def test_setting_maec_property_fails(self):
    """Assigning a non-MAEC value to ``maec`` should surface the missing ``maec`` module.

    Only an ``ImportError`` is inspected: its message has to mention both
    "No module named" and "maec". If neither construction nor assignment
    raises, the body finishes without reaching any assertion, so the test
    passes vacuously in that situation (unchanged from the original).
    """
    expected_fragments = ("No module named", "maec")
    try:
        instance = MAECInstance()
        instance.maec = "foo"
    except ImportError as err:
        message = str(err)
        self.assertTrue(all(fragment in message for fragment in expected_fragments))
def test_etree(self):
    """Assign a parsed lxml tree to ``maec`` and verify it via ``_test_xml``.

    The fixture in ``self.XML`` is parsed with the parser returned by
    ``mixbox.xml.get_xml_parser()`` (the library's own parser configuration),
    placed on a fresh ``MAECInstance`` and handed to ``self._test_xml``.
    """
    xml_parser = mixbox.xml.get_xml_parser()
    parsed_tree = etree.parse(StringIO(self.XML), parser=xml_parser)
    instance = MAECInstance()
    instance.maec = parsed_tree
    self._test_xml(instance)
def test_etree(self):
    """Assign a parsed lxml tree to ``maec`` and verify it via ``_test_xml``.

    The fixture in ``self.XML`` is parsed with the parser returned by
    ``stix.utils.parser.get_xml_parser()`` (the library's own parser
    configuration), placed on a fresh ``MAECInstance`` and handed to
    ``self._test_xml``.
    """
    xml_parser = stix.utils.parser.get_xml_parser()
    parsed_tree = etree.parse(StringIO(self.XML), parser=xml_parser)
    instance = MAECInstance()
    instance.maec = parsed_tree
    self._test_xml(instance)
def test_etree_dict(self):
    """Round-trip a tree-backed ``MAECInstance`` through ``to_dict``/``from_dict``.

    The fixture in ``self.XML`` is parsed with ``mixbox.xml.get_xml_parser()``,
    assigned to a ``MAECInstance``, serialized to a dict, rebuilt with
    ``MAECInstance.from_dict`` and the rebuilt object is checked with
    ``self._test_xml``.
    """
    xml_parser = mixbox.xml.get_xml_parser()
    parsed_tree = etree.parse(StringIO(self.XML), parser=xml_parser)

    original = MAECInstance()
    original.maec = parsed_tree

    as_dict = original.to_dict()
    rebuilt = MAECInstance.from_dict(as_dict)
    self._test_xml(rebuilt)
def test_etree_dict(self):
    """Round-trip a tree-backed ``MAECInstance`` through ``to_dict``/``from_dict``.

    The fixture in ``self.XML`` is parsed with
    ``stix.utils.parser.get_xml_parser()``, assigned to a ``MAECInstance``,
    serialized to a dict, rebuilt with ``MAECInstance.from_dict`` and the
    rebuilt object is checked with ``self._test_xml``.
    """
    xml_parser = stix.utils.parser.get_xml_parser()
    parsed_tree = etree.parse(StringIO(self.XML), parser=xml_parser)

    original = MAECInstance()
    original.maec = parsed_tree

    as_dict = original.to_dict()
    rebuilt = MAECInstance.from_dict(as_dict)
    self._test_xml(rebuilt)
def test_add_name_type(self):
    """Values passed to ``add_name``/``add_type`` must show up in the serialized XML."""
    name = "Poison Ivy Variant v4392-acc"
    malware_type = "Remote Access Trojan"

    instance = MAECInstance()
    instance.add_name(name)
    instance.add_type(malware_type)

    serialized = text_type(instance.to_xml())
    for expected in (name, malware_type):
        self.assertTrue(expected in serialized)
def wrap_maec(maec_package, file_name=None): """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package. Args: maec_package: the ``maec.package.package.Package`` instance to wrap in STIX. file_name: the name of the input file from which the MAEC Package originated, to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional. Returns: A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package. """ # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace( {"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"}) # Create the STIX MAEC Instance maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) # Create the STIX Package and add the TTP to it stix_package = STIXPackage() stix_package.add_ttp(ttp) # Create the STIX Header and add it to the Package stix_header = STIXHeader() if file_name: stix_header.title = "STIX TTP wrapper around MAEC file: " + str( file_name) stix_header.add_package_intent("Malware Characterization") # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(maec_to_stix.__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
def wrap_maec(maec_package, file_name=None): """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package. Args: maec_package: the ``maec.package.package.Package`` instance to wrap in STIX. file_name: the name of the input file from which the MAEC Package originated, to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional. Returns: A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package. """ # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace({"https://github.com/MAECProject/maec-to-stix":"MAECtoSTIX"}) # Create the STIX MAEC Instance maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) # Create the STIX Package and add the TTP to it stix_package = STIXPackage() stix_package.add_ttp(ttp) # Create the STIX Header and add it to the Package stix_header = STIXHeader() if file_name: stix_header.title = "STIX TTP wrapper around MAEC file: " + str(file_name) stix_header.add_package_intent("Malware Characterization") # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(maec_to_stix.__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
def _add_stix_ttp(self, malware_subject):
    """Create a STIX TTP identifying the binary a MAEC Malware Subject describes.

    Only ``malware_instance_object_attributes`` is copied from the input
    Malware Subject into a fresh MAEC Package — the part that captures the
    identity of the malware binary the Indicators target. The new TTP is
    appended to ``self.stix_package``.

    Args:
        malware_subject: the ``maec.malware_subject.MalwareSubject`` to
            build the TTP for.

    Returns:
        The ID (``id_``) of the newly created TTP.
    """
    ttp = TTP()
    ttp.behavior = Behavior()

    # Minimal MAEC Package: one Malware Subject carrying just the object
    # attributes of the malware instance.
    package = Package()
    subject_copy = MalwareSubject()
    subject_copy.malware_instance_object_attributes = (
        malware_subject.malware_instance_object_attributes)
    package.add_malware_subject(subject_copy)

    instance = MAECInstance()
    instance.maec = package
    ttp.behavior.add_malware_instance(instance)

    self.stix_package.add_ttp(ttp)
    return ttp.id_
def main(): maec_malware_instance = MAECInstance() maec_malware_instance.add_name("Poison Ivy Variant v4392-acc") maec_malware_instance.add_type("Remote Access Trojan") maec_malware_instance.maec = etree.fromstring( MAEC_XML, parser=etree.ETCompatXMLParser()) ttp = TTP(title="Poison Ivy Variant v4392-acc") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): maec_malware_instance = MAECInstance() maec_malware_instance.add_name("Poison Ivy Variant v4392-acc") maec_malware_instance.add_type("Remote Access Trojan") maec_malware_instance.maec = etree.fromstring(MAEC_XML, parser=etree.ETCompatXMLParser()) ttp = TTP(title="Poison Ivy Variant v4392-acc") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) stix_package = STIXPackage() stix_package.add_ttp(ttp) print(stix_package.to_xml(encoding=None))
def test_handling_maec_object_fails(self):
    """Deserializing MAEC content should surface the missing ``maec`` module.

    Only an ``ImportError`` is inspected: its message has to mention both
    "No module named" and "maec". If ``from_dict`` raises nothing the body
    finishes without reaching any assertion, so the test passes vacuously
    in that situation (unchanged from the original).
    """
    expected_fragments = ("No module named", "maec")
    try:
        MAECInstance().from_dict(PythonMAECTests._full_dict)
    except ImportError as err:
        message = str(err)
        self.assertTrue(all(fragment in message for fragment in expected_fragments))
ttp.resources = resource related_ttp = RelatedTTP(TTP(idref=ttp.id_)) # TTP - Related Threat Actor (basic; by id) ta = ThreatActor(title='Adversary Bravo') ta.observed_ttps.append(related_ttp) # TTP - Related TTP2 (Malware; by id) ttp2 = TTP(title='Poison Ivy Variant') malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6') malware_instance.description = 'Attack Pattern Description' malware_instance.short_description = 'Attack Pattern Short Description' malware_instance.add_type(MalwareType('Remote Access Trojan')) maec = MAECInstance() maec.add_name('Poison Ivy Variant v4392-acc') maec.add_type(MalwareType('Exploit Kits')) ttp2.behavior = Behavior() ttp2.behavior.add_malware_instance(malware_instance) ttp2.behavior.add_malware_instance(maec) # TTP2 - Victim Targeting victim_targeting = VictimTargeting() victim_targeting.add_targeted_system(SystemType('Enterprise Systems')) victim_targeting.add_targeted_information( InformationType('Information Assets - User Credentials')) identity = CIQIdentity3_0Instance() # identity.name = 'Bob Ricca'
def test_setting_maec_property_fails(self):
    """Assigning a non-MAEC value to ``maec`` should surface the missing ``maec`` module.

    Only an ``ImportError`` is inspected: its message has to mention both
    "No module named" and "maec". If neither construction nor assignment
    raises, the body finishes without reaching any assertion, so the test
    passes vacuously in that situation (unchanged from the original).
    """
    expected_fragments = ("No module named", "maec")
    try:
        instance = MAECInstance()
        instance.maec = "foo"
    except ImportError as err:
        message = str(err)
        self.assertTrue(all(fragment in message for fragment in expected_fragments))