fff97d37a1e1a0029d83492de1", "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea" }, name="resume.pdf", size=83968, id="file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d", spec_version="2.1")
"""Tests for the Data Markings API.""" MALWARE_KWARGS = MALWARE_KWARGS_CONST.copy() MALWARE_KWARGS.update({ 'id': MALWARE_ID, 'type': 'malware', 'created': FAKE_TIME, 'modified': FAKE_TIME, }) @pytest.mark.parametrize( "data", [ ( Malware(**MALWARE_KWARGS), Malware( object_marking_refs=[MARKING_IDS[0]], **MALWARE_KWARGS ), MARKING_IDS[0], ), ( MALWARE_KWARGS, dict( object_marking_refs=[MARKING_IDS[0]], **MALWARE_KWARGS ), MARKING_IDS[0], ), (
def test_add_markings_bad_markings(data): before = Malware(**MALWARE_KWARGS) with pytest.raises(exceptions.InvalidValueError): before = markings.add_markings(before, data, None) assert "object_marking_refs" not in before
"marking_ref": MARKING_IDS[1], }, ], **MALWARE_KWARGS) before = markings.add_markings(before, [MARKING_IDS[0], MARKING_IDS[1]], ["description"]) for m in before["granular_markings"]: assert m in after["granular_markings"] @pytest.mark.parametrize( "data", [ ( Malware(**MALWARE_KWARGS), Malware(granular_markings=[ { "selectors": ["description", "name"], "marking_ref": MARKING_IDS[0], }, ], **MALWARE_KWARGS), MARKING_IDS[0], ), ( MALWARE_KWARGS, dict(granular_markings=[ { "selectors": ["description", "name"], "marking_ref": MARKING_IDS[0],
with open("domains.txt") as f: domains = list(set([a.strip() for a in f.read().split()])) with open("files.txt") as f: filenames = list(set([a.strip() for a in f.read().split()])) with open("processes.txt") as f: processes = list(set([a.strip() for a in f.read().split()])) with open("emails.txt") as f: emails = list(set([a.strip() for a in f.read().split()])) res = [] malware = Malware(name="Pegasus", is_family=False, description="IOCs for Pegasus") res.append(malware) for d in domains: i = Indicator(indicator_types=["malicious-activity"], pattern="[domain-name:value='{}']".format(d), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for p in processes: i = Indicator(indicator_types=["malicious-activity"], pattern="[process:name='{}']".format(p), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware))
indicator = Indicator( id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f", created="2014-06-29T13:49:37.079Z", modified="2014-06-29T13:49:37.079Z", name="Malicious site hosting downloader", description= "This organized threat actor group operates to create profit from all types of crime.", indicator_types=["malicious-activity"], pattern="[url:value = 'http://x4z9arb.cn/4712/']", pattern_type="stix", valid_from="2014-06-29T13:49:37.079000Z") foothold = KillChainPhase(kill_chain_name="mandiant-attack-lifecycle-model", phase_name="establish-foothold") malware = Malware( id="malware--162d917e-766f-4611-b5d6-652791454fca", created="2014-06-30T09:15:17.182Z", modified="2014-06-30T09:15:17.182Z", name="x4z9arb backdoor", malware_types=["backdoor", "remote-access-trojan"], description= "This malware attempts to download remote files after establishing a foothold as a backdoor.", kill_chain_phases=[foothold], is_family="false") relationship = Relationship(indicator, 'indicates', malware) bundle = Bundle(objects=[indicator, malware, relationship])
with open('certificates.yaml') as f: r = yaml.load(f, Loader=yaml.BaseLoader) for entry in r: app = entry['name'].lower() indicators_by_name[app]['certificates'].add(entry['certificate']) with open('appid.yaml') as f: r = yaml.load(f, Loader=yaml.BaseLoader) for entry in r: app = entry['name'].lower() indicators_by_name[app]['appids'].add(entry['package']) res = [] for app_name, entries in indicators_by_name.items(): malware = Malware(name=app_name, is_family=False, description="Stalkerware applications") res.append(malware) for d in entries['domains']: i = Indicator(indicator_types=["malicious-activity"], pattern="[domain-name:value='{}']".format(d), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for h in entries['sha256']: i = Indicator(indicator_types=["malicious-activity"], pattern="[file:hashes.sha256='{}']".format(h), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware))
from stix2.v21 import (Indicator, Malware, Relationship, Bundle) indicator = Indicator( id="indicator--a932fcc6-e032-476c-826f-cb970a5a1ade", created="2014-02-20T09:16:08.989Z", modified="2014-02-20T09:16:08.989Z", name="File hash for Poison Ivy variant", description= "This file hash indicates that a sample of Poison Ivy is present.", indicator_types=["malicious-activity"], pattern= "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", pattern_type="stix", valid_from="2014-02-20T09:00:00.000000Z") malware = Malware(id="malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111", created="2014-02-20T09:16:08.989Z", modified="2014-02-20T09:16:08.989Z", name="Poison Ivy", malware_types=["remote-access-trojan"], is_family="false") relationship = Relationship(indicator, 'indicates', malware) bundle = Bundle(objects=[indicator, malware, relationship])