    def createDNSObs(self, DNSOBJ):
        """Build STIX observables (and optional indicators) for DNS resolutions.

        Each entry of ``DNSOBJ`` is expected to be a mapping with an ``"ip"``
        and a ``"domain"`` key. For every entry an ``IPv4Address`` and a
        ``DomainName`` observable are emitted, linked by a ``resolves-to``
        relationship (domain -> IP). When ``self.CreateIndicator`` is truthy,
        one ``Indicator`` per domain and one per IP are emitted as well, with
        the pattern text produced by ``self.getStixPattern``.

        Returns a two-element list ``[observables, relationships]``. Within
        ``observables`` the indicators of a host (when enabled) precede that
        host's two observables; ``relationships`` is parallel to host order.
        """
        observables = []
        relationships = []

        for host in DNSOBJ:
            domain_value = host["domain"]
            ip_value = host["ip"]

            ip_obs = IPv4Address(value=ip_value)
            # resolves_to_refs is deliberately not set on the DomainName; the
            # link is expressed as an explicit SRO instead
            # (see https://github.com/OpenCTI-Platform/client-python/issues/155).
            domain_obs = DomainName(value=domain_value)
            resolves_to = Relationship(
                source_ref=domain_obs.id,
                target_ref=ip_obs.id,
                relationship_type="resolves-to",
            )

            if self.CreateIndicator:
                # Domain indicator first, then IP indicator, then the observables.
                observables.append(
                    Indicator(
                        name=domain_value,
                        pattern=self.getStixPattern(domain_value, "FQDN"),
                        pattern_type="stix",
                    )
                )
                observables.append(
                    Indicator(
                        name=ip_value,
                        pattern=self.getStixPattern(ip_value, "ipv4"),
                        pattern_type="stix",
                    )
                )

            observables.extend((ip_obs, domain_obs))
            relationships.append(resolves_to)

        return [observables, relationships]
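    def createBinarieObs(self, objects):
        """Build STIX ``File`` observables (and optional indicators) for dropped binaries.

        ``objects`` is an iterable of dropped-file records exposing ``type``,
        ``name``, ``size`` and the digest attributes ``md5``/``sha1``/
        ``sha256``/``sha512``/``ssdeep``. Only records whose ``type`` string
        mentions one of the executable keywords below are kept; the rest are
        ignored.

        Returns a flat list: one ``File`` per matched record, followed (when
        ``self.CreateIndicator`` is truthy and the record has a SHA-256) by an
        ``Indicator`` whose pattern is built by ``self.getStixPattern``.
        """
        # Keywords are compared case-insensitively against the file-type string
        # (libmagic-style text). The previous code lowered the keyword but not
        # the type, so "PE32", "Intel" and "HTML" could never match.
        type_markers = ("pe32", "script", "batch", "intel", "executable", "html")

        executables = []
        for payload in objects:
            payload_type = (payload.type or "").lower()
            # any() keeps a record once even if it matches several keywords
            # (e.g. "PE32 executable"); the old double loop appended it per match.
            if any(marker in payload_type for marker in type_markers):
                executables.append(payload)

        hex_digests = (
            ("MD5", "md5"),
            ("SHA-1", "sha1"),
            ("SHA-256", "sha256"),
            ("SHA-512", "sha512"),
        )

        iocs = []
        for dropped in executables:
            hashes = {}
            for key, attr in hex_digests:
                digest = getattr(dropped, attr, None)
                if digest:
                    hashes[key] = digest.upper()
            # ssdeep digests are base64 and therefore case-sensitive; upper-casing
            # them (as was done for the hex digests) corrupts the value.
            ssdeep = getattr(dropped, "ssdeep", None)
            if ssdeep:
                hashes["SSDEEP"] = ssdeep

            iocs.append(
                File(
                    hashes=hashes,
                    size=dropped.size,
                    name=dropped.name,
                    mime_type=dropped.type,
                )
            )

            if self.CreateIndicator and hashes.get("SHA-256"):
                # NOTE(review): STIX pattern string comparison is case-sensitive;
                # whether an upper-cased digest matches observed data depends on
                # how digests are normalised downstream — confirm.
                pattern = self.getStixPattern(hashes["SHA-256"], "sha256")
                iocs.append(
                    Indicator(name=dropped.name, pattern=pattern, pattern_type="stix")
                )

        return iocs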
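    def createPrimaryBinary(self, file: cuckooReportDropped, external_references):
        """Build the STIX objects describing the analysed sample itself.

        ``file`` is the report's file record (``md5``, ``sha1``, ``sha256``,
        ``sha512``, ``ssdeep``, ``name``, ``type`` and, optionally, ``size``).
        ``external_references`` is attached to the indicator only.

        Returns ``[File, Indicator, Relationship]``; the relationship is
        emitted as ``File --based-on--> Indicator``.
        """
        hashes = {
            "MD5": file.md5.upper(),
            "SHA-1": file.sha1.upper(),
            "SHA-256": file.sha256.upper(),
            "SHA-512": file.sha512.upper(),
            # ssdeep digests are base64 and case-sensitive: never upper-case them.
            "SSDEEP": file.ssdeep,
        }

        # The pattern uses the raw digest while the hashes dict is upper-cased.
        # STIX pattern string comparison is case-sensitive, so which casing
        # matches downstream observed data is a deployment question — confirm.
        STIXPattern = self.getStixPattern(file.sha256, "sha256")

        # size is optional on the report; default to 0 without a bare except
        # that would also hide unrelated errors.
        size = getattr(file, "size", None) or 0

        Filex = File(hashes=hashes, size=size, name=file.name, mime_type=file.type)
        ind = Indicator(
            name=file.name,
            pattern=STIXPattern,
            pattern_type="stix",
            external_references=external_references,
        )

        # NOTE(review): the usual STIX convention is Indicator --based-on-->
        # observable; this emits File -> Indicator. Kept as-is because ingestion
        # may rely on it — confirm against the target platform.
        rel = Relationship(
            source_ref=Filex.id, relationship_type="based-on", target_ref=ind.id
        )

        return [Filex, ind, rel]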
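def _get_indicator_object(indicator, stip_identity):
    """Convert one S-TIP indicator record into a STIX ``Indicator``.

    ``indicator`` is a mapping with ``'title'``, ``'type'`` and ``'value'``;
    ``'type'`` is one of the ``fec.JSON_OBJECT_TYPE_*`` constants and selects
    the pattern template. Records of any other type return ``None``.

    The value is embedded in a STIX pattern string literal, so backslashes
    and single quotes are escaped first: an unescaped quote in a feed value
    would otherwise break the pattern or let a crafted value alter it.
    """
    name = indicator['title']
    description = indicator['title']
    type_ = indicator['type']
    value = indicator['value']

    indicator_types = 'compromised'

    # Hash keys follow the STIX hash-algorithm vocabulary ('SHA-1',
    # 'SHA-256', 'SHA-512'); the bare 'SHA1'/'SHA256'/'SHA512' spellings used
    # before never match observables carrying the standard keys.
    # Order matters: first matching type wins, as in the former if/elif chain.
    templates = (
        (fec.JSON_OBJECT_TYPE_IPV4, "[ipv4-addr:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_URI, "[url:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_MD5, "[file:hashes.'MD5' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA1, "[file:hashes.'SHA-1' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA256, "[file:hashes.'SHA-256' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA512, "[file:hashes.'SHA-512' = '%s']"),
        (fec.JSON_OBJECT_TYPE_FILE_NAME, "[file:name = '%s']"),
    )

    pattern = None
    for object_type, template in templates:
        if type_ == object_type:
            # STIX string literals escape '\' and "'" with a backslash.
            literal = str(value).replace('\\', '\\\\').replace("'", "\\'")
            pattern = template % literal
            break
    if pattern is None:
        return None

    # NOTE(review): no pattern_type is set; a STIX 2.1 Indicator requires
    # pattern_type='stix'. Confirm which stix2 version `Indicator` comes from.
    indicator_o = Indicator(name=name,
                            description=description,
                            indicator_types=indicator_types,
                            pattern=pattern,
                            created_by_ref=stip_identity)
    return indicator_o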
 def createIPObs(self, hosts):
     """Return ``IPv4Address`` observables (plus optional indicators) for ``hosts``.

     ``hosts`` is an iterable of IPv4 address strings. For each one an
     ``IPv4Address`` observable is emitted; when ``self.CreateIndicator`` is
     truthy it is immediately followed by an ``Indicator`` whose pattern is
     produced by ``self.getStixPattern(host, "ipv4")``.
     """
     result = []
     for address in hosts:
         result.append(IPv4Address(value=address))
         if not self.CreateIndicator:
             continue
         result.append(
             Indicator(
                 name=address,
                 pattern=self.getStixPattern(address, "ipv4"),
                 pattern_type="stix",
             )
         )
     return result
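def _get_indicator_object(indicator, stip_identity, tlp_marking_object):
    """Convert one S-TIP indicator record into a STIX 2.1 ``Indicator``.

    ``indicator`` is a mapping with ``'title'``, ``'type'``, ``'value'`` and
    optionally ``'stix2_indicator_types'``; ``'type'`` is one of the
    ``fec.JSON_OBJECT_TYPE_*`` constants and selects the pattern template.
    Records of any other type return ``None``. The indicator is attributed to
    ``stip_identity``, marked with ``tlp_marking_object`` and valid from now
    (UTC).

    The value is embedded in a STIX pattern string literal, so backslashes
    and single quotes are escaped first: an unescaped quote in a feed value
    would otherwise break the pattern or let a crafted value alter it.
    """
    name = indicator['title']
    description = indicator['title']
    type_ = indicator['type']
    value = indicator['value']
    try:
        # NOTE(review): assumes the feed field holds a single vocabulary
        # string; a list here would become a nested list — confirm the schema.
        indicator_types = [indicator['stix2_indicator_types']]
    except KeyError:
        indicator_types = ['malicious-activity']

    # First matching type wins, as in the former if/elif chain.
    templates = (
        (fec.JSON_OBJECT_TYPE_IPV4, "[ipv4-addr:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_URI, "[url:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_MD5, "[file:hashes.'MD5' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA1, "[file:hashes.'SHA-1' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA256, "[file:hashes.'SHA-256' = '%s']"),
        (fec.JSON_OBJECT_TYPE_SHA512, "[file:hashes.'SHA-512' = '%s']"),
        (fec.JSON_OBJECT_TYPE_FILE_NAME, "[file:name = '%s']"),
        (fec.JSON_OBJECT_TYPE_DOMAIN, "[domain-name:value = '%s']"),
        (fec.JSON_OBJECT_TYPE_EMAIL_ADDRESS, "[email-addr:value = '%s']"),
    )

    pattern = None
    for object_type, template in templates:
        if type_ == object_type:
            # STIX string literals escape '\' and "'" with a backslash.
            literal = str(value).replace('\\', '\\\\').replace("'", "\\'")
            pattern = template % literal
            break
    if pattern is None:
        return None

    indicator_o = Indicator(
        name=name,
        description=description,
        created_by_ref=stip_identity,
        object_marking_refs=[tlp_marking_object],
        indicator_types=indicator_types,
        pattern=pattern,
        pattern_type='stix',
        valid_from=datetime.datetime.now(tz=pytz.utc))
    return indicator_o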