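def __create_cybox_main_file(self, fdict):
    """Build a CybOX ``File`` object describing the analysed sample.

    Args:
        fdict: mapping with the keys ``filename``, ``size``, ``md5``,
            ``sha1`` and ``sha256`` (a missing key raises ``KeyError``).

    Returns:
        A ``File`` with name, extension, size and the three hashes set;
        every hash is marked ``exact=True`` so the object denotes this
        specific sample rather than a fuzzy match.
    """
    f = File()
    name = fdict['filename']
    f.file_name = String(name)
    # Derive the extension from the last '.'; a name without one gets an
    # empty extension instead of the whole name (the old rsplit fallback
    # turned "README" into the extension ".README").
    try:
        ext = name.rsplit('.', 1)[-1] if '.' in name else ""
    except (AttributeError, TypeError):
        # Non-string filename: keep the previous best-effort behaviour.
        ext = ""
    f.file_extension = String('.' + ext) if ext else ""
    f.size_in_bytes = int(fdict['size'])
    f.add_hash(Hash(fdict['md5'], type_="MD5", exact=True))
    f.add_hash(Hash(fdict['sha1'], type_="SHA1", exact=True))
    f.add_hash(Hash(fdict['sha256'], type_="SHA256", exact=True))
    return f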
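def _dostix(hashes):
    '''Create a STIX package holding one "File Hash Watchlist" indicator.

    Every entry of ``hashes`` becomes a File observable (name, extension,
    size, format and md5/sha1/sha256/sha512/ssdeep hashes, all carrying an
    ``Equals`` condition) attached to a single indicator whose title,
    description, producer and namespace come from ``SETTINGS['stix']``.

    Args:
        hashes: iterable of dicts with the keys ``filename``, ``filesize``,
            ``fileformat``, ``md5``, ``sha1``, ``sha256``, ``sha512`` and
            ``ssdeep``. An entry missing a key or of the wrong shape is
            skipped with a message instead of discarding the whole package.

    Returns:
        The populated ``STIXPackage``, or ``None`` when a required
        ``SETTINGS`` key is missing (reported on stdout rather than
        silently swallowed as before).
    '''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        # Produced/received times are pinned to the indicator's own timestamp.
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"
        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']
        # The TTP and COA references are optional settings.
        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'], timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(idref=SETTINGS['suggested_coa'], timestamp=indicator.timestamp))
        except KeyError:
            pass
        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                # Every hash value and hash type is an exact-match condition.
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except (KeyError, TypeError) as err:
                # Best effort per entry: report and move on. Previously a
                # KeyError here fell through to the outer handler and the
                # whole package was lost.
                print("[-] Skipping malformed hash entry: %r" % (err,))
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError as err:
        print("[-] Cannot create STIX Package, missing setting: %r" % (err,))
        return None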
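def main():
    """Print a STIX package with three phishing e-mail indicators.

    The subject-line indicator, the attachment indicator and the combined
    indicator all point at one "Phishing" TTP. The combined indicator
    references the attachment's File object by id rather than defining it
    a second time.
    """
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)

    # Create the indicator for just the subject
    email_subject_object = EmailMessage()
    email_subject_object.header = EmailHeader()
    email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
    email_subject_object.header.subject.condition = "StartsWith"
    email_subject_indicator = Indicator()
    email_subject_indicator.title = "Malicious E-mail Subject Line"
    email_subject_indicator.add_indicator_type("Malicious E-mail")
    email_subject_indicator.observable = email_subject_object
    email_subject_indicator.confidence = "Low"

    # Create the indicator for just the attachment
    file_attachment_object = EmailMessage()
    file_attachment_object.attachments = Attachments()
    attached_file_object = File()
    attached_file_object.file_name = "Final Report"
    attached_file_object.file_name.condition = "StartsWith"
    attached_file_object.file_extension = "doc.exe"
    attached_file_object.file_extension.condition = "Equals"
    file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
    # The attachment list must reference the File's object id, not the
    # e-mail's own id (file_attachment_object.parent.id_ was the e-mail).
    file_attachment_object.attachments.append(attached_file_object.parent.id_)
    indicator_attachment = Indicator()
    indicator_attachment.title = "Malicious E-mail Attachment"
    indicator_attachment.add_indicator_type("Malicious E-mail")
    indicator_attachment.observable = file_attachment_object
    indicator_attachment.confidence = "Low"

    # Create the combined indicator w/ both subject and attachment
    full_email_object = EmailMessage()
    full_email_object.attachments = Attachments()
    # Add the previously referenced file as another reference rather than define it again:
    full_email_object.attachments.append(attached_file_object.parent.id_)
    full_email_object.header = EmailHeader()
    full_email_object.header.subject = "[IMPORTANT] Please Review Before"
    full_email_object.header.subject.condition = "StartsWith"
    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email_object

    email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
    combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
    # Call form of print: identical output on Python 2 with one argument,
    # and valid on Python 3.
    print(stix_package.to_xml())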
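def __create_cybox_files(self, msg):
    """Returns a list of CybOX File objects from the message.

    Attachments can be identified within multipart messages by their
    Content-Disposition header.
    Ex: Content-Disposition: attachment; filename="foobar.jpg"

    Each attachment part yields one ``File`` carrying the filename and
    extension (when a filename is present) and the size plus MD5, SHA-1,
    SHA-256 and SHA-384 digests (when payload data is present). A part with
    neither is skipped. Non-multipart messages yield an empty list.
    """
    files = []
    if self.__verbose_output:
        sys.stderr.write("** parsing attachments\n")
    # extract the email attachments into their own FileObjectType objects
    if not msg.is_multipart():
        return files
    for part in msg.get_payload():
        if 'content-disposition' not in part:
            continue
        # if it's an attachment-type, pull out the filename
        # and calculate the size in bytes
        file_name = part.get_filename(failobj='')
        file_data = part.get_payload(decode=True)
        # PGP Encrypted could come back as None and ''
        if not (file_name or file_data):
            continue
        f = File()
        # Do what we can with what came back from the payload parsing
        if file_name:
            f.file_name = file_name
            f.file_extension = os.path.splitext(file_name)[1]
        size = 0
        if file_data:
            size = len(file_data)
            f.size = size
            # Named 'digest' so the builtin hash() is not shadowed.
            for digest in (hashlib.md5(file_data).hexdigest(),
                           hashlib.sha1(file_data).hexdigest(),
                           hashlib.sha256(file_data).hexdigest(),
                           hashlib.sha384(file_data).hexdigest()):
                f.add_hash(digest)
        files.append(f)
        # TODO: add support for created and modified dates
        # modified_date = self.__get_attachment_modified_date(part)
        # created_date = self.__get_attachment_created_date(part)
        if self.__verbose_output:
            # Log from the locals: f.size is never set for a part without
            # payload data, and "%d" % None raises TypeError.
            sys.stderr.write("** creating file object for: %s, size: %d bytes\n"
                             % (file_name, size))
    return files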
def cybox_object_file(obj, meta=None):
    """Translate a stored file record into a CybOX ``File`` object.

    Args:
        obj: record exposing ``md5_hash`` and ``sha256_hash``; the literal
            placeholders ``'No MD5'`` / ``'No SHA256'`` mean "unknown" and
            produce no Hash entry.
        meta: optional record with ``file_name``, ``file_extension``,
            ``file_path`` and ``file_size``; copied verbatim when given.

    Returns:
        The populated ``File``.
    """
    # TODO: missing File_Custom_Properties
    cybox_file = File()
    for digest, placeholder in ((obj.md5_hash, 'No MD5'),
                                (obj.sha256_hash, 'No SHA256')):
        if digest != placeholder:
            cybox_file.add_hash(Hash(digest))
    if meta:
        cybox_file.file_name = meta.file_name
        cybox_file.file_extension = meta.file_extension
        cybox_file.file_path = meta.file_path
        cybox_file.size_in_bytes = meta.file_size
    return cybox_file
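def main():
    """Build one File observable with a single hash and print it as XML."""
    h = Hash("a7a0390e99406f8975a1895860f55f2f")
    f = File()
    f.file_name = "bad_file24.exe"
    # Raw string: "\M" is not an escape sequence, and the non-raw form is an
    # invalid-escape warning on Python 3 (SyntaxWarning since 3.12). The
    # value is unchanged.
    f.file_path = r"AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)
    o = Observable(f)
    o.description = "This observable specifies a specific file observation."
    print(Observables(o).to_xml())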
def create_file_object(file_path, original_file_path):
    """Describe the file at ``file_path`` as a CybOX ``File``.

    :type file_path: string
    :param file_path: path of the file to inspect on the local filesystem
    :type original_file_path: string
    :param original_file_path: path recorded in the object's ``file_path``
        (the file's original location, not where it is read from)
    :rtype: File
    """
    base_name = os.path.basename(file_path)
    extension = os.path.splitext(file_path)[1]
    # Format, size and checksum are read from the local copy.
    file_format = magic.from_file(file_path)
    size = os.path.getsize(file_path)
    checksum = sha256_checksum(file_path)

    cybox_file = File()
    cybox_file.file_name = base_name
    cybox_file.file_extension = extension
    cybox_file.file_path = original_file_path
    cybox_file.file_format = file_format
    cybox_file.size_in_bytes = size
    cybox_file.sha256 = checksum
    return cybox_file
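def main():
    """Set the id namespace, build one File observable and print it as XML."""
    NS = cybox.utils.Namespace("http://example.com/", "example")
    cybox.utils.set_id_namespace(NS)
    h = Hash("a7a0390e99406f8975a1895860f55f2f")
    f = File()
    f.file_name = "bad_file24.exe"
    # Raw string: "\M" is not an escape sequence, and the non-raw form is an
    # invalid-escape warning on Python 3 (SyntaxWarning since 3.12). The
    # value is unchanged.
    f.file_path = r"AppData\Mozilla"
    f.file_extension = ".exe"
    f.size_in_bytes = 3282
    f.add_hash(h)
    o = Observable(f)
    o.description = "This observable specifies a specific file observation."
    # Call form of print: identical output on Python 2 with one argument,
    # and valid on Python 3.
    print(Observables(o).to_xml())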
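def __create_cybox_dropped_files(self, dropps, main_sha256):
    """Build CybOX ``File`` objects for the files dropped by the sample.

    Args:
        dropps: iterable of dicts with the keys ``name``, ``size``, ``md5``,
            ``sha1`` and ``sha256``; falsy means "nothing dropped".
        main_sha256: SHA-256 of the analysed sample itself; an entry with
            this hash is the original file and is skipped.

    Returns:
        A list of ``File`` objects, each with name, extension, size and the
        three hashes marked ``exact=True``.
    """
    dropped = []
    if not dropps:
        return dropped
    for item in dropps:
        # skip original file (this was a bare string literal, i.e. a no-op
        # statement, not a comment)
        if item['sha256'] == main_sha256:
            continue
        f = File()
        name = item['name']
        f.file_name = String(name)
        # A name without a '.' gets an empty extension instead of the whole
        # name (rsplit('.')[-1] on "README" yielded ".README").
        if '.' in name:
            f.file_extension = String('.' + name.rsplit('.', 1)[-1])
        else:
            f.file_extension = ""
        f.size_in_bytes = int(item['size'])
        f.add_hash(Hash(item['md5'], type_="MD5", exact=True))
        f.add_hash(Hash(item['sha1'], type_="SHA1", exact=True))
        f.add_hash(Hash(item['sha256'], type_="SHA256", exact=True))
        dropped.append(f)
    return dropped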
def cap2cybox(capob):
    """Add a File observable for ``fpath`` to ``capob`` and return ``capob``.

    ``fpath`` is not a parameter: it is resolved from the enclosing scope at
    call time (presumably a module-level variable; confirm in the caller).
    The observable carries the basename, the path without extension (as a
    ``FilePath``) and the extension of ``fpath``.
    """
    NS = cybox.utils.Namespace("http://example.com/","lift_s")
    cybox.utils.set_id_namespace(NS)
    # File information
    stem, ext = os.path.splitext(fpath)
    file_obj = File()
    file_obj.file_name = os.path.basename(fpath)
    file_obj.file_path = FilePath(stem)
    file_obj.file_extension = ext
    observable = Observable(file_obj)
    observable.description = u'ファイル情報'
    capob.add(observable)
    return capob
def main():
    """Print a STIX package with three phishing e-mail indicators.

    The subject-line indicator, the attachment indicator and the combined
    indicator all point at one "Phishing" TTP; the combined indicator
    references the attachment's File object by id instead of defining it a
    second time.
    """
    stix_package = STIXPackage()
    ttp = TTP(title="Phishing")
    stix_package.add_ttp(ttp)
    ttp_ref = ttp.id_

    # Indicator 1: subject line only
    subject_email = EmailMessage()
    subject_email.header = EmailHeader()
    subject_email.header.subject = "[IMPORTANT] Please Review Before"
    subject_email.header.subject.condition = "StartsWith"
    subject_indicator = Indicator(title="Malicious E-mail Subject Line")
    subject_indicator.add_indicator_type("Malicious E-mail")
    subject_indicator.observable = subject_email
    subject_indicator.confidence = "Low"

    # Indicator 2: attachment only
    attachment_email = EmailMessage()
    attachment_email.attachments = Attachments()
    attached_file = File()
    attached_file.file_name = "Final Report"
    attached_file.file_name.condition = "StartsWith"
    attached_file.file_extension = "doc.exe"
    attached_file.file_extension.condition = "Equals"
    attachment_email.add_related(attached_file, "Contains", inline=True)
    attachment_email.attachments.append(attached_file.parent.id_)
    attachment_indicator = Indicator(title="Malicious E-mail Attachment")
    attachment_indicator.add_indicator_type("Malicious E-mail")
    attachment_indicator.observable = attachment_email
    attachment_indicator.confidence = "Low"

    # Indicator 3: subject and attachment together; the File is referenced
    # by the id assigned above rather than defined again
    full_email = EmailMessage()
    full_email.attachments = Attachments()
    full_email.attachments.append(attached_file.parent.id_)
    full_email.header = EmailHeader()
    full_email.header.subject = "[IMPORTANT] Please Review Before"
    full_email.header.subject.condition = "StartsWith"
    combined_indicator = Indicator(title="Malicious E-mail")
    combined_indicator.add_indicator_type("Malicious E-mail")
    combined_indicator.confidence = Confidence(value="High")
    combined_indicator.observable = full_email

    # TTP references are created in the same order as before so generated
    # ids are unchanged; the package lists the combined indicator first.
    for indicator in (subject_indicator, attachment_indicator, combined_indicator):
        indicator.add_indicated_ttp(TTP(idref=ttp_ref))
    for indicator in (combined_indicator, subject_indicator, attachment_indicator):
        stix_package.add_indicator(indicator)
    print(stix_package.to_xml(encoding=None))
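def _dostix(hashes):
    '''Create a STIX package holding one "File Hash Watchlist" indicator.

    Every entry of ``hashes`` becomes a File observable (name, extension,
    size, format and md5/sha1/sha256/sha512/ssdeep hashes, all carrying an
    ``Equals`` condition) attached to a single indicator whose title,
    description, producer and namespace come from ``SETTINGS['stix']``.

    Args:
        hashes: iterable of dicts with the keys ``filename``, ``filesize``,
            ``fileformat``, ``md5``, ``sha1``, ``sha256``, ``sha512`` and
            ``ssdeep``. An entry missing a key or of the wrong shape is
            skipped with a message instead of discarding the whole package.

    Returns:
        The populated ``STIXPackage``, or ``None`` when a required
        ``SETTINGS`` key is missing (reported on stdout rather than
        silently swallowed as before).
    '''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        # Produced/received times are pinned to the indicator's own timestamp.
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"
        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']
        # The TTP and COA references are optional settings.
        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'], timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(
                    idref=SETTINGS['suggested_coa'], timestamp=indicator.timestamp))
        except KeyError:
            pass
        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                # Every hash value and hash type is an exact-match condition.
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except (KeyError, TypeError) as err:
                # Best effort per entry: report and move on. Previously a
                # KeyError here fell through to the outer handler and the
                # whole package was lost.
                print("[-] Skipping malformed hash entry: %r" % (err,))
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError as err:
        print("[-] Cannot create STIX Package, missing setting: %r" % (err,))
        return None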