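def add_registry_observable(self, mode, value):
    """Record one registry access from a sandbox report as a CybOX observable.

    Args:
        mode: Access mode as reported by the sandbox. It is only used, together
            with *value*, to de-duplicate entries; it is not emitted into the
            observable.
        value: Registry path as reported by the sandbox. It comes from a
            malware sample's behaviour, so treat it as untrusted input.

    Raises:
        ValueError: if *value* has fewer than three backslash-separated
            components, so no hive/key pair can be extracted from it.

    The (mode, value) pair is remembered in ``self.__regkeys`` only after the
    observable has been attached to ``self.reg_indicator``, so a value that is
    rejected (or fails to build) is not marked as already seen.
    """
    if (mode, value) in self.__regkeys:
        return
    # FIXME value is not parsed properly: the slicing below presumes a path of
    # the form ``\REGISTRY\<hive>\<key...>`` (index 2 = hive, index 3+ = key).
    # A path written as ``HKEY_LOCAL_MACHINE\...`` would put the wrong segment
    # into ``hive`` -- confirm the format against the actual sandbox output.
    parts = value.split('\\')
    if len(parts) < 3:
        # Previously a short/malformed path raised a bare IndexError from the
        # indexing below; fail with a message that names the offending value.
        raise ValueError("registry path too short to parse: %r" % (value,))
    hive = parts[2]
    _key = '\\'.join(parts[3:])
    reg_object = WinRegistryKey.from_dict({'key': _key, 'hive': hive})
    reg_observable = Observable(reg_object)
    reg_observable.title = "Malware Artifact - Registry"
    reg_observable.description = "Registry access derived from sandboxed malware sample."
    reg_observable.short_description = "Registry access from malware."
    self.reg_indicator.add_observable(reg_observable)
    # Only now is the pair known to have produced an observable.
    self.__regkeys.add((mode, value))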
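# A Windows service observable built from a plain dict; every field here is an
# example placeholder string.
observables_doc.add(WinService.from_dict({
    "service_name": "Service Name",
    "display_name": "Service Display name",
    "startup_type": "Service type",
    "service_status": "Status",
    "service_dll": "Somedll.dll",
    "started_as": "Start",
    "group_name": "Group name",
    "startup_command_line": "Commandline",
}))

# A registry key with two values and one subkey. Binary value data must be
# normalized before it goes into the (text) document; base64 is the usual
# encoding. A bytes literal is encoded and the result decoded back to text so
# the same line works on Python 2 and 3: on Python 3, b64encode rejects a str
# argument and returns bytes rather than str.
observables_doc.add(WinRegistryKey.from_dict({
    "hive": "SYSTEM",
    "key": "some\\registry\\key",
    "number_values": 2,
    "values": [
        {"name": "Something",
         "datatype": "REG_DWORD",  # or whatever it is...
         "data": "Something else"},
        {"name": "Another",
         "datatype": "REG_BINARY",  # or whatever it is...
         "data": base64.b64encode(b"\x90\x90\x90").decode("ascii")},
    ],
    "number_subkeys": 1,
    # subkeys have the same members as keys:
    "subkeys": [{
        "key": "SubkeyName",
        "number_values": 1,
        "values": [{"name": "SubkeyVal",
                    "datatype": "REG_DWORD",
                    "data": "Subkey val data"}],
    }],
}))

observables_doc.add(Mutex.from_dict({"name": "Some_MUTEX!!!"}))

# we can also specify conditions: the condition is set on the individual
# field object after the Process has been built from the dict.
proc = Process.from_dict({
    "name": "anotherProcess.exe",
    "pid": 102,
    "parent_pid": 10,
    "image_info": {"command_line": "anotherProcess.exe /c blahblah.bat"},
})
proc.name.condition = "Equals"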