def test_setting_maec_property_fails(self):
try:
m = MAECInstance()
m.maec = "foo"
except ImportError as e:
self.assertTrue(
all(x in str(e) for x in ("No module named", "maec")))
def test_etree(self):
parser = mixbox.xml.get_xml_parser()
tree = etree.parse(StringIO(self.XML), parser=parser)
ext = MAECInstance()
ext.maec = tree
self._test_xml(ext)
def test_etree(self):
parser = stix.utils.parser.get_xml_parser()
tree = etree.parse(StringIO(self.XML), parser=parser)
ext = MAECInstance()
ext.maec = tree
self._test_xml(ext)
def test_etree_dict(self):
parser = mixbox.xml.get_xml_parser()
tree = etree.parse(StringIO(self.XML), parser=parser)
ext = MAECInstance()
ext.maec = tree
d = ext.to_dict()
ext2 = MAECInstance.from_dict(d)
self._test_xml(ext2)
def test_etree_dict(self):
parser = stix.utils.parser.get_xml_parser()
tree = etree.parse(StringIO(self.XML), parser=parser)
ext = MAECInstance()
ext.maec = tree
d = ext.to_dict()
ext2 = MAECInstance.from_dict(d)
self._test_xml(ext2)
def test_add_name_type(self):
maec_malware_instance = MAECInstance()
maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
maec_malware_instance.add_type("Remote Access Trojan")
maec_xml = text_type(maec_malware_instance.to_xml())
self.assertTrue("Poison Ivy Variant v4392-acc" in maec_xml)
self.assertTrue("Remote Access Trojan" in maec_xml)
def wrap_maec(maec_package, file_name=None):
"""Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.
Args:
maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
file_name: the name of the input file from which the MAEC Package originated,
to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.
Returns:
A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
"""
# Set the namespace to be used in the STIX Package
stix.utils.set_id_namespace(
{"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"})
# Create the STIX MAEC Instance
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)
# Create the STIX Package and add the TTP to it
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
# Create the STIX Header and add it to the Package
stix_header = STIXHeader()
if file_name:
stix_header.title = "STIX TTP wrapper around MAEC file: " + str(
file_name)
stix_header.add_package_intent("Malware Characterization")
# Add the Information Source to the STIX Header
tool_info = ToolInformation()
stix_header.information_source = InformationSource()
tool_info.name = "MAEC to STIX"
tool_info.version = str(maec_to_stix.__version__)
stix_header.information_source.tools = ToolInformationList(tool_info)
stix_package.stix_header = stix_header
return stix_package
def wrap_maec(maec_package, file_name=None):
"""Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.
Args:
maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
file_name: the name of the input file from which the MAEC Package originated,
to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.
Returns:
A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
"""
# Set the namespace to be used in the STIX Package
stix.utils.set_id_namespace({"https://github.com/MAECProject/maec-to-stix":"MAECtoSTIX"})
# Create the STIX MAEC Instance
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)
# Create the STIX Package and add the TTP to it
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
# Create the STIX Header and add it to the Package
stix_header = STIXHeader()
if file_name:
stix_header.title = "STIX TTP wrapper around MAEC file: " + str(file_name)
stix_header.add_package_intent("Malware Characterization")
# Add the Information Source to the STIX Header
tool_info = ToolInformation()
stix_header.information_source = InformationSource()
tool_info.name = "MAEC to STIX"
tool_info.version = str(maec_to_stix.__version__)
stix_header.information_source.tools = ToolInformationList(tool_info)
stix_package.stix_header = stix_header
return stix_package
def test_add_name_type(self):
maec_malware_instance = MAECInstance()
maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
maec_malware_instance.add_type("Remote Access Trojan")
maec_xml = text_type(maec_malware_instance.to_xml())
self.assertTrue("Poison Ivy Variant v4392-acc" in maec_xml)
self.assertTrue("Remote Access Trojan" in maec_xml)
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def main():
maec_malware_instance = MAECInstance()
maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
maec_malware_instance.add_type("Remote Access Trojan")
maec_malware_instance.maec = etree.fromstring(
MAEC_XML, parser=etree.ETCompatXMLParser())
ttp = TTP(title="Poison Ivy Variant v4392-acc")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def main():
maec_malware_instance = MAECInstance()
maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
maec_malware_instance.add_type("Remote Access Trojan")
maec_malware_instance.maec = etree.fromstring(MAEC_XML, parser=etree.ETCompatXMLParser())
ttp = TTP(title="Poison Ivy Variant v4392-acc")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
print(stix_package.to_xml(encoding=None))
def test_handling_maec_object_fails(self):
try:
MAECInstance().from_dict(PythonMAECTests._full_dict)
except ImportError as e:
self.assertTrue(
all(x in str(e) for x in ("No module named", "maec")))
ttp.resources = resource
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
# TTP - Related Threat Actor (basic; by id)
ta = ThreatActor(title='Adversary Bravo')
ta.observed_ttps.append(related_ttp)
# TTP - Related TTP2 (Malware; by id)
ttp2 = TTP(title='Poison Ivy Variant')
malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6')
malware_instance.description = 'Attack Pattern Description'
malware_instance.short_description = 'Attack Pattern Short Description'
malware_instance.add_type(MalwareType('Remote Access Trojan'))
maec = MAECInstance()
maec.add_name('Poison Ivy Variant v4392-acc')
maec.add_type(MalwareType('Exploit Kits'))
ttp2.behavior = Behavior()
ttp2.behavior.add_malware_instance(malware_instance)
ttp2.behavior.add_malware_instance(maec)
# TTP2 - Victim Targeting
victim_targeting = VictimTargeting()
victim_targeting.add_targeted_system(SystemType('Enterprise Systems'))
victim_targeting.add_targeted_information(
InformationType('Information Assets - User Credentials'))
identity = CIQIdentity3_0Instance()
# identity.name = 'Bob Ricca'
def test_setting_maec_property_fails(self):
try:
m = MAECInstance()
m.maec = "foo"
except ImportError as e:
self.assertTrue(all(x in str(e) for x in ("No module named", "maec")))
