Example #1
0
 def __create_cybox_main_file(self, fdict):
     f = File()
     f.file_name = String(fdict['filename'])
     try:
         f.file_extension = String('.'+fdict['filename'].rsplit('.')[-1])
     except:
         f.file_extension = ""
     f.size_in_bytes = int(fdict['size'])
     f.add_hash(Hash(fdict['md5'], type_="MD5", exact=True))
     f.add_hash(Hash(fdict['sha1'], type_="SHA1", exact=True))
     f.add_hash(Hash(fdict['sha256'], type_="SHA256", exact=True))
     return f
def _dostix(hashes):
    '''This function creates a STIX packages containing hashes.'''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"

        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']

        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'],
                    timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(idref=SETTINGS['suggested_coa'],
                               timestamp=indicator.timestamp))
        except KeyError:
            pass

        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except TypeError:
                pass
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError:
        pass
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"
    
    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment

    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()

    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"

    file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
    file_attachment_object.attachments.append(file_attachment_object.parent.id_)
    
    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject an attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()

    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(file_attachment_object.parent.id_)

    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object
    
    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
    print stix_package.to_xml()
Example #4
0
    def __create_cybox_files(self, msg):
        """Returns a list of CybOX File objects from the message.

        Attachments can be identified within multipart messages by their
        Content-Disposition header.
        Ex: Content-Disposition: attachment; filename="foobar.jpg"
        """

        files = []

        if self.__verbose_output:
            sys.stderr.write("** parsing attachments\n")

        # extract the email attachments into their own FileObjectType objects
        if msg.is_multipart():
            for part in msg.get_payload():
                if 'content-disposition' in part:
                    # if it's an attachment-type, pull out the filename
                    # and calculate the size in bytes

                    file_name = part.get_filename(failobj='')
                    file_data = part.get_payload(decode=True)

                    #PGP Encrypted could come back as None and ''
                    if file_name or file_data:
                        f = File()

                        #Do what we can with what came back from the payload parsing
                        if file_name:
                            f.file_name = file_name
                            f.file_extension = os.path.splitext(file_name)[1]

                        if file_data:
                            f.size = len(file_data)

                            hashes = []
                            hashes.append(hashlib.md5(file_data).hexdigest())
                            hashes.append(hashlib.sha1(file_data).hexdigest())
                            hashes.append(hashlib.sha256(file_data).hexdigest())
                            hashes.append(hashlib.sha384(file_data).hexdigest())

                            for hash in hashes:
                                f.add_hash(hash)

                        files.append(f)
                        #TODO: add support for created and modified dates
                        #modified_date = self.__get_attachment_modified_date(part)
                        #created_date = self.__get_attachment_created_date(part)

                        if self.__verbose_output:
                            sys.stderr.write("** creating file object for: %s, size: %d bytes\n" % (f.file_name, f.size))

        return files
Example #5
0
def cybox_object_file(obj, meta=None):
    # TODO: missing File_Custom_Properties
    f = File()
    if obj.md5_hash != 'No MD5':
        f.add_hash(Hash(obj.md5_hash))
    if obj.sha256_hash != 'No SHA256':
        f.add_hash(Hash(obj.sha256_hash))
    if meta:
        f.file_name = meta.file_name
        f.file_extension = meta.file_extension
        f.file_path = meta.file_path
        f.size_in_bytes = meta.file_size
    return f
Example #6
0
def cybox_object_file(obj, meta=None):
    # TODO: missing File_Custom_Properties
    f = File()
    if obj.md5_hash != 'No MD5':
        f.add_hash(Hash(obj.md5_hash))
    if obj.sha256_hash != 'No SHA256':
        f.add_hash(Hash(obj.sha256_hash))
    if meta:
        f.file_name = meta.file_name
        f.file_extension = meta.file_extension
        f.file_path = meta.file_path
        f.size_in_bytes = meta.file_size
    return f
def main():
    h = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print(Observables(o).to_xml())
Example #8
0
def create_file_object(file_path, original_file_path):
    """
    :type file_path: string
    :type original_file_path: string
    :rtype: File
    """
    f = File()
    f.file_name = os.path.basename(file_path)
    f.file_extension = os.path.splitext(file_path)[1]
    f.file_path = original_file_path
    f.file_format = magic.from_file(file_path)
    f.size_in_bytes = os.path.getsize(file_path)
    f.sha256 = sha256_checksum(file_path)
    return f
def main():
    h = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print(Observables(o).to_xml())
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    h = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print Observables(o).to_xml()
def main():
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)

    h = Hash("a7a0390e99406f8975a1895860f55f2f")

    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)

    o = Observable(f)
    o.description = "This observable specifies a specific file observation."

    print Observables(o).to_xml()
Example #12
0
 def __create_cybox_dropped_files(self, dropps, main_sha256):
     dropped = []
     if not dropps:
         return dropped
     for item in dropps:
         """ skip original file """
         if item['sha256'] == main_sha256:
             continue
         f = File()
         f.file_name = String(item['name'])
         f.file_extension = String('.'+item['name'].rsplit('.')[-1])
         f.size_in_bytes = int(item['size'])
         f.add_hash(Hash(item['md5'], type_="MD5", exact=True))
         f.add_hash(Hash(item['sha1'], type_="SHA1", exact=True))
         f.add_hash(Hash(item['sha256'], type_="SHA256", exact=True))
         dropped.append(f)
     return dropped
Example #13
0
def cap2cybox(capob):
  NS = cybox.utils.Namespace("http://example.com/","lift_s")
  cybox.utils.set_id_namespace(NS)

  #ファイル情報
  files = File()
  root, ext = os.path.splitext(fpath)
  path = FilePath(root)
  files.file_name = os.path.basename(fpath)
  files.file_path = path
  files.file_extension = ext

  capObser = Observable(files)
  capObser.description = u'ファイル情報'
  ls = [capObser]
  for ob in ls:
    capob.add(ob)
  return capob
Example #14
0
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"

    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment

    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()

    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"

    file_attachment_object.add_related(attached_file_object,
                                       "Contains",
                                       inline=True)
    file_attachment_object.attachments.append(attached_file_object.parent.id_)

    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject an attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()

    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(attached_file_object.parent.id_)

    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object

    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(combined_indicator)
    stix_package.add_indicator(email_subject_indicator)
    stix_package.add_indicator(indicator_attachment)
    print(stix_package.to_xml(encoding=None))
Example #15
0
def _dostix(hashes):
    '''This function creates a STIX packages containing hashes.'''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"

        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']

        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'],
                    timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(
                    idref=SETTINGS['suggested_coa'],
                    timestamp=indicator.timestamp))
        except KeyError:
            pass

        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except TypeError:
                pass
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError:
        pass