mirror of
https://github.com/mvt-project/mvt.git
synced 2026-02-12 16:42:45 +00:00
052c4e207b
* Improves STIX2 support and testing * Adds documentation on STIX2 support in MVT --------- Co-authored-by: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
107 lines
3.2 KiB
Python
107 lines
3.2 KiB
Python
# Mobile Verification Toolkit (MVT)
|
|
# Copyright (c) 2021-2023 The MVT Authors.
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
# https://license.mvt.re/1.1/
|
|
|
|
import os
|
|
|
|
from stix2.v21 import Bundle, Indicator, Malware, Relationship
|
|
|
|
|
|
def generate_test_stix_file(file_path):
|
|
if os.path.isfile(file_path):
|
|
os.remove(file_path)
|
|
|
|
domains = ["example.org"]
|
|
processes = ["Launch"]
|
|
emails = ["foobar@example.org"]
|
|
filenames = ["/var/foobar/txt"]
|
|
android_property = ["sys.foobar"]
|
|
sha256 = ["570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6"]
|
|
sha1 = ["da0611a300a9ce9aa7a09d1212f203fca5856794"]
|
|
urls = ["http://example.com/thisisbad"]
|
|
|
|
res = []
|
|
malware = Malware(name="TestMalware", is_family=False, description="")
|
|
res.append(malware)
|
|
for d in domains:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[domain-name:value='{}']".format(d),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for p in processes:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[process:name='{}']".format(p),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for f in filenames:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[file:name='{}']".format(f),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for e in emails:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[email-addr:value='{}']".format(e),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for p in android_property:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[android-property:name='{}']".format(p),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for h in sha256:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[file:hashes.sha256='{}']".format(h),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for h in sha1:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[file:hashes.sha1='{}']".format(h),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
for u in urls:
|
|
i = Indicator(
|
|
indicator_types=["malicious-activity"],
|
|
pattern="[url:value='{}']".format(u),
|
|
pattern_type="stix",
|
|
)
|
|
res.append(i)
|
|
res.append(Relationship(i, "indicates", malware))
|
|
|
|
bundle = Bundle(objects=res)
|
|
with open(file_path, "w+", encoding="utf-8") as f:
|
|
f.write(bundle.serialize(pretty=True))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
generate_test_stix_file("test.stix2")
|
|
print("test.stix2 file created")
|