コード例 #1
0
    def test_process_image_info_path(self):
        file_path_string = "C:\Windows\System32\abcd.dll"
        normalized_file_path_string = "CSIDL_SYSTEM\abcd.dll"

        process_obj = Process()
        process_obj.image_info = ImageInfo()
        process_obj.image_info.path = file_path_string

        normalize_object_properties(process_obj)

        self.assertEqual(process_obj.image_info.path.value, normalized_file_path_string)
コード例 #2
0
    def test_process_image_info_path(self):
        file_path_string = "C:\Windows\System32\abcd.dll"
        normalized_file_path_string = "CSIDL_SYSTEM\abcd.dll"

        process_obj = Process()
        process_obj.image_info = ImageInfo()
        process_obj.image_info.path = file_path_string

        normalize_object_properties(process_obj)

        self.assertEqual(process_obj.image_info.path.value,
                         normalized_file_path_string)
コード例 #3
0
    def from_dict(win_process_dict, win_process_cls = None):
        if not win_process_dict:
            return None
        if win_process_cls == None:
            winprocess_ = Process.from_dict(win_process_dict, WinProcess())
        else:
            winprocess_ = Process.from_dict(win_process_dict, win_process_cls)

        winprocess_.aslr_enabled = win_process_dict.get('aslr_enabled')
        winprocess_.dep_enabled = win_process_dict.get('dep_enabled')
        winprocess_.handle_list = WinHandleList.from_list(win_process_dict.get('handle_list'))
        winprocess_.priority = String.from_dict(win_process_dict.get('priority'))
        winprocess_.section_list = [Memory.from_dict(x) for x in win_process_dict.get('section_list', [])]
        winprocess_.security_id = String.from_dict(win_process_dict.get('security_id'))
        winprocess_.startup_info = StartupInfo.from_dict(win_process_dict.get('startup_info'))
        winprocess_.security_type = String.from_dict(win_process_dict.get('security_type'))
        winprocess_.window_title = String.from_dict(win_process_dict.get('window_title'))

        return winprocess_
コード例 #4
0
ファイル: process_tree.py プロジェクト: akreffett/python-maec
 def from_dict(process_tree_node_dict):
     if not process_tree_node_dict:
         return None
     process_tree_node_ = Process.from_dict(process_tree_node_dict, ProcessTreeNode())
     process_tree_node_.id = process_tree_node_dict.get('id')
     process_tree_node_.parent_action_idref = process_tree_node_dict.get('parent_action_idref')
     process_tree_node_.initiated_actions = ActionReferenceList.from_list(process_tree_node_dict.get('initiated_actions'))
     process_tree_node_.spawned_processes = [ProcessTreeNode.from_dict(x) for x in process_tree_node_dict.get('spawned_processes', [])]
     process_tree_node_.injected_processes = [ProcessTreeNode.from_dict(x) for x in process_tree_node_dict.get('injected_processes', [])]
     return process_tree_node_
コード例 #5
0
ファイル: process_tree.py プロジェクト: akreffett/python-maec
 def from_obj(process_tree_node_obj):
     if not process_tree_node_obj:
         return None
     process_tree_node_ = Process.from_obj(process_tree_node_obj, ProcessTreeNode())
     process_tree_node_.id = process_tree_node_obj.get_id()
     process_tree_node_.parent_action_idref = process_tree_node_obj.get_parent_action_idref()
     if process_tree_node_obj.get_Initiated_Actions() is not None:
         process_tree_node_.initiated_actions = ActionReferenceList.from_obj(process_tree_node_obj.get_Initiated_Actions())
     process_tree_node_.spawned_processes = [ProcessTreeNode.from_obj(x) for x in process_tree_node_obj.get_Spawned_Process()]
     process_tree_node_.injected_processes = [ProcessTreeNode.from_obj(x) for x in process_tree_node_obj.get_Injected_Process()]
     return process_tree_node_
コード例 #6
0
    def from_obj(win_process_obj, win_process_cls = None):
        if not win_process_obj:
            return None
        if win_process_cls == None:
            winprocess_ = Process.from_obj(win_process_obj, WinProcess())
        else:
            winprocess_ = Process.from_obj(win_process_obj, win_process_cls)

        winprocess_.aslr_enabled = win_process_obj.get_aslr_enabled()
        winprocess_.dep_enabled = win_process_obj.get_dep_enabled()
        winprocess_.handle_list = WinHandleList.from_obj(win_process_obj.get_Handle_List())
        winprocess_.priority = String.from_obj(win_process_obj.get_Priority())
        if win_process_obj.get_Section_List() is not None:
            winprocess_.section_list = [Memory.from_obj(x) for x in win_process_obj.get_Section_List().get_Memory_Section()]
        winprocess_.security_id = String.from_obj(win_process_obj.get_Security_ID())
        winprocess_.startup_info = StartupInfo.from_obj(win_process_obj.get_Startup_Info())
        winprocess_.security_type = String.from_obj(win_process_obj.get_Security_Type())
        winprocess_.window_title = String.from_obj(win_process_obj.get_Window_Title())

        return winprocess_
コード例 #7
0
ファイル: common.py プロジェクト: wushian/SysmonSearch
def _set_search_items_from_process_object(patterns, prop):
    u'''
    extract and set search key/value items from Cybox binding Process Object
    '''
    if prop is None or type(prop) != ProcessObjectType:
        return
    # translate cybox.bindings object to cybox.objects object
    obj = Process.from_obj(prop)

    # Process
    if obj.name is not None:
        process = unicode(obj.name)
        if process[0] == '[' and process[len(process) - 1] == ']':
            _add_search_item(patterns, u"ProcessName",
                             process[1:len(process) - 2].split(','))
        else:
            _add_search_item(patterns, u"ProcessName", process)
コード例 #8
0
def createDynamicIndicators(stix_package, dynamicindicators):
    filescreated = False
    processesstarted = False
    regkeyscreated = False
    mutexescreated = False
    hostscontacted = False
    hasdynamicindicators = False

    # Here we are just testing to see if the report had any
    # of the various dynamic indicator types so we know whether
    # or not to process them at all
    if len(dynamicindicators['droppedfiles']) > 0:
        filescreated = True
        hasdynamicindicators = True
    if len(dynamicindicators['processes']) > 0:
        processesstarted = True
        hasdynamicindicators = True
    if len(dynamicindicators['regkeys']) > 0:
        regkeyscreated = True
        hasdynamicindicators = True
    if len(dynamicindicators['mutexes']) > 0:
        mutexescreated = True
        hasdynamicindicators = True
    if len(dynamicindicators['hosts']) > 0:
        hostscontacted = True
        hasdynamicindicators = True

    if not hasdynamicindicators:
        return

    if filescreated:
        createdfilesind = Indicator()
        for createdfile in dynamicindicators['droppedfiles']:
            createdfilename = File()
            createdfilename.file_name = createdfile[0]
            createdfilename.size_in_bytes = createdfile[1]
            createdfilename.md5 = createdfile[2]
            createdfilename.sha1 = createdfile[3]
            createdfilename.sha256 = createdfile[4]
            createdfilesind.add_observable(Observable(createdfilename))

        stix_package.add_indicator(createdfilesind)
    if processesstarted:
        procindicator = Indicator()
        for process in dynamicindicators['processes']:
            # Process name
            processname = process[0]
            # Process pid
            processpid = process[1]
            # Process parent pid
            processparentpid = process[2]

        proc = Process()
        proc.name = processname
        proc.pid = processpid
        proc.parent_pid = processparentpid
        procindicator.add_observable(Observable(proc))

        stix_package.add_indicator(procindicator)
    if regkeyscreated:
        regindicator = Indicator()
        keypath = WinRegistryKey()

        for regkey in dynamicindicators['regkeys']:
            keypath = WinRegistryKey()
            keypath.key = regkey
            regindicator.add_observable(Observable(keypath))

        stix_package.add_indicator(regindicator)
    if not mutexescreated:
        mutexind = Indicator()
        for mutex in dynamicindicators['mutexes']:
            winhandle = WinHandle()
            winhandle.name = mutex
            winmutex = WinMutex()
            winmutex.handle = winhandle
            mutexind.add_observable(Observable(winmutex))
        stix_package.add_indicator(mutexind)
    if hostscontacted:
        networkconnectionind = Indicator()
        for host in dynamicindicators['hosts']:
            networkconnection = NetworkConnection()
            socketaddress = SocketAddress()
            socketaddress.ip_address = host
            networkconnection.destination_socket_address = socketaddress
            networkconnectionind.add_observable(Observable(networkconnection))
        stix_package.add_indicator(networkconnectionind)
        return
コード例 #9
0
def make_cybox_object(type_, name=None, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param name: The object name.
    :type name: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == "Account":
        acct = Account()
        acct.description = value
        return acct
    elif type_ == "Address":
        return Address(category=name, address_value=value)
    elif type_ == "Email Message":
        e = EmailMessage()
        e.raw_body = value
        return e
    elif type_ == "API":
        api = API()
        api.description = value
        return api
    elif type_ == "Artifact":
        if name == "Data Region":
            atype = Artifact.TYPE_GENERIC
        elif name == 'FileSystem Fragment':
            atype = Artifact.TYPE_FILE_SYSTEM
        elif name == 'Memory Region':
            atype = Artifact.TYPE_MEMORY
        else:
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return Artifact(value, atype)
    elif type_ == "Code":
        obj = Code()
        obj.code_segment = value
        obj.type = name
        return obj
    elif type_ == "Disk":
        disk = Disk()
        disk.disk_name = type_
        disk.type = name
        return disk
    elif type_ == "Disk Partition":
        disk = DiskPartition()
        disk.device_name = type_
        disk.type = name
        return disk
    elif type_ == "DNS Query":
        r = URI()
        r.value = value
        dq = DNSQuestion()
        dq.qname = r
        d = DNSQuery()
        d.question = dq
        return d
    elif type_ == "DNS Record":
        # DNS Record indicators in CRITs are just a free form text box, there
        # is no good way to map them into the attributes of a DNSRecord cybox
        # object. So just stuff it in the description until someone tells me
        # otherwise.
        d = StructuredText(value=value)
        dr = DNSRecord()
        dr.description = d
        return dr
    elif type_ == "GUI Dialogbox":
        obj = GUIDialogbox()
        obj.box_text = value
        return obj
    elif type_ == "GUI Window":
        obj = GUIWindow()
        obj.window_display_name = value
        return obj
    elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
        # TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
        #    we should revisit this as UI is reworked or CybOX is improved.
        obj = HTTPRequestHeaderFields()
        obj.user_agent = value
        return obj
    elif type_ == "Library":
        obj = Library()
        obj.name = value
        obj.type = name
        return obj
    elif type_ == "Memory":
        obj = Memory()
        obj.memory_source = value
        return obj
    elif type_ == "Mutex":
        m = Mutex()
        m.named = True
        m.name = String(value)
        return m
    elif type_ == "Network Connection":
        obj = NetworkConnection()
        obj.layer7_protocol = value
        return obj
    elif type_ == "Pipe":
        p = Pipe()
        p.named = True
        p.name = String(value)
        return p
    elif type_ == "Port":
        p = Port()
        try:
            p.port_value = PositiveInteger(value)
        except ValueError:  # XXX: Raise a better exception...
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return p
    elif type_ == "Process":
        p = Process()
        p.name = String(value)
        return p
    elif type_ == "String":
        c = Custom()
        c.custom_name = "crits:String"
        c.description = ("This is a generic string used as the value of an "
                         "Indicator or Object within CRITs.")
        c.custom_properties = CustomProperties()

        p1 = Property()
        p1.name = "value"
        p1.description = "Generic String"
        p1.value = value
        c.custom_properties.append(p1)
        return c
    elif type_ == "System":
        s = System()
        s.hostname = String(value)
        return s
    elif type_ == "URI":
        r = URI()
        r.type_ = name
        r.value = value
        return r
    elif type_ == "User Account":
        obj = UserAccount()
        obj.username = value
        return obj
    elif type_ == "Volume":
        obj = Volume()
        obj.name = value
        return obj
    elif type_ == "Win Driver":
        w = WinDriver()
        w.driver_name = String(value)
        return w
    elif type_ == "Win Event Log":
        obj = WinEventLog()
        obj.log = value
        return obj
    elif type_ == "Win Event":
        w = WinEvent()
        w.name = String(value)
        return w
    elif type_ == "Win Handle":
        obj = WinHandle()
        obj.type_ = name
        obj.object_address = value
        return obj
    elif type_ == "Win Kernel Hook":
        obj = WinKernelHook()
        obj.description = value
        return obj
    elif type_ == "Win Mailslot":
        obj = WinMailslot()
        obj.name = value
        return obj
    elif type_ == "Win Network Share":
        obj = WinNetworkShare()
        obj.local_path = value
        return obj
    elif type_ == "Win Process":
        obj = WinProcess()
        obj.window_title = value
        return obj
    elif type_ == "Win Registry Key":
        obj = WinRegistryKey()
        obj.key = value
        return obj
    elif type_ == "Win Service":
        obj = WinService()
        obj.service_name = value
        return obj
    elif type_ == "Win System":
        obj = WinSystem()
        obj.product_name = value
        return obj
    elif type_ == "Win Task":
        obj = WinTask()
        obj.name = value
        return obj
    elif type_ == "Win User Account":
        obj = WinUser()
        obj.security_id = value
        return obj
    elif type_ == "Win Volume":
        obj = WinVolume()
        obj.drive_letter = value
        return obj
    elif type_ == "X509 Certificate":
        obj = X509Certificate()
        obj.raw_certificate = value
        return obj
    """
    The following are types that are listed in the 'Indicator Type' box of
    the 'New Indicator' dialog in CRITs. These types, unlike those handled
    above, cannot be written to or read from CybOX at this point.

    The reason for the type being omitted is written as a comment inline.
    This can (and should) be revisited as new versions of CybOX are released.
    NOTE: You will have to update the corresponding make_crits_object function
    with handling for the reverse direction.

    In the mean time, these types will raise unsupported errors.
    """
    #elif type_ == "Device": # No CybOX API
    #elif type_ == "DNS Cache": # No CybOX API
    #elif type_ == "GUI": # revisit when CRITs supports width & height specification
    #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
    #elif type_ == "Linux Package": # No CybOX API
    #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
    #elif type_ == "Network Route Entry": # No CybOX API
    #elif type_ == "Network Route": # No CybOX API
    #elif type_ == "Network Subnet": # No CybOX API
    #elif type_ == "Semaphore": # No CybOX API
    #elif type_ == "Socket": # No good mapping between CybOX/CRITs
    #elif type_ == "UNIX File": # No CybOX API
    #elif type_ == "UNIX Network Route Entry": # No CybOX API
    #elif type_ == "UNIX Pipe": # No CybOX API
    #elif type_ == "UNIX Process": # No CybOX API
    #elif type_ == "UNIX User Account": # No CybOX API
    #elif type_ == "UNIX Volume": # No CybOX API
    #elif type_ == "User Session": # No CybOX API
    #elif type_ == "Whois": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Computer Account": # No CybOX API
    #elif type_ == "Win Critical Section": # No CybOX API
    #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Kernel": # No CybOX API
    #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Network Route Entry": # No CybOX API
    #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Prefetch": # No CybOX API
    #elif type_ == "Win Semaphore": # No CybOX API
    #elif type_ == "Win System Restore": # No CybOX API
    #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Waitable Timer": # No CybOX API
    raise UnsupportedCybOXObjectTypeError(type_, name)
コード例 #10
0
ファイル: addsec_to_stix.py プロジェクト: heindl/stix_toolkit
def addsec_to_cybox(as_obtype, as_obdata):
    #
    # Addition Security to CybOX mappings, for discrete/separate observables
    #

    # 30: DataTypeSymbolName
    if as_obtype == 30:
        a = API()
        a.function_name = as_obdata
        return a

    # 32: DataTypeLibraryName
    if as_obtype == 32:
        l = Library()
        l.name = as_obdata
        l.path = as_obdata
        return l

    # 14: DataTypeUsername
    if as_obtype == 14:
        u = UserAccount()
        u.username = as_obdata
        return u

    # 10: DataTypeFile
    if as_obtype == 10:
        f = File()
        f.full_path = as_obdata
        return f

    # 23: DataTypeHostname
    if as_obtype == 23:
        h = Hostname()
        h.hostname_value = as_obdata
        return h

    # 29: DataTypeEnvString
    if as_obtype == 29:
        # Here, Process is meant to represent the hosting process; then we
        # attach the actual environment variable value
        p = Process()
        p.environment_variable_list = as_obdata
        return p

    # 17: DataTypeApplication
    if as_obtype == 17:
        # Particularly on Android, identification of an installed package fits
        # somewhere between File and Process, but not quite either.  The closest
        # fit is around LinuxPackage, which is what we use.  We should technically
        # derive from it, but we're trying to keep things simple.
        p = LinuxPackage()
        p.name = as_obdata
        return p

    # 11: DataTypeX509
    # 12: DataTypeX509Subject
    # 13: DataTypeX509Issuer
    if as_obtype == 11 or as_obtype == 12 or as_obtype == 13:
        c = X509Certificate()
        if as_obtype == 11: c.raw_certificate = as_obdata.encode('hex')
        if as_obtype == 12: c.certificate.subject = as_obdata
        if as_obtype == 13: c.certificate.issuer = as_obdata
        return c

    # 2: DataTypeSHA1Hash
    # 7: DataTypeVersionString
    # 18: DataTypeString
    # 31: DataTypePropertyName
    # TODO: find the proper CybOX to represent these; for now, we don't
    # report them
    return None
コード例 #11
0
def make_cybox_object(type_, value=None):
    """
    Converts type_, name, and value to a CybOX object instance.

    :param type_: The object type.
    :type type_: str
    :param value: The object value.
    :type value: str
    :returns: CybOX object
    """

    if type_ == IndicatorTypes.USER_ID:
        acct = Account()
        acct.description = value
        return acct
    elif type_ in IPTypes.values():
        if type_ == IPTypes.IPV4_ADDRESS:
            name = 'ipv4-addr'
        elif type_ == IPTypes.IPV6_ADDRESS:
            name = 'ipv6-addr'
        elif type_ == IPTypes.IPV4_SUBNET:
            name = 'ipv4-net'
        elif type_ == IPTypes.IPV6_SUBNET:
            name = 'ipv6-net'
        return Address(category=name, address_value=value)
    elif type_ == IndicatorTypes.API_KEY:
        api = API()
        api.description = value
        return api
    elif type_ == IndicatorTypes.DOMAIN:
        obj = DomainName()
        obj.value = value
    elif type_ == IndicatorTypes.USER_AGENT:
        obj = HTTPRequestHeaderFields()
        obj.user_agent = value
        return obj
    elif type_ == IndicatorTypes.MUTEX:
        m = Mutex()
        m.named = True
        m.name = String(value)
        return m
    elif type_ in (IndicatorTypes.SOURCE_PORT,
                   IndicatorTypes.DEST_PORT):
        p = Port()
        try:
            p.port_value = PositiveInteger(value)
        except ValueError: # XXX: Raise a better exception...
            raise UnsupportedCybOXObjectTypeError(type_, name)
        return p
    elif type_ == IndicatorTypes.PROCESS_NAME:
        p = Process()
        p.name = String(value)
        return p
    elif type_ == IndicatorTypes.URI:
        r = URI()
        r.type_ = 'URL'
        r.value = value
        return r
    elif type_ in (IndicatorTypes.REGISTRY_KEY,
                   IndicatorTypes.REG_KEY_CREATED,
                   IndicatorTypes.REG_KEY_DELETED,
                   IndicatorTypes.REG_KEY_ENUMERATED,
                   IndicatorTypes.REG_KEY_MONITORED,
                   IndicatorTypes.REG_KEY_OPENED):
        obj = WinRegistryKey()
        obj.key = value
        return obj
    """
    The following are types that are listed in the 'Indicator Type' box of
    the 'New Indicator' dialog in CRITs. These types, unlike those handled
    above, cannot be written to or read from CybOX at this point.

    The reason for the type being omitted is written as a comment inline.
    This can (and should) be revisited as new versions of CybOX are released.
    NOTE: You will have to update the corresponding make_crits_object function
    with handling for the reverse direction.

    In the mean time, these types will raise unsupported errors.
    """
    #elif type_ == "Device": # No CybOX API
    #elif type_ == "DNS Cache": # No CybOX API
    #elif type_ == "GUI": # revisit when CRITs supports width & height specification
    #elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
    #elif type_ == "Linux Package": # No CybOX API
    #elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
    #elif type_ == "Network Route Entry": # No CybOX API
    #elif type_ == "Network Route": # No CybOX API
    #elif type_ == "Network Subnet": # No CybOX API
    #elif type_ == "Semaphore": # No CybOX API
    #elif type_ == "Socket": # No good mapping between CybOX/CRITs
    #elif type_ == "UNIX File": # No CybOX API
    #elif type_ == "UNIX Network Route Entry": # No CybOX API
    #elif type_ == "UNIX Pipe": # No CybOX API
    #elif type_ == "UNIX Process": # No CybOX API
    #elif type_ == "UNIX User Account": # No CybOX API
    #elif type_ == "UNIX Volume": # No CybOX API
    #elif type_ == "User Session": # No CybOX API
    #elif type_ == "Whois": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Computer Account": # No CybOX API
    #elif type_ == "Win Critical Section": # No CybOX API
    #elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win File": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Kernel": # No CybOX API
    #elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Network Route Entry": # No CybOX API
    #elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Prefetch": # No CybOX API
    #elif type_ == "Win Semaphore": # No CybOX API
    #elif type_ == "Win System Restore": # No CybOX API
    #elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
    #elif type_ == "Win Waitable Timer": # No CybOX API
    raise UnsupportedCybOXObjectTypeError(type_, name)
コード例 #12
0
    def create_discovery_method_instance(self,argument_list=None,child_pid_list=None,creation_time =None,is_hidden=None,image_info=None,extracted_features=None,environment_variable_list=None,
                                     kernel_time=None,name=None,network_connection_list=None,parent_pid=None,pid=None,port_list=None,start_time=None,user_time=None,username=None):
        instance = Process()
        instance.argument_list= argument_list
        instance.child_pid_list=child_pid_list
        instance.creation_time = DateTime(creation_time)
        instance.username=username
        instance.user_time = Duration(user_time)
        instance.start_time = DateTime(start_time)
        instance.port_list =port_list
        instance.pid = pid
        instance.parent_pid = parent_pid
        if network_connection_list is not None and (all(isinstance(x,NetworkConnection ) for x in network_connection_list)):
            instance.network_connection_list = NetworkConnectionList()
            for netcon in network_connection_list:
                instance.network_connection_list.append(netcon)
        else:
            instance.network_connection_list= None

        instance.name = name
        instance.kernel_time = Duration(kernel_time)
        if environment_variable_list is not None and (all(isinstance(x,EnvironmentVariable ) for x in environment_variable_list)):
            instance.environment_variable_list = EnvironmentVariableList()
            for envar in environment_variable_list:
                instance.environment_variable_list.append(envar)
        else:
            instance.environment_variable_list =None

        instance.extracted_features =extracted_features
        instance.image_info = image_info
        instance.is_hidden= is_hidden
        return instance
コード例 #13
0
from cybox.objects.file_object import File 
from cybox.objects.win_service_object import WinService
from cybox.objects.win_registry_key_object import WinRegistryKey


# this can be changed to an output file
outfd = sys.stdout

# create an Observable object: 
observables_doc = Observables([])

# add some different observables:
# you don't have to use every member and there are other members that are not being utilized here:
observables_doc.add(Process.from_dict({"name": "Process.exe",
                                       "pid": 90,  
                                       "parent_pid": 10,
                                       #"creation_time": "",  
                                       "image_info": {"command_line": "Process.exe /c blah.txt"}}))

observables_doc.add(File.from_dict({"file_name": "file.txt",
                                    "file_extension": "txt",
                                    "file_path": "path\\to\\file.txt"}))
                                    

observables_doc.add(helper.create_ipv4_observable("192.168.1.101"))

observables_doc.add(helper.create_url_observable("somedomain.com"))

observables_doc.add(WinService.from_dict({"service_name": "Service Name",
                                  "display_name": "Service Display name",
                                  "startup_type": "Service type",