    def test_add_collections(self):
        """Adding an item to a named collection registers that collection on the bundle.

        The same add-then-check sequence is run for all four collection
        kinds: actions, objects, behaviors and candidate indicators.
        """
        o = Bundle()

        # (collection name, creates the named collection, item factory,
        #  adds one item to the collection, attribute of o.collections
        #  that is expected to report the collection afterwards)
        cases = (
            ("Actions", o.add_named_action_collection, MalwareAction,
             o.add_action, "action_collections"),
            ("Objects", o.add_named_object_collection, Object,
             o.add_object, "object_collections"),
            ("Behaviors", o.add_named_behavior_collection, Behavior,
             o.add_behavior, "behavior_collections"),
            ("Indicators", o.add_named_candidate_indicator_collection,
             CandidateIndicator, o.add_candidate_indicator,
             "candidate_indicator_collections"),
        )
        for name, make_collection, item_factory, add_item, attr in cases:
            make_collection(name)
            add_item(item_factory(), name)
            registry = getattr(o.collections, attr)
            self.assertTrue(registry.has_collection(name))
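def mkActionList(subject, mkclass):
    """Turn one analysis report into MAEC actions and behaviors and write them out.

    Args:
        subject: dict of report sections keyed by section name (for example
            "file_reads" or "dns_queries"); each value is iterated and every
            entry is passed to that section's converter. ``subject['overview']``
            must contain an ``analysis_reason``, which becomes the description
            of every behavior.
        mkclass: holder whose ``bundle.actions`` and ``bundle.als`` lists
            receive every action that is created.

    Side effects:
        Appends to ``mkclass.bundle.actions`` and ``mkclass.bundle.als``,
        prints a line for sections without a converter and for sections that
        produced no action, and finally calls ``mkSubject.xmlwrite`` with the
        ActionList and BehaviorList built here.

    Returns:
        None.
    """
    # Section name -> converter that turns one raw entry into a MAEC action.
    # Sections without a converter (process, overview, process_interactions,
    # raised_exceptions) fall through to the "not checked" branch below.
    token = {
        "registry_reads":       registry_reads,
        "file_reads":           file_reads,
        "loaded_libraries":     loaded_libraries,
        "registry_deletions":   registry_deletions,
        "file_writes":          file_writes,
        "mutex_opens":          mutex_opens,
        "dns_queries":          dns_queries,
        "mutex_creates":        mutex_create,
        "file_deletes":         file_delete,
        "modified_libraries":   modified_libraries,
        "http_conversations":   http_conversations,
    }
    description = subject['overview']['analysis_reason']
    bls = []   # one Behavior per handled section
    als = []   # every action created, in creation order
    for k, v in subject.items():
        if k not in token:
            print "This Key is not Checked:", k
            continue
        convert = token[k]
        actions = []
        for n in v:
            act = convert(n)                    # build one action
            mkclass.bundle.actions.append(act)
            actions.append(act)
            mkclass.bundle.als.append(act)
        if not actions:
            print "action Null:", k
        # Keep the local list in step with the bundle so the ActionList written
        # below is not always empty (previously only the bundle was appended to).
        als.extend(actions)
        # One fresh Behavior per section: reusing a single Behavior object would
        # leave every entry of bls pointing at the same behavior, whose
        # action_composition holds only the last section's actions.
        bas = BehavioralActions()
        bas.action = actions
        b = Behavior()
        b.description = description
        b.action_composition = bas
        bls.append(b)
    # A list is never None; test for emptiness instead.
    if not als:
        print "ActionListNone:", subject['overview']
    mkSubject.xmlwrite(ActionList(als), BehaviorList(bls))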
 def create_behavior(self, id=None, description=None, ordinal_position=None,
                     status=None, duration=None, behavior_purpose=None,
                     discovery_method=None, action=None,
                     action_equivalence_reference=None,
                     action_reference=None, associated_code=None):
     """Build a Behavior from keyword fields.

     ``behavior_purpose`` is only applied when it is a BehaviorPurpose
     instance; an ``action_composition`` is created only when at least one
     of ``action``, ``action_reference`` or
     ``action_equivalence_reference`` is given; entries of
     ``associated_code`` that are not Code instances are skipped.

     Returns:
         The populated Behavior.
     """
     result = Behavior(id=id, description=description)
     result.ordinal_position = ordinal_position
     result.status = status
     result.duration = duration
     if isinstance(behavior_purpose, BehaviorPurpose):
         result.purpose = behavior_purpose
     result.discovery_method = discovery_method

     composition_inputs = (action, action_equivalence_reference, action_reference)
     if any(value is not None for value in composition_inputs):
         result.action_composition = BehavioralActions()
         composition = result.action_composition
         composition.action = action
         composition.action_reference = action_reference
         composition.action_equivalence_reference = action_equivalence_reference

     if associated_code is not None:
         result.associated_code = AssociatedCode()
         code_list = result.associated_code
         for code in associated_code:
             if not isinstance(code, Code):
                 continue
             code_list.append(code)
     return result
 def test_to_xml_no_encoding(self):
     """With encoding=None, to_xml returns a unicode string holding the description verbatim."""
     behavior = Behavior()
     behavior.description = UNICODE_STR
     rendered = behavior.to_xml(encoding=None)
     self.assertIsInstance(rendered, unicode)
     self.assertIn(UNICODE_STR, rendered)
 def test_to_xml_default_encoded(self):
     """The default to_xml output decodes as UTF-8 and still contains the description."""
     behavior = Behavior()
     behavior.description = UNICODE_STR
     decoded = behavior.to_xml().decode('utf-8')
     self.assertIn(UNICODE_STR, decoded)
 def test_to_xml_utf16_encoded(self):
     """An explicit utf-16 encoding round-trips the description through to_xml."""
     encoding = 'utf-16'
     behavior = Behavior()
     behavior.description = UNICODE_STR
     decoded = behavior.to_xml(encoding=encoding).decode(encoding)
     self.assertIn(UNICODE_STR, decoded)
 def test_behavior(self):
     """A behavior's unicode description survives round_trip unchanged."""
     original = Behavior()
     original.description = UNICODE_STR
     restored = round_trip(original)
     self.assertEqual(original.description, restored.description)
 def test_to_xml_no_encoding(self):
     """With encoding=None, to_xml returns a text string holding the description verbatim."""
     behavior = Behavior()
     behavior.description = UNICODE_STR
     rendered = behavior.to_xml(encoding=None)
     self.assertIsInstance(rendered, text_type)
     self.assertIn(UNICODE_STR, rendered)
 def test_to_xml_default_encoded(self):
     """The default to_xml output decodes as UTF-8 and still contains the description."""
     behavior = Behavior()
     behavior.description = UNICODE_STR
     raw = behavior.to_xml()
     self.assertIn(UNICODE_STR, raw.decode('utf-8'))
 def test_to_xml_utf16_encoded(self):
     """An explicit utf-16 encoding round-trips the description through to_xml."""
     encoding = 'utf-16'
     behavior = Behavior()
     behavior.description = UNICODE_STR
     raw = behavior.to_xml(encoding=encoding)
     self.assertIn(UNICODE_STR, raw.decode(encoding))
 def test_behavior(self):
     """A behavior's unicode description survives round_trip unchanged."""
     source = Behavior()
     source.description = UNICODE_STR
     copy = round_trip(source)
     self.assertEqual(source.description, copy.description)
# Action: "add windows hook", with the low-level keyboard hook as its output object.
act = MalwareAction()
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()

o1 = AssociatedObject()
hook = WinHook()
hook.type_ = "WH_KEYBOARD_LL"
o1.properties = hook
assoc_type = VocabString()
assoc_type.value = "output"
assoc_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
o1.association_type = assoc_type
act.associated_objects.append(o1)

# Behavior: composed of a single reference to the action above (by its id).
bhv = Behavior()
bhv.action_composition = BehavioralActions()
action_ref = BehavioralActionReference()
action_ref.action_id = act.id_
bhv.action_composition.action_reference = [action_ref]

# Capability: "spying", whose tactical objective points back at the behavior.
cap = Capability()
cap.name = "spying"
obj = CapabilityObjective()
objective_name = VocabString()
objective_name.value = "capture keyboard input"
objective_name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0"
obj.name = objective_name
behavior_ref = BehaviorReference()
behavior_ref.behavior_idref = bhv.id_
obj.behavior_reference = [behavior_ref]
cap.add_tactical_objective(obj)
# The hooking action; its associated object is the WH_KEYBOARD_LL hook it outputs.
act = MalwareAction()
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()

o1 = AssociatedObject()
keyboard_hook = WinHook()
keyboard_hook.type_ = "WH_KEYBOARD_LL"
o1.properties = keyboard_hook
association = VocabString()
association.value = "output"
association.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
o1.association_type = association
act.associated_objects.append(o1)

# The behavior realised by that action, linked through the action's id.
bhv = Behavior()
bhv.action_composition = BehavioralActions()
ref_to_action = BehavioralActionReference()
ref_to_action.action_id = act.id_
bhv.action_composition.action_reference = [ref_to_action]

# The spying capability; its objective references the behavior by id.
cap = Capability()
cap.name = "spying"
obj = CapabilityObjective()
obj.name = VocabString()
obj.name.value = "capture keyboard input"
obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0"
ref_to_behavior = BehaviorReference()
ref_to_behavior.behavior_idref = bhv.id_
obj.behavior_reference = [ref_to_behavior]
cap.add_tactical_objective(obj)