def test_fields(self):
    """Assigning plain strings to File fields yields the typed wrappers.

    file_name is expected to come back as a String and file_path as a
    FilePath, i.e. the field descriptors coerce the raw str on assignment.
    """
    file_obj = File()
    file_obj.file_name = "blah.exe"
    file_obj.file_path = "C:\\Temp"
    self.assertEqual(String, type(file_obj.file_name))
    self.assertEqual(FilePath, type(file_obj.file_path))
def generate_file_observable(self, filename, h_value, fuzzy):
    """Build a CybOX File from an optional filename and an optional hash.

    A filename containing '/' or '\\' is split with ntpath into file_path and
    file_name; every populated name/path field gets an "Equals" condition.
    When h_value is given it is attached as an exact hash; with fuzzy set the
    hash is then re-typed through self.resolve_fuzzy, first by the "Hashes"
    key and, on KeyError, by the matching entry of File._fields.
    """
    file_object = File()
    if filename:
        looks_like_path = '/' in filename or '\\' in filename
        if looks_like_path:
            file_object.file_path = ntpath.dirname(filename)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filename)
        else:
            file_object.file_name = filename
        file_object.file_name.condition = "Equals"
    if h_value:
        file_object.add_hash(Hash(hash_value=h_value, exact=True))
        # NOTE(review): the fuzzy step is read as nested under the hash check
        # because it rewrites the hash added just above; the unindented source
        # does not make the nesting explicit.
        if fuzzy:
            try:
                self.resolve_fuzzy(file_object, h_value, "Hashes")
            except KeyError:
                hashes_field = next(
                    (fld for fld in file_object._fields if fld.name == "Hashes"),
                    "",
                )
                if hashes_field:
                    self.resolve_fuzzy(file_object, h_value, hashes_field)
    return file_object
def __get_source_objs(self):
    """Return the fixture's source objects: a single SQLite database File."""
    db_file = File()
    db_file.file_name = 'emailprovider.db'
    db_file.file_path = '/data/data/com.android.providers.email/databases/'
    db_file.file_format = 'SQLite 3.x database'
    # Size is assigned as a string, exactly as the fixture does; the typed
    # field presumably coerces it -- verify if exact types matter downstream.
    db_file.size_in_bytes = '2374'
    db_file.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
    return [db_file]
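def test_file_path(self):
    """normalize_object_properties maps the %WinDir% prefix to CSIDL_WINDOWS.

    Both path literals are raw strings.  Written as plain strings, "\\a" in
    "%WinDir%\\abcd.dll" is the BEL escape, so the original compared two
    values that each silently contained a control character instead of a
    backslash and never exercised a real Windows path.
    """
    file_path_string = r"%WinDir%\abcd.dll"
    normalized_file_path_string = r"CSIDL_WINDOWS\abcd.dll"
    file_obj = File()
    file_obj.file_path = file_path_string
    normalize_object_properties(file_obj)
    self.assertEqual(file_obj.file_path.value, normalized_file_path_string)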
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File from a filename and a hash, either of which may be "".

    A filename containing '/' or '\\' is split with ntpath into file_path and
    file_name; otherwise it is used as the bare file_name.  A non-empty
    hashValue is attached as a Hash with no condition.
    """
    file_object = File()
    has_name = filenameValue != ""
    has_hash = hashValue != ""
    if has_name:
        is_pathlike = any(sep in filenameValue for sep in ("/", "\\"))
        if is_pathlike:
            directory, base = ntpath.split(filenameValue)
            file_object.file_path = directory
            file_object.file_name = base
        else:
            file_object.file_name = filenameValue
    if has_hash:
        file_object.add_hash(Hash(hashValue))
    return file_object
def cybox_object_file(obj, meta=None):
    """Convert a file record into a CybOX File.

    obj exposes md5_hash and sha256_hash, where the placeholder values
    'No MD5' and 'No SHA256' mean the digest is unavailable and is skipped.
    meta, when given, supplies file_name, file_extension, file_path and
    file_size.
    """
    # TODO: missing File_Custom_Properties
    cybox_file = File()
    digests = (
        (obj.md5_hash, 'No MD5'),
        (obj.sha256_hash, 'No SHA256'),
    )
    for digest, missing_marker in digests:
        if digest != missing_marker:
            cybox_file.add_hash(Hash(digest))
    if meta:
        cybox_file.file_name = meta.file_name
        cybox_file.file_extension = meta.file_extension
        cybox_file.file_path = meta.file_path
        cybox_file.size_in_bytes = meta.file_size
    return cybox_file
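def main():
    """Print one File observable as a CybOX Observables XML document.

    The path literal escapes its backslash: written with a single backslash,
    "AppData\\Mozilla" contains the invalid escape "\\M", which newer Python
    releases warn about and will eventually reject.
    """
    file_hash = Hash("a7a0390e99406f8975a1895860f55f2f")
    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(file_hash)
    o = Observable(f)
    o.description = "This observable specifies a specific file observation."
    print(Observables(o).to_xml())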
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File with "Equals" conditions from a filename and a hash.

    An empty string means "not supplied" for either argument.  A filename
    containing '/' or '\\' is split with ntpath into file_path and file_name;
    a non-empty hashValue is attached as an exact Hash.
    """
    file_object = File()
    if filenameValue != "":
        if "/" in filenameValue or "\\" in filenameValue:
            directory, base = ntpath.split(filenameValue)
            file_object.file_path = directory
            file_object.file_path.condition = "Equals"
            file_object.file_name = base
        else:
            file_object.file_name = filenameValue
        file_object.file_name.condition = "Equals"
    if hashValue != "":
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
    return file_object
def create_file_object(file_path, original_file_path):
    """Build a CybOX File describing the file on disk at file_path.

    :type file_path: string -- local path the name, size, format and digest are read from
    :type original_file_path: string -- path recorded in the object's file_path
    :rtype: File
    """
    base_name = os.path.basename(file_path)
    _, extension = os.path.splitext(file_path)
    file_obj = File()
    file_obj.file_name = base_name
    file_obj.file_extension = extension
    file_obj.file_path = original_file_path
    # libmagic's content-based description, independent of the extension.
    file_obj.file_format = magic.from_file(file_path)
    file_obj.size_in_bytes = os.path.getsize(file_path)
    file_obj.sha256 = sha256_checksum(file_path)
    return file_obj
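def main():
    """Print a CybOX Observables document for one file carrying three exact hashes.

    Python 2 script (``print`` is a statement).  The path literal escapes its
    backslash: the original "C:\\Temp" written with a single backslash only
    worked because "\\T" happens not to be a recognised escape sequence.
    """
    print '<?xml version="1.0" encoding="UTF-8"?>'
    h1 = Hash("59a7078444ee3c862e4c08b601ed7e01", exact=True)
    h2 = Hash("98e969b49ff2aedf66b94eb82c54b916f1a634cd", exact=True)
    h3 = Hash("1706c7cd14a5c9bbf674b21f9c4f873ac04b7a6f1f2202cd0c5977c48968d188", exact=True)
    f = File()
    f.file_name = "notepad.exe"
    f.file_path = "C:\\Temp"
    for h in (h1, h2, h3):
        f.add_hash(h)
    print Observables(f).to_xml()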
def create_file_observable(ct, bol):
    """Build a File object for the session record d[ct].

    d is a module-level mapping; the record's 'ttylog' becomes file_path and
    its 'timestamp' the accessed_time.  The remaining session fields are
    attached via create_custom_properties.  The 'size' field is only carried
    when bol compares equal to False.
    """
    record = d[ct]
    file_obj = File()
    file_obj.file_path = record['ttylog']
    file_obj.accessed_time = record['timestamp']
    file_obj.custom_properties = CustomProperties()
    # Kept as an equality test rather than `not bol` so that None and other
    # falsy values behave exactly as before (only False/0 enable the size).
    if bol == False:
        file_obj.size_in_bytes = record['size']
    property_map = (
        ("session_Duration", 'duration'),
        ("Event_Name", 'eventid'),
        ("Message", 'message'),
        ("Service", 'system'),
        ("Host", 'sensor'),
        ("Source_IP_Address", 'src_ip'),
    )
    for prop_name, record_key in property_map:
        create_custom_properties(file_obj, prop_name, record[record_key])
    return file_obj
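def main():
    """Print one File observable as CybOX XML under the example.com id namespace.

    Python 2 script (``print`` is a statement).  The path literal escapes its
    backslash: written with a single backslash, "AppData\\Mozilla" contains the
    invalid escape "\\M", which newer Python releases warn about and will
    eventually reject.
    """
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)
    file_hash = Hash("a7a0390e99406f8975a1895860f55f2f")
    f = File()
    f.file_name = "bad_file24.exe"
    f.file_path = "AppData\\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(file_hash)
    o = Observable(f)
    o.description = "This observable specifies a specific file observation."
    print Observables(o).to_xml()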
def cap2cybox(capob):
    """Add a File observable for the module-level path fpath to capob and return it.

    The CybOX id namespace is set to http://example.com/ (alias "lift_s")
    before the object is built.  capob must expose add(observable).
    """
    NS = cybox.utils.Namespace("http://example.com/", "lift_s")
    cybox.utils.set_id_namespace(NS)
    # File information (fpath is a module-level name, not a parameter).
    stem, extension = os.path.splitext(fpath)
    file_obj = File()
    file_obj.file_name = os.path.basename(fpath)
    file_obj.file_path = FilePath(stem)
    file_obj.file_extension = extension
    observable = Observable(file_obj)
    observable.description = u'ファイル情報'  # "file information"; runtime string kept verbatim
    capob.add(observable)
    return capob
def generateFileObservable(filenameValue, hashValue, fuzzy):
    """Build a CybOX File with "Equals" conditions from a filename and a hash.

    An empty string means "not supplied".  A filename containing '/' or '\\'
    is split with ntpath into file_path and file_name.  A non-empty hashValue
    is attached as an exact Hash; with fuzzy set that entry is rewritten in
    place as an ssdeep fuzzy hash (simple_hash_value cleared, fuzzy_hash_value
    and type_ set) by reaching into File._fields["Hashes"]._inner[0].
    """
    file_object = File()
    if filenameValue != "":
        if "/" in filenameValue or "\\" in filenameValue:
            directory, base = ntpath.split(filenameValue)
            file_object.file_path = directory
            file_object.file_path.condition = "Equals"
            file_object.file_name = base
        else:
            file_object.file_name = filenameValue
        file_object.file_name.condition = "Equals"
    if hashValue != "":
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
        # NOTE(review): read as nested under the hash check because it rewrites
        # the entry added just above; the unindented source leaves this implicit.
        if fuzzy:
            hash_entry = file_object._fields["Hashes"]._inner[0]
            hash_entry.simple_hash_value = None
            hash_entry.fuzzy_hash_value = hashValue
            hash_entry.fuzzy_hash_value.condition = "Equals"
            hash_entry.type_ = Hash.TYPE_SSDEEP
            hash_entry.type_.condition = "Equals"
    return file_object
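def _build_indicator(title, indicator_type, observable, ttp):
    """Return an Indicator of the given type wrapping observable and pointing at ttp by id."""
    indicator = Indicator(title=title)
    indicator.add_indicator_type(indicator_type)
    indicator.add_observable(observable)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    return indicator


def main():
    """Print a STIX package with one TTP and four indicators for plugin1.exe.

    Fixes against the original: the "IP Watchlist" type was being added to
    the first indicator instead of indicator4, leaving the network-traffic
    indicator untyped; the temp path literal now escapes its final backslash
    ("\\p" is an invalid escape sequence).
    """
    stix_package = STIXPackage()
    malware_instance = MalwareInstance()
    malware_instance.add_name("plugin1.exe")
    # not really remote access but am not sure what else to put
    malware_instance.add_type("Remote Access Trojan")
    ttp = TTP(title="Install+plugin1.exe")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    # observable 1 Install+plugin1.exe
    file_object = File()
    file_object.file_name = "Install+plugin1.exe"
    file_object.add_hash(Hash("164ecfc36893ee368a3c4cb2fd500b58262f1b87de1e68df74390db0b5445915"))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    # observable 2 plugin1.exe
    # http://cybox.readthedocs.io/en/stable/examples.html#creating-observables
    file_plugin1 = File()
    file_plugin1.file_name = "plugin1.exe"
    file_plugin1.file_path = "C:\\Users\\Default\\AppData\\Local\\temp\\plugin1"
    file_plugin1.add_hash(Hash("ae768b62f5fef4dd604e1b736bdbc3ed30417ef4f67bff74bb57f779d794d6df"))
    file_plugin1.hashes[0].simple_hash_value.condition = "Equals"

    # observable 3 registry key
    # http://cybox.readthedocs.io/en/stable/api/coverage.html
    registry_object = WinRegistryKey()
    registry_object.name = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Ultron Updater"

    # observable 4 network traffic
    # http://stixproject.github.io/documentation/idioms/malware-hash/
    # I couldn't figure out how to correctly indicate the source, dest or protocol
    addr = Address(address_value="192.168.52.219", category=Address.CAT_IPV4)

    indicator = _build_indicator(
        "File hash for Install+plugin.exe", "File Hash Watchlist", file_object, ttp)
    indicator2 = _build_indicator(
        "File hash for plugin1.exe", "File Hash Watchlist", file_plugin1, ttp)
    indicator3 = _build_indicator(
        "Registry entry for Install+plugin.exe", "Malware Artifacts", registry_object, ttp)
    # The address is wrapped explicitly; the File/registry objects are passed bare.
    indicator4 = _build_indicator(
        "Network Traffic for plugine1.exe", "IP Watchlist", Observable(addr), ttp)

    for ind in (indicator, indicator2, indicator3, indicator4):
        stix_package.add_indicator(ind)
    stix_package.add_ttp(ttp)
    print(stix_package.to_xml(encoding=None))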