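def main():
    """Build and print a STIX package holding three phishing e-mail indicators.

    The package carries one "Phishing" TTP and three indicators that all
    point at it by reference: one on the subject line alone, one on the
    attachment alone, and one combining both. The XML goes to stdout.
    """
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Indicator 1: subject line only (prefix match on the Subject header).
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"

    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Indicator 2: attachment only. The File is inlined into the e-mail via a
    # "Contains" relationship; the Attachments list must then reference the
    # File's own object id (attached_file_object.parent.id_), not the id of
    # the e-mail that holds it -- appending the e-mail's id would make the
    # message list itself as its own attachment.
    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()
    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"
    file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
    file_attachment_object.attachments.append(attached_file_object.parent.id_)

    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Indicator 3: subject and attachment combined. Reuse the File defined
    # above by its object id instead of defining it a second time.
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()
    full_email_object.attachments.append(attached_file_object.parent.id_)
    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object

    # Every indicator points at the same TTP by idref.
    for indicator in (email_subject_indicator, indicator_attachment, combined_indicator):
        indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
    # print(...) with a single argument behaves the same on Python 2 and 3.
    print(stix_package.to_xml())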
def generateEmailAttachmentObject(indicator, filename):
    """Make *indicator*'s observable an e-mail carrying one attachment named *filename*.

    The File is inlined into the EmailMessage through a "Contains"
    relationship and its object id is listed under the message's
    Attachments; the message then becomes the indicator's observable.
    """
    attachment = File()
    attachment.file_name = filename

    message = EmailMessage()
    message.attachments = Attachments()
    message.add_related(attachment, "Contains", inline=True)
    # Attachments holds object ids, so reference the File via its parent
    # Object's id rather than the File instance itself.
    message.attachments.append(attachment.parent.id_)

    indicator.observable = message
def __get_inspected_objs(self, source_file):
    """Return the EmailMessage objects recovered from *source_file* as a list.

    A single message is built with fixed placeholder sender/recipient
    values, a fixed subject and date, and is linked back to *source_file*
    with an "Extracted_From" relationship held by reference (not inline).
    """
    message = EmailMessage()
    # Header-style fields are set directly on the message object.
    message.from_ = '*****@*****.**'
    message.to = '*****@*****.**'
    message.subject = 'Subject1'
    # NOTE(review): day-month-year with a 'T' separator is not ISO 8601 --
    # confirm DateTime accepts this layout.
    message.date = DateTime('21-06-2015T19:52:00')
    message.add_related(source_file, "Extracted_From", inline=False)

    recovered = [message]
    return recovered
def main():
    """Print a CybOX Observables document: an e-mail and the IPv4 address it was received from."""
    message = EmailMessage()
    message.to = ["*****@*****.**", "*****@*****.**"]
    message.from_ = "*****@*****.**"
    message.subject = "New modifications to the specification"

    sender_ip = Address("192.168.1.1", Address.CAT_IPV4)
    # The address is related by reference, so it is emitted as its own
    # observable rather than nested inside the message.
    message.add_related(sender_ip, "Received_From", inline=False)

    document = Observables([message, sender_ip])
    print(document.to_xml(encoding=None))
def generateEmailAttachmentObject(indicator, attribute):
    """Set *indicator*'s observable to an e-mail carrying a single attachment.

    *attribute* is a mapping: ``attribute["value"]`` becomes the attachment
    file name and ``attribute["uuid"]`` is embedded in the ids assigned to
    the File, the EmailMessage and the wrapping Observable. Ids are prefixed
    with the cybox id generator's namespace prefix.
    """
    prefix = cybox.utils.idgen.__generator.namespace.prefix
    uuid = attribute["uuid"]

    attachment = File()
    attachment.file_name = attribute["value"]

    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(attachment, "Contains", inline=True)

    # Ids are assigned after the relationship is created (same order as the
    # original code); the Attachments list references the File by id.
    attachment.parent.id_ = prefix + ":file-" + uuid
    email.attachments.append(attachment.parent.id_)
    email.parent.id_ = prefix + ":EmailMessage-" + uuid

    wrapper = Observable(email)
    wrapper.id_ = prefix + ":observable-" + uuid
    indicator.observable = wrapper
def generateEmailAttachmentObject(indicator, attribute):
    """Set *indicator*'s observable to an e-mail with one attachment (exact file-name match).

    ``attribute["value"]`` is the attachment file name, matched with the
    "Equals" condition; ``attribute["uuid"]`` is embedded in the ids of the
    File, the EmailMessage and the wrapping Observable, all prefixed with
    the cybox id generator's namespace prefix.
    """
    prefix = cybox.utils.idgen.__generator.namespace.prefix
    uuid = attribute["uuid"]

    def make_id(kind):
        # "<prefix>:<kind>-<uuid>", identical to plain concatenation.
        return prefix + ":" + kind + "-" + uuid

    attachment = File()
    attachment.file_name = attribute["value"]
    attachment.file_name.condition = "Equals"

    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(attachment, "Contains", inline=True)

    # Ids are assigned after the relationship is created, as before.
    attachment.parent.id_ = make_id("file")
    email.attachments.append(attachment.parent.id_)
    email.parent.id_ = make_id("EmailMessage")

    wrapper = Observable(email)
    wrapper.id_ = make_id("observable")
    indicator.observable = wrapper
def main():
    """Emit a CybOX Observables document (e-mail + source IPv4) under the "example" id namespace."""
    namespace = cybox.utils.Namespace("http://example.com/", "example")
    # All ids generated from here on use the "example" prefix.
    cybox.utils.set_id_namespace(namespace)

    message = EmailMessage()
    message.to = ["*****@*****.**", "*****@*****.**"]
    message.from_ = "*****@*****.**"
    message.subject = "New modifications to the specification"

    sender_ip = Address("192.168.1.1", Address.CAT_IPV4)
    message.add_related(sender_ip, "Received_From", inline=False)

    # Single-argument print() is equivalent under Python 2 and 3.
    print(Observables([message, sender_ip]).to_xml())
def generate_email_attachment_object(self, indicator, attribute):
    """Set *indicator*'s observable to an e-mail with one attachment named ``attribute.value``.

    Ids for the File, the EmailMessage and the wrapping Observable are
    derived from ``self.namespace_prefix`` and ``attribute.uuid``.
    """
    attribute_uuid = attribute.uuid

    def make_id(kind):
        # "<namespace_prefix>:<kind>-<uuid>", same layout as str.format use.
        return "{}:{}-{}".format(self.namespace_prefix, kind, attribute_uuid)

    attachment = File()
    attachment.file_name = attribute.value
    attachment.file_name.condition = "Equals"
    # The File's id is fixed before it is related to the message.
    attachment.parent.id_ = make_id("FileObject")

    email = EmailMessage()
    email.attachments = Attachments()
    email.add_related(attachment, "Contains", inline=True)
    email.attachments.append(attachment.parent.id_)
    email.parent.id_ = make_id("EmailMessageObject")

    wrapper = Observable(email)
    wrapper.id_ = make_id("observable")
    indicator.observable = wrapper
def main():
    """Print a CybOX Observables document (e-mail + source IPv4) under the "example" id namespace."""
    namespace = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(namespace)

    message = EmailMessage()
    message.to = ["*****@*****.**", "*****@*****.**"]
    message.from_ = "*****@*****.**"
    message.subject = "New modifications to the specification"

    sender_ip = Address("192.168.1.1", Address.CAT_IPV4)
    # Related by reference: the address is its own top-level observable.
    message.add_related(sender_ip, "Received_From", inline=False)

    document = Observables([message, sender_ip])
    print(document.to_xml())
def main():
    """Print a CybOX Observables document with an e-mail and an IPv4 address related in both directions."""
    namespace = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(namespace)

    # Create the EmailMessage object.
    message = EmailMessage()
    # Populate the object's fields.
    message.to = ["*****@*****.**", "*****@*****.**"]
    message.from_ = "*****@*****.**"
    message.subject = "New modifications to the specification"

    # Create the Address object.
    sender_ip = Address("192.168.1.1", Address.CAT_IPV4)

    # Relate the two objects to each other (both by reference).
    message.add_related(sender_ip, "Received_From", inline=False)
    sender_ip.add_related(message, "Received_to", inline=False)

    # Single-argument print() is equivalent under Python 2 and 3.
    print(Observables([message, sender_ip]).to_xml())
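def execute(self, device_info, extracted_data_dir_path):
    """Rebuild the e-mails stored by the stock Android Email app as CybOX objects.

    Reads the app's two SQLite databases as copied under
    *extracted_data_dir_path* (``databases/EmailProvider.db`` for headers
    and attachment metadata, ``databases/EmailProviderBody.db`` for bodies)
    and builds one EmailMessage per ``message`` row, each linked by
    ``Extracted_From`` to the File objects describing those databases.

    Args:
        device_info: not used here; kept for the caller's interface.
        extracted_data_dir_path: directory holding the extracted app data,
            mirroring the on-device layout under ``/data/data/com.android.email``.

    Returns:
        ``(emails, source_objects)``: the EmailMessage objects, and the File
        objects for the two databases plus every recovered attachment.
    """
    original_app_path = '/data/data/com.android.email'
    headers_db_rel_file_path = os.path.join('databases', 'EmailProvider.db')
    bodies_db_rel_file_path = os.path.join('databases', 'EmailProviderBody.db')

    original_headers_db_file_path = os.path.join(original_app_path, headers_db_rel_file_path)
    original_bodies_db_file_path = os.path.join(original_app_path, bodies_db_rel_file_path)
    headers_db_file_path = os.path.join(extracted_data_dir_path, headers_db_rel_file_path)
    bodies_db_file_path = os.path.join(extracted_data_dir_path, bodies_db_rel_file_path)

    # source_objects[0] is the headers DB, [1] the bodies DB; attachments are
    # appended after them.
    source_objects = [
        create_file_object(headers_db_file_path, original_headers_db_file_path),
        create_file_object(bodies_db_file_path, original_bodies_db_file_path),
    ]

    inspected_objects = self._read_email_headers(headers_db_file_path, source_objects[0])
    self._read_email_bodies(bodies_db_file_path, inspected_objects, source_objects[1])
    self._read_email_attachments(
        headers_db_file_path,
        extracted_data_dir_path,
        original_app_path,
        inspected_objects,
        source_objects,
    )

    return list(inspected_objects.values()), source_objects

def _read_email_headers(self, headers_db_file_path, headers_db_object):
    """Build one EmailMessage per ``message`` row; returns them keyed by the row's ``_id``."""
    inspected_objects = {}
    cursor, conn = execute_query(headers_db_file_path, 'SELECT * FROM message')
    try:
        for row in cursor:
            header = EmailHeader()
            header.to = row['toList']
            header.cc = row['ccList']
            header.bcc = row['bccList']
            header.from_ = row['fromList']
            header.subject = row['subject']
            # NOTE(review): replyToList is mapped onto In-Reply-To -- confirm
            # that is the intended header.
            header.in_reply_to = row['replyToList']
            # timeStamp is stored in milliseconds; fromtimestamp expects seconds.
            header.date = datetime.fromtimestamp(row['timeStamp'] / 1000)
            header.message_id = row['messageId']

            email = EmailMessage()
            email.header = header
            email.add_related(headers_db_object, ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)
            inspected_objects[row['_id']] = email
    finally:
        # Always release the cursor and connection, even if a row is malformed.
        cursor.close()
        conn.close()
    return inspected_objects

def _read_email_bodies(self, bodies_db_file_path, inspected_objects, bodies_db_object):
    """Attach the raw body (HTML preferred over plain text) to each matching e-mail."""
    cursor, conn = execute_query(bodies_db_file_path, 'SELECT _id, htmlContent, textContent FROM body')
    try:
        for row in cursor:
            email = inspected_objects.get(row['_id'])
            if email is None:
                # Body row without a header row: nothing to attach it to.
                continue
            if row['htmlContent'] != '':
                email.raw_body = row['htmlContent']
                email.header.content_type = 'text/html'
            else:
                email.raw_body = row['textContent']
                email.header.content_type = 'text/plain'
            email.add_related(bodies_db_object, ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)
    finally:
        cursor.close()
        # Closing the connection here was previously missed, leaking it.
        conn.close()

def _read_email_attachments(self, headers_db_file_path, extracted_data_dir_path,
                            original_app_path, inspected_objects, source_objects):
    """Create a File object per ``attachment`` row, link it to its e-mail and append it to *source_objects*."""
    # contentUri is expected as <scheme>://<authority>/<folder>/<file>/<rest>;
    # group(1) is the attachment folder, group(2) the attachment file name.
    content_uri_re = re.compile(r'.*//.*/(.*)/(.*)/.*')
    cursor, conn = execute_query(headers_db_file_path, 'SELECT messageKey, contentUri FROM attachment')
    try:
        for row in cursor:
            email = inspected_objects.get(row['messageKey'])
            if email is None:
                # Attachment row whose messageKey matches no recovered e-mail.
                continue
            match = content_uri_re.search(row['contentUri'])
            if match is None:
                # Unexpected contentUri layout: the file cannot be located.
                continue
            if email.attachments is None:
                email.attachments = Attachments()

            # NOTE(review): folder and file name come straight from the
            # database and are joined into a path with no validation beyond
            # the pattern above.
            folder, file_name = match.group(1), match.group(2)
            attachment_rel_file_path = os.path.join('databases', folder + '.db_att', file_name)
            attachment_file_path = os.path.join(extracted_data_dir_path, attachment_rel_file_path)
            original_attachment_file_path = os.path.join(original_app_path, attachment_rel_file_path)

            attachment = create_file_object(attachment_file_path, original_attachment_file_path)
            # The e-mail references the attachment by object id; the
            # attachment links back to the e-mail by reference.
            email.attachments.append(attachment.parent.id_)
            attachment.add_related(email, ObjectRelationship.TERM_CONTAINED_WITHIN, inline=False)
            source_objects.append(attachment)
    finally:
        cursor.close()
        conn.close()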
def main():
    """Print a STIX package describing a phishing campaign as three indicators.

    One "Phishing" TTP is created, then three indicators that all reference
    it by id: subject-line only, attachment only, and both combined. The
    combined indicator reuses the attachment's File by object id instead of
    redefining it.
    """
    package = STIXPackage()
    phishing_ttp = TTP(title="Phishing")
    package.add_ttp(phishing_ttp)

    # --- subject-line indicator ---------------------------------------
    subject_only_email = EmailMessage()
    subject_only_email.header = EmailHeader()
    subject_only_email.header.subject = "[IMPORTANT] Please Review Before"
    subject_only_email.header.subject.condition = "StartsWith"

    subject_indicator = Indicator()
    subject_indicator.title = "Malicious E-mail Subject Line"
    subject_indicator.add_indicator_type("Malicious E-mail")
    subject_indicator.observable = subject_only_email
    subject_indicator.confidence = "Low"

    # --- attachment indicator -----------------------------------------
    attachment_only_email = EmailMessage()
    attachment_only_email.attachments = Attachments()
    attached_file = File()
    attached_file.file_name = "Final Report"
    attached_file.file_name.condition = "StartsWith"
    attached_file.file_extension = "doc.exe"
    attached_file.file_extension.condition = "Equals"
    attachment_only_email.add_related(attached_file, "Contains", inline=True)
    # Attachments holds object ids, so reference the File by its parent id.
    attachment_only_email.attachments.append(attached_file.parent.id_)

    attachment_indicator = Indicator()
    attachment_indicator.title = "Malicious E-mail Attachment"
    attachment_indicator.add_indicator_type("Malicious E-mail")
    attachment_indicator.observable = attachment_only_email
    attachment_indicator.confidence = "Low"

    # --- combined indicator -------------------------------------------
    full_email = EmailMessage()
    full_email.attachments = Attachments()
    # Reference the File already defined above instead of defining it again.
    full_email.attachments.append(attached_file.parent.id_)
    full_email.header = EmailHeader()
    full_email.header.subject = "[IMPORTANT] Please Review Before"
    full_email.header.subject.condition = "StartsWith"

    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email

    # Tie every indicator to the TTP by idref, then add them to the package
    # in the same order as before (combined first).
    for indicator in (subject_indicator, attachment_indicator, combined_indicator):
        indicator.add_indicated_ttp(TTP(idref=phishing_ttp.id_))
    for indicator in (combined_indicator, subject_indicator, attachment_indicator):
        package.add_indicator(indicator)

    print(package.to_xml(encoding=None))
comment['comment'], flags=re.IGNORECASE) else: # no comments acomment = 'none' # Create the indicator for just the attachment file_attachment_object = EmailMessage() file_attachment_object.attachments = Attachments() attached_file_object = File() attached_file_object.file_name = xfilename attached_file_object.file_name.condition = "Equals" file_attachment_object.add_related(attached_file_object, "Contains", inline=True) file_attachment_object.attachments.append( attached_file_object.parent.id_) attachdescription = "Phishing email attachment\nFrom: %s\nSubj: %s\n Filename: %s\nSize: %s\nMD5: %s\nSHA1: %s\nSHA256: %s\nSSDEEP: %s\nAnalyst Notes: %s\n"\ %(xfrom,xsubject,xfilename,xfilesize,xmd5,xsha1,xsha256,xssdeep,acomment) indicator_attachment = Indicator(description=attachdescription) indicator_attachment.title = "Phishing E-mail Attachment" indicator_attachment.add_indicator_type("Malicious E-mail") indicator_attachment.observable = file_attachment_object indicator_attachment.confidence = "High" full_email_object.attachments = Attachments() # Add the previously referenced file as another reference rather than define it again: full_email_object.attachments.append(attached_file_object.parent.id_)