 def create_mutex_object(self, mutex_attributes):
     """Build a CybOX AssociatedObject of type 'Mutex' from *mutex_attributes*.

     Recognised keys: ``'name'`` (a non-empty string becomes the mutex Name,
     escaped with ``maec.quote_xml``, and the mutex is flagged as named) and
     ``'association'`` (forwarded unchanged to the association type). Any
     other key is ignored. The Windows mutex object is attached to the
     associated object only if at least one attribute was set on it.
     """
     def string_attr(text):
         # Every free-text value is escaped before it lands in the document.
         return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Mutex')
     mutex = win_mutex_object.WindowsMutexObjectType()
     mutex.set_anyAttributes_({'xsi:type' : 'WinMutexObj:WindowsMutexObjectType'})

     for attr_name, attr_value in mutex_attributes.items():
         if attr_name == 'association':
             # NOTE(review): not passed through quote_xml, unlike 'name';
             # presumably a controlled-vocabulary value -- confirm.
             associated.set_association_type(attr_value)
         elif attr_name == 'name' and len(attr_value) > 0:
             mutex.set_Name(string_attr(attr_value))
             mutex.set_named(True)

     if mutex.hasContent_():
         associated.set_Defined_Object(mutex)

     return associated
 def create_driver_object(self, driver_attributes):
     """Build a CybOX AssociatedObject (typed ``'Other'``) wrapping a Windows driver.

     Recognised keys: ``'name'`` (a non-empty string becomes Driver_Name,
     escaped with ``maec.quote_xml``) and ``'association'`` (forwarded
     unchanged). Other keys are ignored. The driver object is attached only
     if it received content.
     """
     def string_attr(text):
         return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Other')
     driver = win_driver_object.WindowsDriverObjectType()
     driver.set_anyAttributes_({'xsi:type' : 'WinDriverObj:WindowsDriverObjectType'})

     for attr_name, attr_value in driver_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'name' and len(attr_value) > 0:
             driver.set_Driver_Name(string_attr(attr_value))

     if driver.hasContent_():
         associated.set_Defined_Object(driver)

     return associated
 def create_internet_object(self, internet_attributes):
     """Build a CybOX AssociatedObject of type 'URI' from *internet_attributes*.

     Recognised keys: ``'uri'`` (a non-empty string becomes the URI Value,
     escaped with ``maec.quote_xml``) and ``'association'``. Other keys are
     ignored. The URI object is attached only if it received content.
     """
     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='URI')
     uri = uri_object.URIObjectType()
     uri.set_anyAttributes_({'xsi:type' : 'URIObj:URIObjectType'})

     for attr_name, attr_value in internet_attributes.items():
         if attr_name == 'association':
             # NOTE(review): this calls set_AssociationType, whereas the sibling
             # create_*_object methods call set_association_type on the same
             # AssociatedObjectType; one spelling is presumably wrong for the
             # generated binding -- confirm against maec.cybox.
             associated.set_AssociationType(attr_value)
         elif attr_name == 'uri' and len(attr_value) > 0:
             uri.set_Value(maec.common.AnyURIObjectAttributeType(datatype='AnyURI', valueOf_=maec.quote_xml(attr_value)))

     if uri.hasContent_():
         associated.set_Defined_Object(uri)

     return associated
 def create_service_object(self, service_attributes):
     """Build a CybOX AssociatedObject of type 'Service/Daemon' from *service_attributes*.

     Recognised keys (empty strings are skipped for the first three):
     ``'name'`` -> Service_Name, ``'displayname'`` -> Display_Name (both
     escaped with ``maec.quote_xml``), ``'controlcode'`` -> a
     SendControlCodeEffect attached as the Defined_Effect (the code itself is
     passed through unescaped), ``'association'`` -> association type.
     ``'filename'`` is recognised but deliberately not mapped. The service
     object is attached only if it received content.
     """
     def string_attr(text):
         return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Service/Daemon')
     service = win_service_object.WindowsServiceObjectType()
     service.set_anyAttributes_({'xsi:type' : 'WinServiceObj:WindowsServiceObjectType'})

     for attr_name, attr_value in service_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
             continue
         if attr_name == 'filename':
             # Not mapped yet; the original carries a "revisit" marker here.
             continue
         if attr_name not in ('name', 'displayname', 'controlcode') or len(attr_value) == 0:
             continue
         if attr_name == 'name':
             service.set_Service_Name(string_attr(attr_value))
         elif attr_name == 'displayname':
             service.set_Display_Name(string_attr(attr_value))
         else:
             effect = maec.cybox.SendControlCodeEffectType(effect_type='ControlCode_Sent', Control_Code=attr_value)
             effect.set_extensiontype_('cybox:SendControlCodeEffectType')
             associated.set_Defined_Effect(effect)

     if service.hasContent_():
         associated.set_Defined_Object(service)

     return associated
 def create_process_object(self, process_attributes):
     """Build a CybOX AssociatedObject of type 'Process' from *process_attributes*.

     Recognised keys: ``'filename'`` -> Image_Info Path and ``'cmd_line'`` ->
     Image_Info Command_Line (both skipped when equal to ``''`` and escaped
     with ``maec.quote_xml``), ``'association'`` -> association type.
     ``'name'`` is recognised but ignored. Image_Info is attached to the
     process only if it has content, and the process object is attached to
     the associated object only if it has content.
     """
     def string_attr(text):
         return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Process')
     process = process_object.ProcessObjectType()
     process.set_anyAttributes_({'xsi:type' : 'ProcessObj:ProcessObjectType'})
     image = process_object.ImageInfoType()

     for attr_name, attr_value in process_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'filename' and attr_value != '':
             image.set_Path(string_attr(attr_value))
         elif attr_name == 'cmd_line' and attr_value != '':
             image.set_Command_Line(string_attr(attr_value))
         # 'name' and any unknown key fall through untouched.

     if image.hasContent_():
         process.set_Image_Info(image)
     if process.hasContent_():
         associated.set_Defined_Object(process)

     return associated
 def create_memory_object(self, memory_attributes):
     """Build a CybOX AssociatedObject of type 'Memory Page' from *memory_attributes*.

     Recognised keys: ``'address'`` (a non-empty string becomes
     Region_Start_Address as hexBinary; every ``'$'`` character is stripped
     first -- presumably a hex-prefix convention of the source data -- and
     the result is escaped with ``maec.quote_xml``) and ``'association'``.
     The memory object is attached only if it received content.
     """
     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Memory Page')
     region = memory_object.MemoryObjectType()
     region.set_anyAttributes_({'xsi:type' : 'MemoryObj:MemoryObjectType'})

     for attr_name, attr_value in memory_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'address' and len(attr_value) > 0:
             hex_text = maec.quote_xml(attr_value.replace('$', ''))
             region.set_Region_Start_Address(maec.common.HexBinaryObjectAttributeType(datatype='hexBinary', valueOf_=hex_text))

     if region.hasContent_():
         associated.set_Defined_Object(region)

     return associated
    def create_pipe_object(self, pipe_attributes):
        """Build a CybOX AssociatedObject of type 'Pipe' from *pipe_attributes*.

        The pipe object is created with ``named='True'`` (a string, as the
        binding is called here). Recognised keys: ``'name'`` and
        ``'filename'`` (either non-empty value becomes the pipe Name, escaped
        with ``maec.quote_xml``; if both are present the one iterated last
        wins), ``'controlcode'`` (non-empty -> SendControlCodeEffect as the
        Defined_Effect, code passed unescaped) and ``'association'``. The
        pipe object is attached only if it received content.
        """
        associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id())
        pipe = win_pipe_object.WindowsPipeObjectType(named='True')
        pipe.set_anyAttributes_({'xsi:type' : 'WinPipeObj:WindowsPipeObjectType'})
        associated.set_type('Pipe')

        for attr_name, attr_value in pipe_attributes.items():
            if attr_name == 'association':
                associated.set_association_type(attr_value)
            elif attr_name in ('name', 'filename'):
                if len(attr_value) > 0:
                    pipe.set_Name(maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(attr_value)))
            elif attr_name == 'controlcode':
                if len(attr_value) > 0:
                    effect = maec.cybox.SendControlCodeEffectType(effect_type='ControlCode_Sent', Control_Code=attr_value)
                    effect.set_extensiontype_('cybox:SendControlCodeEffectType')
                    associated.set_Defined_Effect(effect)

        if pipe.hasContent_():
            associated.set_Defined_Object(pipe)

        return associated
    def create_file_system_object(self, file_system_attributes):
        """Build a CybOX AssociatedObject of type 'File' from *file_system_attributes*.

        Recognised keys (empty strings are skipped unless noted):
        ``'md5'`` / ``'sha1'`` -> entries in the file's hash list,
        ``'packer'`` -> a single-entry Packer_List, ``'filename'`` ->
        File_Name, ``'filepath'`` -> File_Path, ``'linkname'`` -> a
        single-entry Sym_Links list, ``'origin'`` -> a related URI object
        (with its own generated id), ``'controlcode'`` -> a
        SendControlCodeEffect as the Defined_Effect (code passed unescaped),
        ``'av_aliases'`` -> Domain_specific_Object_Attributes (passed through
        as-is, no emptiness check and no escaping), ``'association'`` ->
        association type. Free-text values are escaped with
        ``maec.quote_xml``. The hash list is attached only if non-empty, and
        the file object only if it received content.
        """
        def string_attr(text):
            return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

        def add_digest(algorithm, digest):
            # The original bound the entry to a local called `hash`, shadowing
            # the builtin; renamed here.
            digest_value = maec.common.HexBinaryObjectAttributeType(datatype='hexBinary', valueOf_=maec.quote_xml(digest))
            digest_type = maec.common.HashNameType(datatype='String', valueOf_=algorithm)
            hash_list.add_Hash(maec.common.HashType(Simple_Hash_Value=digest_value, Type=digest_type))

        associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id())
        file_obj = file_object.FileObjectType()
        file_obj.set_anyAttributes_({'xsi:type' : 'FileObj:FileObjectType'})
        associated.set_type('File')
        hash_list = maec.common.HashListType()

        for attr_name, attr_value in file_system_attributes.items():
            if attr_name == 'association':
                associated.set_association_type(attr_value)
                continue
            if attr_name == 'av_aliases':
                associated.set_Domain_specific_Object_Attributes(attr_value)
                continue
            known = ('md5', 'sha1', 'packer', 'filename', 'filepath', 'origin', 'linkname', 'controlcode')
            if attr_name not in known or len(attr_value) == 0:
                continue

            if attr_name == 'md5':
                add_digest('MD5', attr_value)
            elif attr_name == 'sha1':
                add_digest('SHA1', attr_value)
            elif attr_name == 'packer':
                packers = file_object.PackerListType()
                packers.add_Packer(file_object.PackerAttributesType(Name=string_attr(attr_value)))
                file_obj.set_Packer_List(packers)
            elif attr_name == 'filename':
                file_obj.set_File_Name(string_attr(attr_value))
            elif attr_name == 'filepath':
                file_obj.set_File_Path(string_attr(attr_value))
            elif attr_name == 'origin':
                origin_uri = uri_object.URIObjectType()
                origin_uri.set_anyAttributes_({'xsi:type' : 'URIObj:URIObjectType'})
                origin_uri.set_Value(maec.common.AnyURIObjectAttributeType(datatype='AnyURI', valueOf_=maec.quote_xml(attr_value)))
                related_list = maec.cybox.RelatedObjectsType()
                # NOTE(review): keyword is `type=` here while AssociatedObjectType
                # elsewhere takes `type_=`; confirm against the generated binding.
                related = maec.cybox.RelatedObjectType(id=self.generator.generate_obj_id(), type='URI')
                related.set_Defined_Object(origin_uri)
                related_list.add_Related_Object(related)
                associated.set_Related_Objects(related_list)
            elif attr_name == 'linkname':
                links = file_object.SymLinksListType()
                links.add_Sym_Link(string_attr(attr_value))
                file_obj.set_Sym_Links(links)
            else:  # 'controlcode'
                effect = maec.cybox.SendControlCodeEffectType(effect_type='ControlCode_Sent', Control_Code=attr_value)
                effect.set_extensiontype_('cybox:SendControlCodeEffectType')
                associated.set_Defined_Effect(effect)

        if hash_list.hasContent_():
            file_obj.set_Hashes(hash_list)
        if file_obj.hasContent_():
            associated.set_Defined_Object(file_obj)

        return associated
 def create_registry_object(self, registry_attributes):
     """Build a CybOX AssociatedObject of type 'Key/Key Group' from *registry_attributes*.

     Recognised keys: ``'hive'`` -> Hive and ``'key'`` -> Key (non-empty
     only), ``'value'`` -> the registry value's Name (when not ``''``),
     ``'valuedata'`` -> the registry value's Data (when not ``''``), and
     ``'association'`` -> association type. All free-text values are
     escaped with ``maec.quote_xml``. The single RegistryValue is wrapped in
     a RegistryValues list only if it has content, and the key object is
     attached only if it has content.
     """
     def string_attr(text):
         return maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text))

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Key/Key Group')
     reg_key = win_registry_object.WindowsRegistryKeyObjectType()
     reg_key.set_anyAttributes_({'xsi:type' : 'WinRegistryKeyObj:WindowsRegistryKeyObjectType'})
     reg_value = win_registry_object.RegistryValueType()

     for attr_name, attr_value in registry_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'hive':
             if len(attr_value) > 0:
                 reg_key.set_Hive(string_attr(attr_value))
         elif attr_name == 'key':
             if len(attr_value) > 0:
                 reg_key.set_Key(string_attr(attr_value))
         elif attr_name == 'value':
             if attr_value != '':
                 reg_value.set_Name(string_attr(attr_value))
             elif registry_attributes.get('valuedata') != '':
                 # NOTE(review): reached only when attr_value == '', so this
                 # writes an empty Data element. It is presumably overwritten
                 # when a non-empty 'valuedata' follows in iteration order, but
                 # stays when 'valuedata' is absent (.get() -> None != ''). The
                 # intent was likely to use the 'valuedata' value; confirm.
                 reg_value.set_Data(string_attr(attr_value))
         elif attr_name == 'valuedata':
             if attr_value != '':
                 reg_value.set_Data(string_attr(attr_value))

     if reg_value.hasContent_():
         values = win_registry_object.RegistryValuesType()
         values.add_Value(reg_value)
         reg_key.set_Values(values)
     if reg_key.hasContent_():
         associated.set_Defined_Object(reg_key)

     return associated
 def create_module_object(self, module_attributes):
     """Build a CybOX AssociatedObject of type 'Module' wrapping a library object.

     Recognised keys: ``'name'`` (a non-empty string becomes the library
     Name, escaped with ``maec.quote_xml``) and ``'association'``. Other
     keys are ignored. The library object is attached only if it received
     content.
     """
     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_="Module")
     library = library_object.LibraryObjectType()
     library.set_anyAttributes_({'xsi:type' : 'LibraryObj:LibraryObjectType'})

     for attr_name, attr_value in module_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'name' and len(attr_value) > 0:
             library.set_Name(maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(attr_value)))

     if library.hasContent_():
         associated.set_Defined_Object(library)

     return associated
 def create_socket_object(self, network_attributes):
     """Build a CybOX AssociatedObject of type 'Socket' from *network_attributes*.

     Recognised keys: ``'socket_type'`` (only ``'tcp'`` is mapped, to
     ``SOCK_STREAM``), ``'remote_port'`` / ``'local_port'`` (skipped when
     empty or ``'0'``), ``'remote_address'`` / ``'local_address'`` (skipped
     when empty; always labelled ``ipv4-addr``), ``'islistening'`` (passed
     through as-is) and ``'association'``. Port and address values are
     escaped with ``maec.quote_xml``. Each SocketAddress is attached only
     if it has content, and the socket object only if it has content.
     """
     def port_from(text):
         port = socket_object.port_object.PortObjectType()
         port.set_Port_Value(maec.common.PositiveIntegerObjectAttributeType(datatype='PositiveInteger', valueOf_=maec.quote_xml(text)))
         return port

     def address_from(text):
         # The category is fixed regardless of the value's shape;
         # NOTE(review): an IPv6 literal would presumably be mislabelled here.
         addr = socket_object.address_object.AddressObjectType(category='ipv4-addr')
         addr.set_Address_Value(maec.common.StringObjectAttributeType(datatype='String', valueOf_=maec.quote_xml(text)))
         return addr

     associated = maec.cybox.AssociatedObjectType(id=self.generator.generate_obj_id(), type_='Socket')
     sock = socket_object.SocketObjectType()
     sock.set_anyAttributes_({'xsi:type' : 'SocketObj:SocketObjectType'})
     remote_end = socket_object.SocketAddressType()
     local_end = socket_object.SocketAddressType()

     for attr_name, attr_value in network_attributes.items():
         if attr_name == 'association':
             associated.set_association_type(attr_value)
         elif attr_name == 'islistening':
             sock.set_is_listening(attr_value)
         elif attr_name == 'socket_type':
             if attr_value == 'tcp':
                 sock.set_Type(maec.common.StringObjectAttributeType(datatype='String', valueOf_='SOCK_STREAM'))
         elif attr_name in ('remote_port', 'local_port'):
             if len(attr_value) > 0 and attr_value != '0':
                 endpoint = remote_end if attr_name == 'remote_port' else local_end
                 endpoint.set_Port(port_from(attr_value))
         elif attr_name in ('remote_address', 'local_address'):
             if len(attr_value) > 0:
                 endpoint = remote_end if attr_name == 'remote_address' else local_end
                 endpoint.set_IP_Address(address_from(attr_value))

     if remote_end.hasContent_():
         sock.set_Remote_Address(remote_end)
     if local_end.hasContent_():
         sock.set_Local_Address(local_end)
     if sock.hasContent_():
         associated.set_Defined_Object(sock)

     return associated