def create_discovery_method_instance(self,argument_list=None,child_pid_list=None,creation_time =None,is_hidden=None,image_info=None,extracted_features=None,environment_variable_list=None, kernel_time=None,name=None,network_connection_list=None,parent_pid=None,pid=None,port_list=None,start_time=None,user_time=None,username=None): instance = Process() instance.argument_list= argument_list instance.child_pid_list=child_pid_list instance.creation_time = DateTime(creation_time) instance.username=username instance.user_time = Duration(user_time) instance.start_time = DateTime(start_time) instance.port_list =port_list instance.pid = pid instance.parent_pid = parent_pid if network_connection_list is not None and (all(isinstance(x,NetworkConnection ) for x in network_connection_list)): instance.network_connection_list = NetworkConnectionList() for netcon in network_connection_list: instance.network_connection_list.append(netcon) else: instance.network_connection_list= None instance.name = name instance.kernel_time = Duration(kernel_time) if environment_variable_list is not None and (all(isinstance(x,EnvironmentVariable ) for x in environment_variable_list)): instance.environment_variable_list = EnvironmentVariableList() for envar in environment_variable_list: instance.environment_variable_list.append(envar) else: instance.environment_variable_list =None instance.extracted_features =extracted_features instance.image_info = image_info instance.is_hidden= is_hidden return instance
def createDynamicIndicators(stix_package, dynamicindicators): filescreated = False processesstarted = False regkeyscreated = False mutexescreated = False hostscontacted = False hasdynamicindicators = False # Here we are just testing to see if the report had any # of the various dynamic indicator types so we know whether # or not to process them at all if len(dynamicindicators['droppedfiles']) > 0: filescreated = True hasdynamicindicators = True if len(dynamicindicators['processes']) > 0: processesstarted = True hasdynamicindicators = True if len(dynamicindicators['regkeys']) > 0: regkeyscreated = True hasdynamicindicators = True if len(dynamicindicators['mutexes']) > 0: mutexescreated = True hasdynamicindicators = True if len(dynamicindicators['hosts']) > 0: hostscontacted = True hasdynamicindicators = True if not hasdynamicindicators: return if filescreated: createdfilesind = Indicator() for createdfile in dynamicindicators['droppedfiles']: createdfilename = File() createdfilename.file_name = createdfile[0] createdfilename.size_in_bytes = createdfile[1] createdfilename.md5 = createdfile[2] createdfilename.sha1 = createdfile[3] createdfilename.sha256 = createdfile[4] createdfilesind.add_observable(Observable(createdfilename)) stix_package.add_indicator(createdfilesind) if processesstarted: procindicator = Indicator() for process in dynamicindicators['processes']: # Process name processname = process[0] # Process pid processpid = process[1] # Process parent pid processparentpid = process[2] proc = Process() proc.name = processname proc.pid = processpid proc.parent_pid = processparentpid procindicator.add_observable(Observable(proc)) stix_package.add_indicator(procindicator) if regkeyscreated: regindicator = Indicator() keypath = WinRegistryKey() for regkey in dynamicindicators['regkeys']: keypath = WinRegistryKey() keypath.key = regkey regindicator.add_observable(Observable(keypath)) stix_package.add_indicator(regindicator) if not mutexescreated: mutexind = Indicator() for mutex in dynamicindicators['mutexes']: winhandle = WinHandle() winhandle.name = mutex winmutex = WinMutex() winmutex.handle = winhandle mutexind.add_observable(Observable(winmutex)) stix_package.add_indicator(mutexind) if hostscontacted: networkconnectionind = Indicator() for host in dynamicindicators['hosts']: networkconnection = NetworkConnection() socketaddress = SocketAddress() socketaddress.ip_address = host networkconnection.destination_socket_address = socketaddress networkconnectionind.add_observable(Observable(networkconnection)) stix_package.add_indicator(networkconnectionind) return
def addsec_to_cybox(as_obtype, as_obdata): # # Addition Security to CybOX mappings, for discrete/separate observables # # 30: DataTypeSymbolName if as_obtype == 30: a = API() a.function_name = as_obdata return a # 32: DataTypeLibraryName if as_obtype == 32: l = Library() l.name = as_obdata l.path = as_obdata return l # 14: DataTypeUsername if as_obtype == 14: u = UserAccount() u.username = as_obdata return u # 10: DataTypeFile if as_obtype == 10: f = File() f.full_path = as_obdata return f # 23: DataTypeHostname if as_obtype == 23: h = Hostname() h.hostname_value = as_obdata return h # 29: DataTypeEnvString if as_obtype == 29: # Here, Process is meant to represent the hosting process; then we # attach the actual environment variable value p = Process() p.environment_variable_list = as_obdata return p # 17: DataTypeApplication if as_obtype == 17: # Particularly on Android, identification of an installed package fits # somewhere between File and Process, but not quite either. The closest # fit is around LinuxPackage, which is what we use. We should technically # derive from it, but we're trying to keep things simple. p = LinuxPackage() p.name = as_obdata return p # 11: DataTypeX509 # 12: DataTypeX509Subject # 13: DataTypeX509Issuer if as_obtype == 11 or as_obtype == 12 or as_obtype == 13: c = X509Certificate() if as_obtype == 11: c.raw_certificate = as_obdata.encode('hex') if as_obtype == 12: c.certificate.subject = as_obdata if as_obtype == 13: c.certificate.issuer = as_obdata return c # 2: DataTypeSHA1Hash # 7: DataTypeVersionString # 18: DataTypeString # 31: DataTypePropertyName # TODO: find the proper CybOX to represent these; for now, we don't # report them return None