    def test_fields(self):
        """Plain str values assigned to File fields are wrapped in their CybOX types."""
        file_obj = File()

        # file_name becomes a generic String property...
        file_obj.file_name = "blah.exe"
        self.assertEqual(type(file_obj.file_name), String)

        # ...while file_path gets the dedicated FilePath type.
        file_obj.file_path = "C:\\Temp"
        self.assertEqual(type(file_obj.file_path), FilePath)
ファイル: misp2stix.py プロジェクト: luannguyen81/MISP
 def generate_file_observable(self, filename, h_value, fuzzy):
     """Build a CybOX File object from a MISP filename and/or hash attribute.

     :param filename: file name, optionally with a directory part (either
         separator style); a falsy value leaves name and path unset.
     :param h_value: hash string; a falsy value emits no hash.
     :param fuzzy: when true, ``h_value`` is handed to ``self.resolve_fuzzy``
         so it is recorded as a fuzzy hash.
     :rtype: File
     """
     file_object = File()
     if filename:
         # ntpath splits on both '\\' and '/', so Windows and POSIX style
         # paths are handled uniformly. Conditions are pinned to "Equals"
         # so the resulting pattern is an exact match.
         if '/' in filename or '\\' in filename:
             file_object.file_path = ntpath.dirname(filename)
             file_object.file_path.condition = "Equals"
             file_object.file_name = ntpath.basename(filename)
         else:
             file_object.file_name = filename
         file_object.file_name.condition = "Equals"
     if h_value:
         file_object.add_hash(Hash(hash_value=h_value, exact=True))
         if fuzzy:
             try:
                 self.resolve_fuzzy(file_object, h_value, "Hashes")
             except KeyError:
                 # Fallback when "Hashes" cannot be looked up by name: scan
                 # _fields for the field object called "Hashes" and pass that
                 # instead (presumably a cybox/mixbox layout difference —
                 # confirm against the installed version).
                 hashes_field = next(
                     (fld for fld in file_object._fields if fld.name == "Hashes"),
                     "")
                 if hashes_field:
                     self.resolve_fuzzy(file_object, h_value, hashes_field)
     return file_object
ファイル: file_test.py プロジェクト: pfinn1977/python-cybox
    def test_fields(self):
        """Assigning str values to a File yields the matching CybOX field types."""
        sample = File()
        sample.file_name = "blah.exe"
        sample.file_path = "C:\\Temp"

        # Both assignments are independent; check the wrapper types afterwards.
        self.assertEqual(String, type(sample.file_name))
        self.assertEqual(FilePath, type(sample.file_path))
 def __get_source_objs(self):
     """Return the source CybOX File objects for this report (a single entry).

     The entry describes the Android email provider database with fixed
     literal values; nothing is read from a device here.
     :rtype: list[File]
     """
     email_db = File()
     email_db.file_name = 'emailprovider.db'
     email_db.file_path = '/data/data/com.android.providers.email/databases/'
     email_db.file_format = 'SQLite 3.x database'
     # NOTE(review): the size is a str here whereas other File builders in
     # this corpus pass an int; presumably cybox coerces it — confirm.
     email_db.size_in_bytes = '2374'
     # No explicit hash type is given; cybox presumably infers it from the
     # 32-hex-digit value.
     email_db.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))
     return [email_db]
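    def test_file_path(self):
        """An environment-variable prefix in File_Path is normalized to its CSIDL name."""
        # Raw strings are required: in a plain literal "\a" is the BEL escape
        # (0x07), so the previous fixture contained "%WinDir%<BEL>bcd.dll" and
        # never exercised a real backslash-separated Windows path.
        file_path_string = r"%WinDir%\abcd.dll"
        normalized_file_path_string = r"CSIDL_WINDOWS\abcd.dll"

        file_obj = File()
        file_obj.file_path = file_path_string

        normalize_object_properties(file_obj)

        # Only the %WinDir% prefix should change; the rest of the path is kept.
        self.assertEqual(file_obj.file_path.value, normalized_file_path_string)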
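    def test_file_path(self):
        """Normalizing a File_Path rewrites %WinDir% to CSIDL_WINDOWS and keeps the rest."""
        # Use raw strings: "\a" in a normal literal is the BEL character, so
        # the fixture previously held no backslash at all before "abcd.dll".
        file_path_string = r"%WinDir%\abcd.dll"
        normalized_file_path_string = r"CSIDL_WINDOWS\abcd.dll"

        file_obj = File()
        file_obj.file_path = file_path_string

        normalize_object_properties(file_obj)

        self.assertEqual(file_obj.file_path.value, normalized_file_path_string)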
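def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File object from a MISP filename and/or hash value.

    :param filenameValue: file name, optionally prefixed with a directory in
        either separator style; "" means no name/path is set.
    :param hashValue: hash string to attach; "" means no hash is set.
    :rtype: File
    """
    file_object = File()
    if (filenameValue != ""):
        # ntpath splits on both '\\' and '/', so Windows and POSIX paths
        # are handled the same way.
        if (("/" in filenameValue) or ("\\" in filenameValue)):
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
    # The hash check is deliberately outside the filename block (as in the
    # sibling implementations): a hash-only attribute with an empty filename
    # must still produce a File carrying its hash, otherwise the indicator is
    # emitted with nothing to match on.
    if (hashValue != ""):
        file_object.add_hash(Hash(hashValue))
    return file_object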
ファイル: misp2cybox.py プロジェクト: cnbird1999/MISP
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File object from a MISP filename and/or hash value.

    :param filenameValue: file name, optionally with a directory part in
        either separator style; "" sets neither name nor path.
    :param hashValue: hash string; "" attaches no hash.
    :rtype: File
    """
    file_object = File()
    if (filenameValue != ""):
        has_directory = ("/" in filenameValue) or ("\\" in filenameValue)
        if has_directory:
            # ntpath.split handles both separators; head is the directory,
            # tail the final component.
            directory, leaf = ntpath.split(filenameValue)
            file_object.file_path = directory
            file_object.file_name = leaf
        else:
            file_object.file_name = filenameValue
    # Hash is independent of the filename, so a hash-only attribute still
    # yields a File with its hash.
    if (hashValue != ""):
        file_object.add_hash(Hash(hashValue))
    return file_object
ファイル: utils.py プロジェクト: zeroq/kraut_salad
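def cybox_object_file(obj, meta=None):
    """Build a CybOX File object from a kraut_salad file record.

    :param obj: record exposing ``md5_hash`` and ``sha256_hash``; the literal
        placeholders ``'No MD5'`` / ``'No SHA256'`` mean "unknown".
    :param meta: optional record with ``file_name``, ``file_extension``,
        ``file_path`` and ``file_size``; copied onto the File when given.
    :rtype: File
    """
    # TODO: missing File_Custom_Properties
    f = File()
    # Skip the placeholder sentinels and also empty/None values, so a record
    # without a hash does not produce an empty <Hash> element.
    md5 = obj.md5_hash
    if md5 and md5 != 'No MD5':
        f.add_hash(Hash(md5))
    sha256 = obj.sha256_hash
    if sha256 and sha256 != 'No SHA256':
        f.add_hash(Hash(sha256))
    if meta:
        f.file_name = meta.file_name
        f.file_extension = meta.file_extension
        f.file_path = meta.file_path
        f.size_in_bytes = meta.file_size
    return f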
ファイル: utils.py プロジェクト: gregtampa/kraut_salad
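def cybox_object_file(obj, meta=None):
    """Convert a kraut_salad file record (plus optional metadata) to a CybOX File.

    :param obj: record with ``md5_hash`` and ``sha256_hash`` attributes, where
        ``'No MD5'`` / ``'No SHA256'`` are the "unknown" placeholders.
    :param meta: optional record providing name, extension, path and size.
    :rtype: File
    """
    # TODO: missing File_Custom_Properties
    f = File()
    # Guard against empty/None as well as the sentinel strings; otherwise an
    # empty Hash element would be emitted for records without a hash.
    for digest, sentinel in ((obj.md5_hash, 'No MD5'),
                             (obj.sha256_hash, 'No SHA256')):
        if digest and digest != sentinel:
            f.add_hash(Hash(digest))
    if meta:
        f.file_name = meta.file_name
        f.file_extension = meta.file_extension
        f.file_path = meta.file_path
        f.size_in_bytes = meta.file_size
    return f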
def main():
    """Print a one-observable CybOX document describing a suspect file."""
    file_hash = Hash("a7a0390e99406f8975a1895860f55f2f")

    suspect = File()
    suspect.file_name = "bad_file24.exe"
    # "\M" is not an escape sequence, so this literal is the intended path;
    # a raw string or doubled backslashes would be safer (e.g. "\t" would
    # silently turn into a tab).
    suspect.file_path = "AppData\Mozilla"
    suspect.file_extension = ".exe"
    suspect.size_in_bytes = 3282
    suspect.add_hash(file_hash)

    observable = Observable(suspect)
    observable.description = "This observable specifies a specific file observation."

    print(Observables(observable).to_xml())
ファイル: misp2cybox.py プロジェクト: mzje/MISP
def generateFileObservable(filenameValue, hashValue):
    """Build a CybOX File object with exact-match conditions from MISP values.

    :param filenameValue: file name, optionally with a directory part in
        either separator style; "" sets neither name nor path.
    :param hashValue: hash string; "" attaches no hash.
    :rtype: File
    """
    file_object = File()
    if (filenameValue != ""):
        # ntpath handles both '\\' and '/' separators. Every field gets an
        # explicit "Equals" condition so the pattern is an exact match.
        if (("/" in filenameValue) or ("\\" in filenameValue)):
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
        file_object.file_name.condition = "Equals"
    if (hashValue != ""):
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
    return file_object
def create_file_object(file_path, original_file_path):
    """Describe the file stored at ``file_path`` as a CybOX File.

    :type file_path: string -- local path the name, type, size and SHA-256
        are read from
    :type original_file_path: string -- path recorded in the object (the
        local path itself is not exposed)
    :rtype: File
    """
    name = os.path.basename(file_path)
    # splitext keeps the leading dot, e.g. ".exe".
    extension = os.path.splitext(file_path)[1]

    file_obj = File()
    file_obj.file_name = name
    file_obj.file_extension = extension
    file_obj.file_path = original_file_path
    # Content-based type description from libmagic, independent of the
    # extension.
    file_obj.file_format = magic.from_file(file_path)
    file_obj.size_in_bytes = os.path.getsize(file_path)
    file_obj.sha256 = sha256_checksum(file_path)
    return file_obj
def main():
    """Emit a CybOX Observables document for one hard-coded file observation."""
    bad_file = File()
    bad_file.file_name = "bad_file24.exe"
    # "\M" is not an escape, so the literal is the intended path; prefer a
    # raw string for Windows paths to avoid surprises with "\t", "\a", etc.
    bad_file.file_path = "AppData\Mozilla"
    bad_file.file_extension = ".exe"
    bad_file.size_in_bytes = 3282
    bad_file.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))

    obs = Observable(bad_file)
    obs.description = "This observable specifies a specific file observation."

    print(Observables(obs).to_xml())
ファイル: se_03.py プロジェクト: 2xyo/python-cybox
def main():
    """Print a CybOX document for notepad.exe keyed by MD5, SHA-1 and SHA-256 (Python 2)."""
    print '<?xml version="1.0" encoding="UTF-8"?>'

    # exact=True on each hash; the digest lengths (32/40/64 hex digits)
    # correspond to MD5, SHA-1 and SHA-256.
    digests = [
        Hash("59a7078444ee3c862e4c08b601ed7e01", exact=True),
        Hash("98e969b49ff2aedf66b94eb82c54b916f1a634cd", exact=True),
        Hash("1706c7cd14a5c9bbf674b21f9c4f873ac04b7a6f1f2202cd0c5977c48968d188", exact=True),
    ]

    notepad = File()
    notepad.file_name = "notepad.exe"
    # "\T" is not an escape sequence, so this literal is the intended path.
    notepad.file_path = "C:\Temp"
    for digest in digests:
        notepad.add_hash(digest)

    print Observables(notepad).to_xml()
ファイル: cowrie_to_stix.py プロジェクト: mmali277/CybOX
def create_file_observable(ct, bol):
    """Build a CybOX File object for cowrie event ``ct`` from the module-level ``d``.

    :param ct: key into the global ``d`` mapping of parsed cowrie events.
    :param bol: when False, the event is also expected to carry ``size`` and
        ``duration``, which are copied as well.
    :rtype: File
    """
    event = d[ct]
    obj = File()
    obj.file_path = event['ttylog']
    obj.accessed_time = event['timestamp']
    obj.custom_properties = CustomProperties()
    if bol == False:
        obj.size_in_bytes = event['size']
        create_custom_properties(obj, "session_Duration", event['duration'])
    # The remaining event fields have no native File property and travel as
    # custom properties.
    for prop_name, event_key in (("Event_Name", 'eventid'),
                                 ("Message", 'message'),
                                 ("Service", 'system'),
                                 ("Host", 'sensor'),
                                 ("Source_IP_Address", 'src_ip')):
        create_custom_properties(obj, prop_name, event[event_key])

    return obj
def main():
    """Print a CybOX document for one file observation under the example namespace (Python 2)."""
    # Register the ID namespace before creating any entity so generated ids
    # use the "example" prefix.
    cybox.utils.set_id_namespace(
        cybox.utils.Namespace("http://example.com/", "example"))

    bad_file = File()
    bad_file.file_name = "bad_file24.exe"
    # "\M" is not an escape, so the literal holds the intended path.
    bad_file.file_path = "AppData\Mozilla"
    bad_file.file_extension = ".exe"
    bad_file.size_in_bytes = 3282
    bad_file.add_hash(Hash("a7a0390e99406f8975a1895860f55f2f"))

    obs = Observable(bad_file)
    obs.description = "This observable specifies a specific file observation."

    print Observables(obs).to_xml()
def main():
    """Build and print a single-file CybOX Observables document (Python 2 print)."""
    namespace = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(namespace)

    md5_hash = Hash("a7a0390e99406f8975a1895860f55f2f")

    suspect = File()
    suspect.file_name = "bad_file24.exe"
    # Not an escape sequence ("\M"), so the path survives as written; a raw
    # string would make that explicit.
    suspect.file_path = "AppData\Mozilla"
    suspect.file_extension = ".exe"
    suspect.size_in_bytes = 3282
    suspect.add_hash(md5_hash)

    observable = Observable(suspect)
    observable.description = "This observable specifies a specific file observation."

    print Observables(observable).to_xml()
ファイル: report.py プロジェクト: geliefan/Python_mycode
def cap2cybox(capob):
  """Append a File observable describing ``fpath`` to ``capob`` and return it.

  :param capob: container exposing ``add(observable)``.
  NOTE(review): ``fpath`` is not a parameter — it is read from the enclosing
  module/global scope, so this only works once that name is bound.
  """
  NS = cybox.utils.Namespace("http://example.com/","lift_s")
  cybox.utils.set_id_namespace(NS)

  # File information. Note that the path minus its extension (not the parent
  # directory) is what gets stored as File_Path — preserved as written.
  stem, ext = os.path.splitext(fpath)
  file_info = File()
  file_info.file_name = os.path.basename(fpath)
  file_info.file_path = FilePath(stem)
  file_info.file_extension = ext

  observable = Observable(file_info)
  observable.description = u'ファイル情報'
  capob.add(observable)
  return capob
ファイル: misp2cybox.py プロジェクト: rhaist/MISP
def generateFileObservable(filenameValue, hashValue, fuzzy):
    """Build a CybOX File object from MISP filename/hash values, fuzzy-hash aware.

    :param filenameValue: file name, optionally with a directory part in
        either separator style; "" sets neither name nor path.
    :param hashValue: hash string; "" attaches no hash.
    :param fuzzy: truthy when ``hashValue`` is an ssdeep hash; the hash is
        then re-labelled as a fuzzy hash instead of a simple one.
    :rtype: File
    """
    file_object = File()
    if (filenameValue != ""):
        has_directory = ("/" in filenameValue) or ("\\" in filenameValue)
        if has_directory:
            file_object.file_path = ntpath.dirname(filenameValue)
            file_object.file_path.condition = "Equals"
            file_object.file_name = ntpath.basename(filenameValue)
        else:
            file_object.file_name = filenameValue
        # Exact-match condition on the name in both branches.
        file_object.file_name.condition = "Equals"
    if (hashValue != ""):
        file_object.add_hash(Hash(hash_value=hashValue, exact=True))
        if (fuzzy):
            # Re-label the hash just added as an ssdeep fuzzy hash. This pokes
            # at private cybox internals (_fields/_inner); the public
            # ``file_object.hashes[0]`` presumably refers to the same object —
            # confirm before switching to it.
            fuzzy_hash = file_object._fields["Hashes"]._inner[0]
            fuzzy_hash.simple_hash_value = None
            fuzzy_hash.fuzzy_hash_value = hashValue
            fuzzy_hash.fuzzy_hash_value.condition = "Equals"
            fuzzy_hash.type_ = Hash.TYPE_SSDEEP
            fuzzy_hash.type_.condition = "Equals"
    return file_object
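def main():
    """Emit a STIX package describing the Install+plugin1.exe dropper and its payload.

    Four indicators (two file hashes, one Run-key persistence entry, one IP
    address) are tied to a single TTP carrying the malware instance.
    """
    stix_package = STIXPackage()

    malware_instance = MalwareInstance()
    malware_instance.add_name("plugin1.exe")
    # Not really remote access, but no closer type was identified.
    malware_instance.add_type("Remote Access Trojan")

    ttp = TTP(title="Install+plugin1.exe")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    # Observable 1: Install+plugin1.exe, matched on an exact SHA-256.
    file_object = File()
    file_object.file_name = "Install+plugin1.exe"
    file_object.add_hash(
        Hash("164ecfc36893ee368a3c4cb2fd500b58262f1b87de1e68df74390db0b5445915"))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    # Observable 2: plugin1.exe
    # http://cybox.readthedocs.io/en/stable/examples.html#creating-observables
    file_plugin1 = File()
    file_plugin1.file_name = "plugin1.exe"
    # Every backslash is doubled. The original "\plugin1" only survived because
    # "\p" is not an escape sequence; "\t" or "\a" would not have.
    file_plugin1.file_path = "C:\\Users\\Default\\AppData\\Local\\temp\\plugin1"
    file_plugin1.add_hash(
        Hash("ae768b62f5fef4dd604e1b736bdbc3ed30417ef4f67bff74bb57f779d794d6df"))
    file_plugin1.hashes[0].simple_hash_value.condition = "Equals"

    # Observable 3: registry Run key (autostart persistence)
    # http://cybox.readthedocs.io/en/stable/api/coverage.html
    registry_object = WinRegistryKey()
    registry_object.name = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Ultron Updater"

    # Observable 4: network traffic
    # http://stixproject.github.io/documentation/idioms/malware-hash/
    # Source/destination role and protocol are not expressed here (not worked
    # out how to do it correctly); only the address is recorded.
    addr = Address(address_value="192.168.52.219", category=Address.CAT_IPV4)

    # Indicator 1: Install+plugin1.exe
    indicator = Indicator(title="File hash for Install+plugin.exe")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    # Indicator 2: plugin1.exe
    indicator2 = Indicator(title="File hash for plugin1.exe")
    indicator2.add_indicator_type("File Hash Watchlist")
    indicator2.add_observable(file_plugin1)
    indicator2.add_indicated_ttp(TTP(idref=ttp.id_))

    # Indicator 3: registry key
    indicator3 = Indicator(title="Registry entry for Install+plugin.exe")
    indicator3.add_indicator_type("Malware Artifacts")
    indicator3.add_observable(registry_object)
    indicator3.add_indicated_ttp(TTP(idref=ttp.id_))

    # Indicator 4: network traffic
    indicator4 = Indicator(title="Network Traffic for plugine1.exe")
    # Fix: this type was previously added to `indicator` (the first file-hash
    # indicator), which mislabelled it and left indicator4 without a type.
    indicator4.add_indicator_type("IP Watchlist")
    indicator4.add_observable(Observable(addr))
    indicator4.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_indicator(indicator2)
    stix_package.add_indicator(indicator3)
    stix_package.add_indicator(indicator4)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))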