def _get_gti_info(self, reputations_dict):
gti_dict = {}
# Information for GTI file provider
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
gti_dict["File Provider"] = "GTI"
gti_dict["Create Date"] = EpochMixin.to_localtime_string(gti_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(gti_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
gti_dict["Trust Level"] = trust_level
# Retrieve the GTI reputation attributes
if ReputationProp.ATTRIBUTES in gti_rep:
gti_rep_attribs = gti_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
# Get prevalence (if it exists)
if FileGtiAttrib.PREVALENCE in gti_rep_attribs:
attribs_dict["Prevalence"] = gti_rep_attribs[FileGtiAttrib.PREVALENCE]
# Get First Contact Date (if it exists)
if FileGtiAttrib.FIRST_CONTACT in gti_rep_attribs:
attribs_dict["First Contact"] = EpochMixin.to_localtime_string(gti_rep_attribs[
FileGtiAttrib.FIRST_CONTACT])
gti_dict["Attributes"] = attribs_dict
return gti_dict
def _get_atd_info(self, reputations_dict):
atd_dict = {}
# Information for Advanced Threat Defense file provider
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
atd_dict["File Provider"] = "ATD"
atd_dict["Create Date"] = EpochMixin.to_localtime_string(atd_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(atd_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
atd_dict["Trust Level"] = trust_level
# Retrieve the ATD reputation attributes
if ReputationProp.ATTRIBUTES in atd_rep:
atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
# Get Trust scores
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["GAM Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.GAM_SCORE)
if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs:
attribs_dict["AV Engine Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.AV_ENGINE_SCORE)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["Sandbox Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.SANDBOX_SCORE)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["Verdict"] = self._get_atd_trust_level(atd_rep, AtdAttrib.VERDICT)
if AtdAttrib.BEHAVIORS in atd_rep_attribs:
attribs_dict["Behaviors"] = atd_rep_attribs[AtdAttrib.BEHAVIORS]
atd_dict["Attributes"] = attribs_dict
return atd_dict
def _get_mwg_info(self, reputations_dict):
mwg_dict = {}
# Information for file provider
if FileProvider.MWG in reputations_dict:
mwg_rep = reputations_dict[FileProvider.MWG]
mwg_dict["File Provider"] = "MWG"
mwg_dict["Create Date"] = EpochMixin.to_localtime_string(mwg_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(mwg_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
mwg_dict["Trust Level"] = trust_level
return mwg_dict
def _get_gti_info(self, reputations_dict, hit):
# Information for GTI file provider
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
trust_level = self._get_trust_level(gti_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
# Not a hit until trust level has been verified to less than or equal to MIGHT BE MALICIOUS
hit.append(StringProp(name="GTI Trust Level", value=trust_level))
# Retrieve the GTI reputation attributes
gti_rep_attribs = gti_rep[ReputationProp.ATTRIBUTES]
# Get prevalence (if it exists)
if FileGtiAttrib.PREVALENCE in gti_rep_attribs:
hit.append(StringProp(name="GTI Prevalence", value=gti_rep_attribs[FileGtiAttrib.PREVALENCE]))
# Get First Contact Date (if it exists)
if FileGtiAttrib.FIRST_CONTACT in gti_rep_attribs:
hit.append(StringProp(name="GTI First Contact", value=EpochMixin.to_localtime_string(
gti_rep_attribs[FileGtiAttrib.FIRST_CONTACT])))
return hit
def _get_enterprise_info(self, reputations_dict):
ent_dict = {}
# Information for Enterprise file provider
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_dict["File Provider"] = "Enterprise"
ent_dict["Create Date"] = EpochMixin.to_localtime_string(ent_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(ent_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
ent_dict["Trust Level"] = trust_level
# Retrieve the enterprise reputation attributes
if ReputationProp.ATTRIBUTES in ent_rep:
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
attribs_dict["Prevalence"] = ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE]
if FileEnterpriseAttrib.ENTERPRISE_SIZE in ent_rep_attribs:
attribs_dict["Enterprise Size"] = ent_rep_attribs[FileEnterpriseAttrib.ENTERPRISE_SIZE]
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
attribs_dict["First Contact"] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
if FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Avg Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP]))
if FileEnterpriseAttrib.PARENT_FILE_REPS in ent_rep_attribs:
attribs_dict["Parent File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_FILE_REPS])
if FileEnterpriseAttrib.CHILD_FILE_REPS in ent_rep_attribs:
attribs_dict["Child File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[
FileEnterpriseAttrib.CHILD_FILE_REPS])
if FileEnterpriseAttrib.AVG_LOCAL_REP in ent_rep_attribs:
attribs_dict["Average Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.AVG_LOCAL_REP]))
if FileEnterpriseAttrib.MAX_LOCAL_REP in ent_rep_attribs:
attribs_dict["Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.MAX_LOCAL_REP]))
if FileEnterpriseAttrib.MIN_LOCAL_REP in ent_rep_attribs:
attribs_dict["Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.MIN_LOCAL_REP]))
if FileEnterpriseAttrib.DETECTION_COUNT in ent_rep_attribs:
attribs_dict["Detection Count"] = ent_rep_attribs[FileEnterpriseAttrib.DETECTION_COUNT]
if FileEnterpriseAttrib.FILE_NAME_COUNT in ent_rep_attribs:
attribs_dict["File Name Count"] = ent_rep_attribs[FileEnterpriseAttrib.FILE_NAME_COUNT]
if FileEnterpriseAttrib.LAST_DETECTION_TIME in ent_rep_attribs:
attribs_dict["Last Detection Time"] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
if FileEnterpriseAttrib.IS_PREVALENT in ent_rep_attribs:
attribs_dict["Is Prevalent"] = ent_rep_attribs[FileEnterpriseAttrib.IS_PREVALENT]
if FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP]))
if FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP]))
ent_dict["Attributes"] = attribs_dict
return ent_dict
def parseTIEResults(reputations_dict):
proc_result = {}
tiekey = 0
strtiekey = str(tiekey)
strResult = ""
# Display the Global Threat Intelligence
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) Test Date:"
proc_result[strtiekey]['value'] = EpochMixin.to_localtime_string(
gti_rep[ReputationProp.CREATE_DATE])
strResult += proc_result[strtiekey]['title'] + proc_result[strtiekey][
'value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
#Get GTI Trust Level
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) trust level:"
trustValue = gti_rep[ReputationProp.TRUST_LEVEL]
proc_result[strtiekey]['value'] = trustLevel(trustValue)
strResult += proc_result[strtiekey]['title'] + proc_result[strtiekey][
'value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display the Enterprise reputation information
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
# Retrieve the enterprise reputation attributes
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
#Get Enterprise Trust Level
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "Enterprise trust level:"
trustValue = ent_rep[ReputationProp.TRUST_LEVEL]
proc_result[strtiekey]['value'] = trustLevel(trustValue)
strResult += proc_result[strtiekey]['title'] + proc_result[strtiekey][
'value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display prevalence (if it exists)
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "Enterprise prevalence:"
proc_result[strtiekey]['value'] = ent_rep_attribs[
FileEnterpriseAttrib.PREVALENCE]
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display first contact date (if it exists)
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "First contact: "
proc_result[strtiekey][
'value'] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
#These are lookup conversions for the ATD trust_score
valueDict = {}
valueDict['-1'] = "Known Trusted"
valueDict['0'] = "Most Likely Trusted"
valueDict['1'] = "Might Be Trusted"
valueDict['2'] = "Unknown"
valueDict['3'] = "Might Be Malicious"
valueDict['4'] = "Most Likely Malicious"
valueDict['5'] = "Known Malicious"
valueDict['-2'] = "Not Set"
# Display the ATD reputation information
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
# Retrieve the ATD reputation attributes
atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES]
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Test Date: "
proc_result[strtiekey]['value'] = EpochMixin.to_localtime_string(
atd_rep[ReputationProp.CREATE_DATE])
strResult += proc_result[strtiekey]['title'] + proc_result[strtiekey][
'value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display GAM Score (if it exists)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Gateway AntiMalware Score: "
proc_result[strtiekey]['value'] = valueDict[atd_rep_attribs[
AtdAttrib.GAM_SCORE]]
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display AV Engine Score (if it exists)
if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD AV Engine Score: "
proc_result[strtiekey]['value'] = valueDict[atd_rep_attribs[
AtdAttrib.AV_ENGINE_SCORE]]
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display Sandbox Score (if it exists)
if AtdAttrib.SANDBOX_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Sandbox Score: "
proc_result[strtiekey]['value'] = valueDict[atd_rep_attribs[
AtdAttrib.SANDBOX_SCORE]]
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
# Display Verdict (if it exists)
if AtdAttrib.VERDICT in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Verdict: "
proc_result[strtiekey]['value'] = valueDict[atd_rep_attribs[
AtdAttrib.VERDICT]]
strResult += proc_result[strtiekey]['title'] + proc_result[
strtiekey]['value'] + "\n"
tiekey += 1
strtiekey = str(tiekey)
return strResult
def run(self):
"""Runs TIE processing
@return: TIE results
"""
log.info("Processing TIE reputation analysis.")
self.key = "tie"
timeout = int(self.options.get("timeout", 60))
scan = int(self.options.get("scan", 0))
# Evaluate the original sample against TIE reputation
if self.task["category"] == "file":
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
tie_client = TieClient(client)
#Generate relevant hash information
md5_hex = File(self.file_path).get_md5()
sha1_hex = File(self.file_path).get_sha1()
sha256_hex = File(self.file_path).get_sha256()
#Request raw json reputation results
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: md5_hex,
HashType.SHA1: sha1_hex,
HashType.SHA256: sha256_hex
})
#debug
log.info("Raw TIE results: " +
json.dumps(reputations_dict,
sort_keys=True,
indent=4,
separators=(',', ': ')))
#initialize result array and tiekey counter for each result
proc_result = {}
tiekey = 0
strtiekey = str(tiekey)
# Display the Global Threat Intelligence
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) Test Date:"
proc_result[strtiekey][
'value'] = EpochMixin.to_localtime_string(
gti_rep[ReputationProp.CREATE_DATE])
tiekey += 1
strtiekey = str(tiekey)
#Set GTI Trust Level
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) trust level:"
trustValue = gti_rep[ReputationProp.TRUST_LEVEL]
proc_result[strtiekey]['value'] = self.trustLevel(
trustValue)
tiekey += 1
strtiekey = str(tiekey)
# Display the Enterprise reputation information
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
# Retrieve the enterprise reputation attributes
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
# Display prevalence (if it exists)
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Enterprise prevalence:"
proc_result[strtiekey]['value'] = ent_rep_attribs[
FileEnterpriseAttrib.PREVALENCE]
tiekey += 1
strtiekey = str(tiekey)
# Display first contact date (if it exists)
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "First contact: "
proc_result[strtiekey][
'value'] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[
FileEnterpriseAttrib.FIRST_CONTACT])
tiekey += 1
strtiekey = str(tiekey)
#These are lookup conversions for the ATD trust_score
valueDict = {}
valueDict['-1'] = "Known Trusted"
valueDict['0'] = "Most Likely Trusted"
valueDict['1'] = "Might Be Trusted"
valueDict['2'] = "Unknown"
valueDict['3'] = "Might Be Malicious"
valueDict['4'] = "Most Likely Malicious"
valueDict['5'] = "Known Malicious"
valueDict['-2'] = "Not Set"
# Display the ATD reputation information
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
# Retrieve the ATD reputation attributes
atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES]
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Test Date: "
proc_result[strtiekey][
'value'] = EpochMixin.to_localtime_string(
atd_rep[ReputationProp.CREATE_DATE])
tiekey += 1
strtiekey = str(tiekey)
# Display GAM Score (if it exists)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "ATD Gateway AntiMalware Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.GAM_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display AV Engine Score (if it exists)
if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "ATD AV Engine Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.AV_ENGINE_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display Sandbox Score (if it exists)
if AtdAttrib.SANDBOX_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Sandbox Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.SANDBOX_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display Verdict (if it exists)
if AtdAttrib.VERDICT in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Verdict: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.VERDICT]]
tiekey += 1
strtiekey = str(tiekey)
results = proc_result
elif self.task["category"] == "url":
return
elif self.task["category"] == "baseline":
return
elif self.task["category"] == "service":
return
else:
raise CuckooProcessingError("Unsupported task category: %s" %
self.task["category"])
log.info("Finished processing TIE reputation analysis.")
return results