def create_file_hash_observable(fn, hash_value):
    '''Create a CybOX Observable representing a file hash.'''
    hash_ = Hash(hash_value)
    file_ = File()
    file_.file_name = fn
    file_.add_hash(hash_)
    return Observable(file_)
def main():
    # Create a CyboX File Object
    f = File()

    # This automatically detects that it's an MD5 hash based on the length
    f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = (
        "An indicator containing a File observable with an associated hash"
    )
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(utils.dates.now())

    # Add The File Object to the Indicator. This will promote the CybOX Object
    # to a CybOX Observable internally.
    indicator.add_object(f)

    # Create a STIX Package
    stix_package = STIXPackage()

    # Create the STIX Header and add a description.
    stix_header = STIXHeader()
    stix_header.description = "File Hash Indicator Example"
    stix_package.stix_header = stix_header

    # Add our Indicator object. The add() method will inspect the input and
    # append it to the `stix_package.indicators` collection.
    stix_package.add(indicator)

    # Print the XML!
    print(stix_package.to_xml())
Example #3
0
def main():
    f = File()
    f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
    
    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now(tzutc()))
    indicator.add_object(f)
    
    party_name = PartyName(name_lines=["Foo", "Bar"], person_names=["John Smith", "Jill Smith"], organisation_names=["Foo Inc.", "Bar Corp."])
    ident_spec = STIXCIQIdentity3_0(party_name=party_name)
    ident_spec.add_electronic_address_identifier("*****@*****.**")
    ident_spec.add_free_text_line("Demonstrating Free Text!")
    ident_spec.add_contact_number("555-555-5555")
    ident_spec.add_contact_number("555-555-5556")
    identity = CIQIdentity3_0Instance(specification=ident_spec)
    indicator.set_producer_identity(identity)
    
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example"
    stix_package.stix_header = stix_header
    stix_package.add_indicator(indicator)
    
    xml = stix_package.to_xml() 
    print(xml)
Example #4
0
    def test_fields(self):
        f = File()
        f.file_name = "blah.exe"
        self.assertEqual(String, type(f.file_name))

        f.file_path = "C:\\Temp"
        self.assertEqual(FilePath, type(f.file_path))
def main():
    # Create our CybOX Simple Hash Value
    shv = Hash()
    shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    # Create a CybOX File Object and add the Hash we created above.
    f = File()
    h = Hash(shv, Hash.TYPE_MD5)
    f.add_hash(h)

    # Create the STIX Package
    stix_package = STIXPackage()

    # Create the STIX Header and add a description.
    stix_header = STIXHeader()
    stix_header.description = "Simple File Hash Observable Example"
    stix_package.stix_header = stix_header

    # Add the File Hash Observable to the STIX Package. The add() method will
    # inspect the input and add it to the top-level stix_package.observables
    # collection.
    stix_package.add(f)

    # Print the XML!
    print(stix_package.to_xml())
Example #6
0
    def to_cybox(self, exclude=None):
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256']:
            if attr not in exclude:
                val = getattr(self, attr, None)
                if val:
                    setattr(f, attr, val)
        if self.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(self.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = self.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude:
            data = self.filedata.read()
            if data:
                data = base64.b64encode(data)
                a = Artifact(data=data, type_=Artifact.TYPE_FILE)
                observables.append(Observable(a))
        #if 'filetype' not in exclude and 'file_format' not in exclude:
            #NOTE: this doesn't work because the CybOX File object does not
            #   have any support built in for setting the filetype to a
            #   CybOX-binding friendly object (e.g., calling .to_dict() on
            #   the resulting CybOX object fails on this field.
            #f.file_format = self.filetype
        observables.append(Observable(f))
        return (observables, self.releasability)
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"
    
    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment

    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()

    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"

    file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
    file_attachment_object.attachments.append(file_attachment_object.parent.id_)
    
    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject an attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()

    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(file_attachment_object.parent.id_)

    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object
    
    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
    print stix_package.to_xml()
Example #8
0
        def _sha256(keypair):
            shv = Hash()
            shv.simple_hash_value = keypair.get('observable')

            f = File()
            h = Hash(shv, Hash.TYPE_SHA256)
            f.add_hash(h)
            return f
Example #9
0
        def _md5(keypair):
            shv = Hash()
            shv.simple_hash_value = keypair.get('observable')

            f = File()
            h = Hash(shv, Hash.TYPE_MD5)
            f.add_hash(h)
            return f
Example #10
0
    def test_add_hash_string(self):
        s = "ffffffffffffffffffff"
        f = File()
        f.add_hash(s)

        h = f.hashes[0]
        self.assertEqual(s, str(h.simple_hash_value))
        self.assertEqual(Hash.TYPE_OTHER, h.type_)
Example #11
0
def generateEmailAttachmentObject(indicator, filename):
    file_object = File()
    file_object.file_name = filename
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    email.attachments.append(file_object.parent.id_)
    indicator.observable = email
Example #12
0
    def test_add_hash_string(self):
        s = "ffffffffffffffffffff"
        f = File()
        f.add_hash(s)

        h = f.hashes[0]
        self.assertEqual(s, str(h.simple_hash_value))
        self.assertEqual(Hash.TYPE_OTHER, h.type_)
Example #13
0
        def _sha1(keypair):
            shv = Hash()
            shv.simple_hash_value = keypair.get('indicator')

            f = File()
            h = Hash(shv, Hash.TYPE_SHA1)
            f.add_hash(h)
            return f
Example #14
0
def main():
    mydata = loaddata()
    '''
    Your Namespace
    '''
    #    NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
    #    set_id_namespace(NAMESPACE)
    NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(NAMESPACE)  # new ids will be prefixed by "myNS"

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)

    handling = Marking()
    handling.add_marking(marking_specification)

    timestamp = datetime.datetime.fromtimestamp(
        time.time()).strftime('%Y-%m-%d %H:%M:%S')
    MyTITLE = sanitizer(mydata["Title"])
    SHORT = timestamp

    DESCRIPTION = sanitizer(mydata["Description"])

    wrapper.stix_header = STIXHeader(information_source=info_src,
                                     title=MyTITLE,
                                     description=DESCRIPTION,
                                     short_description=SHORT)
    wrapper.stix_header.handling = handling

    indiDom = Indicator()
    indiDom.title = MyTITLE
    indiDom.add_indicator_type("IP Watchlist")

    for key in mydata["IOC"].keys():
        myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
        myip.condition = "Equals"

        obsu = Observable(myip)

        #if mydata[key].size:
        for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
            ioc = File()
            ioc.add_hash(sanitizer(mydata["IOC"][key]))

            myip.add_related(ioc, "Downloaded")

        indiDom.add_observable(obsu)

    wrapper.add_indicator(indiDom)

    print(wrapper.to_xml())
Example #15
0
    def test_fields_not_shared(self):
        # In a previous version of TypedFields, all objects of the same type
        # shared a single value of each field. Obviously this was a mistake.
        f = File()
        f.file_name = "README.txt"
        self.assertEqual("README.txt", f.file_name)

        f2 = File()
        self.assertEqual(None, f2.file_name)
Example #16
0
    def test_fields_not_shared(self):
        # In a previous version of TypedFields, all objects of the same type
        # shared a single value of each field. Obviously this was a mistake.
        f = File()
        f.file_name = "README.txt"
        self.assertEqual("README.txt", f.file_name)

        f2 = File()
        self.assertEqual(None, f2.file_name)
Example #17
0
    def test_set_hashes(self):
        f = File()
        f.md5 = EMPTY_MD5
        f.sha1 = EMPTY_SHA1
        f.sha256 = EMPTY_SHA256

        self.assertEqual(EMPTY_MD5, f.md5)
        self.assertEqual(EMPTY_SHA1, f.sha1)
        self.assertEqual(EMPTY_SHA256, f.sha256)
Example #18
0
def main():
    # Create a CybOX File Object with a contained hash
    f = File()
    f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = (
        "An indicator containing a File observable with an associated hash")
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(utils.dates.now())

    # Add The File Object to the Indicator. This will promote the CybOX Object
    # to a CybOX Observable internally.
    indicator.add_object(f)

    # Build our STIX CIQ Identity object
    party_name = stix_ciq.PartyName(name_lines=("Foo", "Bar"),
                                    person_names=("John Smith", "Jill Smith"),
                                    organisation_names=("Foo Inc.",
                                                        "Bar Corp."))
    ident_spec = stix_ciq.STIXCIQIdentity3_0(party_name=party_name)
    ident_spec.add_electronic_address_identifier("*****@*****.**")
    ident_spec.add_free_text_line("Demonstrating Free Text!")
    ident_spec.add_contact_number("555-555-5555")
    ident_spec.add_contact_number("555-555-5556")

    # Build and add a CIQ Address
    addr = stix_ciq.Address(free_text_address='1234 Example Lane.',
                            country='USA',
                            administrative_area='An Admin Area')
    ident_spec.add_address(addr)
    identity = stix_ciq.CIQIdentity3_0Instance(specification=ident_spec)

    # Set the Indicator producer identity to our CIQ Identity
    indicator.set_producer_identity(identity)

    # Build our STIX Package
    stix_package = STIXPackage()

    # Build a STIX Header and add a description
    stix_header = STIXHeader()
    stix_header.description = "STIX CIQ Identity Extension Example"

    # Set the STIX Header on our STIX Package
    stix_package.stix_header = stix_header

    # Add our Indicator object. The add() method will inspect the input and
    # append it to the `stix_package.indicators` collection.
    stix_package.add(indicator)

    # Print the XML!
    print(stix_package.to_xml())

    # Print a dictionary!
    pprint(stix_package.to_dict())
    def test_file_path(self):
        file_path_string = "%WinDir%\abcd.dll"
        normalized_file_path_string = "CSIDL_WINDOWS\abcd.dll"

        file_obj = File()
        file_obj.file_path = file_path_string

        normalize_object_properties(file_obj)

        self.assertEqual(file_obj.file_path.value, normalized_file_path_string)
Example #20
0
def create_file_hash_observable(filename, hash_value):
    hash_ = Hash(hash_value)
    file_ = File()
    file_.file_name = filename
    file_.add_hash(hash_)
    file_observable = Observable(file_)
    file_observable.title = "Malware Artifact - File Hash"
    file_observable.description = "File hash derived from sandboxed malware sample."
    file_observable.short_description = "File hash from malware."
    return file_observable
Example #21
0
    def test_file_path(self):
        file_path_string = "%WinDir%\abcd.dll"
        normalized_file_path_string = "CSIDL_WINDOWS\abcd.dll"

        file_obj = File()
        file_obj.file_path = file_path_string

        normalize_object_properties(file_obj)

        self.assertEqual(file_obj.file_path.value, normalized_file_path_string)
Example #22
0
def create_file_hash_observable(filename, hash_value):
    hash_ = Hash(hash_value)
    file_ = File()
    file_.file_name = filename
    file_.add_hash(hash_)
    file_observable = Observable(file_)
    file_observable.title = "Malware Artifact - File Hash"
    file_observable.description = "File hash derived from sandboxed malware sample."
    file_observable.short_description = "File hash from malware."
    return file_observable
Example #23
0
    def to_cybox_observable(self):
        """
            Convert a Certificate to a CybOX Observables.
            Returns a tuple of (CybOX object, releasability list).

            To get the cybox object as xml or json, call to_xml() or
            to_json(), respectively, on the resulting CybOX object.
        """
        custom_prop = Property(
        )  # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obj = File()  # represent cert information as file
        obj.md5 = self.md5
        obj.file_name = self.filename
        obj.file_format = self.filetype
        obj.size_in_bytes = self.size
        obj.custom_properties = CustomProperties()
        obj.custom_properties.append(custom_prop)
        obs = Observable(obj)
        obs.description = self.description
        data = self.filedata.read()
        if data:  # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE)  # create artifact w/data
            a.packaging.append(Base64Encoding())
            obj.add_related(a, "Child_Of")  # relate artifact to file
        return ([obs], self.releasability)
Example #24
0
def resolvePatternObservable(indicator, attribute):
    new_object = None
    if attribute["type"] == "pattern-in-file":
        byte_run = ByteRun()
        byte_run.byte_run_data = attribute["value"]
        new_object = File()
        new_object.byte_runs = ByteRuns(byte_run)
    # custom properties are not implemented in the API yet
    # elif attribute["type"] == "pattern-in-memory":
    # elif attribute["type"] == "pattern-in-traffic":
    return new_object
Example #25
0
def resolvePatternObservable(attribute):
    new_object = None
    if attribute["type"] == "pattern-in-file":
        byte_run = ByteRun()
        byte_run.byte_run_data = attribute["value"]
        new_object = File()
        new_object.byte_runs = ByteRuns(byte_run)
    # custom properties are not implemented in the API yet
    # elif attribute["type"] == "pattern-in-memory":
    # elif attribute["type"] == "pattern-in-traffic":
    return new_object
Example #26
0
    def test_observables_property_standard(self):
        f = File()
        f.file_name = "README.txt"
        obs = Observable(f)
        ind = Indicator()
        ind.observable = obs

        ind2 = Indicator.from_dict(ind.to_dict())

        self.assertEqual([obs.to_dict()],
                         [x.to_dict() for x in ind2.observables])
Example #27
0
def returnAttachmentComposition(attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    observable = Observable()
    if "data" in attribute:
        artifact = Artifact(data = attribute["data"])
        composition = ObservableComposition(observables = [artifact, file_object])
        observable.observable_composition = composition
    else:
        observable = Observable(file_object)
    return observable
Example #28
0
    def test_observables_property_standard(self):
        f = File()
        f.file_name = "README.txt"
        obs = Observable(f)
        ind = Indicator()
        ind.observable = obs

        ind2 = Indicator.from_dict(ind.to_dict())

        self.assertEqual([obs.to_dict()],
                         [x.to_dict() for x in ind2.observables])
Example #29
0
def returnAttachmentComposition(attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    observable = Observable()
    if "data" in attribute:
        artifact = Artifact(data=attribute["data"])
        composition = ObservableComposition(
            observables=[artifact, file_object])
        observable.observable_composition = composition
    else:
        observable = Observable(file_object)
    return observable
Example #30
0
def generateEmailAttachmentObject(indicator, attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
    email.attachments.append(file_object.parent.id_)
    email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
    observable = Observable(email)
    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
    indicator.observable = observable
Example #31
0
    def add_raw_indicator(self , orig_indicator, ts=None):
        indicator_value = orig_indicator
        if not self._is_ascii(indicator_value):
            return False

        indicator_type, _ = guess_type(indicator_value)
        # Create a CyboX File Object
        if indicator_type == StixItemType.IPADDR:
            title = "Malicious IPv4 - %s" % indicator_value
            descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title
            cybox = Address(indicator_value , Address.CAT_IPV4)
        elif indicator_type == StixItemType.DOMAIN:
            title = "Malicious domain - %s" % indicator_value
            descr = "Malicious domain involved with %s" % self._pkg.stix_header.title
            cybox = DomainName()
            cybox.value = indicator_value
        elif indicator_type == StixItemType.MD5:
            title = "Malicious MD5 - %s" % indicator_value
            descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title
            cybox = File()
            cybox.add_hash(indicator_value )
        elif indicator_type == StixItemType.SHA256:
            title = "Malicious SHA256 - %s" % indicator_value
            descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title
            cybox = File()
            cybox.add_hash(indicator_value )
        elif indicator_type == StixItemType.SHA1:
            title = "Malicious SHA1 - %s" % indicator_value
            descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title
            cybox = File()
            cybox.add_hash(indicator_value )
        elif indicator_type == StixItemType.URL:
            title = "Malicious URL - %s" % indicator_value
            descr = "Malicious URL involved with %s" % self._pkg.stix_header.title
            cybox = URI()
            cybox.value = indicator_value
            cybox.type_ = URI.TYPE_URL

        if indicator_type == StixItemType.UNKNOWN:
            return False

        indicator = Indicator()
        indicator.title = title
        indicator.description = descr
        indicator.add_object(cybox)
        indicator.set_producer_identity(self.__author)
        if ts:
            indicator.set_produced_time(ts)
        else:
            indicator.set_produced_time(utils.dates.now())

        self._add(indicator)
        return True
Example #32
0
def generateEmailAttachmentObject(indicator, attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    file_object.file_name.condition = "Equals"
    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(file_object, "Contains", inline=True)
    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
    email.attachments.append(file_object.parent.id_)
    email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
    observable = Observable(email)
    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
    indicator.observable = observable
Example #33
0
def cybox_object_file(obj, meta=None):
    # TODO: missing File_Custom_Properties
    f = File()
    if obj.md5_hash != 'No MD5':
        f.add_hash(Hash(obj.md5_hash))
    if obj.sha256_hash != 'No SHA256':
        f.add_hash(Hash(obj.sha256_hash))
    if meta:
        f.file_name = meta.file_name
        f.file_extension = meta.file_extension
        f.file_path = meta.file_path
        f.size_in_bytes = meta.file_size
    return f
Example #34
0
 def add_file_dropped_observable(self, filename):
     if filename in self.__files:
         return
     self.__files.add(filename)
     #hash_ = Hash(hash_value)
     file_ = File()
     file_.file_name = filename
     #file_.add_hash(hash_)
     file_observable = Observable(file_)
     file_observable.title = "Malware Artifact - File Dropped"
     file_observable.description = "File Dropped derived from sandboxed malware sample."
     file_observable.short_description = "File Dropped from malware."
     self.hash_indicator.add_observable(file_observable)
Example #35
0
def md5(hash, provider, reporttime):
    vuln = Vulnerability()
    vuln.cve_id = "MD5-" + hash
    vuln.description = "maliciousMD5"
    et = ExploitTarget(title=provider + " observable")
    et.add_vulnerability(vuln)
    # Create a CyboX File Object
    f = File()
    # This automatically detects that it's an MD5 hash based on the length
    f.add_hash(hash)

    # Create an Indicator with the File Hash Object created above.
    indicator = Indicator()
    indicator.title = "MD5-" + hash
    indicator.description = ("Malicious hash " + hash + " reported from " +
                             provider)
    indicator.set_producer_identity(provider)
    indicator.set_produced_time(reporttime)

    # Add The File Object to the Indicator. This will promote the CybOX Object
    # to a CybOX Observable internally.

    indicator.add_observable(f)

    # Create a STIX Package
    stix_package = STIXPackage()

    stix_package.add(et)
    stix_package.add(indicator)

    # Print the XML!
    #print(stix_package.to_xml())
    f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w')
    f.write(stix_package.to_xml())
    f.close()
Example #36
0
 def generate_email_attachment_object(self, indicator, attribute):
     attribute_uuid = attribute.uuid
     file_object = File()
     file_object.file_name = attribute.value
     file_object.file_name.condition = "Equals"
     file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute_uuid)
     email = EmailMessage()
     email.attachments = Attachments()
     email.add_related(file_object, "Contains", inline=True)
     email.attachments.append(file_object.parent.id_)
     email.parent.id_ = "{}:EmailMessageObject-{}".format(self.namespace_prefix, attribute_uuid)
     observable = Observable(email)
     observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute_uuid)
     indicator.observable = observable
Example #37
0
def main():
    print '<?xml version="1.0" encoding="UTF-8"?>'

    s = SimpleHashValue()
    s.condition = "IsInSet"
    s.value_set = ["4EC0027BEF4D7E1786A04D021FA8A67F",
                   "21F0027ACF4D9017861B1D021FA8CF76",
                   "2B4D027BEF4D7E1786A04D021FA8CC01"]

    f = File()
    h = Hash(s, Hash.TYPE_MD5)
    f.add_hash(h)

    print Observables(f).to_xml()
Example #38
0
def hash_indicator(hashes=[]):
    hashlist = Indicator()
    hashlist.add_indicator_type("File Hash Watchlist")

    for h in hashes:
        file = File()
        hash = Hash(
            hash_value = h,
            #type_ = "MD5",
        )
        file.add_hash(hash)
        hashlist.add_observable(file)

    return hashlist
Example #39
0
    def to_cybox_observable(self):
        """
            Convert a Certificate to a CybOX Observables.
            Returns a tuple of (CybOX object, releasability list).

            To get the cybox object as xml or json, call to_xml() or
            to_json(), respectively, on the resulting CybOX object.
        """
        custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports
        custom_prop.name = "crits_type"
        custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
        custom_prop._value = "Certificate"
        obj = File() # represent cert information as file
        obj.md5 = self.md5
        obj.file_name = self.filename
        obj.file_format = self.filetype
        obj.size_in_bytes = self.size
        obj.custom_properties = CustomProperties()
        obj.custom_properties.append(custom_prop)
        obs = Observable(obj)
        obs.description = self.description
        data = self.filedata.read()
        if data: # if cert data available
            a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
            a.packaging.append(Base64Encoding())
            obj.add_related(a, "Child_Of") # relate artifact to file
        return ([obs], self.releasability)
Example #40
0
def main():
    shv = Hash()
    shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    f = File()
    h = Hash(shv, Hash.TYPE_MD5)
    f.add_hash(h)

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example 03"
    stix_package.stix_header = stix_header
    stix_package.add_observable(f)

    print(stix_package.to_xml())
 def from_obj(win_file_obj, file_class = None):
     if not win_file_obj:
         return None
     if not file_class:
         win_file_ = File.from_obj(win_file_obj, WinFile())
     else:
         win_file_ = File.from_obj(win_file_obj, file_class)
     win_file_.filename_accessed_time = DateTime.from_obj(win_file_obj.get_Filename_Accessed_Time())
     win_file_.filename_created_time = DateTime.from_obj(win_file_obj.get_Filename_Created_Time())
     win_file_.filename_modified_time = DateTime.from_obj(win_file_obj.get_Filename_Modified_Time())
     win_file_.drive = String.from_obj(win_file_obj.get_Drive())
     win_file_.security_id = String.from_obj(win_file_obj.get_Security_ID())
     win_file_.security_type = String.from_obj(win_file_obj.get_Security_Type())
     win_file_.stream_list = StreamList.from_obj(win_file_obj.get_Stream_List())
     return win_file_
 def from_dict(win_file_dict, file_class = None):
     if not win_file_dict:
         return None
     if not file_class:
         win_file_ = File.from_dict(win_file_dict, WinFile())
     else:
         win_file_ = File.from_dict(win_file_dict, file_class)
     win_file_.filename_accessed_time = DateTime.from_dict(win_file_dict.get('filename_accessed_time'))
     win_file_.filename_created_time = DateTime.from_dict(win_file_dict.get('filename_created_time'))
     win_file_.filename_modified_time = DateTime.from_dict(win_file_dict.get('filename_modified_time'))
     win_file_.drive = String.from_dict(win_file_dict.get('drive'))
     win_file_.security_id = String.from_dict(win_file_dict.get('security_id'))
     win_file_.security_type = String.from_dict(win_file_dict.get('security_type'))
     win_file_.stream_list = StreamList.from_list(win_file_dict.get('stream_list'))
     return win_file_
Example #43
0
    def test_observables_property_composition(self):
        f1 = File()
        f1.file_name = "README.txt"
        f2 = File()
        f2.file_name = "README2.txt"
        obs1 = Observable(f1)
        obs2 = Observable(f2)

        comp = Observable(ObservableComposition('AND', [obs1, obs2]))

        ind = Indicator()
        ind.observable = comp
        ind2 = Indicator.from_dict(ind.to_dict())
        self.assertEqual([obs1.to_dict(), obs2.to_dict()],
                         [x.to_dict() for x in ind2.observables])
Example #44
0
 def __get_source_objs(self):
     f1 = File()
     f1.file_name = 'emailprovider.db'
     f1.file_path = '/data/data/com.android.providers.email/databases/'
     f1.file_format = 'SQLite 3.x database'
     f1.size_in_bytes = '2374'
     f1.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
     return [f1]
Example #45
0
    def test_get_hashes(self):
        f = File()
        f.add_hash(Hash(EMPTY_MD5))
        f.add_hash(Hash(EMPTY_SHA1))
        f.add_hash(Hash(EMPTY_SHA224))
        f.add_hash(Hash(EMPTY_SHA256))
        f.add_hash(Hash(EMPTY_SHA384))
        f.add_hash(Hash(EMPTY_SHA512))

        self.assertEqual(EMPTY_MD5, f.md5)
        self.assertEqual(EMPTY_SHA1, f.sha1)
        self.assertEqual(EMPTY_SHA224, f.sha224)
        self.assertEqual(EMPTY_SHA256, f.sha256)
        self.assertEqual(EMPTY_SHA384, f.sha384)
        self.assertEqual(EMPTY_SHA512, f.sha512)
Example #46
0
def main():
    shv = Hash()
    shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
    
    f = File()
    h = Hash(shv, Hash.TYPE_MD5)
    f.add_hash(h)
    
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example 03"
    stix_package.stix_header = stix_header
    stix_package.add_observable(f)
    
    print(stix_package.to_xml())
Example #47
0
def main():
    print '<?xml version="1.0" encoding="UTF-8"?>'

    attachment = File()
    attachment.file_name = "FooBar Specification (critical revision).doc"
    attachment.add_hash(Hash("4EC0027BEF4D7E1786A04D021FA8A67F"))

    email = EmailMessage()
    email.attachments.append(attachment)
    email.subject = String("New modifications to the specification")
    email.to = EmailRecipients(EmailAddress("*****@*****.**"),
                               EmailAddress("*****@*****.**"))
    email.from_ = EmailAddress("*****@*****.**")


    print Observables(email).to_xml()
Example #48
0
    def object_from_dict(cls, win_file_dict, win_file_obj = None):
        """Create the Win File Object object representation from an input dictionary"""
        if win_file_obj == None:
            win_file_obj = File.object_from_dict(win_file_doct, win_file_binding.WindowsFileObjectType())
            win_file_obj.set_anyAttributes_({'xsi:type' : 'WinFileObj:WinFileObjectType'})
        
        for key, value in win_file_dict.items():
            if key == 'filename_accesssed_time' and utils.test_value(value): 
                win_file_obj.set_Filename_Accessed_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
            elif key == 'filename_created_time' and utils.test_value(value): 
                win_file_obj.set_Filename_Created_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
            elif key == 'filename_modified_time' and utils.test_value(value): 
                win_file_obj.set_Filename_Modified_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
            elif key == 'drive' and utils.test_value(value): 
                win_file_obj.set_Drive(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
            elif key == 'security_id' and utils.test_value(value): 
                win_file_obj.set_Security_ID(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
            elif key == 'security_type' and utils.test_value(value): 
                win_file_obj.set_Security_Type(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
            elif key == 'stream_list':
                stream_list_obj = win_file_binding.StreamListType()
                for stream_dict in value:
                    stream_obj = Stream.object_from_dict(stream_dict)
                    if stream_obj.hasContent_() : stream_list_obj.add_Stream(stream_obj)
                if stream_list_obj.hasContent_() : win_file_obj.set_Stream_List(stream_list_obj)

        return win_file_obj
Example #49
0
 def return_attachment_composition(self, attribute):
     file_object = File()
     file_object.file_name = attribute.value
     file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute.uuid)
     if 'data' in attribute:
         observable_artifact = self.create_artifact_object(attribute, artifact="a")
         observable_file = Observable(file_object)
         observable_file.id_ = "{}:observable-file-{}".format(self.namespace_prefix, attribute.uuid)
         observable = Observable()
         composition = ObservableComposition(observables=[observable_artifact, observable_file])
         observable.observable_composition = composition
     else:
         observable = Observable(file_object)
     observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute.uuid)
     if attribute.comment:
         observable.description = attribute.comment
     return observable
Example #50
0
 def generate_file_observable(self, filename, h_value, fuzzy):
     file_object = File()
     if filename:
         if '/' in filename or '\\' in filename:
             file_object.file_path = ntpath.dirname(filename)
             file_object.file_path.condition = "Equals"
             file_object.file_name = ntpath.basename(filename)
             file_object.file_name.condition = "Equals"
         else:
             file_object.file_name = filename
             file_object.file_name.condition = "Equals"
     if h_value:
         file_object.add_hash(Hash(hash_value=h_value, exact=True))
         if fuzzy:
             try:
                 self.resolve_fuzzy(file_object, h_value, "Hashes")
             except KeyError:
                 field_type = ""
                 for f in file_object._fields:
                     if f.name == "Hashes":
                         field_type = f
                         break
                 if field_type:
                     self.resolve_fuzzy(file_object, h_value, field_type)
     return file_object
Example #51
0
def add_malware(hashVal, TTPTitle, malware_uuid):
    malware_instance = MalwareInstance()
    malware_instance.add_name(TTPTitle)
    # malware_instance.add_type("Malware")

    ttp = TTP(title=TTPTitle)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    file_object = File()
    file_object.add_hash(Hash(hashVal))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    indicator = Indicator(id_="indicator-{0}".format(malware_uuid),
                          title="File hash")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    return (indicator)
Example #52
0
def main():
    f = File()

    # This automatically detects that it's an MD5 hash based on the length
    f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now(tzutc()))
    indicator.add_object(f)

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example "
    stix_package.stix_header = stix_header
    stix_package.add_indicator(indicator)

    print(stix_package.to_xml())
Example #53
0
def returnAttachmentComposition(attribute):
    file_object = File()
    file_object.file_name = attribute["value"]
    file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
    observable = Observable()
    if "data" in attribute:
        artifact = Artifact(data = attribute["data"])
        artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
        observable_artifact = Observable(artifact)
        observable_artifact.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
        observable_file = Observable(file_object)
        observable_file.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-file-" + attribute["uuid"]
        composition = ObservableComposition(observables = [observable_artifact, observable_file])
        observable.observable_composition = composition
    else:
        observable = Observable(file_object)
    observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
    if attribute["comment"] != "":
        observable.description = attribute["comment"]
    return observable
Example #54
0
    def to_cybox(self, exclude=None):
        if exclude == None:
            exclude = []

        observables = []
        f = File()
        for attr in ['md5', 'sha1', 'sha256']:
            if attr not in exclude:
                val = getattr(self, attr, None)
                if val:
                    setattr(f, attr, val)
        if self.ssdeep and 'ssdeep' not in exclude:
            f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
        if 'size' not in exclude and 'size_in_bytes' not in exclude:
            f.size_in_bytes = UnsignedLong(self.size)
        if 'filename' not in exclude and 'file_name' not in exclude:
            f.file_name = self.filename
        # create an Artifact object for the binary if it exists
        if 'filedata' not in exclude:
            data = self.filedata.read()
            if data:
                data = base64.b64encode(data)
                a = Artifact(data=data, type_=Artifact.TYPE_FILE)
                observables.append(Observable(a))
        #if 'filetype' not in exclude and 'file_format' not in exclude:
        #NOTE: this doesn't work because the CybOX File object does not
        #   have any support built in for setting the filetype to a
        #   CybOX-binding friendly object (e.g., calling .to_dict() on
        #   the resulting CybOX object fails on this field.
        #f.file_format = self.filetype
        observables.append(Observable(f))
        return (observables, self.releasability)
def main():
    h = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print(Observables(o).to_xml())
Example #56
0
def create_file_object(file_path, original_file_path):
    """
    :type file_path: string
    :type original_file_path: string
    :rtype: File
    """
    f = File()
    f.file_name = os.path.basename(file_path)
    f.file_extension = os.path.splitext(file_path)[1]
    f.file_path = original_file_path
    f.file_format = magic.from_file(file_path)
    f.size_in_bytes = os.path.getsize(file_path)
    f.sha256 = sha256_checksum(file_path)
    return f
Example #57
0
def main():
    shv = Hash()
    shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"

    f = File()
    h = Hash(shv, Hash.TYPE_MD5)
    f.add_hash(h)

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now())
    indicator.add_object(f)

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example 02"
    stix_package.stix_header = stix_header
    stix_package.add_indicator(indicator)

    print(stix_package.to_xml())
Example #58
0
def generateFileObservable(filenameValue, hashValue):
    file_object = File()
    if (filenameValue != ""):
        if (("/" in filenameValue) or ("\\" in filenameValue)):
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
        if (hashValue != ""):
            file_object.add_hash(Hash(hashValue))
    return file_object
Example #59
0
    def test_set_hashes(self):
        f = File()
        f.md5 = EMPTY_MD5
        f.sha1 = EMPTY_SHA1
        f.sha224 = EMPTY_SHA224
        f.sha256 = EMPTY_SHA256
        f.sha384 = EMPTY_SHA384
        f.sha512 = EMPTY_SHA512

        self.assertEqual(EMPTY_MD5, f.md5)
        self.assertEqual(EMPTY_SHA1, f.sha1)
        self.assertEqual(EMPTY_SHA224, f.sha224)
        self.assertEqual(EMPTY_SHA256, f.sha256)
        self.assertEqual(EMPTY_SHA384, f.sha384)
        self.assertEqual(EMPTY_SHA512, f.sha512)
Example #60
0
    def __create_cybox_files(self, msg):
        """Returns a list of CybOX File objects from the message.

        Attachments can be identified within multipart messages by their
        Content-Disposition header.
        Ex: Content-Disposition: attachment; filename="foobar.jpg"
        """

        files = []

        if self.__verbose_output:
            sys.stderr.write("** parsing attachments\n")

        # extract the email attachments into their own FileObjectType objects
        if msg.is_multipart():
            for part in msg.get_payload():
                if 'content-disposition' in part:
                    # if it's an attachment-type, pull out the filename
                    # and calculate the size in bytes

                    file_name = part.get_filename(failobj='')
                    file_data = part.get_payload(decode=True)

                    #PGP Encrypted could come back as None and ''
                    if file_name or file_data:
                        f = File()

                        #Do what we can with what came back from the payload parsing
                        if file_name:
                            f.file_name = file_name
                            f.file_extension = os.path.splitext(file_name)[1]

                        if file_data:
                            f.size = len(file_data)

                            hashes = []
                            hashes.append(hashlib.md5(file_data).hexdigest())
                            hashes.append(hashlib.sha1(file_data).hexdigest())
                            hashes.append(hashlib.sha256(file_data).hexdigest())
                            hashes.append(hashlib.sha384(file_data).hexdigest())

                            for hash in hashes:
                                f.add_hash(hash)

                        files.append(f)
                        #TODO: add support for created and modified dates
                        #modified_date = self.__get_attachment_modified_date(part)
                        #created_date = self.__get_attachment_created_date(part)

                        if self.__verbose_output:
                            sys.stderr.write("** creating file object for: %s, size: %d bytes\n" % (f.file_name, f.size))

        return files