def test_remove_marking_mark_one_selector_from_multiple_ones():
after = Malware(
granular_markings=[
{
"selectors": ["description"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
before = Malware(
granular_markings=[
{
"selectors": ["description", "modified"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
before = markings.remove_markings(before, [MARKING_IDS[0]], ["modified"])
for m in before["granular_markings"]:
assert m in after["granular_markings"]
def Get_Malware(self, Detection: str):
try:
MalwareX = self.API.malware.read(filters={
"key": "name",
"values": [Detection],
})
except:
return None
if not MalwareX:
MalwareX = Malware(name=Detection, is_family=False)
return MalwareX
def test_set_marking_mark_same_property_same_marking():
before = Malware(
granular_markings=[
{
"selectors": ["description"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
after = Malware(
granular_markings=[
{
"selectors": ["description"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
before = markings.set_markings(before, [MARKING_IDS[0]], ["description"])
for m in before["granular_markings"]:
assert m in after["granular_markings"]
def test_remove_marking_mark_mutilple_selector_multiple_refs():
before = Malware(granular_markings=[
{
"selectors": ["description", "modified"],
"marking_ref": MARKING_IDS[0],
},
{
"selectors": ["description", "modified"],
"marking_ref": MARKING_IDS[1],
},
],
**MALWARE_KWARGS)
before = markings.remove_markings(before, [MARKING_IDS[0], MARKING_IDS[1]],
["description", "modified"])
assert "granular_markings" not in before
def test_set_marking_bad_selector(marking):
before = Malware(
granular_markings=[
{
"selectors": ["description"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
after = Malware(
granular_markings=[
{
"selectors": ["description"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS
)
with pytest.raises(InvalidSelectorError):
before = markings.set_markings(before, marking[0], marking[1])
assert before == after
identityPym = Identity(id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
created="2013-04-14T13:07:49.812Z",
modified="2013-04-14T13:07:49.812Z",
name="Pym Technologies",
identity_class="organization",
contact_information="*****@*****.**",
sectors=["technology"],
spec_version="2.1",
type="identity")
malware = Malware(
id="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
created_by_ref=identityPym.id,
name="Online Job Site Trojan",
description=
"Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
malware_types=["remote-access-trojan"],
spec_version="2.1",
type="malware",
is_family="false")
fileMalicious = File(hashes={
"MD5": "1717b7fff97d37a1e1a0029d83492de1",
"SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"
},
name="resume.pdf",
size=83968,
id="file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d",
spec_version="2.1")
"""Tests for the Data Markings API."""
MALWARE_KWARGS = MALWARE_KWARGS_CONST.copy()
MALWARE_KWARGS.update({
'id': MALWARE_ID,
'type': 'malware',
'created': FAKE_TIME,
'modified': FAKE_TIME,
})
@pytest.mark.parametrize(
"data", [
(
Malware(**MALWARE_KWARGS),
Malware(
object_marking_refs=[MARKING_IDS[0]],
**MALWARE_KWARGS
),
MARKING_IDS[0],
),
(
MALWARE_KWARGS,
dict(
object_marking_refs=[MARKING_IDS[0]],
**MALWARE_KWARGS
),
MARKING_IDS[0],
),
(
def test_add_markings_bad_markings(data):
before = Malware(**MALWARE_KWARGS)
with pytest.raises(exceptions.InvalidValueError):
before = markings.add_markings(before, data, None)
assert "object_marking_refs" not in before
"marking_ref": MARKING_IDS[1],
},
],
**MALWARE_KWARGS)
before = markings.add_markings(before, [MARKING_IDS[0], MARKING_IDS[1]],
["description"])
for m in before["granular_markings"]:
assert m in after["granular_markings"]
@pytest.mark.parametrize(
"data",
[
(
Malware(**MALWARE_KWARGS),
Malware(granular_markings=[
{
"selectors": ["description", "name"],
"marking_ref": MARKING_IDS[0],
},
],
**MALWARE_KWARGS),
MARKING_IDS[0],
),
(
MALWARE_KWARGS,
dict(granular_markings=[
{
"selectors": ["description", "name"],
"marking_ref": MARKING_IDS[0],
with open("domains.txt") as f:
domains = list(set([a.strip() for a in f.read().split()]))
with open("files.txt") as f:
filenames = list(set([a.strip() for a in f.read().split()]))
with open("processes.txt") as f:
processes = list(set([a.strip() for a in f.read().split()]))
with open("emails.txt") as f:
emails = list(set([a.strip() for a in f.read().split()]))
res = []
malware = Malware(name="Pegasus",
is_family=False,
description="IOCs for Pegasus")
res.append(malware)
for d in domains:
i = Indicator(indicator_types=["malicious-activity"],
pattern="[domain-name:value='{}']".format(d),
pattern_type="stix")
res.append(i)
res.append(Relationship(i, 'indicates', malware))
for p in processes:
i = Indicator(indicator_types=["malicious-activity"],
pattern="[process:name='{}']".format(p),
pattern_type="stix")
res.append(i)
res.append(Relationship(i, 'indicates', malware))
indicator = Indicator(
id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
created="2014-06-29T13:49:37.079Z",
modified="2014-06-29T13:49:37.079Z",
name="Malicious site hosting downloader",
description=
"This organized threat actor group operates to create profit from all types of crime.",
indicator_types=["malicious-activity"],
pattern="[url:value = 'http://x4z9arb.cn/4712/']",
pattern_type="stix",
valid_from="2014-06-29T13:49:37.079000Z")
foothold = KillChainPhase(kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="establish-foothold")
malware = Malware(
id="malware--162d917e-766f-4611-b5d6-652791454fca",
created="2014-06-30T09:15:17.182Z",
modified="2014-06-30T09:15:17.182Z",
name="x4z9arb backdoor",
malware_types=["backdoor", "remote-access-trojan"],
description=
"This malware attempts to download remote files after establishing a foothold as a backdoor.",
kill_chain_phases=[foothold],
is_family="false")
relationship = Relationship(indicator, 'indicates', malware)
bundle = Bundle(objects=[indicator, malware, relationship])
with open('certificates.yaml') as f:
r = yaml.load(f, Loader=yaml.BaseLoader)
for entry in r:
app = entry['name'].lower()
indicators_by_name[app]['certificates'].add(entry['certificate'])
with open('appid.yaml') as f:
r = yaml.load(f, Loader=yaml.BaseLoader)
for entry in r:
app = entry['name'].lower()
indicators_by_name[app]['appids'].add(entry['package'])
res = []
for app_name, entries in indicators_by_name.items():
malware = Malware(name=app_name,
is_family=False,
description="Stalkerware applications")
res.append(malware)
for d in entries['domains']:
i = Indicator(indicator_types=["malicious-activity"],
pattern="[domain-name:value='{}']".format(d),
pattern_type="stix")
res.append(i)
res.append(Relationship(i, 'indicates', malware))
for h in entries['sha256']:
i = Indicator(indicator_types=["malicious-activity"],
pattern="[file:hashes.sha256='{}']".format(h),
pattern_type="stix")
res.append(i)
res.append(Relationship(i, 'indicates', malware))
from stix2.v21 import (Indicator, Malware, Relationship, Bundle)
indicator = Indicator(
id="indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
name="File hash for Poison Ivy variant",
description=
"This file hash indicates that a sample of Poison Ivy is present.",
indicator_types=["malicious-activity"],
pattern=
"[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
pattern_type="stix",
valid_from="2014-02-20T09:00:00.000000Z")
malware = Malware(id="malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
name="Poison Ivy",
malware_types=["remote-access-trojan"],
is_family="false")
relationship = Relationship(indicator, 'indicates', malware)
bundle = Bundle(objects=[indicator, malware, relationship])
