def __create_cybox_main_file(self, fdict):
f = File()
f.file_name = String(fdict['filename'])
try:
f.file_extension = String('.'+fdict['filename'].rsplit('.')[-1])
except:
f.file_extension = ""
f.size_in_bytes = int(fdict['size'])
f.add_hash(Hash(fdict['md5'], type_="MD5", exact=True))
f.add_hash(Hash(fdict['sha1'], type_="SHA1", exact=True))
f.add_hash(Hash(fdict['sha256'], type_="SHA256", exact=True))
return f
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
def main():
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
# Create the indicator for just the subject
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
email_subject_object.header.subject.condition = "StartsWith"
email_subject_indicator = Indicator()
email_subject_indicator.title = "Malicious E-mail Subject Line"
email_subject_indicator.add_indicator_type("Malicious E-mail")
email_subject_indicator.observable = email_subject_object
email_subject_indicator.confidence = "Low"
# Create the indicator for just the attachment
file_attachment_object = EmailMessage()
file_attachment_object.attachments = Attachments()
attached_file_object = File()
attached_file_object.file_name = "Final Report"
attached_file_object.file_name.condition = "StartsWith"
attached_file_object.file_extension = "doc.exe"
attached_file_object.file_extension.condition = "Equals"
file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
file_attachment_object.attachments.append(file_attachment_object.parent.id_)
indicator_attachment = Indicator()
indicator_attachment.title = "Malicious E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "Low"
# Create the combined indicator w/ both subject an attachment
full_email_object = EmailMessage()
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(file_attachment_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.subject = "[IMPORTANT] Please Review Before"
full_email_object.header.subject.condition = "StartsWith"
combined_indicator = Indicator(title="Malicious E-mail")
combined_indicator.add_indicator_type("Malicious E-mail")
combined_indicator.confidence = Confidence(value="High")
combined_indicator.observable = full_email_object
email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
print stix_package.to_xml()
def __create_cybox_files(self, msg):
"""Returns a list of CybOX File objects from the message.
Attachments can be identified within multipart messages by their
Content-Disposition header.
Ex: Content-Disposition: attachment; filename="foobar.jpg"
"""
files = []
if self.__verbose_output:
sys.stderr.write("** parsing attachments\n")
# extract the email attachments into their own FileObjectType objects
if msg.is_multipart():
for part in msg.get_payload():
if 'content-disposition' in part:
# if it's an attachment-type, pull out the filename
# and calculate the size in bytes
file_name = part.get_filename(failobj='')
file_data = part.get_payload(decode=True)
#PGP Encrypted could come back as None and ''
if file_name or file_data:
f = File()
#Do what we can with what came back from the payload parsing
if file_name:
f.file_name = file_name
f.file_extension = os.path.splitext(file_name)[1]
if file_data:
f.size = len(file_data)
hashes = []
hashes.append(hashlib.md5(file_data).hexdigest())
hashes.append(hashlib.sha1(file_data).hexdigest())
hashes.append(hashlib.sha256(file_data).hexdigest())
hashes.append(hashlib.sha384(file_data).hexdigest())
for hash in hashes:
f.add_hash(hash)
files.append(f)
#TODO: add support for created and modified dates
#modified_date = self.__get_attachment_modified_date(part)
#created_date = self.__get_attachment_created_date(part)
if self.__verbose_output:
sys.stderr.write("** creating file object for: %s, size: %d bytes\n" % (f.file_name, f.size))
return files
def cybox_object_file(obj, meta=None):
# TODO: missing File_Custom_Properties
f = File()
if obj.md5_hash != 'No MD5':
f.add_hash(Hash(obj.md5_hash))
if obj.sha256_hash != 'No SHA256':
f.add_hash(Hash(obj.sha256_hash))
if meta:
f.file_name = meta.file_name
f.file_extension = meta.file_extension
f.file_path = meta.file_path
f.size_in_bytes = meta.file_size
return f
def cybox_object_file(obj, meta=None):
# TODO: missing File_Custom_Properties
f = File()
if obj.md5_hash != 'No MD5':
f.add_hash(Hash(obj.md5_hash))
if obj.sha256_hash != 'No SHA256':
f.add_hash(Hash(obj.sha256_hash))
if meta:
f.file_name = meta.file_name
f.file_extension = meta.file_extension
f.file_path = meta.file_path
f.size_in_bytes = meta.file_size
return f
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def create_file_object(file_path, original_file_path):
"""
:type file_path: string
:type original_file_path: string
:rtype: File
"""
f = File()
f.file_name = os.path.basename(file_path)
f.file_extension = os.path.splitext(file_path)[1]
f.file_path = original_file_path
f.file_format = magic.from_file(file_path)
f.size_in_bytes = os.path.getsize(file_path)
f.sha256 = sha256_checksum(file_path)
return f
def main():
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print(Observables(o).to_xml())
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print Observables(o).to_xml()
def main():
NS = cybox.utils.Namespace("http://example.com/", "example")
cybox.utils.set_id_namespace(NS)
h = Hash("a7a0390e99406f8975a1895860f55f2f")
f = File()
f.file_name = "bad_file24.exe"
f.file_path = "AppData\Mozilla"
f.file_extension = ".exe"
f.size_in_bytes = 3282
f.add_hash(h)
o = Observable(f)
o.description = "This observable specifies a specific file observation."
print Observables(o).to_xml()
def __create_cybox_dropped_files(self, dropps, main_sha256):
dropped = []
if not dropps:
return dropped
for item in dropps:
""" skip original file """
if item['sha256'] == main_sha256:
continue
f = File()
f.file_name = String(item['name'])
f.file_extension = String('.'+item['name'].rsplit('.')[-1])
f.size_in_bytes = int(item['size'])
f.add_hash(Hash(item['md5'], type_="MD5", exact=True))
f.add_hash(Hash(item['sha1'], type_="SHA1", exact=True))
f.add_hash(Hash(item['sha256'], type_="SHA256", exact=True))
dropped.append(f)
return dropped
def cap2cybox(capob):
NS = cybox.utils.Namespace("http://example.com/","lift_s")
cybox.utils.set_id_namespace(NS)
#ファイル情報
files = File()
root, ext = os.path.splitext(fpath)
path = FilePath(root)
files.file_name = os.path.basename(fpath)
files.file_path = path
files.file_extension = ext
capObser = Observable(files)
capObser.description = u'ファイル情報'
ls = [capObser]
for ob in ls:
capob.add(ob)
return capob
def main():
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
# Create the indicator for just the subject
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
email_subject_object.header.subject.condition = "StartsWith"
email_subject_indicator = Indicator()
email_subject_indicator.title = "Malicious E-mail Subject Line"
email_subject_indicator.add_indicator_type("Malicious E-mail")
email_subject_indicator.observable = email_subject_object
email_subject_indicator.confidence = "Low"
# Create the indicator for just the attachment
file_attachment_object = EmailMessage()
file_attachment_object.attachments = Attachments()
attached_file_object = File()
attached_file_object.file_name = "Final Report"
attached_file_object.file_name.condition = "StartsWith"
attached_file_object.file_extension = "doc.exe"
attached_file_object.file_extension.condition = "Equals"
file_attachment_object.add_related(attached_file_object,
"Contains",
inline=True)
file_attachment_object.attachments.append(attached_file_object.parent.id_)
indicator_attachment = Indicator()
indicator_attachment.title = "Malicious E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "Low"
# Create the combined indicator w/ both subject an attachment
full_email_object = EmailMessage()
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(attached_file_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.subject = "[IMPORTANT] Please Review Before"
full_email_object.header.subject.condition = "StartsWith"
combined_indicator = Indicator(title="Malicious E-mail")
combined_indicator.add_indicator_type("Malicious E-mail")
combined_indicator.confidence = Confidence(value="High")
combined_indicator.observable = full_email_object
email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(combined_indicator)
stix_package.add_indicator(email_subject_indicator)
stix_package.add_indicator(indicator_attachment)
print(stix_package.to_xml(encoding=None))
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(
idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
