def createDynamicIndicators(stix_package, dynamicindicators):
filescreated = False
processesstarted = False
regkeyscreated = False
mutexescreated = False
hostscontacted = False
hasdynamicindicators = False
# Here we are just testing to see if the report had any
# of the various dynamic indicator types so we know whether
# or not to process them at all
if len(dynamicindicators['droppedfiles']) > 0:
filescreated = True
hasdynamicindicators = True
if len(dynamicindicators['processes']) > 0:
processesstarted = True
hasdynamicindicators = True
if len(dynamicindicators['regkeys']) > 0:
regkeyscreated = True
hasdynamicindicators = True
if len(dynamicindicators['mutexes']) > 0:
mutexescreated = True
hasdynamicindicators = True
if len(dynamicindicators['hosts']) > 0:
hostscontacted = True
hasdynamicindicators = True
if not hasdynamicindicators:
return
if filescreated:
createdfilesind = Indicator()
for createdfile in dynamicindicators['droppedfiles']:
createdfilename = File()
createdfilename.file_name = createdfile[0]
createdfilename.size_in_bytes = createdfile[1]
createdfilename.md5 = createdfile[2]
createdfilename.sha1 = createdfile[3]
createdfilename.sha256 = createdfile[4]
createdfilesind.add_observable(Observable(createdfilename))
stix_package.add_indicator(createdfilesind)
if processesstarted:
procindicator = Indicator()
for process in dynamicindicators['processes']:
# Process name
processname = process[0]
# Process pid
processpid = process[1]
# Process parent pid
processparentpid = process[2]
proc = Process()
proc.name = processname
proc.pid = processpid
proc.parent_pid = processparentpid
procindicator.add_observable(Observable(proc))
stix_package.add_indicator(procindicator)
if regkeyscreated:
regindicator = Indicator()
keypath = WinRegistryKey()
for regkey in dynamicindicators['regkeys']:
keypath = WinRegistryKey()
keypath.key = regkey
regindicator.add_observable(Observable(keypath))
stix_package.add_indicator(regindicator)
if not mutexescreated:
mutexind = Indicator()
for mutex in dynamicindicators['mutexes']:
winhandle = WinHandle()
winhandle.name = mutex
winmutex = WinMutex()
winmutex.handle = winhandle
mutexind.add_observable(Observable(winmutex))
stix_package.add_indicator(mutexind)
if hostscontacted:
networkconnectionind = Indicator()
for host in dynamicindicators['hosts']:
networkconnection = NetworkConnection()
socketaddress = SocketAddress()
socketaddress.ip_address = host
networkconnection.destination_socket_address = socketaddress
networkconnectionind.add_observable(Observable(networkconnection))
stix_package.add_indicator(networkconnectionind)
return
