def createDNSObs(self, DNSOBJ):
    """Build STIX observables (and optional indicators) for resolved hosts.

    DNSOBJ is an iterable of dicts carrying ``"domain"`` and ``"ip"`` keys.
    Returns a two-element list: the observables/indicators, followed by the
    domain -> IP ``resolves-to`` relationships.
    """
    observables = []
    relationships = []
    for entry in DNSOBJ:
        ip_obj = IPv4Address(value=entry["ip"])
        # resolves_to_refs is deliberately not set on the DomainName; see
        # https://github.com/OpenCTI-Platform/client-python/issues/155
        domain_obj = DomainName(value=entry["domain"])
        relationships.append(
            Relationship(
                source_ref=domain_obj.id,
                target_ref=ip_obj.id,
                relationship_type="resolves-to",
            )
        )
        if self.CreateIndicator:
            observables.append(
                Indicator(
                    name=entry["domain"],
                    pattern=self.getStixPattern(entry["domain"], "FQDN"),
                    pattern_type="stix",
                )
            )
            observables.append(
                Indicator(
                    name=entry["ip"],
                    pattern=self.getStixPattern(entry["ip"], "ipv4"),
                    pattern_type="stix",
                )
            )
        # Observables are appended after their indicators, as before.
        observables.extend((ip_obj, domain_obj))
    return [observables, relationships]
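def createBinarieObs(self, objects):
    """Build STIX File observables (and optional indicators) for dropped binaries.

    Only payloads whose ``type`` string contains one of the executable-ish
    markers (PE32, script, batch, intel, executable, HTML) are kept. Each
    selected payload yields one ``File`` observable and, when
    ``self.CreateIndicator`` is set, one ``Indicator`` on its SHA-256.

    Returns the list of ``File`` and ``Indicator`` objects.
    """
    # Markers are compared case-insensitively against the payload type. The
    # original lower-cased only the marker ("PE32" -> "pe32") and so never
    # matched upper-case type strings; both sides are lower-cased here.
    executable_markers = ("pe32", "script", "batch", "intel", "executable", "html")
    # any() keeps a payload exactly once even when several markers match
    # (e.g. "PE32 executable"); the previous nested loop produced duplicates.
    exec_files = [
        payload
        for payload in objects
        if any(marker in (payload.type or "").lower() for marker in executable_markers)
    ]
    iocs = []
    for file in exec_files:
        hashes = {
            "MD5": file.md5.upper(),
            "SHA-1": file.sha1.upper(),
            "SHA-256": file.sha256.upper(),
            "SHA-512": file.sha512.upper(),
            # ssdeep digests use a case-sensitive base64 alphabet; upper-casing
            # them corrupts the value, so it is passed through verbatim.
            "SSDEEP": file.ssdeep,
        }
        iocs.append(
            File(hashes=hashes, size=file.size, name=file.name, mime_type=file.type)
        )
        if self.CreateIndicator:
            pattern = self.getStixPattern(file.sha256.upper(), "sha256")
            iocs.append(
                Indicator(name=file.name, pattern=pattern, pattern_type="stix")
            )
    return iocs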
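def createPrimaryBinary(self, file: cuckooReportDropped, external_references):
    """Build the File observable, Indicator and relationship for the analysed sample.

    Args:
        file: the dropped-file report entry (md5/sha1/sha256/sha512/ssdeep,
            name, type and optionally size are read from it).
        external_references: passed straight through to the Indicator.

    Returns:
        ``[File, Indicator, Relationship]`` where the relationship is
        ``Indicator --based-on--> File``.
    """
    hashes = {
        "MD5": file.md5.upper(),
        "SHA-1": file.sha1.upper(),
        "SHA-256": file.sha256.upper(),
        "SHA-512": file.sha512.upper(),
        # ssdeep digests are case-sensitive (base64 alphabet); upper-casing
        # them would corrupt the value, so it is kept as reported.
        "SSDEEP": file.ssdeep,
    }
    pattern = self.getStixPattern(file.sha256, "sha256")
    # A missing or falsy size maps to 0. This replaces the original bare
    # ``except: pass`` so that anything other than a missing attribute is
    # no longer silently swallowed.
    size = getattr(file, "size", None) or 0
    file_obs = File(hashes=hashes, size=size, name=file.name, mime_type=file.type)
    ind = Indicator(
        name=file.name,
        pattern=pattern,
        pattern_type="stix",
        external_references=external_references,
    )
    # STIX 2.1 defines ``based-on`` as running from the Indicator to the
    # observable it was derived from; the original had source/target swapped.
    rel = Relationship(
        source_ref=ind.id, relationship_type="based-on", target_ref=file_obs.id
    )
    return [file_obs, ind, rel]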
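def _get_indicator_object(indicator, stip_identity):
    """Convert an S-TIP indicator dict into a STIX ``Indicator``.

    Args:
        indicator: dict with ``title``, ``type`` and ``value`` keys.
        stip_identity: identity reference used for ``created_by_ref``.

    Returns:
        The ``Indicator``, or ``None`` when ``type`` has no pattern mapping.
    """
    name = indicator['title']
    description = indicator['title']
    type_ = indicator['type']
    value = indicator['value']
    # indicator_types is a list property in STIX; passing a bare string
    # would be iterated character by character by the stix2 library.
    indicator_types = ['compromised']
    # Pattern templates per S-TIP object type. Hash keys use the STIX
    # hash-algorithm-ov spellings (SHA-1, SHA-256, SHA-512), matching the
    # sibling implementation in this file.
    templates = (
        (fec.JSON_OBJECT_TYPE_IPV4, "[ipv4-addr:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_URI, "[url:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_MD5, "[file:hashes.'MD5' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA1, "[file:hashes.'SHA-1' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA256, "[file:hashes.'SHA-256' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA512, "[file:hashes.'SHA-512' = '%s']"),
        (fec.JSON_OBJECT_TYPE_FILE_NAME, "[file:name = '%s']"),
    )
    for object_type, template in templates:
        if type_ == object_type:
            break
    else:
        return None
    # The value is interpolated into a STIX pattern string literal; escape
    # backslashes and single quotes so a value containing ``'`` cannot
    # terminate the literal and change the meaning of the pattern.
    escaped = str(value).replace('\\', '\\\\').replace("'", "\\'")
    pattern = template % escaped
    return Indicator(
        name=name,
        description=description,
        indicator_types=indicator_types,
        pattern=pattern,
        created_by_ref=stip_identity,
    )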
def createIPObs(self, hosts):
    """Build one ``IPv4Address`` observable per host.

    When ``self.CreateIndicator`` is set, each address is followed by an
    ``Indicator`` built from ``self.getStixPattern(host, "ipv4")``.
    """
    result = []
    for address in hosts:
        result.append(IPv4Address(value=address))
        if not self.CreateIndicator:
            continue
        pattern = self.getStixPattern(address, "ipv4")
        result.append(Indicator(name=address, pattern=pattern, pattern_type="stix"))
    return result
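def _get_indicator_object(indicator, stip_identity, tlp_marking_object):
    """Convert an S-TIP indicator dict into a TLP-marked STIX 2.1 ``Indicator``.

    Args:
        indicator: dict with ``title``, ``type`` and ``value`` keys and an
            optional ``stix2_indicator_types`` entry.
        stip_identity: identity reference used for ``created_by_ref``.
        tlp_marking_object: marking definition placed in ``object_marking_refs``.

    Returns:
        The ``Indicator``, or ``None`` when ``type`` has no pattern mapping.
    """
    name = indicator['title']
    description = indicator['title']
    type_ = indicator['type']
    value = indicator['value']
    # Default to malicious-activity when the source gives no type. The value
    # is wrapped in a list unconditionally, as before.
    # NOTE(review): if stix2_indicator_types is already a list this nests it —
    # confirm against the producer.
    indicator_types = [indicator.get('stix2_indicator_types', 'malicious-activity')]
    # Pattern templates per S-TIP object type (STIX hash-algorithm-ov keys).
    templates = (
        (fec.JSON_OBJECT_TYPE_IPV4, "[ipv4-addr:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_URI, "[url:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_MD5, "[file:hashes.'MD5' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA1, "[file:hashes.'SHA-1' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA256, "[file:hashes.'SHA-256' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA512, "[file:hashes.'SHA-512' = '%s']"),
        (fec.JSON_OBJECT_TYPE_FILE_NAME, "[file:name = '%s']"),
        (fec.JSON_OBJECT_TYPE_DOMAIN, "[domain-name:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_EMAIL_ADDRESS, "[email-addr:value = '%s']"),
    )
    for object_type, template in templates:
        if type_ == object_type:
            break
    else:
        return None
    # The value is interpolated into a STIX pattern string literal; escape
    # backslashes and single quotes so a value containing ``'`` cannot
    # terminate the literal and change the meaning of the pattern.
    escaped = str(value).replace('\\', '\\\\').replace("'", "\\'")
    pattern = template % escaped
    return Indicator(
        name=name,
        description=description,
        created_by_ref=stip_identity,
        object_marking_refs=[tlp_marking_object],
        indicator_types=indicator_types,
        pattern=pattern,
        pattern_type='stix',
        # Timezone-aware creation time; naive datetimes would be ambiguous.
        valid_from=datetime.datetime.now(tz=pytz.utc),
    )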