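# Alert ids end up in a filename; only a plain token is accepted there.
_SAFE_ALERT_ID = re.compile(r"[A-Za-z0-9_-]+\Z")
_FILENAME_RE = re.compile(r"([\w-]+\..*)")
_HTTP_HOST_RE = re.compile(r"~~Host:\s(.*?)~~")
_HTTP_PATH_RE = re.compile(r"^.*\s(.*?)\sHTTP")


def _safe_alert_id(alert_id):
    """Return ``alert_id`` as a string that is safe to embed in a filename.

    The id is taken verbatim from the POSTed JSON, so an attacker-controlled
    value such as ``../../x`` would otherwise let the handler write outside
    SAVE_DIRECTORY.  Raises ValueError for anything but ``[A-Za-z0-9_-]+``.
    """
    text = str(alert_id)
    if not _SAFE_ALERT_ID.match(text):
        raise ValueError("unsafe alert id")
    return text


def _sample_md5(malware_sample):
    """Return the md5sum of the detected sample, or ``"Unknown"``.

    ``malware`` arrives either as a list of dicts or as a single dict; for a
    list the last entry carrying ``md5sum`` wins.
    """
    if isinstance(malware_sample, dict):
        return malware_sample.get("md5sum") or "Unknown"
    sample_hash = ""
    try:
        for entry in malware_sample:
            if isinstance(entry, dict) and "md5sum" in entry:
                sample_hash = entry["md5sum"]
    except TypeError:
        # Neither a dict nor an iterable: nothing usable in it.
        pass
    return sample_hash or "Unknown"


def _collect_artifacts(os_changes):
    """Extract artifacts from the alert's ``os-changes`` mapping.

    Returns five sets: hostnames, ips, urls, md5s and sha1s; the hash sets
    hold ``(filename, digest)`` tuples.  Entries missing a field are skipped
    instead of aborting the whole request.  Raises AttributeError/TypeError
    when ``os_changes`` or its entries are not mappings.
    """
    hostnames, ips, urls, md5s, sha1s = set(), set(), set(), set(), set()

    for entry in os_changes.get("network", ()):
        if "hostname" in entry:
            hostnames.add(entry["hostname"])
        if "ipaddress" in entry:
            ips.add(entry["ipaddress"])
        if "http_request" in entry:
            host = _HTTP_HOST_RE.search(entry["http_request"])
            path = _HTTP_PATH_RE.search(entry["http_request"])
            # A URL needs both the Host header and the request line; with only
            # one of them the original could raise NameError or reuse a stale
            # value from a previous entry.
            if host and path:
                urls.add(host.group(1) + path.group(1))
        process_info = entry.get("processinfo") or {}
        if "md5sum" in process_info:
            name = _FILENAME_RE.search(process_info.get("imagepath", ""))
            if name:
                md5s.add((name.group(1), process_info["md5sum"]))

    for entry in os_changes.get("process", ()):
        name = _FILENAME_RE.search(entry.get("value", ""))
        if not name:
            continue
        if "md5sum" in entry:
            md5s.add((name.group(1), entry["md5sum"]))
        if "sha1sum" in entry:
            sha1s.add((name.group(1), entry["sha1sum"]))

    return hostnames, ips, urls, md5s, sha1s


def _new_indicator(title, watchlist, description, short_description):
    """Create an Indicator stamped with this producer and the current time."""
    indicator = Indicator()
    indicator.title = title
    indicator.description = description
    indicator.short_description = short_description
    indicator.set_producer_identity(PRODUCER_NAME)
    indicator.set_produced_time(utils.dates.now())
    indicator.indicator_types.append(watchlist)
    return indicator


def _write_package(path, stix_package):
    """Serialise ``stix_package`` to ``path``, closing the file on every path.

    python-stix may hand back bytes or text depending on version/encoding;
    the open mode follows the returned type so the write cannot fail on that.
    """
    xml = stix_package.to_xml()
    mode = "wb" if isinstance(xml, bytes) else "w"
    with open(path, mode) as handle:
        handle.write(xml)


def create_stix_file():
    """Flask handler: turn a POSTed FireEye alert into a STIX package on disk.

    Decodes the request body, pulls domains, IPs, URLs and file hashes out of
    ``alert.explanation.os-changes``, wraps them in four watchlist Indicators
    and writes ``SAVE_DIRECTORY/fireeye_<alert id>.xml``.

    Returns a JSON response: 200 on success; 400 when the body is not JSON,
    lacks the expected keys, or carries an alert id that is not a plain
    token (such an id could otherwise traverse out of SAVE_DIRECTORY); 500
    when the package cannot be written.
    """
    set_id_namespace({PRODUCER_URL: PRODUCER_NAME})

    try:
        data = json.loads(request.data)
    except (ValueError, TypeError):
        return make_response(jsonify({"Error": "Unable to decode json object"}), 400)

    try:
        alert = data["alert"]
        explanation = alert["explanation"]
        # Validate the id before any other work: it becomes part of a path.
        alert_id = _safe_alert_id(alert["id"])
        sample_hash = _sample_md5(explanation["malware-detected"]["malware"])
        hostnames, ips, urls, md5s, sha1s = _collect_artifacts(explanation["os-changes"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)

    domain_indicator = _new_indicator(
        "Malware Artifacts - Domain",
        "Domain Watchlist",
        "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "Domains from " + sample_hash,
    )
    # Only the domain indicator carries this extra attribute; kept as-is.
    domain_indicator.type = "Malware Artifacts"
    ip_indicator = _new_indicator(
        "Malware Artifacts - IP",
        "IP Watchlist",
        "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "IPs from " + sample_hash,
    )
    url_indicator = _new_indicator(
        "Malware Artifacts - URL",
        "URL Watchlist",
        "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "URLs from " + sample_hash,
    )
    hash_indicator = _new_indicator(
        "Malware Artifacts - File Hash",
        "File Hash Watchlist",
        "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "Hash from " + sample_hash,
    )

    for hostname in hostnames:
        domain_indicator.add_observable(create_domain_name_observable(hostname))
    for ip in ips:
        ip_indicator.add_observable(create_ipv4_observable(ip))
    for url in urls:
        url_indicator.add_observable(create_url_observable(url))
    for filename, digest in list(md5s) + list(sha1s):
        hash_indicator.add_observable(create_file_hash_observable(filename, digest))

    stix_package = STIXPackage()
    stix_header = STIXHeader({"Indicators - Malware Artifacts"})
    stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + alert_id
    stix_package.stix_header = stix_header
    for indicator in (domain_indicator, ip_indicator, url_indicator, hash_indicator):
        stix_package.add(indicator)

    save_as = SAVE_DIRECTORY + "/fireeye_" + alert_id + ".xml"
    try:
        _write_package(save_as, stix_package)
    except (IOError, OSError):
        # A write failure is a server-side problem, not a bad request.
        return make_response(jsonify({"Error": "Unable to write STIX document"}), 500)

    return make_response(jsonify({"Success": "STIX document successfully generated"}), 200)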
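def __init__(self, alert):
    """Build the empty STIX package and one Indicator per artifact class.

    ``alert`` must expose ``product`` (used as the producer identity) and an
    integer ``id`` (formatted with ``%d``, so a non-integer id raises
    TypeError).  The ``__urls``/``__domains``/... sets start empty; the
    ``*_indicator`` attributes are created here with no observables attached.
    """
    self.__urls = set()
    self.__domains = set()
    self.__ipv4 = set()
    self.__hashes = set()
    self.__regkeys = set()
    self.__files = set()
    self.__emails = set()

    producer_name = alert.product
    alert_ref = "%d" % alert.id

    def build(title, description, short_description, indicator_type):
        """Create an Indicator stamped with the producer and the current time."""
        indicator = Indicator()
        indicator.title = title
        indicator.description = description
        indicator.short_description = short_description
        indicator.set_producer_identity(producer_name)
        indicator.set_produced_time(utils.dates.now())
        indicator.indicator_types.append(indicator_type)
        return indicator

    self.domain_indicator = build(
        "Malware Artifacts - Domain",
        "Domains derived from sandboxed malware sample. AlertID: " + alert_ref,
        "Domains from " + alert_ref,
        IndicatorType_1_1.TERM_DOMAIN_WATCHLIST,
    )
    # Only the domain indicator carries this extra attribute; kept as-is.
    self.domain_indicator.type = "Malware Artifacts"

    self.ip_indicator = build(
        "Malware Artifacts - IP",
        "IPs derived from sandboxed malware sample. AlertID: " + alert_ref,
        "IPs from " + alert_ref,
        IndicatorType_1_1.TERM_IP_WATCHLIST,
    )
    self.url_indicator = build(
        "Malware Artifacts - URL",
        "URLs derived from sandboxed malware sample. AlertID: " + alert_ref,
        "URLs from " + alert_ref,
        IndicatorType_1_1.TERM_URL_WATCHLIST,
    )
    self.hash_indicator = build(
        "Malware Artifacts - Files",
        "Files derived from sandboxed malware sample. AlertID: " + alert_ref,
        "File from " + alert_ref,
        IndicatorType_1_1.TERM_FILE_HASH_WATCHLIST,
    )
    # Description now names registry entries (it previously said "File hashes").
    self.reg_indicator = build(
        "Malware Artifacts - Registry entries",
        "Registry entries derived from sandboxed malware sample. AlertID: " + alert_ref,
        "Registry entries from " + alert_ref,
        IndicatorType_1_1.TERM_MALWARE_ARTIFACTS,
    )
    self.email_indicator = build(
        "Malware Artifacts - Malicious Email",
        "Email headers. AlertID: " + alert_ref,
        "Email headers from " + alert_ref,
        IndicatorType_1_1.TERM_MALICIOUS_EMAIL,
    )

    self.stix_package = STIXPackage()
    stix_header = STIXHeader({"Indicators - Malware Artifacts"})
    stix_header.description = "FireEye Sample ID " + alert_ref
    self.stix_package.stix_header = stix_header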
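# Alert ids end up in a filename; only a plain token is accepted there.
_SAFE_ALERT_ID = re.compile(r"[A-Za-z0-9_-]+\Z")
_FILENAME_RE = re.compile(r"([\w-]+\..*)")
_HTTP_HOST_RE = re.compile(r"~~Host:\s(.*?)~~")
_HTTP_PATH_RE = re.compile(r"^.*\s(.*?)\sHTTP")


def _safe_alert_id(alert_id):
    """Return ``alert_id`` as a string that is safe to embed in a filename.

    The id is taken verbatim from the POSTed JSON, so an attacker-controlled
    value such as ``../../x`` would otherwise let the handler write outside
    SAVE_DIRECTORY.  Raises ValueError for anything but ``[A-Za-z0-9_-]+``.
    """
    text = str(alert_id)
    if not _SAFE_ALERT_ID.match(text):
        raise ValueError("unsafe alert id")
    return text


def _sample_md5(malware_sample):
    """Return the md5sum of the detected sample, or ``"Unknown"``.

    ``malware`` arrives either as a list of dicts or as a single dict; for a
    list the last entry carrying ``md5sum`` wins.
    """
    if isinstance(malware_sample, dict):
        return malware_sample.get("md5sum") or "Unknown"
    sample_hash = ""
    try:
        for entry in malware_sample:
            if isinstance(entry, dict) and "md5sum" in entry:
                sample_hash = entry["md5sum"]
    except TypeError:
        # Neither a dict nor an iterable: nothing usable in it.
        pass
    return sample_hash or "Unknown"


def _collect_artifacts(os_changes):
    """Extract artifacts from the alert's ``os-changes`` mapping.

    Returns five sets: hostnames, ips, urls, md5s and sha1s; the hash sets
    hold ``(filename, digest)`` tuples.  Entries missing a field are skipped
    instead of aborting the whole request.  Raises AttributeError/TypeError
    when ``os_changes`` or its entries are not mappings.
    """
    hostnames, ips, urls, md5s, sha1s = set(), set(), set(), set(), set()

    for entry in os_changes.get("network", ()):
        if "hostname" in entry:
            hostnames.add(entry["hostname"])
        if "ipaddress" in entry:
            ips.add(entry["ipaddress"])
        if "http_request" in entry:
            host = _HTTP_HOST_RE.search(entry["http_request"])
            path = _HTTP_PATH_RE.search(entry["http_request"])
            # A URL needs both the Host header and the request line; with only
            # one of them the original could raise NameError or reuse a stale
            # value from a previous entry.
            if host and path:
                urls.add(host.group(1) + path.group(1))
        process_info = entry.get("processinfo") or {}
        if "md5sum" in process_info:
            name = _FILENAME_RE.search(process_info.get("imagepath", ""))
            if name:
                md5s.add((name.group(1), process_info["md5sum"]))

    for entry in os_changes.get("process", ()):
        name = _FILENAME_RE.search(entry.get("value", ""))
        if not name:
            continue
        if "md5sum" in entry:
            md5s.add((name.group(1), entry["md5sum"]))
        if "sha1sum" in entry:
            sha1s.add((name.group(1), entry["sha1sum"]))

    return hostnames, ips, urls, md5s, sha1s


def _new_indicator(title, watchlist, description, short_description):
    """Create an Indicator stamped with this producer and the current time."""
    indicator = Indicator()
    indicator.title = title
    indicator.description = description
    indicator.short_description = short_description
    indicator.set_producer_identity(PRODUCER_NAME)
    indicator.set_produced_time(utils.dates.now())
    indicator.indicator_types.append(watchlist)
    return indicator


def _write_package(path, stix_package):
    """Serialise ``stix_package`` to ``path``, closing the file on every path.

    python-stix may hand back bytes or text depending on version/encoding;
    the open mode follows the returned type so the write cannot fail on that.
    """
    xml = stix_package.to_xml()
    mode = "wb" if isinstance(xml, bytes) else "w"
    with open(path, mode) as handle:
        handle.write(xml)


def create_stix_file():
    """Flask handler: turn a POSTed FireEye alert into a STIX package on disk.

    Decodes the request body, pulls domains, IPs, URLs and file hashes out of
    ``alert.explanation.os-changes``, wraps them in four watchlist Indicators
    and writes ``SAVE_DIRECTORY/fireeye_<alert id>.xml``.

    Returns a JSON response: 200 on success; 400 when the body is not JSON,
    lacks the expected keys, or carries an alert id that is not a plain
    token (such an id could otherwise traverse out of SAVE_DIRECTORY); 500
    when the package cannot be written.
    """
    set_id_namespace({PRODUCER_URL: PRODUCER_NAME})

    try:
        data = json.loads(request.data)
    except (ValueError, TypeError):
        return make_response(jsonify({"Error": "Unable to decode json object"}), 400)

    try:
        alert = data["alert"]
        explanation = alert["explanation"]
        # Validate the id before any other work: it becomes part of a path.
        alert_id = _safe_alert_id(alert["id"])
        sample_hash = _sample_md5(explanation["malware-detected"]["malware"])
        hostnames, ips, urls, md5s, sha1s = _collect_artifacts(explanation["os-changes"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return make_response(jsonify({"Error": "Unable to parse JSON object"}), 400)

    domain_indicator = _new_indicator(
        "Malware Artifacts - Domain",
        "Domain Watchlist",
        "Domains derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "Domains from " + sample_hash,
    )
    # Only the domain indicator carries this extra attribute; kept as-is.
    domain_indicator.type = "Malware Artifacts"
    ip_indicator = _new_indicator(
        "Malware Artifacts - IP",
        "IP Watchlist",
        "IPs derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "IPs from " + sample_hash,
    )
    url_indicator = _new_indicator(
        "Malware Artifacts - URL",
        "URL Watchlist",
        "URLs derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "URLs from " + sample_hash,
    )
    hash_indicator = _new_indicator(
        "Malware Artifacts - File Hash",
        "File Hash Watchlist",
        "File hashes derived from sandboxed malware sample. MD5 Hash: " + sample_hash,
        "Hash from " + sample_hash,
    )

    for hostname in hostnames:
        domain_indicator.add_observable(create_domain_name_observable(hostname))
    for ip in ips:
        ip_indicator.add_observable(create_ipv4_observable(ip))
    for url in urls:
        url_indicator.add_observable(create_url_observable(url))
    for filename, digest in list(md5s) + list(sha1s):
        hash_indicator.add_observable(create_file_hash_observable(filename, digest))

    stix_package = STIXPackage()
    stix_header = STIXHeader({"Indicators - Malware Artifacts"})
    stix_header.description = PRODUCER_NAME + ": FireEye Sample ID " + alert_id
    stix_package.stix_header = stix_header
    for indicator in (domain_indicator, ip_indicator, url_indicator, hash_indicator):
        stix_package.add(indicator)

    save_as = SAVE_DIRECTORY + "/fireeye_" + alert_id + ".xml"
    try:
        _write_package(save_as, stix_package)
    except (IOError, OSError):
        # A write failure is a server-side problem, not a bad request.
        return make_response(jsonify({"Error": "Unable to write STIX document"}), 500)

    return make_response(jsonify({"Success": "STIX document successfully generated"}), 200)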