def test_process_image_info_path(self):
file_path_string = "C:\Windows\System32\abcd.dll"
normalized_file_path_string = "CSIDL_SYSTEM\abcd.dll"
process_obj = Process()
process_obj.image_info = ImageInfo()
process_obj.image_info.path = file_path_string
normalize_object_properties(process_obj)
self.assertEqual(process_obj.image_info.path.value, normalized_file_path_string)
def test_process_image_info_path(self):
file_path_string = "C:\Windows\System32\abcd.dll"
normalized_file_path_string = "CSIDL_SYSTEM\abcd.dll"
process_obj = Process()
process_obj.image_info = ImageInfo()
process_obj.image_info.path = file_path_string
normalize_object_properties(process_obj)
self.assertEqual(process_obj.image_info.path.value,
normalized_file_path_string)
def from_dict(win_process_dict, win_process_cls = None):
if not win_process_dict:
return None
if win_process_cls == None:
winprocess_ = Process.from_dict(win_process_dict, WinProcess())
else:
winprocess_ = Process.from_dict(win_process_dict, win_process_cls)
winprocess_.aslr_enabled = win_process_dict.get('aslr_enabled')
winprocess_.dep_enabled = win_process_dict.get('dep_enabled')
winprocess_.handle_list = WinHandleList.from_list(win_process_dict.get('handle_list'))
winprocess_.priority = String.from_dict(win_process_dict.get('priority'))
winprocess_.section_list = [Memory.from_dict(x) for x in win_process_dict.get('section_list', [])]
winprocess_.security_id = String.from_dict(win_process_dict.get('security_id'))
winprocess_.startup_info = StartupInfo.from_dict(win_process_dict.get('startup_info'))
winprocess_.security_type = String.from_dict(win_process_dict.get('security_type'))
winprocess_.window_title = String.from_dict(win_process_dict.get('window_title'))
return winprocess_
def from_dict(process_tree_node_dict):
if not process_tree_node_dict:
return None
process_tree_node_ = Process.from_dict(process_tree_node_dict, ProcessTreeNode())
process_tree_node_.id = process_tree_node_dict.get('id')
process_tree_node_.parent_action_idref = process_tree_node_dict.get('parent_action_idref')
process_tree_node_.initiated_actions = ActionReferenceList.from_list(process_tree_node_dict.get('initiated_actions'))
process_tree_node_.spawned_processes = [ProcessTreeNode.from_dict(x) for x in process_tree_node_dict.get('spawned_processes', [])]
process_tree_node_.injected_processes = [ProcessTreeNode.from_dict(x) for x in process_tree_node_dict.get('injected_processes', [])]
return process_tree_node_
def from_obj(process_tree_node_obj):
if not process_tree_node_obj:
return None
process_tree_node_ = Process.from_obj(process_tree_node_obj, ProcessTreeNode())
process_tree_node_.id = process_tree_node_obj.get_id()
process_tree_node_.parent_action_idref = process_tree_node_obj.get_parent_action_idref()
if process_tree_node_obj.get_Initiated_Actions() is not None:
process_tree_node_.initiated_actions = ActionReferenceList.from_obj(process_tree_node_obj.get_Initiated_Actions())
process_tree_node_.spawned_processes = [ProcessTreeNode.from_obj(x) for x in process_tree_node_obj.get_Spawned_Process()]
process_tree_node_.injected_processes = [ProcessTreeNode.from_obj(x) for x in process_tree_node_obj.get_Injected_Process()]
return process_tree_node_
def from_obj(win_process_obj, win_process_cls = None):
if not win_process_obj:
return None
if win_process_cls == None:
winprocess_ = Process.from_obj(win_process_obj, WinProcess())
else:
winprocess_ = Process.from_obj(win_process_obj, win_process_cls)
winprocess_.aslr_enabled = win_process_obj.get_aslr_enabled()
winprocess_.dep_enabled = win_process_obj.get_dep_enabled()
winprocess_.handle_list = WinHandleList.from_obj(win_process_obj.get_Handle_List())
winprocess_.priority = String.from_obj(win_process_obj.get_Priority())
if win_process_obj.get_Section_List() is not None:
winprocess_.section_list = [Memory.from_obj(x) for x in win_process_obj.get_Section_List().get_Memory_Section()]
winprocess_.security_id = String.from_obj(win_process_obj.get_Security_ID())
winprocess_.startup_info = StartupInfo.from_obj(win_process_obj.get_Startup_Info())
winprocess_.security_type = String.from_obj(win_process_obj.get_Security_Type())
winprocess_.window_title = String.from_obj(win_process_obj.get_Window_Title())
return winprocess_
def _set_search_items_from_process_object(patterns, prop):
u'''
extract and set search key/value items from Cybox binding Process Object
'''
if prop is None or type(prop) != ProcessObjectType:
return
# translate cybox.bindings object to cybox.objects object
obj = Process.from_obj(prop)
# Process
if obj.name is not None:
process = unicode(obj.name)
if process[0] == '[' and process[len(process) - 1] == ']':
_add_search_item(patterns, u"ProcessName",
process[1:len(process) - 2].split(','))
else:
_add_search_item(patterns, u"ProcessName", process)
def createDynamicIndicators(stix_package, dynamicindicators):
filescreated = False
processesstarted = False
regkeyscreated = False
mutexescreated = False
hostscontacted = False
hasdynamicindicators = False
# Here we are just testing to see if the report had any
# of the various dynamic indicator types so we know whether
# or not to process them at all
if len(dynamicindicators['droppedfiles']) > 0:
filescreated = True
hasdynamicindicators = True
if len(dynamicindicators['processes']) > 0:
processesstarted = True
hasdynamicindicators = True
if len(dynamicindicators['regkeys']) > 0:
regkeyscreated = True
hasdynamicindicators = True
if len(dynamicindicators['mutexes']) > 0:
mutexescreated = True
hasdynamicindicators = True
if len(dynamicindicators['hosts']) > 0:
hostscontacted = True
hasdynamicindicators = True
if not hasdynamicindicators:
return
if filescreated:
createdfilesind = Indicator()
for createdfile in dynamicindicators['droppedfiles']:
createdfilename = File()
createdfilename.file_name = createdfile[0]
createdfilename.size_in_bytes = createdfile[1]
createdfilename.md5 = createdfile[2]
createdfilename.sha1 = createdfile[3]
createdfilename.sha256 = createdfile[4]
createdfilesind.add_observable(Observable(createdfilename))
stix_package.add_indicator(createdfilesind)
if processesstarted:
procindicator = Indicator()
for process in dynamicindicators['processes']:
# Process name
processname = process[0]
# Process pid
processpid = process[1]
# Process parent pid
processparentpid = process[2]
proc = Process()
proc.name = processname
proc.pid = processpid
proc.parent_pid = processparentpid
procindicator.add_observable(Observable(proc))
stix_package.add_indicator(procindicator)
if regkeyscreated:
regindicator = Indicator()
keypath = WinRegistryKey()
for regkey in dynamicindicators['regkeys']:
keypath = WinRegistryKey()
keypath.key = regkey
regindicator.add_observable(Observable(keypath))
stix_package.add_indicator(regindicator)
if not mutexescreated:
mutexind = Indicator()
for mutex in dynamicindicators['mutexes']:
winhandle = WinHandle()
winhandle.name = mutex
winmutex = WinMutex()
winmutex.handle = winhandle
mutexind.add_observable(Observable(winmutex))
stix_package.add_indicator(mutexind)
if hostscontacted:
networkconnectionind = Indicator()
for host in dynamicindicators['hosts']:
networkconnection = NetworkConnection()
socketaddress = SocketAddress()
socketaddress.ip_address = host
networkconnection.destination_socket_address = socketaddress
networkconnectionind.add_observable(Observable(networkconnection))
stix_package.add_indicator(networkconnectionind)
return
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Account":
acct = Account()
acct.description = value
return acct
elif type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
elif type_ == "API":
api = API()
api.description = value
return api
elif type_ == "Artifact":
if name == "Data Region":
atype = Artifact.TYPE_GENERIC
elif name == 'FileSystem Fragment':
atype = Artifact.TYPE_FILE_SYSTEM
elif name == 'Memory Region':
atype = Artifact.TYPE_MEMORY
else:
raise UnsupportedCybOXObjectTypeError(type_, name)
return Artifact(value, atype)
elif type_ == "Code":
obj = Code()
obj.code_segment = value
obj.type = name
return obj
elif type_ == "Disk":
disk = Disk()
disk.disk_name = type_
disk.type = name
return disk
elif type_ == "Disk Partition":
disk = DiskPartition()
disk.device_name = type_
disk.type = name
return disk
elif type_ == "DNS Query":
r = URI()
r.value = value
dq = DNSQuestion()
dq.qname = r
d = DNSQuery()
d.question = dq
return d
elif type_ == "DNS Record":
# DNS Record indicators in CRITs are just a free form text box, there
# is no good way to map them into the attributes of a DNSRecord cybox
# object. So just stuff it in the description until someone tells me
# otherwise.
d = StructuredText(value=value)
dr = DNSRecord()
dr.description = d
return dr
elif type_ == "GUI Dialogbox":
obj = GUIDialogbox()
obj.box_text = value
return obj
elif type_ == "GUI Window":
obj = GUIWindow()
obj.window_display_name = value
return obj
elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
# TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
# we should revisit this as UI is reworked or CybOX is improved.
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == "Library":
obj = Library()
obj.name = value
obj.type = name
return obj
elif type_ == "Memory":
obj = Memory()
obj.memory_source = value
return obj
elif type_ == "Mutex":
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ == "Network Connection":
obj = NetworkConnection()
obj.layer7_protocol = value
return obj
elif type_ == "Pipe":
p = Pipe()
p.named = True
p.name = String(value)
return p
elif type_ == "Port":
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == "Process":
p = Process()
p.name = String(value)
return p
elif type_ == "String":
c = Custom()
c.custom_name = "crits:String"
c.description = ("This is a generic string used as the value of an "
"Indicator or Object within CRITs.")
c.custom_properties = CustomProperties()
p1 = Property()
p1.name = "value"
p1.description = "Generic String"
p1.value = value
c.custom_properties.append(p1)
return c
elif type_ == "System":
s = System()
s.hostname = String(value)
return s
elif type_ == "URI":
r = URI()
r.type_ = name
r.value = value
return r
elif type_ == "User Account":
obj = UserAccount()
obj.username = value
return obj
elif type_ == "Volume":
obj = Volume()
obj.name = value
return obj
elif type_ == "Win Driver":
w = WinDriver()
w.driver_name = String(value)
return w
elif type_ == "Win Event Log":
obj = WinEventLog()
obj.log = value
return obj
elif type_ == "Win Event":
w = WinEvent()
w.name = String(value)
return w
elif type_ == "Win Handle":
obj = WinHandle()
obj.type_ = name
obj.object_address = value
return obj
elif type_ == "Win Kernel Hook":
obj = WinKernelHook()
obj.description = value
return obj
elif type_ == "Win Mailslot":
obj = WinMailslot()
obj.name = value
return obj
elif type_ == "Win Network Share":
obj = WinNetworkShare()
obj.local_path = value
return obj
elif type_ == "Win Process":
obj = WinProcess()
obj.window_title = value
return obj
elif type_ == "Win Registry Key":
obj = WinRegistryKey()
obj.key = value
return obj
elif type_ == "Win Service":
obj = WinService()
obj.service_name = value
return obj
elif type_ == "Win System":
obj = WinSystem()
obj.product_name = value
return obj
elif type_ == "Win Task":
obj = WinTask()
obj.name = value
return obj
elif type_ == "Win User Account":
obj = WinUser()
obj.security_id = value
return obj
elif type_ == "Win Volume":
obj = WinVolume()
obj.drive_letter = value
return obj
elif type_ == "X509 Certificate":
obj = X509Certificate()
obj.raw_certificate = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_, name)
def addsec_to_cybox(as_obtype, as_obdata):
#
# Addition Security to CybOX mappings, for discrete/separate observables
#
# 30: DataTypeSymbolName
if as_obtype == 30:
a = API()
a.function_name = as_obdata
return a
# 32: DataTypeLibraryName
if as_obtype == 32:
l = Library()
l.name = as_obdata
l.path = as_obdata
return l
# 14: DataTypeUsername
if as_obtype == 14:
u = UserAccount()
u.username = as_obdata
return u
# 10: DataTypeFile
if as_obtype == 10:
f = File()
f.full_path = as_obdata
return f
# 23: DataTypeHostname
if as_obtype == 23:
h = Hostname()
h.hostname_value = as_obdata
return h
# 29: DataTypeEnvString
if as_obtype == 29:
# Here, Process is meant to represent the hosting process; then we
# attach the actual environment variable value
p = Process()
p.environment_variable_list = as_obdata
return p
# 17: DataTypeApplication
if as_obtype == 17:
# Particularly on Android, identification of an installed package fits
# somewhere between File and Process, but not quite either. The closest
# fit is around LinuxPackage, which is what we use. We should technically
# derive from it, but we're trying to keep things simple.
p = LinuxPackage()
p.name = as_obdata
return p
# 11: DataTypeX509
# 12: DataTypeX509Subject
# 13: DataTypeX509Issuer
if as_obtype == 11 or as_obtype == 12 or as_obtype == 13:
c = X509Certificate()
if as_obtype == 11: c.raw_certificate = as_obdata.encode('hex')
if as_obtype == 12: c.certificate.subject = as_obdata
if as_obtype == 13: c.certificate.issuer = as_obdata
return c
# 2: DataTypeSHA1Hash
# 7: DataTypeVersionString
# 18: DataTypeString
# 31: DataTypePropertyName
# TODO: find the proper CybOX to represent these; for now, we don't
# report them
return None
def make_cybox_object(type_, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == IndicatorTypes.USER_ID:
acct = Account()
acct.description = value
return acct
elif type_ in IPTypes.values():
if type_ == IPTypes.IPV4_ADDRESS:
name = 'ipv4-addr'
elif type_ == IPTypes.IPV6_ADDRESS:
name = 'ipv6-addr'
elif type_ == IPTypes.IPV4_SUBNET:
name = 'ipv4-net'
elif type_ == IPTypes.IPV6_SUBNET:
name = 'ipv6-net'
return Address(category=name, address_value=value)
elif type_ == IndicatorTypes.API_KEY:
api = API()
api.description = value
return api
elif type_ == IndicatorTypes.DOMAIN:
obj = DomainName()
obj.value = value
elif type_ == IndicatorTypes.USER_AGENT:
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == IndicatorTypes.MUTEX:
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ in (IndicatorTypes.SOURCE_PORT,
IndicatorTypes.DEST_PORT):
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == IndicatorTypes.PROCESS_NAME:
p = Process()
p.name = String(value)
return p
elif type_ == IndicatorTypes.URI:
r = URI()
r.type_ = 'URL'
r.value = value
return r
elif type_ in (IndicatorTypes.REGISTRY_KEY,
IndicatorTypes.REG_KEY_CREATED,
IndicatorTypes.REG_KEY_DELETED,
IndicatorTypes.REG_KEY_ENUMERATED,
IndicatorTypes.REG_KEY_MONITORED,
IndicatorTypes.REG_KEY_OPENED):
obj = WinRegistryKey()
obj.key = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_, name)
def create_discovery_method_instance(self,argument_list=None,child_pid_list=None,creation_time =None,is_hidden=None,image_info=None,extracted_features=None,environment_variable_list=None,
kernel_time=None,name=None,network_connection_list=None,parent_pid=None,pid=None,port_list=None,start_time=None,user_time=None,username=None):
instance = Process()
instance.argument_list= argument_list
instance.child_pid_list=child_pid_list
instance.creation_time = DateTime(creation_time)
instance.username=username
instance.user_time = Duration(user_time)
instance.start_time = DateTime(start_time)
instance.port_list =port_list
instance.pid = pid
instance.parent_pid = parent_pid
if network_connection_list is not None and (all(isinstance(x,NetworkConnection ) for x in network_connection_list)):
instance.network_connection_list = NetworkConnectionList()
for netcon in network_connection_list:
instance.network_connection_list.append(netcon)
else:
instance.network_connection_list= None
instance.name = name
instance.kernel_time = Duration(kernel_time)
if environment_variable_list is not None and (all(isinstance(x,EnvironmentVariable ) for x in environment_variable_list)):
instance.environment_variable_list = EnvironmentVariableList()
for envar in environment_variable_list:
instance.environment_variable_list.append(envar)
else:
instance.environment_variable_list =None
instance.extracted_features =extracted_features
instance.image_info = image_info
instance.is_hidden= is_hidden
return instance
from cybox.objects.file_object import File
from cybox.objects.win_service_object import WinService
from cybox.objects.win_registry_key_object import WinRegistryKey
# this can be changed to an output file
outfd = sys.stdout
# create an Observable object:
observables_doc = Observables([])
# add some different observables:
# you don't have to use every member and there are other members that are not being utilized here:
observables_doc.add(Process.from_dict({"name": "Process.exe",
"pid": 90,
"parent_pid": 10,
#"creation_time": "",
"image_info": {"command_line": "Process.exe /c blah.txt"}}))
observables_doc.add(File.from_dict({"file_name": "file.txt",
"file_extension": "txt",
"file_path": "path\\to\\file.txt"}))
observables_doc.add(helper.create_ipv4_observable("192.168.1.101"))
observables_doc.add(helper.create_url_observable("somedomain.com"))
observables_doc.add(WinService.from_dict({"service_name": "Service Name",
"display_name": "Service Display name",
"startup_type": "Service type",