# Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(subject_object) # Create the Associated Object Dictionary for use in the Action associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = "abcd.dll" associated_object.properties.size_in_bytes = "123456" associated_object.association_type = AssociationType() associated_object.association_type.value = "output" associated_object.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" # Create the Action from another dictionary action = MalwareAction() action.name = "create file" action.name.xsi_type = "maecVocabs:FileActionNameVocab-1.0" action.associated_objects = AssociatedObjects() action.associated_objects.append(associated_object) # Add the Action to the Bundle bundle.add_action(action) # Create the Capability from another dictionary capability = Capability() capability.name = "persistence" # Add the Capability to the Bundle bundle.add_capability(capability) # Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) # Add the Malware Subject to the Package package.add_malware_subject(subject) # Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions package.to_xml_file("sample_maec_package.xml", {"http://example.com/": "example"}) print "Wrote to sample_maec_package.xml"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability cap = Capability() cap.name = "spying" obj = CapabilityObjective() obj.name = VocabString() obj.name.value = "capture keyboard input" obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0" obj.behavior_reference = [BehaviorReference()] obj.behavior_reference[0].behavior_idref = bhv.id_ cap.add_tactical_objective(obj) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act) b.add_behavior(bhv) b.add_capability(cap) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml(namespace_dict={"example.com": "example"})
act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability cap = Capability() cap.name = "spying" obj = CapabilityObjective() obj.name = VocabString() obj.name.value = "capture keyboard input" obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0" obj.behavior_reference = [BehaviorReference()] obj.behavior_reference[0].behavior_idref = bhv.id_ cap.add_tactical_objective(obj) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act) b.add_behavior(bhv) b.add_capability(cap) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml(namespace_dict={"example.com" : "example"})