def to_cybox(self, exclude=None):
"""
Convert an email to a CybOX Observables.
Pass parameter exclude to specify fields that should not be
included in the returned object.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
if exclude == None:
exclude = []
observables = []
obj = EmailMessage()
# Assume there is going to be at least one header
obj.header = EmailHeader()
if 'message_id' not in exclude:
obj.header.message_id = String(self.message_id)
if 'subject' not in exclude:
obj.header.subject = String(self.subject)
if 'sender' not in exclude:
obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obj.header.x_originating_ip = Address(self.x_originating_ip,
Address.CAT_IPV4)
if 'raw_body' not in exclude:
obj.raw_body = self.raw_body
if 'raw_header' not in exclude:
obj.raw_header = self.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obj.email_server = String(self.helo)
if ('from_' not in exclude and 'from' not in exclude and
'from_address' not in exclude):
obj.header.from_ = EmailAddress(self.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obj.header.date = DateTime(self.isodate)
observables.append(Observable(obj))
return (observables, self.releasability)
def to_cybox(self, exclude=None):
"""
Convert an email to a CybOX Observables.
Pass parameter exclude to specify fields that should not be
included in the returned object.
Returns a tuple of (CybOX object, releasability list).
To get the cybox object as xml or json, call to_xml() or
to_json(), respectively, on the resulting CybOX object.
"""
if exclude == None:
exclude = []
observables = []
obj = EmailMessage()
# Assume there is going to be at least one header
obj.header = EmailHeader()
if 'message_id' not in exclude:
obj.header.message_id = String(self.message_id)
if 'subject' not in exclude:
obj.header.subject = String(self.subject)
if 'sender' not in exclude:
obj.header.sender = Address(self.reply_to, Address.CAT_EMAIL)
if 'reply_to' not in exclude:
obj.header.reply_to = Address(self.reply_to, Address.CAT_EMAIL)
if 'x_originating_ip' not in exclude:
obj.header.x_originating_ip = Address(self.x_originating_ip,
Address.CAT_IPV4)
if 'raw_body' not in exclude:
obj.raw_body = self.raw_body
if 'raw_header' not in exclude:
obj.raw_header = self.raw_header
#copy fields where the names differ between objects
if 'helo' not in exclude and 'email_server' not in exclude:
obj.email_server = String(self.helo)
if ('from_' not in exclude and 'from' not in exclude
and 'from_address' not in exclude):
obj.header.from_ = EmailAddress(self.from_address)
if 'date' not in exclude and 'isodate' not in exclude:
obj.header.date = DateTime(self.isodate)
observables.append(Observable(obj))
return (observables, self.releasability)
def __parse_email_message(self, msg):
""" Parses the supplied message
Returns a map of message parts expressed as cybox objects.
Keys: 'message', 'files', 'urls'
"""
files = []
url_list = []
domain_list = []
message = EmailMessage()
# Headers are required (for now)
message.header = self.__create_cybox_headers(msg)
if self.include_attachments:
files = self.__create_cybox_files(msg)
message.attachments = Attachments()
for f in files:
message.attachments.append(f.parent.id_)
f.add_related(message, "Contained_Within", inline=False)
if self.include_raw_headers:
raw_headers_str = self.__get_raw_headers(msg).strip()
if raw_headers_str:
message.raw_header = String(raw_headers_str)
# need this for parsing urls AND raw body text
raw_body = "\n".join(self.__get_raw_body_text(msg)).strip()
if self.include_raw_body and raw_body:
message.raw_body = String(raw_body)
if self.include_urls:
(url_list, domain_list) = self.__parse_urls(raw_body)
if url_list:
links = Links()
for u in url_list:
links.append(LinkReference(u.parent.id_))
if links:
message.links = links
# Return a list of all objects we've built
return [message] + files + url_list + domain_list
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
#TODO: Http Request Header Fields not implemented?
#elif type_ == "Http Request Header Fields":
#pass
#TODO: Mutex object type is incomplete
#elif type_ == "Mutex":
#return Mutex.object_from_dict({'name': value})
#TODO: use Byte_Run object?
#elif type_ == "String":
#pass
elif type_ == "URI":
#return URI(type_=name, value=value)
r = URI()
r.type_ = name
r.value = value
return r
#TODO: Win_File incomplete
#elif type_ == "Win File":
#TODO: Registry_Key incomplete
#elif type_ == "Win Handle" and name == "RegistryKey":
#return Registry_Key.object_from_dict({'key':value})
raise UnsupportedCybOXObjectTypeError(type_, name)
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
#TODO: Http Request Header Fields not implemented?
#elif type_ == "Http Request Header Fields":
#pass
#TODO: Mutex object type is incomplete
#elif type_ == "Mutex":
#return Mutex.object_from_dict({'name': value})
#TODO: use Byte_Run object?
#elif type_ == "String":
#pass
elif type_ == "URI":
#return URI(type_=name, value=value)
r = URI()
r.type_ = name
r.value = value
return r
#TODO: Win_File incomplete
#elif type_ == "Win File":
#TODO: Registry_Key incomplete
#elif type_ == "Win Handle" and name == "RegistryKey":
#return Registry_Key.object_from_dict({'key':value})
raise UnsupportedCybOXObjectTypeError(type_, name)
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Account":
acct = Account()
acct.description = value
return acct
elif type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
elif type_ == "API":
api = API()
api.description = value
return api
elif type_ == "Artifact":
if name == "Data Region":
atype = Artifact.TYPE_GENERIC
elif name == 'FileSystem Fragment':
atype = Artifact.TYPE_FILE_SYSTEM
elif name == 'Memory Region':
atype = Artifact.TYPE_MEMORY
else:
raise UnsupportedCybOXObjectTypeError(type_, name)
return Artifact(value, atype)
elif type_ == "Code":
obj = Code()
obj.code_segment = value
obj.type = name
return obj
elif type_ == "Disk":
disk = Disk()
disk.disk_name = type_
disk.type = name
return disk
elif type_ == "Disk Partition":
disk = DiskPartition()
disk.device_name = type_
disk.type = name
return disk
elif type_ == "DNS Query":
r = URI()
r.value = value
dq = DNSQuestion()
dq.qname = r
d = DNSQuery()
d.question = dq
return d
elif type_ == "DNS Record":
# DNS Record indicators in CRITs are just a free form text box, there
# is no good way to map them into the attributes of a DNSRecord cybox
# object. So just stuff it in the description until someone tells me
# otherwise.
d = StructuredText(value=value)
dr = DNSRecord()
dr.description = d
return dr
elif type_ == "GUI Dialogbox":
obj = GUIDialogbox()
obj.box_text = value
return obj
elif type_ == "GUI Window":
obj = GUIWindow()
obj.window_display_name = value
return obj
elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
# TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
# we should revisit this as UI is reworked or CybOX is improved.
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == "Library":
obj = Library()
obj.name = value
obj.type = name
return obj
elif type_ == "Memory":
obj = Memory()
obj.memory_source = value
return obj
elif type_ == "Mutex":
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ == "Network Connection":
obj = NetworkConnection()
obj.layer7_protocol = value
return obj
elif type_ == "Pipe":
p = Pipe()
p.named = True
p.name = String(value)
return p
elif type_ == "Port":
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == "Process":
p = Process()
p.name = String(value)
return p
elif type_ == "String":
c = Custom()
c.custom_name = "crits:String"
c.description = ("This is a generic string used as the value of an "
"Indicator or Object within CRITs.")
c.custom_properties = CustomProperties()
p1 = Property()
p1.name = "value"
p1.description = "Generic String"
p1.value = value
c.custom_properties.append(p1)
return c
elif type_ == "System":
s = System()
s.hostname = String(value)
return s
elif type_ == "URI":
r = URI()
r.type_ = name
r.value = value
return r
elif type_ == "User Account":
obj = UserAccount()
obj.username = value
return obj
elif type_ == "Volume":
obj = Volume()
obj.name = value
return obj
elif type_ == "Win Driver":
w = WinDriver()
w.driver_name = String(value)
return w
elif type_ == "Win Event Log":
obj = WinEventLog()
obj.log = value
return obj
elif type_ == "Win Event":
w = WinEvent()
w.name = String(value)
return w
elif type_ == "Win Handle":
obj = WinHandle()
obj.type_ = name
obj.object_address = value
return obj
elif type_ == "Win Kernel Hook":
obj = WinKernelHook()
obj.description = value
return obj
elif type_ == "Win Mailslot":
obj = WinMailslot()
obj.name = value
return obj
elif type_ == "Win Network Share":
obj = WinNetworkShare()
obj.local_path = value
return obj
elif type_ == "Win Process":
obj = WinProcess()
obj.window_title = value
return obj
elif type_ == "Win Registry Key":
obj = WinRegistryKey()
obj.key = value
return obj
elif type_ == "Win Service":
obj = WinService()
obj.service_name = value
return obj
elif type_ == "Win System":
obj = WinSystem()
obj.product_name = value
return obj
elif type_ == "Win Task":
obj = WinTask()
obj.name = value
return obj
elif type_ == "Win User Account":
obj = WinUser()
obj.security_id = value
return obj
elif type_ == "Win Volume":
obj = WinVolume()
obj.drive_letter = value
return obj
elif type_ == "X509 Certificate":
obj = X509Certificate()
obj.raw_certificate = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_, name)
def make_cybox_object(type_, name=None, value=None):
"""
Converts type_, name, and value to a CybOX object instance.
:param type_: The object type.
:type type_: str
:param name: The object name.
:type name: str
:param value: The object value.
:type value: str
:returns: CybOX object
"""
if type_ == "Account":
acct = Account()
acct.description = value
return acct
elif type_ == "Address":
return Address(category=name, address_value=value)
elif type_ == "Email Message":
e = EmailMessage()
e.raw_body = value
return e
elif type_ == "API":
api = API()
api.description = value
return api
elif type_ == "Artifact":
if name == "Data Region":
atype = Artifact.TYPE_GENERIC
elif name == 'FileSystem Fragment':
atype = Artifact.TYPE_FILE_SYSTEM
elif name == 'Memory Region':
atype = Artifact.TYPE_MEMORY
else:
raise UnsupportedCybOXObjectTypeError(type_, name)
return Artifact(value, atype)
elif type_ == "Code":
obj = Code()
obj.code_segment = value
obj.type = name
return obj
elif type_ == "Disk":
disk = Disk()
disk.disk_name = type_
disk.type = name
return disk
elif type_ == "Disk Partition":
disk = DiskPartition()
disk.device_name = type_
disk.type = name
return disk
elif type_ == "DNS Query":
r = URI()
r.value = value
dq = DNSQuestion()
dq.qname = r
d = DNSQuery()
d.question = dq
return d
elif type_ == "DNS Record":
# DNS Record indicators in CRITs are just a free form text box, there
# is no good way to map them into the attributes of a DNSRecord cybox
# object. So just stuff it in the description until someone tells me
# otherwise.
d = StructuredText(value=value)
dr = DNSRecord()
dr.description = d
return dr
elif type_ == "GUI Dialogbox":
obj = GUIDialogbox()
obj.box_text = value
return obj
elif type_ == "GUI Window":
obj = GUIWindow()
obj.window_display_name = value
return obj
elif type_ == "HTTP Request Header Fields" and name and name == "User-Agent":
# TODO/NOTE: HTTPRequestHeaderFields has a ton of fields for info.
# we should revisit this as UI is reworked or CybOX is improved.
obj = HTTPRequestHeaderFields()
obj.user_agent = value
return obj
elif type_ == "Library":
obj = Library()
obj.name = value
obj.type = name
return obj
elif type_ == "Memory":
obj = Memory()
obj.memory_source = value
return obj
elif type_ == "Mutex":
m = Mutex()
m.named = True
m.name = String(value)
return m
elif type_ == "Network Connection":
obj = NetworkConnection()
obj.layer7_protocol = value
return obj
elif type_ == "Pipe":
p = Pipe()
p.named = True
p.name = String(value)
return p
elif type_ == "Port":
p = Port()
try:
p.port_value = PositiveInteger(value)
except ValueError: # XXX: Raise a better exception...
raise UnsupportedCybOXObjectTypeError(type_, name)
return p
elif type_ == "Process":
p = Process()
p.name = String(value)
return p
elif type_ == "String":
c = Custom()
c.custom_name = "crits:String"
c.description = ("This is a generic string used as the value of an "
"Indicator or Object within CRITs.")
c.custom_properties = CustomProperties()
p1 = Property()
p1.name = "value"
p1.description = "Generic String"
p1.value = value
c.custom_properties.append(p1)
return c
elif type_ == "System":
s = System()
s.hostname = String(value)
return s
elif type_ == "URI":
r = URI()
r.type_ = name
r.value = value
return r
elif type_ == "User Account":
obj = UserAccount()
obj.username = value
return obj
elif type_ == "Volume":
obj = Volume()
obj.name = value
return obj
elif type_ == "Win Driver":
w = WinDriver()
w.driver_name = String(value)
return w
elif type_ == "Win Event Log":
obj = WinEventLog()
obj.log = value
return obj
elif type_ == "Win Event":
w = WinEvent()
w.name = String(value)
return w
elif type_ == "Win Handle":
obj = WinHandle()
obj.type_ = name
obj.object_address = value
return obj
elif type_ == "Win Kernel Hook":
obj = WinKernelHook()
obj.description = value
return obj
elif type_ == "Win Mailslot":
obj = WinMailslot()
obj.name = value
return obj
elif type_ == "Win Network Share":
obj = WinNetworkShare()
obj.local_path = value
return obj
elif type_ == "Win Process":
obj = WinProcess()
obj.window_title = value
return obj
elif type_ == "Win Registry Key":
obj = WinRegistryKey()
obj.key = value
return obj
elif type_ == "Win Service":
obj = WinService()
obj.service_name = value
return obj
elif type_ == "Win System":
obj = WinSystem()
obj.product_name = value
return obj
elif type_ == "Win Task":
obj = WinTask()
obj.name = value
return obj
elif type_ == "Win User Account":
obj = WinUser()
obj.security_id = value
return obj
elif type_ == "Win Volume":
obj = WinVolume()
obj.drive_letter = value
return obj
elif type_ == "X509 Certificate":
obj = X509Certificate()
obj.raw_certificate = value
return obj
"""
The following are types that are listed in the 'Indicator Type' box of
the 'New Indicator' dialog in CRITs. These types, unlike those handled
above, cannot be written to or read from CybOX at this point.
The reason for the type being omitted is written as a comment inline.
This can (and should) be revisited as new versions of CybOX are released.
NOTE: You will have to update the corresponding make_crits_object function
with handling for the reverse direction.
In the mean time, these types will raise unsupported errors.
"""
#elif type_ == "Device": # No CybOX API
#elif type_ == "DNS Cache": # No CybOX API
#elif type_ == "GUI": # revisit when CRITs supports width & height specification
#elif type_ == "HTTP Session": # No good mapping between CybOX/CRITs
#elif type_ == "Linux Package": # No CybOX API
#elif type_ == "Network Packet": # No good mapping between CybOX/CRITs
#elif type_ == "Network Route Entry": # No CybOX API
#elif type_ == "Network Route": # No CybOX API
#elif type_ == "Network Subnet": # No CybOX API
#elif type_ == "Semaphore": # No CybOX API
#elif type_ == "Socket": # No good mapping between CybOX/CRITs
#elif type_ == "UNIX File": # No CybOX API
#elif type_ == "UNIX Network Route Entry": # No CybOX API
#elif type_ == "UNIX Pipe": # No CybOX API
#elif type_ == "UNIX Process": # No CybOX API
#elif type_ == "UNIX User Account": # No CybOX API
#elif type_ == "UNIX Volume": # No CybOX API
#elif type_ == "User Session": # No CybOX API
#elif type_ == "Whois": # No good mapping between CybOX/CRITs
#elif type_ == "Win Computer Account": # No CybOX API
#elif type_ == "Win Critical Section": # No CybOX API
#elif type_ == "Win Executable File": # No good mapping between CybOX/CRITs
#elif type_ == "Win File": # No good mapping between CybOX/CRITs
#elif type_ == "Win Kernel": # No CybOX API
#elif type_ == "Win Mutex": # No good mapping between CybOX/CRITs
#elif type_ == "Win Network Route Entry": # No CybOX API
#elif type_ == "Win Pipe": # No good mapping between CybOX/CRITs
#elif type_ == "Win Prefetch": # No CybOX API
#elif type_ == "Win Semaphore": # No CybOX API
#elif type_ == "Win System Restore": # No CybOX API
#elif type_ == "Win Thread": # No good mapping between CybOX/CRITs
#elif type_ == "Win Waitable Timer": # No CybOX API
raise UnsupportedCybOXObjectTypeError(type_, name)
def execute(self, device_info, extracted_data_dir_path):
original_app_path = '/data/data/com.android.email'
headers_db_rel_file_path = os.path.join('databases', 'EmailProvider.db')
bodies_db_rel_file_path = os.path.join('databases', 'EmailProviderBody.db')
original_headers_db_file_path = os.path.join(original_app_path, headers_db_rel_file_path)
original_bodies_db_file_path = os.path.join(original_app_path, bodies_db_rel_file_path)
headers_db_file_path = os.path.join(extracted_data_dir_path, headers_db_rel_file_path)
bodies_db_file_path = os.path.join(extracted_data_dir_path, bodies_db_rel_file_path)
source_objects = [
create_file_object(headers_db_file_path, original_headers_db_file_path),
create_file_object(bodies_db_file_path, original_bodies_db_file_path)
]
inspected_objects = {}
cursor, conn = execute_query(headers_db_file_path, 'SELECT * FROM message')
for row in cursor:
header = EmailHeader()
header.to = row['toList']
header.cc = row['ccList']
header.bcc = row['bccList']
header.from_ = row['fromList']
header.subject = row['subject']
header.in_reply_to = row['replyToList']
header.date = datetime.fromtimestamp(row['timeStamp'] / 1000) # Convert from milliseconds to seconds
header.message_id = row['messageId']
email = EmailMessage()
email.header = header
email.add_related(source_objects[0], ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)
# Add the email to the inspected_objects dict using its _id value as key.
email_id = row['_id']
inspected_objects[email_id] = email
cursor.close()
conn.close()
# Add full raw body to emails.
cursor, conn = execute_query(bodies_db_file_path, 'SELECT _id, htmlContent, textContent FROM body')
for row in cursor:
email_id = row['_id']
email = inspected_objects.get(email_id)
if email is not None:
if row['htmlContent'] != '':
email.raw_body = row['htmlContent']
email.header.content_type = 'text/html'
else:
email.raw_body = row['textContent']
email.header.content_type = 'text/plain'
email.add_related(source_objects[1], ObjectRelationship.TERM_EXTRACTED_FROM, inline=False)
cursor.close()
# Add attachments to emails.
cursor, conn = execute_query(headers_db_file_path,
'SELECT messageKey, contentUri FROM attachment')
# Iteration over attachments
for row in cursor:
# Get current attachment email_id.
email_id = row['messageKey']
# Find email in inspected_objects.
email = inspected_objects.get(email_id)
# If email has non attachments, initialize them.
if email.attachments is None:
email.attachments = Attachments()
# Using contentUri, get attachment folder_prefix and file_name.
attachment_rel_path_dirs = re.search('.*//.*/(.*)/(.*)/.*', row['contentUri'])
# Group(1): contains attachment folder.
# Group(2): contains attachment file_name.
attachment_rel_file_path = os.path.join('databases', attachment_rel_path_dirs.group(1) + '.db_att',
attachment_rel_path_dirs.group(2))
# Build attachment absolute file path in extracted_data.
attachment_file_path = os.path.join(extracted_data_dir_path, attachment_rel_file_path)
# Build attachment original file_path in device.
original_attachment_file_path = os.path.join(original_app_path, attachment_rel_file_path)
# Create attachment source_file.
attachment = create_file_object(attachment_file_path, original_attachment_file_path)
# Add attachment to email's attachments.
email.attachments.append(attachment.parent.id_)
# Add relation between attachment and it's email.
attachment.add_related(email, ObjectRelationship.TERM_CONTAINED_WITHIN, inline=False)
source_objects.append(attachment)
cursor.close()
conn.close()
return inspected_objects.values(), source_objects
def cybox_object_email(obj):
e = EmailMessage()
e.raw_body = obj.raw_body
e.raw_header = obj.raw_header
# Links
e.links = Links()
for link in obj.links.all():
pass
# Attachments
e.attachments = Attachments()
attachment_objects = []
for att in obj.attachments.all():
for meta in att.file_meta.all():
fobj = cybox_object_file(att, meta)
e.attachments.append(fobj.parent.id_)
fobj.add_related(e, "Contained_Within", inline=False)
attachment_objects.append(fobj)
# construct header information
h = EmailHeader()
h.subject = obj.subject
h.date = obj.email_date
h.message_id = obj.message_id
h.content_type = obj.content_type
h.mime_version = obj.mime_version
h.user_agent = obj.user_agent
h.x_mailer = obj.x_mailer
# From
for from_ in obj.from_string.all():
from_address = EmailAddress(from_.sender)
from_address.is_spoofed = from_.is_spoofed
from_address.condition = from_.condition
h.from_ = from_address
# Sender
for sender in obj.sender.all():
sender_address = EmailAddress(sender.sender)
sender_address.is_spoofed = sender.is_spoofed
sender_address.condition = sender.condition
h.sender.add(sender_address)
# To
recipients = EmailRecipients()
for recipient in obj.recipients.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.to = recipients
# CC
recipients = EmailRecipients()
for recipient in obj.recipients_cc.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.cc = recipients
# BCC
recipients = EmailRecipients()
for recipient in obj.recipients_bcc.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.bcc = recipients
e.header = h
return e, attachment_objects
full_email_object.header = EmailHeader()
full_email_object.header.date = xdate
full_email_object.header.date.condition = "Equals"
full_email_object.header.From = xfrom
full_email_object.header.sender = xsender
full_email_object.header.sender.condition = "Equals"
full_email_object.header.reply_to = xreplyto
full_email_object.header.reply_to.condition = "Equals"
full_email_object.header.subject = xsubject
full_email_object.header.subject.condition = "Equals"
full_email_object.header.x_originating_ip = xoriginatingip
full_email_object.header.x_originating_ip.condition = "Equals"
full_email_object.header.x_mailer = xmailer
full_email_object.header.x_mailer.condition = "Equals"
full_email_object.raw_body = xbody
# TODO: Add file hash indicator/observable
# Create descriptions
if hasattachment:
mydescription = "Phishing E-mail - %s\nDate: %s\nSubject: %s\nAttachment: %s\nFrom: %s\nSender: %s\nReply to: %s\nX_Originating_IP: %s\nX_Mailer: %s\nHELO: %s\nRaw Body: \n%s\n\nAnalyst Notes: %s\n\nAttachment Notes:%s\n\n"\
%(xsubject,xdate,xsubject,xfilename,xfrom,xsender,xreplyto,xoriginatingip,xmailer,xhelo,xbody,ecomment,acomment)
combined_indicator = Indicator(title="Phishing E-mail - " + xsubject,
description=mydescription)
else:
mydescription = "Phishing E-mail - %s\nDate: %s\nSubject: %s\nFrom: %s\nSender: %s\nReply to: %s\nX_Originating_IP: %s\nX_Mailer: %s\nHELO: %s\nRaw Body: \n%s\n\nAnalyst Notes: %s\n\n"\
%(xsubject,xdate,xsubject,xfrom,xsender,xreplyto,xoriginatingip,xmailer,xhelo,xbody,ecomment)
combined_indicator = Indicator(title="Phishing E-mail - " + xsubject,
description=mydescription)
def cybox_object_email(obj):
e = EmailMessage()
e.raw_body = obj.raw_body
e.raw_header = obj.raw_header
# Links
e.links = Links()
for link in obj.links.all():
pass
# Attachments
e.attachments = Attachments()
attachment_objects = []
for att in obj.attachments.all():
for meta in att.file_meta.all():
fobj = cybox_object_file(att, meta)
e.attachments.append(fobj.parent.id_)
fobj.add_related(e, "Contained_Within", inline=False)
attachment_objects.append(fobj)
# construct header information
h = EmailHeader()
h.subject = obj.subject
h.date = obj.email_date
h.message_id = obj.message_id
h.content_type = obj.content_type
h.mime_version = obj.mime_version
h.user_agent = obj.user_agent
h.x_mailer = obj.x_mailer
# From
for from_ in obj.from_string.all():
from_address = EmailAddress(from_.sender)
from_address.is_spoofed = from_.is_spoofed
from_address.condition = from_.condition
h.from_ = from_address
# Sender
for sender in obj.sender.all():
sender_address = EmailAddress(sender.sender)
sender_address.is_spoofed = sender.is_spoofed
sender_address.condition = sender.condition
h.sender.add(sender_address)
# To
recipients = EmailRecipients()
for recipient in obj.recipients.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.to = recipients
# CC
recipients = EmailRecipients()
for recipient in obj.recipients_cc.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.cc = recipients
# BCC
recipients = EmailRecipients()
for recipient in obj.recipients_bcc.all():
rec_address = EmailAddress(recipient.recipient)
rec_address.is_spoofed = recipient.is_spoofed
rec_address.condition = recipient.condition
recipients.append(rec_address)
h.bcc = recipients
e.header = h
return e, attachment_objects
