def test_add_collections(self):
    """Filing an entity into a named collection must make that collection visible on the Bundle.

    One round-trip is run per entity kind (Action, Object, Behavior,
    CandidateIndicator): create the named collection, add a fresh entity to it,
    then check the matching collection group reports the collection by name.
    """
    o = Bundle()

    # (create-collection method, entity factory, add-entity method,
    #  attribute of o.collections holding the group, collection name)
    cases = [
        (o.add_named_action_collection, MalwareAction, o.add_action,
         "action_collections", "Actions"),
        (o.add_named_object_collection, Object, o.add_object,
         "object_collections", "Objects"),
        (o.add_named_behavior_collection, Behavior, o.add_behavior,
         "behavior_collections", "Behaviors"),
        (o.add_named_candidate_indicator_collection, CandidateIndicator,
         o.add_candidate_indicator, "candidate_indicator_collections", "Indicators"),
    ]

    for create_collection, make_entity, add_entity, group_attr, name in cases:
        create_collection(name)
        # The entity is built only after the collection exists, as in the
        # original step-by-step version, so creation order is unchanged.
        add_entity(make_entity(), name)
        group = getattr(o.collections, group_attr)
        self.assertTrue(group.has_collection(name))
def test_add_collections(self):
    """Each entity kind can be added to a named collection that the Bundle then reports."""
    o = Bundle()

    def check(create_collection, make_entity, add_entity, get_group, name):
        # Create the collection first, then file one new entity into it and
        # confirm the Bundle lists the collection under the expected group.
        # get_group is a callable so the group is looked up only after the add.
        create_collection(name)
        add_entity(make_entity(), name)
        self.assertTrue(get_group().has_collection(name))

    check(o.add_named_action_collection, MalwareAction, o.add_action,
          lambda: o.collections.action_collections, "Actions")
    check(o.add_named_object_collection, Object, o.add_object,
          lambda: o.collections.object_collections, "Objects")
    check(o.add_named_behavior_collection, Behavior, o.add_behavior,
          lambda: o.collections.behavior_collections, "Behaviors")
    check(o.add_named_candidate_indicator_collection, CandidateIndicator,
          o.add_candidate_indicator,
          lambda: o.collections.candidate_indicator_collections, "Indicators")
from maec.bundle.malware_action import MalwareAction
from maec.utils import IDGenerator, set_id_method
from cybox.core import Object, AssociatedObjects, AssociatedObject, AssociationType
from cybox.objects.file_object import File

# Example: one "create file" Action whose output is badware.exe, wrapped in a
# Bundle and printed as XML. Bundle is expected to be imported earlier in this file.

# Sequential integer IDs keep the generated document reproducible between runs.
set_id_method(IDGenerator.METHOD_INT)

b = Bundle()
a = MalwareAction()
ao = AssociatedObject()

# Describe the file the action produces. size_in_bytes is given as a string,
# matching how the other examples in this file populate it.
file_props = File()
file_props.file_name = "badware.exe"
file_props.size_in_bytes = "123456"
ao.properties = file_props

# Mark the file as an *output* of the action, using the MAEC vocabulary type.
assoc = AssociationType()
assoc.value = 'output'
assoc.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
ao.association_type = assoc

# Name the action from the file-action vocabulary and attach the object.
a.name = 'create file'
a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)

b.add_action(a)

# Emit the Bundle without namespace declarations (this is a fragment, not a
# standalone document).
print(b.to_xml(include_namespaces=False))
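# First action's object: the executable written out by act1 (association 'output').
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)

# Second action: creation of a mutex.
act2 = MalwareAction()
act2.name = "create mutex"
# The vocabulary type carries the "maecVocabs:" prefix like every other
# xsi:type in this example; the unprefixed form would place the type in the
# document's default namespace rather than the MAEC vocabulary namespace.
act2.name.xsi_type = "maecVocabs:SynchronizationActionNameVocab-1.0"
act2.associated_objects = AssociatedObjects()

o2 = AssociatedObject()
o2.properties = WinMutex()
o2.properties.name = "redem-Mutex"
o2.association_type = VocabString()
o2.association_type.value = "output"
o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act2.associated_objects.append(o2)

# Assemble Package -> MalwareSubject -> (Analysis, Bundle -> Actions).
# p, ms, a and b are created earlier in this script.
p.add_malware_subject(ms)
b.add_action(act1)
b.add_action(act2)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Serialise the whole Package.
print(p.to_xml())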
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject

# Example: build a Package from dicts and write it to example1.xml.
# Bundle and MalwareAction are imported earlier in this file.

# ID generator seeded with the example namespace; every entity below gets an
# ID minted from it, in the same order as before, so references line up.
generator = Generator('example1')

bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
# NOTE: `analysis` is created here but never attached to `subject` in this script.
analysis = Analysis(id=generator.generate_analysis_id())

# The analysed file itself, as a dict turned into a CybOX Object.
subject_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        # NOTE(review): the action's object below uses 'file_name' for the
        # same property; confirm which key FileObjectType actually reads.
        'name': 'foobar.exe',
        'size_in_bytes': '35532',
    },
}
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))

# A file produced by the action, hence association type 'output'.
associated_object_dict = {
    'id': generator.generate_object_id(),
    'properties': {
        'xsi:type': 'FileObjectType',
        'file_name': 'abcd.dll',
        'size_in_bytes': '12346',
    },
    'association_type': {
        'value': 'output',
        'xsi:type': 'maecVocabs:ActionObjectAssociationTypeVocab-1.0',
    },
}

# The "create file" action, built from a dict embedding the object above.
action = MalwareAction.from_dict({
    'id': generator.generate_malware_action_id(),
    'name': {
        'value': 'create file',
        'xsi:type': 'maecVocabs:FileActionNameVocab-1.0',
    },
    'associated_objects': [associated_object_dict],
})

# Wire up Action -> Bundle -> MalwareSubject -> Package.
bundle.add_action(action)
subject.add_findings_bundle(bundle)
package.add_malware_subject(subject)

# Write the Package to an XML file in the current directory.
# MAECNamespaceParser is imported above but not used by this script.
package.to_xml_file('example1.xml')
act1.associated_objects.append(o1)

# Process tree: first_process.exe is the root, is credited with initiating
# act1 (referenced by ID, not by object), and spawns malproc.exe.
p_tree = ProcessTree()

root_p = ProcessTreeNode()
root_p.name = "first_process.exe"
root_p.add_initiated_action(act1.id_)

spawned_p = ProcessTreeNode()
spawned_p.name = "malproc.exe"
root_p.add_spawned_process(spawned_p)

p_tree.set_root_process(root_p)

# Assemble Package -> MalwareSubject -> (Analysis, Bundle -> Action/ProcessTree).
# p, ms, a and b are created earlier in this script.
p.add_malware_subject(ms)
b.add_action(act1)
b.set_process_tree(p_tree)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Serialise the whole Package.
print(p.to_xml())
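# Root process of the tree (p_node is created earlier in this script).
p_node.pid = 3408
p_node.name = "word.exe"

# Child process spawned by the root.
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = p_node.pid   # same value as before (3408), now kept in sync with the parent
P2.name = "SenPen.exe"
p_node.add_spawned_process(P2)

# ProcessTree rooted at p_node.
p_tree = ProcessTree()
p_tree.set_root_process(p_node)
# Debug aid, kept for reference: the tree alone can be written with
# p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})

# Attach the MalwareSubject to the Package.
package.add_malware_subject(subject)
# Attach the Action and the ProcessTree to the Bundle.
bundle.add_action(act1)
bundle.set_process_tree(p_tree)
# Attach the Bundle and the Analysis to the MalwareSubject.
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file; the dict maps the custom namespace URI to
# the prefix used in the namespace declarations.
output_path = 'MalAnalyze_seminor.xml'
package.to_xml_file(output_path, {"http://LIFT-S.com/":"LIFT-S"})
# Report the file actually written (the previous message named a different file).
print("Wrote to %s" % output_path)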
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act.associated_objects.append(o1)

# Behavior composed of the single action above, linked by action ID.
action_ref = BehavioralActionReference()
action_ref.action_id = act.id_
bhv = Behavior()
bhv.action_composition = BehavioralActions()
bhv.action_composition.action_reference = [action_ref]

# "spying" Capability with one tactical objective that refers back to the behavior.
cap = Capability()
cap.name = "spying"

obj = CapabilityObjective()
obj.name = VocabString()
obj.name.value = "capture keyboard input"
obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0"
behavior_ref = BehaviorReference()
behavior_ref.behavior_idref = bhv.id_
obj.behavior_reference = [behavior_ref]
cap.add_tactical_objective(obj)

# Assemble Package -> MalwareSubject -> (Analysis, Bundle -> Action/Behavior/Capability).
# p, ms, a and b are created earlier in this script.
p.add_malware_subject(ms)
b.add_action(act)
b.add_behavior(bhv)
b.add_capability(cap)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Serialise the Package, mapping the example namespace URI to its prefix.
print(p.to_xml(namespace_dict={"example.com": "example"}))
act.associated_objects.append(o1)

# Behavior: a composition holding one reference to the action, by ID.
bhv = Behavior()
bhv.action_composition = BehavioralActions()
bhv.action_composition.action_reference = [BehavioralActionReference()]
bhv.action_composition.action_reference[0].action_id = act.id_

# Capability "spying" with a single tactical objective pointing at the behavior.
cap = Capability()
cap.name = "spying"

obj = CapabilityObjective()
obj.name = VocabString()
obj.name.value = "capture keyboard input"
obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0"
obj.behavior_reference = [BehaviorReference()]
obj.behavior_reference[0].behavior_idref = bhv.id_
cap.add_tactical_objective(obj)

# Wire the hierarchy (p, ms, a and b come from earlier in this script):
# Package -> MalwareSubject -> Analysis, and Bundle -> Action/Behavior/Capability.
p.add_malware_subject(ms)
b.add_action(act)
b.add_behavior(bhv)
b.add_capability(cap)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Serialise the Package, mapping the example namespace URI to its prefix.
print(p.to_xml(namespace_dict={"example.com": "example"}))