def create_file_hash_observable(fn, hash_value):
'''Create a CybOX Observable representing a file hash.'''
hash_ = Hash(hash_value)
file_ = File()
file_.file_name = fn
file_.add_hash(hash_)
return Observable(file_)
def main():
# Create a CyboX File Object
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = (
"An indicator containing a File observable with an associated hash"
)
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(utils.dates.now())
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_object(f)
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader()
stix_header.description = "File Hash Indicator Example"
stix_package.stix_header = stix_header
# Add our Indicator object. The add() method will inspect the input and
# append it to the `stix_package.indicators` collection.
stix_package.add(indicator)
# Print the XML!
print(stix_package.to_xml())
def main():
f = File()
f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now(tzutc()))
indicator.add_object(f)
party_name = PartyName(name_lines=["Foo", "Bar"], person_names=["John Smith", "Jill Smith"], organisation_names=["Foo Inc.", "Bar Corp."])
ident_spec = STIXCIQIdentity3_0(party_name=party_name)
ident_spec.add_electronic_address_identifier("*****@*****.**")
ident_spec.add_free_text_line("Demonstrating Free Text!")
ident_spec.add_contact_number("555-555-5555")
ident_spec.add_contact_number("555-555-5556")
identity = CIQIdentity3_0Instance(specification=ident_spec)
indicator.set_producer_identity(identity)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example"
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
xml = stix_package.to_xml()
print(xml)
def test_fields(self):
f = File()
f.file_name = "blah.exe"
self.assertEqual(String, type(f.file_name))
f.file_path = "C:\\Temp"
self.assertEqual(FilePath, type(f.file_path))
def main():
# Create our CybOX Simple Hash Value
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
# Create a CybOX File Object and add the Hash we created above.
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
# Create the STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader()
stix_header.description = "Simple File Hash Observable Example"
stix_package.stix_header = stix_header
# Add the File Hash Observable to the STIX Package. The add() method will
# inspect the input and add it to the top-level stix_package.observables
# collection.
stix_package.add(f)
# Print the XML!
print(stix_package.to_xml())
def to_cybox(self, exclude=None):
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(self, attr, None)
if val:
setattr(f, attr, val)
if self.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(self.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = self.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude:
data = self.filedata.read()
if data:
data = base64.b64encode(data)
a = Artifact(data=data, type_=Artifact.TYPE_FILE)
observables.append(Observable(a))
#if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
#f.file_format = self.filetype
observables.append(Observable(f))
return (observables, self.releasability)
def main():
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
# Create the indicator for just the subject
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
email_subject_object.header.subject.condition = "StartsWith"
email_subject_indicator = Indicator()
email_subject_indicator.title = "Malicious E-mail Subject Line"
email_subject_indicator.add_indicator_type("Malicious E-mail")
email_subject_indicator.observable = email_subject_object
email_subject_indicator.confidence = "Low"
# Create the indicator for just the attachment
file_attachment_object = EmailMessage()
file_attachment_object.attachments = Attachments()
attached_file_object = File()
attached_file_object.file_name = "Final Report"
attached_file_object.file_name.condition = "StartsWith"
attached_file_object.file_extension = "doc.exe"
attached_file_object.file_extension.condition = "Equals"
file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
file_attachment_object.attachments.append(file_attachment_object.parent.id_)
indicator_attachment = Indicator()
indicator_attachment.title = "Malicious E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "Low"
# Create the combined indicator w/ both subject an attachment
full_email_object = EmailMessage()
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(file_attachment_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.subject = "[IMPORTANT] Please Review Before"
full_email_object.header.subject.condition = "StartsWith"
combined_indicator = Indicator(title="Malicious E-mail")
combined_indicator.add_indicator_type("Malicious E-mail")
combined_indicator.confidence = Confidence(value="High")
combined_indicator.observable = full_email_object
email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
print stix_package.to_xml()
def _sha256(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('observable')
f = File()
h = Hash(shv, Hash.TYPE_SHA256)
f.add_hash(h)
return f
def _md5(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('observable')
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
return f
def test_add_hash_string(self):
s = "ffffffffffffffffffff"
f = File()
f.add_hash(s)
h = f.hashes[0]
self.assertEqual(s, str(h.simple_hash_value))
self.assertEqual(Hash.TYPE_OTHER, h.type_)
def generateEmailAttachmentObject(indicator, filename):
file_object = File()
file_object.file_name = filename
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
email.attachments.append(file_object.parent.id_)
indicator.observable = email
def test_add_hash_string(self):
s = "ffffffffffffffffffff"
f = File()
f.add_hash(s)
h = f.hashes[0]
self.assertEqual(s, str(h.simple_hash_value))
self.assertEqual(Hash.TYPE_OTHER, h.type_)
def _sha1(keypair):
shv = Hash()
shv.simple_hash_value = keypair.get('indicator')
f = File()
h = Hash(shv, Hash.TYPE_SHA1)
f.add_hash(h)
return f
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("IP Watchlist")
for key in mydata["IOC"].keys():
myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
myip.condition = "Equals"
obsu = Observable(myip)
#if mydata[key].size:
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
myip.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def test_fields_not_shared(self):
# In a previous version of TypedFields, all objects of the same type
# shared a single value of each field. Obviously this was a mistake.
f = File()
f.file_name = "README.txt"
self.assertEqual("README.txt", f.file_name)
f2 = File()
self.assertEqual(None, f2.file_name)
def test_fields_not_shared(self):
# In a previous version of TypedFields, all objects of the same type
# shared a single value of each field. Obviously this was a mistake.
f = File()
f.file_name = "README.txt"
self.assertEqual("README.txt", f.file_name)
f2 = File()
self.assertEqual(None, f2.file_name)
def test_set_hashes(self):
f = File()
f.md5 = EMPTY_MD5
f.sha1 = EMPTY_SHA1
f.sha256 = EMPTY_SHA256
self.assertEqual(EMPTY_MD5, f.md5)
self.assertEqual(EMPTY_SHA1, f.sha1)
self.assertEqual(EMPTY_SHA256, f.sha256)
def main():
# Create a CybOX File Object with a contained hash
f = File()
f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = (
"An indicator containing a File observable with an associated hash")
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(utils.dates.now())
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_object(f)
# Build our STIX CIQ Identity object
party_name = stix_ciq.PartyName(name_lines=("Foo", "Bar"),
person_names=("John Smith", "Jill Smith"),
organisation_names=("Foo Inc.",
"Bar Corp."))
ident_spec = stix_ciq.STIXCIQIdentity3_0(party_name=party_name)
ident_spec.add_electronic_address_identifier("*****@*****.**")
ident_spec.add_free_text_line("Demonstrating Free Text!")
ident_spec.add_contact_number("555-555-5555")
ident_spec.add_contact_number("555-555-5556")
# Build and add a CIQ Address
addr = stix_ciq.Address(free_text_address='1234 Example Lane.',
country='USA',
administrative_area='An Admin Area')
ident_spec.add_address(addr)
identity = stix_ciq.CIQIdentity3_0Instance(specification=ident_spec)
# Set the Indicator producer identity to our CIQ Identity
indicator.set_producer_identity(identity)
# Build our STIX Package
stix_package = STIXPackage()
# Build a STIX Header and add a description
stix_header = STIXHeader()
stix_header.description = "STIX CIQ Identity Extension Example"
# Set the STIX Header on our STIX Package
stix_package.stix_header = stix_header
# Add our Indicator object. The add() method will inspect the input and
# append it to the `stix_package.indicators` collection.
stix_package.add(indicator)
# Print the XML!
print(stix_package.to_xml())
# Print a dictionary!
pprint(stix_package.to_dict())
def test_file_path(self):
file_path_string = "%WinDir%\abcd.dll"
normalized_file_path_string = "CSIDL_WINDOWS\abcd.dll"
file_obj = File()
file_obj.file_path = file_path_string
normalize_object_properties(file_obj)
self.assertEqual(file_obj.file_path.value, normalized_file_path_string)
def create_file_hash_observable(filename, hash_value):
hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Hash"
file_observable.description = "File hash derived from sandboxed malware sample."
file_observable.short_description = "File hash from malware."
return file_observable
def test_file_path(self):
file_path_string = "%WinDir%\abcd.dll"
normalized_file_path_string = "CSIDL_WINDOWS\abcd.dll"
file_obj = File()
file_obj.file_path = file_path_string
normalize_object_properties(file_obj)
self.assertEqual(file_obj.file_path.value, normalized_file_path_string)
def create_file_hash_observable(filename, hash_value):
hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Hash"
file_observable.description = "File hash derived from sandboxed malware sample."
file_observable.short_description = "File hash from malware."
return file_observable
def to_cybox_observable(self):
"""
Convert a Certificate to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
custom_prop = Property(
) # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obj = File() # represent cert information as file
obj.md5 = self.md5
obj.file_name = self.filename
obj.file_format = self.filetype
obj.size_in_bytes = self.size
obj.custom_properties = CustomProperties()
obj.custom_properties.append(custom_prop)
obs = Observable(obj)
obs.description = self.description
data = self.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obj.add_related(a, "Child_Of") # relate artifact to file
return ([obs], self.releasability)
def resolvePatternObservable(indicator, attribute):
new_object = None
if attribute["type"] == "pattern-in-file":
byte_run = ByteRun()
byte_run.byte_run_data = attribute["value"]
new_object = File()
new_object.byte_runs = ByteRuns(byte_run)
# custom properties are not implemented in the API yet
# elif attribute["type"] == "pattern-in-memory":
# elif attribute["type"] == "pattern-in-traffic":
return new_object
def resolvePatternObservable(attribute):
new_object = None
if attribute["type"] == "pattern-in-file":
byte_run = ByteRun()
byte_run.byte_run_data = attribute["value"]
new_object = File()
new_object.byte_runs = ByteRuns(byte_run)
# custom properties are not implemented in the API yet
# elif attribute["type"] == "pattern-in-memory":
# elif attribute["type"] == "pattern-in-traffic":
return new_object
def test_observables_property_standard(self):
f = File()
f.file_name = "README.txt"
obs = Observable(f)
ind = Indicator()
ind.observable = obs
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs.to_dict()],
[x.to_dict() for x in ind2.observables])
def returnAttachmentComposition(attribute):
file_object = File()
file_object.file_name = attribute["value"]
observable = Observable()
if "data" in attribute:
artifact = Artifact(data = attribute["data"])
composition = ObservableComposition(observables = [artifact, file_object])
observable.observable_composition = composition
else:
observable = Observable(file_object)
return observable
def test_observables_property_standard(self):
f = File()
f.file_name = "README.txt"
obs = Observable(f)
ind = Indicator()
ind.observable = obs
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs.to_dict()],
[x.to_dict() for x in ind2.observables])
def returnAttachmentComposition(attribute):
file_object = File()
file_object.file_name = attribute["value"]
observable = Observable()
if "data" in attribute:
artifact = Artifact(data=attribute["data"])
composition = ObservableComposition(
observables=[artifact, file_object])
observable.observable_composition = composition
else:
observable = Observable(file_object)
return observable
def generateEmailAttachmentObject(indicator, attribute):
file_object = File()
file_object.file_name = attribute["value"]
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
email.attachments.append(file_object.parent.id_)
email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
observable = Observable(email)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
indicator.observable = observable
def add_raw_indicator(self , orig_indicator, ts=None):
indicator_value = orig_indicator
if not self._is_ascii(indicator_value):
return False
indicator_type, _ = guess_type(indicator_value)
# Create a CyboX File Object
if indicator_type == StixItemType.IPADDR:
title = "Malicious IPv4 - %s" % indicator_value
descr = "Malicious IPv4 involved with %s" % self._pkg.stix_header.title
cybox = Address(indicator_value , Address.CAT_IPV4)
elif indicator_type == StixItemType.DOMAIN:
title = "Malicious domain - %s" % indicator_value
descr = "Malicious domain involved with %s" % self._pkg.stix_header.title
cybox = DomainName()
cybox.value = indicator_value
elif indicator_type == StixItemType.MD5:
title = "Malicious MD5 - %s" % indicator_value
descr = "Malicious MD5 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA256:
title = "Malicious SHA256 - %s" % indicator_value
descr = "Malicious SHA256 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.SHA1:
title = "Malicious SHA1 - %s" % indicator_value
descr = "Malicious SHA1 involved with %s" % self._pkg.stix_header.title
cybox = File()
cybox.add_hash(indicator_value )
elif indicator_type == StixItemType.URL:
title = "Malicious URL - %s" % indicator_value
descr = "Malicious URL involved with %s" % self._pkg.stix_header.title
cybox = URI()
cybox.value = indicator_value
cybox.type_ = URI.TYPE_URL
if indicator_type == StixItemType.UNKNOWN:
return False
indicator = Indicator()
indicator.title = title
indicator.description = descr
indicator.add_object(cybox)
indicator.set_producer_identity(self.__author)
if ts:
indicator.set_produced_time(ts)
else:
indicator.set_produced_time(utils.dates.now())
self._add(indicator)
return True
def generateEmailAttachmentObject(indicator, attribute):
file_object = File()
file_object.file_name = attribute["value"]
file_object.file_name.condition = "Equals"
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
email.attachments.append(file_object.parent.id_)
email.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":EmailMessage-" + attribute["uuid"]
observable = Observable(email)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
indicator.observable = observable
def cybox_object_file(obj, meta=None):
# TODO: missing File_Custom_Properties
f = File()
if obj.md5_hash != 'No MD5':
f.add_hash(Hash(obj.md5_hash))
if obj.sha256_hash != 'No SHA256':
f.add_hash(Hash(obj.sha256_hash))
if meta:
f.file_name = meta.file_name
f.file_extension = meta.file_extension
f.file_path = meta.file_path
f.size_in_bytes = meta.file_size
return f
def add_file_dropped_observable(self, filename):
if filename in self.__files:
return
self.__files.add(filename)
#hash_ = Hash(hash_value)
file_ = File()
file_.file_name = filename
#file_.add_hash(hash_)
file_observable = Observable(file_)
file_observable.title = "Malware Artifact - File Dropped"
file_observable.description = "File Dropped derived from sandboxed malware sample."
file_observable.short_description = "File Dropped from malware."
self.hash_indicator.add_observable(file_observable)
def md5(hash, provider, reporttime):
vuln = Vulnerability()
vuln.cve_id = "MD5-" + hash
vuln.description = "maliciousMD5"
et = ExploitTarget(title=provider + " observable")
et.add_vulnerability(vuln)
# Create a CyboX File Object
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash(hash)
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = "MD5-" + hash
indicator.description = ("Malicious hash " + hash + " reported from " +
provider)
indicator.set_producer_identity(provider)
indicator.set_produced_time(reporttime)
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_observable(f)
# Create a STIX Package
stix_package = STIXPackage()
stix_package.add(et)
stix_package.add(indicator)
# Print the XML!
#print(stix_package.to_xml())
f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w')
f.write(stix_package.to_xml())
f.close()
def generate_email_attachment_object(self, indicator, attribute):
attribute_uuid = attribute.uuid
file_object = File()
file_object.file_name = attribute.value
file_object.file_name.condition = "Equals"
file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute_uuid)
email = EmailMessage()
email.attachments = Attachments()
email.add_related(file_object, "Contains", inline=True)
email.attachments.append(file_object.parent.id_)
email.parent.id_ = "{}:EmailMessageObject-{}".format(self.namespace_prefix, attribute_uuid)
observable = Observable(email)
observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute_uuid)
indicator.observable = observable
def main():
print '<?xml version="1.0" encoding="UTF-8"?>'
s = SimpleHashValue()
s.condition = "IsInSet"
s.value_set = ["4EC0027BEF4D7E1786A04D021FA8A67F",
"21F0027ACF4D9017861B1D021FA8CF76",
"2B4D027BEF4D7E1786A04D021FA8CC01"]
f = File()
h = Hash(s, Hash.TYPE_MD5)
f.add_hash(h)
print Observables(f).to_xml()
def hash_indicator(hashes=[]):
hashlist = Indicator()
hashlist.add_indicator_type("File Hash Watchlist")
for h in hashes:
file = File()
hash = Hash(
hash_value = h,
#type_ = "MD5",
)
file.add_hash(hash)
hashlist.add_observable(file)
return hashlist
def to_cybox_observable(self):
"""
Convert a Certificate to a CybOX Observables.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
custom_prop = Property() # make a custom property so CRITs import can identify Certificate exports
custom_prop.name = "crits_type"
custom_prop.description = "Indicates the CRITs type of the object this CybOX object represents"
custom_prop._value = "Certificate"
obj = File() # represent cert information as file
obj.md5 = self.md5
obj.file_name = self.filename
obj.file_format = self.filetype
obj.size_in_bytes = self.size
obj.custom_properties = CustomProperties()
obj.custom_properties.append(custom_prop)
obs = Observable(obj)
obs.description = self.description
data = self.filedata.read()
if data: # if cert data available
a = Artifact(data, Artifact.TYPE_FILE) # create artifact w/data
a.packaging.append(Base64Encoding())
obj.add_related(a, "Child_Of") # relate artifact to file
return ([obs], self.releasability)
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 03"
stix_package.stix_header = stix_header
stix_package.add_observable(f)
print(stix_package.to_xml())
def from_obj(win_file_obj, file_class = None):
if not win_file_obj:
return None
if not file_class:
win_file_ = File.from_obj(win_file_obj, WinFile())
else:
win_file_ = File.from_obj(win_file_obj, file_class)
win_file_.filename_accessed_time = DateTime.from_obj(win_file_obj.get_Filename_Accessed_Time())
win_file_.filename_created_time = DateTime.from_obj(win_file_obj.get_Filename_Created_Time())
win_file_.filename_modified_time = DateTime.from_obj(win_file_obj.get_Filename_Modified_Time())
win_file_.drive = String.from_obj(win_file_obj.get_Drive())
win_file_.security_id = String.from_obj(win_file_obj.get_Security_ID())
win_file_.security_type = String.from_obj(win_file_obj.get_Security_Type())
win_file_.stream_list = StreamList.from_obj(win_file_obj.get_Stream_List())
return win_file_
def from_dict(win_file_dict, file_class = None):
if not win_file_dict:
return None
if not file_class:
win_file_ = File.from_dict(win_file_dict, WinFile())
else:
win_file_ = File.from_dict(win_file_dict, file_class)
win_file_.filename_accessed_time = DateTime.from_dict(win_file_dict.get('filename_accessed_time'))
win_file_.filename_created_time = DateTime.from_dict(win_file_dict.get('filename_created_time'))
win_file_.filename_modified_time = DateTime.from_dict(win_file_dict.get('filename_modified_time'))
win_file_.drive = String.from_dict(win_file_dict.get('drive'))
win_file_.security_id = String.from_dict(win_file_dict.get('security_id'))
win_file_.security_type = String.from_dict(win_file_dict.get('security_type'))
win_file_.stream_list = StreamList.from_list(win_file_dict.get('stream_list'))
return win_file_
def test_observables_property_composition(self):
f1 = File()
f1.file_name = "README.txt"
f2 = File()
f2.file_name = "README2.txt"
obs1 = Observable(f1)
obs2 = Observable(f2)
comp = Observable(ObservableComposition('AND', [obs1, obs2]))
ind = Indicator()
ind.observable = comp
ind2 = Indicator.from_dict(ind.to_dict())
self.assertEqual([obs1.to_dict(), obs2.to_dict()],
[x.to_dict() for x in ind2.observables])
def __get_source_objs(self):
f1 = File()
f1.file_name = 'emailprovider.db'
f1.file_path = '/data/data/com.android.providers.email/databases/'
f1.file_format = 'SQLite 3.x database'
f1.size_in_bytes = '2374'
f1.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
return [f1]
def test_get_hashes(self):
f = File()
f.add_hash(Hash(EMPTY_MD5))
f.add_hash(Hash(EMPTY_SHA1))
f.add_hash(Hash(EMPTY_SHA224))
f.add_hash(Hash(EMPTY_SHA256))
f.add_hash(Hash(EMPTY_SHA384))
f.add_hash(Hash(EMPTY_SHA512))
self.assertEqual(EMPTY_MD5, f.md5)
self.assertEqual(EMPTY_SHA1, f.sha1)
self.assertEqual(EMPTY_SHA224, f.sha224)
self.assertEqual(EMPTY_SHA256, f.sha256)
self.assertEqual(EMPTY_SHA384, f.sha384)
self.assertEqual(EMPTY_SHA512, f.sha512)
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 03"
stix_package.stix_header = stix_header
stix_package.add_observable(f)
print(stix_package.to_xml())
def main():
print '<?xml version="1.0" encoding="UTF-8"?>'
attachment = File()
attachment.file_name = "FooBar Specification (critical revision).doc"
attachment.add_hash(Hash("4EC0027BEF4D7E1786A04D021FA8A67F"))
email = EmailMessage()
email.attachments.append(attachment)
email.subject = String("New modifications to the specification")
email.to = EmailRecipients(EmailAddress("*****@*****.**"),
EmailAddress("*****@*****.**"))
email.from_ = EmailAddress("*****@*****.**")
print Observables(email).to_xml()
def object_from_dict(cls, win_file_dict, win_file_obj = None):
"""Create the Win File Object object representation from an input dictionary"""
if win_file_obj == None:
win_file_obj = File.object_from_dict(win_file_doct, win_file_binding.WindowsFileObjectType())
win_file_obj.set_anyAttributes_({'xsi:type' : 'WinFileObj:WinFileObjectType'})
for key, value in win_file_dict.items():
if key == 'filename_accesssed_time' and utils.test_value(value):
win_file_obj.set_Filename_Accessed_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
elif key == 'filename_created_time' and utils.test_value(value):
win_file_obj.set_Filename_Created_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
elif key == 'filename_modified_time' and utils.test_value(value):
win_file_obj.set_Filename_Modified_Time(Base_Object_Attribute.object_from_dict(common_types_binding.DateTimeObjectAttributeType(datatype='DateTime'),value))
elif key == 'drive' and utils.test_value(value):
win_file_obj.set_Drive(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'security_id' and utils.test_value(value):
win_file_obj.set_Security_ID(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'security_type' and utils.test_value(value):
win_file_obj.set_Security_Type(Base_Object_Attribute.object_from_dict(common_types_binding.StringObjectAttributeType(datatype='String'),value))
elif key == 'stream_list':
stream_list_obj = win_file_binding.StreamListType()
for stream_dict in value:
stream_obj = Stream.object_from_dict(stream_dict)
if stream_obj.hasContent_() : stream_list_obj.add_Stream(stream_obj)
if stream_list_obj.hasContent_() : win_file_obj.set_Stream_List(stream_list_obj)
return win_file_obj
def return_attachment_composition(self, attribute):
file_object = File()
file_object.file_name = attribute.value
file_object.parent.id_ = "{}:FileObject-{}".format(self.namespace_prefix, attribute.uuid)
if 'data' in attribute:
observable_artifact = self.create_artifact_object(attribute, artifact="a")
observable_file = Observable(file_object)
observable_file.id_ = "{}:observable-file-{}".format(self.namespace_prefix, attribute.uuid)
observable = Observable()
composition = ObservableComposition(observables=[observable_artifact, observable_file])
observable.observable_composition = composition
else:
observable = Observable(file_object)
observable.id_ = "{}:observable-{}".format(self.namespace_prefix, attribute.uuid)
if attribute.comment:
observable.description = attribute.comment
return observable
def generate_file_observable(self, filename, h_value, fuzzy):
file_object = File()
if filename:
if '/' in filename or '\\' in filename:
file_object.file_path = ntpath.dirname(filename)
file_object.file_path.condition = "Equals"
file_object.file_name = ntpath.basename(filename)
file_object.file_name.condition = "Equals"
else:
file_object.file_name = filename
file_object.file_name.condition = "Equals"
if h_value:
file_object.add_hash(Hash(hash_value=h_value, exact=True))
if fuzzy:
try:
self.resolve_fuzzy(file_object, h_value, "Hashes")
except KeyError:
field_type = ""
for f in file_object._fields:
if f.name == "Hashes":
field_type = f
break
if field_type:
self.resolve_fuzzy(file_object, h_value, field_type)
return file_object
def add_malware(hashVal, TTPTitle, malware_uuid):
malware_instance = MalwareInstance()
malware_instance.add_name(TTPTitle)
# malware_instance.add_type("Malware")
ttp = TTP(title=TTPTitle)
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware_instance)
file_object = File()
file_object.add_hash(Hash(hashVal))
file_object.hashes[0].simple_hash_value.condition = "Equals"
indicator = Indicator(id_="indicator-{0}".format(malware_uuid),
title="File hash")
indicator.add_indicator_type("File Hash Watchlist")
indicator.add_observable(file_object)
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
return (indicator)
def main():
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now(tzutc()))
indicator.add_object(f)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example "
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
print(stix_package.to_xml())
def returnAttachmentComposition(attribute):
file_object = File()
file_object.file_name = attribute["value"]
file_object.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":file-" + attribute["uuid"]
observable = Observable()
if "data" in attribute:
artifact = Artifact(data = attribute["data"])
artifact.parent.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":artifact-" + attribute["uuid"]
observable_artifact = Observable(artifact)
observable_artifact.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-artifact-" + attribute["uuid"]
observable_file = Observable(file_object)
observable_file.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-file-" + attribute["uuid"]
composition = ObservableComposition(observables = [observable_artifact, observable_file])
observable.observable_composition = composition
else:
observable = Observable(file_object)
observable.id_ = cybox.utils.idgen.__generator.namespace.prefix + ":observable-" + attribute["uuid"]
if attribute["comment"] != "":
observable.description = attribute["comment"]
return observable
def to_cybox(self, exclude=None):
if exclude == None:
exclude = []
observables = []
f = File()
for attr in ['md5', 'sha1', 'sha256']:
if attr not in exclude:
val = getattr(self, attr, None)
if val:
setattr(f, attr, val)
if self.ssdeep and 'ssdeep' not in exclude:
f.add_hash(Hash(self.ssdeep, Hash.TYPE_SSDEEP))
if 'size' not in exclude and 'size_in_bytes' not in exclude:
f.size_in_bytes = UnsignedLong(self.size)
if 'filename' not in exclude and 'file_name' not in exclude:
f.file_name = self.filename
# create an Artifact object for the binary if it exists
if 'filedata' not in exclude:
data = self.filedata.read()
if data:
data = base64.b64encode(data)
a = Artifact(data=data, type_=Artifact.TYPE_FILE)
observables.append(Observable(a))
#if 'filetype' not in exclude and 'file_format' not in exclude:
#NOTE: this doesn't work because the CybOX File object does not
# have any support built in for setting the filetype to a
# CybOX-binding friendly object (e.g., calling .to_dict() on
# the resulting CybOX object fails on this field.
#f.file_format = self.filetype
observables.append(Observable(f))
return (observables, self.releasability)
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def create_file_object(file_path, original_file_path):
"""
:type file_path: string
:type original_file_path: string
:rtype: File
"""
f = File()
f.file_name = os.path.basename(file_path)
f.file_extension = os.path.splitext(file_path)[1]
f.file_path = original_file_path
f.file_format = magic.from_file(file_path)
f.size_in_bytes = os.path.getsize(file_path)
f.sha256 = sha256_checksum(file_path)
return f
def main():
shv = Hash()
shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F"
f = File()
h = Hash(shv, Hash.TYPE_MD5)
f.add_hash(h)
indicator = Indicator()
indicator.title = "File Hash Example"
indicator.description = "An indicator containing a File observable with an associated hash"
indicator.set_producer_identity("The MITRE Corporation")
indicator.set_produced_time(datetime.now())
indicator.add_object(f)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Example 02"
stix_package.stix_header = stix_header
stix_package.add_indicator(indicator)
print(stix_package.to_xml())
def generateFileObservable(filenameValue, hashValue):
file_object = File()
if (filenameValue != ""):
if (("/" in filenameValue) or ("\\" in filenameValue)):
file_object.file_path = ntpath.dirname(filenameValue)
file_object.file_name = ntpath.basename(filenameValue)
else:
file_object.file_name = filenameValue
if (hashValue != ""):
file_object.add_hash(Hash(hashValue))
return file_object
def test_set_hashes(self):
f = File()
f.md5 = EMPTY_MD5
f.sha1 = EMPTY_SHA1
f.sha224 = EMPTY_SHA224
f.sha256 = EMPTY_SHA256
f.sha384 = EMPTY_SHA384
f.sha512 = EMPTY_SHA512
self.assertEqual(EMPTY_MD5, f.md5)
self.assertEqual(EMPTY_SHA1, f.sha1)
self.assertEqual(EMPTY_SHA224, f.sha224)
self.assertEqual(EMPTY_SHA256, f.sha256)
self.assertEqual(EMPTY_SHA384, f.sha384)
self.assertEqual(EMPTY_SHA512, f.sha512)
def __create_cybox_files(self, msg):
"""Returns a list of CybOX File objects from the message.
Attachments can be identified within multipart messages by their
Content-Disposition header.
Ex: Content-Disposition: attachment; filename="foobar.jpg"
"""
files = []
if self.__verbose_output:
sys.stderr.write("** parsing attachments\n")
# extract the email attachments into their own FileObjectType objects
if msg.is_multipart():
for part in msg.get_payload():
if 'content-disposition' in part:
# if it's an attachment-type, pull out the filename
# and calculate the size in bytes
file_name = part.get_filename(failobj='')
file_data = part.get_payload(decode=True)
#PGP Encrypted could come back as None and ''
if file_name or file_data:
f = File()
#Do what we can with what came back from the payload parsing
if file_name:
f.file_name = file_name
f.file_extension = os.path.splitext(file_name)[1]
if file_data:
f.size = len(file_data)
hashes = []
hashes.append(hashlib.md5(file_data).hexdigest())
hashes.append(hashlib.sha1(file_data).hexdigest())
hashes.append(hashlib.sha256(file_data).hexdigest())
hashes.append(hashlib.sha384(file_data).hexdigest())
for hash in hashes:
f.add_hash(hash)
files.append(f)
#TODO: add support for created and modified dates
#modified_date = self.__get_attachment_modified_date(part)
#created_date = self.__get_attachment_created_date(part)
if self.__verbose_output:
sys.stderr.write("** creating file object for: %s, size: %d bytes\n" % (f.file_name, f.size))
return files
