"""STIX 2.1 Cyber Observable Objects.
Embedded observable object types, such as Email MIME Component, which is
embedded in Email Message objects, inherit from ``_STIXBase21`` instead of
``_Observable`` and do not have a ``_type`` attribute.
"""
from collections import OrderedDict
import itertools
from ..custom import _custom_observable_builder
from ..exceptions import AtLeastOnePropertyError, DependentPropertiesError
from ..properties import (
BinaryProperty, BooleanProperty, DictionaryProperty,
EmbeddedObjectProperty, EnumProperty, ExtensionsProperty, FloatProperty,
HashesProperty, HexProperty, IDProperty, IntegerProperty, ListProperty,
OpenVocabProperty, ReferenceProperty, StringProperty, TimestampProperty,
TypeProperty,
)
from .base import _Extension, _Observable, _STIXBase21
from .common import CustomExtension, GranularMarking
from .vocab import (
ACCOUNT_TYPE, ENCRYPTION_ALGORITHM, HASHING_ALGORITHM,
NETWORK_SOCKET_ADDRESS_FAMILY, NETWORK_SOCKET_TYPE,
WINDOWS_INTEGRITY_LEVEL, WINDOWS_PEBINARY_TYPE, WINDOWS_REGISTRY_DATATYPE,
WINDOWS_SERVICE_START_TYPE, WINDOWS_SERVICE_STATUS, WINDOWS_SERVICE_TYPE,
)
class Artifact(_Observable):
    """STIX 2.1 ``artifact`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_4jegwl6ojbes>`__.
    """

    _type = 'artifact'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Content: either carried inline (payload_bin) or pointed to (url);
        # _check_object_constraints() rejects objects that set both.
        ('mime_type', StringProperty()),
        ('payload_bin', BinaryProperty()),
        ('url', StringProperty()),
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
        # The key is declared as an ordinary string property, so it is part
        # of the object like any other field; it is not a confidentiality
        # control for whoever receives the object.
        ('encryption_algorithm', EnumProperty(ENCRYPTION_ALGORITHM)),
        ('decryption_key', StringProperty()),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier; how they are
    # combined is defined outside this class (presumably in the base class).
    _id_contributing_properties = ['hashes', 'payload_bin']

    def _check_object_constraints(self):
        """Run the base-class checks, then the Artifact inter-property checks."""
        super(Artifact, self)._check_object_constraints()

        # Inline payload and remote URL may not both be given.
        self._check_mutually_exclusive_properties(['payload_bin', 'url'])

        # Presumably: 'url' may only be set when 'hashes' is set too, so that
        # content fetched from the URL can be verified -- confirm against the
        # base-class helper.
        self._check_properties_dependency(['hashes'], ['url'])

        # NOTE(review): as I read the STIX 2.1 text for decryption_key, it
        # MUST NOT be present when encryption_algorithm is absent; that
        # dependency is not checked here -- confirm whether this is intended.
class AutonomousSystem(_Observable):
    """STIX 2.1 ``autonomous-system`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_27gux0aol9e3>`__.
    """

    _type = 'autonomous-system'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # AS details; only the number is mandatory.
        ('number', IntegerProperty(required=True)),
        ('name', StringProperty()),
        ('rir', StringProperty()),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['number']
class Directory(_Observable):
    """STIX 2.1 ``directory`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_lyvpga5hlw52>`__.
    """

    _type = 'directory'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Directory path (mandatory) and its optional encoding.
        ('path', StringProperty(required=True)),
        ('path_enc', StringProperty()),
        # These describe the directory being observed; they are not the
        # created/modified timestamps of the STIX object itself.
        ('ctime', TimestampProperty()),
        ('mtime', TimestampProperty()),
        ('atime', TimestampProperty()),
        # Children may only be file or directory objects.
        (
            'contains_refs',
            ListProperty(ReferenceProperty(valid_types=['file', 'directory'], spec_version='2.1')),
        ),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['path']
class DomainName(_Observable):
    """STIX 2.1 ``domain-name`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_prhhksbxbg87>`__.
    """

    _type = 'domain-name'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The domain itself; declared as a plain required string, so no
        # hostname syntax check is visible at this level.
        ('value', StringProperty(required=True)),
        # Resolution targets are limited to IP address and domain objects.
        (
            'resolves_to_refs',
            ListProperty(
                ReferenceProperty(
                    valid_types=['ipv4-addr', 'ipv6-addr', 'domain-name'],
                    spec_version='2.1',
                ),
            ),
        ),
        # Data markings, defang flag and extensions.  'defanged' defaults to
        # False when the producer does not set it.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['value']
class EmailAddress(_Observable):
    """STIX 2.1 ``email-addr`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_wmenahkvqmgj>`__.
    """

    _type = 'email-addr'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The address (mandatory) and its optional display name.
        ('value', StringProperty(required=True)),
        ('display_name', StringProperty()),
        # Optional link to the owning account; only user-account is accepted.
        ('belongs_to_ref', ReferenceProperty(valid_types='user-account', spec_version='2.1')),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['value']
class EmailMIMEComponent(_STIXBase21):
    """Email MIME component, embedded in ``EmailMessage.body_multipart``.

    This is an embedded type: it derives from ``_STIXBase21`` and declares
    neither ``_type`` nor an ``id`` property.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_qpo5x7d8mefq>`__.
    """

    _properties = OrderedDict([
        # Part content: inline text, or a reference to an artifact/file
        # object holding the raw body.
        ('body', StringProperty()),
        ('body_raw_ref', ReferenceProperty(valid_types=['artifact', 'file'], spec_version='2.1')),
        # MIME headers of this part.
        ('content_type', StringProperty()),
        ('content_disposition', StringProperty()),
    ])

    def _check_object_constraints(self):
        """Run the base-class checks, then require some form of body."""
        super(EmailMIMEComponent, self)._check_object_constraints()
        # A part with neither an inline body nor a raw-body reference is
        # rejected.
        self._check_at_least_one_property(['body', 'body_raw_ref'])
class EmailMessage(_Observable):
    """STIX 2.1 ``email-message`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_grboc7sq5514>`__.
    """

    _type = 'email-message'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Message-level metadata; is_multipart decides which body form is
        # permitted (see _check_object_constraints).
        ('is_multipart', BooleanProperty(required=True)),
        ('date', TimestampProperty()),
        ('content_type', StringProperty()),
        # Every address reference must point at an email-addr object.
        ('from_ref', ReferenceProperty(valid_types='email-addr', spec_version='2.1')),
        ('sender_ref', ReferenceProperty(valid_types='email-addr', spec_version='2.1')),
        ('to_refs', ListProperty(ReferenceProperty(valid_types='email-addr', spec_version='2.1'))),
        ('cc_refs', ListProperty(ReferenceProperty(valid_types='email-addr', spec_version='2.1'))),
        ('bcc_refs', ListProperty(ReferenceProperty(valid_types='email-addr', spec_version='2.1'))),
        # Header material, declared as plain strings / a dictionary.
        ('message_id', StringProperty()),
        ('subject', StringProperty()),
        ('received_lines', ListProperty(StringProperty)),
        ('additional_header_fields', DictionaryProperty(spec_version='2.1')),
        # Body: a single string, or a list of embedded MIME components.
        ('body', StringProperty()),
        ('body_multipart', ListProperty(EmbeddedObjectProperty(type=EmailMIMEComponent))),
        # Optional pointer to the full raw message stored as an artifact.
        ('raw_email_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['from_ref', 'subject', 'body']

    def _check_object_constraints(self):
        """Run the base-class checks, then the body/is_multipart checks.

        Raises:
            DependentPropertiesError: if ``is_multipart`` is ``True`` and a
                non-empty ``body`` is also present.  The dependency helper
                called first may raise as well (presumably the same error
                type -- confirm in the base class).
        """
        super(EmailMessage, self)._check_object_constraints()

        # Presumably: 'body_multipart' is only accepted together with a
        # truthy 'is_multipart' -- confirm against the base-class helper.
        self._check_properties_dependency(['is_multipart'], ['body_multipart'])

        # Only a message explicitly flagged multipart is subject to the
        # next rule.
        if self.get('is_multipart') is not True:
            return

        # 'body' MAY only be used if is_multipart is false.
        if self.get('body'):
            raise DependentPropertiesError(self.__class__, [('is_multipart', 'body')])
class ArchiveExt(_Extension):
    """STIX 2.1 ``archive-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_xi3g7dwaigs6>`__.
    """

    _type = 'archive-ext'

    _properties = OrderedDict([
        # Mandatory list of archive members; each entry must reference a
        # file or directory object.
        (
            'contains_refs',
            ListProperty(
                ReferenceProperty(valid_types=['file', 'directory'], spec_version='2.1'),
                required=True,
            ),
        ),
        ('comment', StringProperty()),
    ])
class AlternateDataStream(_STIXBase21):
    """Alternate data stream entry, embedded in ``NTFSExt``.

    This is an embedded type: it derives from ``_STIXBase21`` and declares
    neither ``_type`` nor an ``id`` property.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_8i2ts0xicqea>`__.
    """

    _properties = OrderedDict([
        ('name', StringProperty(required=True)),
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
        # NOTE(review): no lower bound here, whereas File.size and
        # WindowsPESection.size in this module use min=0 -- confirm whether
        # negative stream sizes should be rejected too.
        ('size', IntegerProperty()),
    ])
class NTFSExt(_Extension):
    """STIX 2.1 ``ntfs-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_o6cweepfrsci>`__.
    """

    _type = 'ntfs-ext'

    _properties = OrderedDict([
        ('sid', StringProperty()),
        # Each list entry is an embedded AlternateDataStream object.
        (
            'alternate_data_streams',
            ListProperty(EmbeddedObjectProperty(type=AlternateDataStream)),
        ),
    ])
class PDFExt(_Extension):
    """STIX 2.1 ``pdf-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_8xmpb2ghp9km>`__.
    """

    _type = 'pdf-ext'

    _properties = OrderedDict([
        ('version', StringProperty()),
        ('is_optimized', BooleanProperty()),
        # Document information is held in a STIX dictionary property.
        ('document_info_dict', DictionaryProperty(spec_version='2.1')),
        # The two PDF identifier values, declared as plain strings.
        ('pdfid0', StringProperty()),
        ('pdfid1', StringProperty()),
    ])
class RasterImageExt(_Extension):
    """STIX 2.1 ``raster-image-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_u5z7i2ox8w4x>`__.
    """

    _type = 'raster-image-ext'

    _properties = OrderedDict([
        # Image geometry; none of these integers declares a lower bound, so
        # consumers should not assume they are non-negative.
        ('image_height', IntegerProperty()),
        ('image_width', IntegerProperty()),
        ('bits_per_pixel', IntegerProperty()),
        # EXIF tags are held in a STIX dictionary property.
        ('exif_tags', DictionaryProperty(spec_version='2.1')),
    ])
class WindowsPEOptionalHeaderType(_STIXBase21):
    """Windows PE optional header, embedded in ``WindowsPEBinaryExt``.

    This is an embedded type: it derives from ``_STIXBase21`` and declares
    neither ``_type`` nor an ``id`` property.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_29l09w731pzc>`__.
    """

    _properties = OrderedDict([
        # Magic value and linker version.
        ('magic_hex', HexProperty()),
        ('major_linker_version', IntegerProperty()),
        ('minor_linker_version', IntegerProperty()),
        # Code/data sizes; negative values are rejected (min=0).
        ('size_of_code', IntegerProperty(min=0)),
        ('size_of_initialized_data', IntegerProperty(min=0)),
        ('size_of_uninitialized_data', IntegerProperty(min=0)),
        # Addresses and alignment values, declared without bounds.
        ('address_of_entry_point', IntegerProperty()),
        ('base_of_code', IntegerProperty()),
        ('base_of_data', IntegerProperty()),
        ('image_base', IntegerProperty()),
        ('section_alignment', IntegerProperty()),
        ('file_alignment', IntegerProperty()),
        # OS, image and subsystem version numbers.
        ('major_os_version', IntegerProperty()),
        ('minor_os_version', IntegerProperty()),
        ('major_image_version', IntegerProperty()),
        ('minor_image_version', IntegerProperty()),
        ('major_subsystem_version', IntegerProperty()),
        ('minor_subsystem_version', IntegerProperty()),
        ('win32_version_value_hex', HexProperty()),
        # Image/header sizes; negative values are rejected (min=0).
        ('size_of_image', IntegerProperty(min=0)),
        ('size_of_headers', IntegerProperty(min=0)),
        ('checksum_hex', HexProperty()),
        ('subsystem_hex', HexProperty()),
        ('dll_characteristics_hex', HexProperty()),
        # Stack sizes are bounded at zero ...
        ('size_of_stack_reserve', IntegerProperty(min=0)),
        ('size_of_stack_commit', IntegerProperty(min=0)),
        # NOTE(review): ... but the heap sizes carry no min=0 bound, unlike
        # every other size_of_* field in this table -- confirm against the
        # spec whether negative heap sizes should be rejected as well.
        ('size_of_heap_reserve', IntegerProperty()),
        ('size_of_heap_commit', IntegerProperty()),
        ('loader_flags_hex', HexProperty()),
        ('number_of_rva_and_sizes', IntegerProperty()),
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
    ])

    def _check_object_constraints(self):
        """Run the base-class checks, then require at least one property."""
        super(WindowsPEOptionalHeaderType, self)._check_object_constraints()
        # Called without a property list; presumably the helper then
        # considers every declared property -- confirm in the base class.
        self._check_at_least_one_property()
class WindowsPESection(_STIXBase21):
    """Windows PE section, embedded in ``WindowsPEBinaryExt.sections``.

    This is an embedded type: it derives from ``_STIXBase21`` and declares
    neither ``_type`` nor an ``id`` property.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_ioapwyd8oimw>`__.
    """

    _properties = OrderedDict([
        ('name', StringProperty(required=True)),
        # Negative section sizes are rejected (min=0).
        ('size', IntegerProperty(min=0)),
        # Declared as an unbounded float; no range check is visible here.
        ('entropy', FloatProperty()),
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
    ])
class WindowsPEBinaryExt(_Extension):
    """STIX 2.1 ``windows-pebinary-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_gg5zibddf9bs>`__.
    """

    _type = 'windows-pebinary-ext'

    _properties = OrderedDict([
        # The only mandatory field; an open-vocabulary property built on
        # WINDOWS_PEBINARY_TYPE.
        ('pe_type', OpenVocabProperty(WINDOWS_PEBINARY_TYPE, required=True)),
        ('imphash', StringProperty()),
        # File-header fields; counts and sizes are bounded at zero.
        ('machine_hex', HexProperty()),
        ('number_of_sections', IntegerProperty(min=0)),
        ('time_date_stamp', TimestampProperty(precision='second')),
        ('pointer_to_symbol_table_hex', HexProperty()),
        ('number_of_symbols', IntegerProperty(min=0)),
        ('size_of_optional_header', IntegerProperty(min=0)),
        ('characteristics_hex', HexProperty()),
        ('file_header_hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
        # Embedded optional header and section list.
        ('optional_header', EmbeddedObjectProperty(type=WindowsPEOptionalHeaderType)),
        ('sections', ListProperty(EmbeddedObjectProperty(type=WindowsPESection))),
    ])
class File(_Observable):
    """STIX 2.1 ``file`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_99bl2dibcztv>`__.
    """

    _type = 'file'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Content identity; negative sizes are rejected (min=0).
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version='2.1')),
        ('size', IntegerProperty(min=0)),
        # Naming and type hints.
        ('name', StringProperty()),
        ('name_enc', StringProperty()),
        ('magic_number_hex', HexProperty()),
        ('mime_type', StringProperty()),
        # Timestamp properties named after file-system times.
        ('ctime', TimestampProperty()),
        ('mtime', TimestampProperty()),
        ('atime', TimestampProperty()),
        # Relationships: parent must be a directory, content an artifact;
        # contained objects are restricted with the "SCO" type filter.
        ('parent_directory_ref', ReferenceProperty(valid_types='directory', spec_version='2.1')),
        ('contains_refs', ListProperty(ReferenceProperty(valid_types=['SCO'], spec_version='2.1'))),
        ('content_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['hashes', 'name', 'parent_directory_ref', 'extensions']

    def _check_object_constraints(self):
        """Run the base-class checks, then require ``hashes`` or ``name``."""
        super(File, self)._check_object_constraints()
        # A file described by neither a hash nor a name is rejected.
        self._check_at_least_one_property(['hashes', 'name'])
class IPv4Address(_Observable):
    """STIX 2.1 ``ipv4-addr`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_ki1ufj1ku8s0>`__.
    """

    _type = 'ipv4-addr'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The address; declared as a plain required string, so no address
        # syntax check is visible at this level.
        ('value', StringProperty(required=True)),
        # Related objects: MAC addresses it resolves to and the autonomous
        # systems it belongs to.
        ('resolves_to_refs', ListProperty(ReferenceProperty(valid_types='mac-addr', spec_version='2.1'))),
        ('belongs_to_refs', ListProperty(ReferenceProperty(valid_types='autonomous-system', spec_version='2.1'))),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['value']
class IPv6Address(_Observable):
    """STIX 2.1 ``ipv6-addr`` cyber-observable object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oeggeryskriq>`__.
    """

    _type = 'ipv6-addr'

    _properties = OrderedDict([
        # Common observable header.
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The address; declared as a plain required string, so no address
        # syntax check is visible at this level.
        ('value', StringProperty(required=True)),
        # Related objects: MAC addresses it resolves to and the autonomous
        # systems it belongs to.
        ('resolves_to_refs', ListProperty(ReferenceProperty(valid_types='mac-addr', spec_version='2.1'))),
        ('belongs_to_refs', ListProperty(ReferenceProperty(valid_types='autonomous-system', spec_version='2.1'))),
        # Data markings, defang flag and extensions.
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])

    # Properties that contribute to the object's identifier.
    _id_contributing_properties = ['value']
class MACAddress(_Observable):
    """STIX 2.1 MAC Address cyber observable (``mac-addr``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_f92nr9plf58y>`__.
    """

    _type = 'mac-addr'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Required string only; no MAC formatting check is visible here.
        ('value', StringProperty(required=True)),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["value"]
class Mutex(_Observable):
    """STIX 2.1 Mutex cyber observable (``mutex``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_84hwlkdmev1w>`__.
    """

    _type = 'mutex'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The mutex name is the only mandatory, object-specific property.
        ('name', StringProperty(required=True)),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["name"]
class HTTPRequestExt(_Extension):
    """STIX 2.1 HTTP request extension (``http-request-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_b0e376hgtml8>`__.
    """

    _type = 'http-request-ext'
    _properties = OrderedDict([
        # Method and request value are the two mandatory fields.
        ('request_method', StringProperty(required=True)),
        ('request_value', StringProperty(required=True)),
        ('request_version', StringProperty()),
        # NOTE(review): captured headers can include session or authorization
        # material; nothing in this class redacts them before serialization.
        ('request_header', DictionaryProperty(spec_version='2.1')),
        # No lower bound is declared here, unlike the min=0 counters used
        # elsewhere in this file.
        ('message_body_length', IntegerProperty()),
        ('message_body_data_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
    ])
class ICMPExt(_Extension):
    """STIX 2.1 ICMP extension (``icmp-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_ozypx0lmkebv>`__.
    """

    _type = 'icmp-ext'
    _properties = OrderedDict([
        # Both the ICMP type and code are mandatory and carried as hex strings.
        ('icmp_type_hex', HexProperty(required=True)),
        ('icmp_code_hex', HexProperty(required=True)),
    ])
class SocketExt(_Extension):
    """STIX 2.1 network socket extension (``socket-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_8jamupj9ubdv>`__.
    """

    _type = 'socket-ext'
    _properties = OrderedDict([
        # The address family is the only mandatory property of the extension.
        ('address_family', EnumProperty(NETWORK_SOCKET_ADDRESS_FAMILY, required=True)),
        ('is_blocking', BooleanProperty()),
        ('is_listening', BooleanProperty()),
        # Keys and values are further restricted in _check_object_constraints.
        ('options', DictionaryProperty(spec_version='2.1')),
        ('socket_type', EnumProperty(NETWORK_SOCKET_TYPE)),
        ('socket_descriptor', IntegerProperty(min=0)),
        ('socket_handle', IntegerProperty()),
    ])

    def _check_object_constraints(self):
        """Run the inherited checks, then validate the ``options`` dictionary.

        Raises:
            ValueError: if an option key does not begin with one of the
                accepted prefixes, or an option value is not an ``int``.
        """
        super(SocketExt, self)._check_object_constraints()

        options = self.get('options')
        if options is None:
            # Nothing to validate when the producer supplied no options.
            return

        acceptable_prefixes = ["SO_", "ICMP_", "ICMP6_", "IP_", "IPV6_", "MCAST_", "TCP_", "IRLMP_"]
        for key, val in options.items():
            # Slice up to and including the first underscore; a key without
            # any underscore yields '' and is therefore rejected.
            prefix_end = key.find('_') + 1
            if key[:prefix_end] not in acceptable_prefixes:
                raise ValueError("Incorrect options key")
            # NOTE(review): bool is a subclass of int, so True/False pass this
            # test -- confirm whether boolean option values should be accepted.
            if not isinstance(val, int):
                raise ValueError("Options value must be an integer")
class TCPExt(_Extension):
    """STIX 2.1 TCP extension (``tcp-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_k2njqio7f142>`__.
    """

    _type = 'tcp-ext'
    _properties = OrderedDict([
        # Both flag sets are optional hex strings; no at-least-one rule is
        # declared in this class itself.
        ('src_flags_hex', HexProperty()),
        ('dst_flags_hex', HexProperty()),
    ])
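class NetworkTraffic(_Observable):
    """STIX 2.1 Network Traffic cyber observable (``network-traffic``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_rgnc3w40xy>`__.
    """

    _type = 'network-traffic'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # start/end/is_active are cross-checked in _check_object_constraints.
        ('start', TimestampProperty()),
        ('end', TimestampProperty()),
        ('is_active', BooleanProperty()),
        ('src_ref', ReferenceProperty(valid_types=['ipv4-addr', 'ipv6-addr', 'mac-addr', 'domain-name'], spec_version='2.1')),
        ('dst_ref', ReferenceProperty(valid_types=['ipv4-addr', 'ipv6-addr', 'mac-addr', 'domain-name'], spec_version='2.1')),
        # Ports are bounded to the 16-bit range at the property level.
        ('src_port', IntegerProperty(min=0, max=65535)),
        ('dst_port', IntegerProperty(min=0, max=65535)),
        ('protocols', ListProperty(StringProperty, required=True)),
        # Byte and packet counters reject negative values.
        ('src_byte_count', IntegerProperty(min=0)),
        ('dst_byte_count', IntegerProperty(min=0)),
        ('src_packets', IntegerProperty(min=0)),
        ('dst_packets', IntegerProperty(min=0)),
        ('ipfix', DictionaryProperty(spec_version='2.1')),
        ('src_payload_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        ('dst_payload_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        ('encapsulates_refs', ListProperty(ReferenceProperty(valid_types='network-traffic', spec_version='2.1'))),
        ('encapsulated_by_ref', ReferenceProperty(valid_types='network-traffic', spec_version='2.1')),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["start", "end", "src_ref", "dst_ref", "src_port", "dst_port", "protocols", "extensions"]

    def _check_object_constraints(self):
        """Enforce the cross-property rules of a network-traffic object.

        After the inherited checks, at least one of ``src_ref``/``dst_ref``
        must be present, ``end`` may only accompany ``is_active=False``, and
        ``end`` must not precede ``start``.

        Raises:
            ValueError: if ``end`` is set while ``is_active`` is anything
                other than False, or if ``end`` is earlier than ``start``.
        """
        super(NetworkTraffic, self)._check_object_constraints()
        self._check_at_least_one_property(['src_ref', 'dst_ref'])

        start = self.get('start')
        end = self.get('end')
        is_active = self.get('is_active')

        # Test the explicit True case first. The broader "is not False" test
        # below also matches True, so with the opposite order this branch and
        # its more specific message could never be reached.
        if end and is_active is True:
            msg = "{0.id} if 'is_active' is True, 'end' must not be included"
            raise ValueError(msg.format(self))

        # Remaining case: 'end' is present but 'is_active' was left unset.
        if end and is_active is not False:
            msg = "{0.id} 'is_active' must be False if 'end' is present"
            raise ValueError(msg.format(self))

        if start and end and end < start:
            msg = "{0.id} 'end' must be greater than or equal to 'start'"
            raise ValueError(msg.format(self))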
class WindowsProcessExt(_Extension):
    """STIX 2.1 Windows process extension (``windows-process-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oyegq07gjf5t>`__.
    """

    _type = 'windows-process-ext'
    _properties = OrderedDict([
        # Every property is optional at the declaration level; Process in
        # this file additionally calls _check_at_least_one_property() on it.
        ('aslr_enabled', BooleanProperty()),
        ('dep_enabled', BooleanProperty()),
        ('priority', StringProperty()),
        ('owner_sid', StringProperty()),
        ('window_title', StringProperty()),
        ('startup_info', DictionaryProperty(spec_version='2.1')),
        # Restricted to the WINDOWS_INTEGRITY_LEVEL vocabulary.
        ('integrity_level', EnumProperty(WINDOWS_INTEGRITY_LEVEL)),
    ])
class WindowsServiceExt(_Extension):
    """STIX 2.1 Windows service extension (``windows-service-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_lbcvc2ahx1s0>`__.
    """

    _type = 'windows-service-ext'
    _properties = OrderedDict([
        # None of these properties is declared required in this class.
        ('service_name', StringProperty()),
        ('descriptions', ListProperty(StringProperty)),
        ('display_name', StringProperty()),
        ('group_name', StringProperty()),
        ('start_type', EnumProperty(WINDOWS_SERVICE_START_TYPE)),
        ('service_dll_refs', ListProperty(ReferenceProperty(valid_types='file', spec_version='2.1'))),
        ('service_type', EnumProperty(WINDOWS_SERVICE_TYPE)),
        ('service_status', EnumProperty(WINDOWS_SERVICE_STATUS)),
    ])
class Process(_Observable):
    """STIX 2.1 Process cyber observable (``process``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_hpppnm86a1jm>`__.
    """

    _type = 'process'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('is_hidden', BooleanProperty()),
        ('pid', IntegerProperty()),
        # When the observed process was created, not when this STIX object was.
        ('created_time', TimestampProperty()),
        ('cwd', StringProperty()),
        # NOTE(review): command lines and environment variables captured from
        # a host can contain secrets; nothing in this class redacts them.
        ('command_line', StringProperty()),
        ('environment_variables', DictionaryProperty(spec_version='2.1')),
        ('opened_connection_refs', ListProperty(ReferenceProperty(valid_types='network-traffic', spec_version='2.1'))),
        ('creator_user_ref', ReferenceProperty(valid_types='user-account', spec_version='2.1')),
        ('image_ref', ReferenceProperty(valid_types='file', spec_version='2.1')),
        ('parent_ref', ReferenceProperty(valid_types='process', spec_version='2.1')),
        ('child_refs', ListProperty(ReferenceProperty(valid_types='process', spec_version='2.1'))),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Deliberately empty: no property of a process is listed as contributing
    # to its id (how _Observable treats an empty list is outside this view).
    _id_contributing_properties = []

    def _check_object_constraints(self):
        """Require at least one property on the process or its Windows extension.

        Runs the inherited checks, then the at-least-one-property check on the
        object itself and, when present, on ``windows-process-ext``.

        Raises:
            AtLeastOnePropertyError: re-raised when the check fails and the
                object has no ``extensions`` property.
        """
        # NOTE(review): the original comment said windows-service-ext needs no
        # check because it has a required property, but no property of
        # WindowsServiceExt in this file is declared required -- confirm that
        # the extension base class enforces the at-least-one rule.
        super(Process, self)._check_object_constraints()
        ext_name = 'windows-process-ext'
        try:
            self._check_at_least_one_property()
            if ext_name in self.get('extensions', {}):
                self.extensions[ext_name]._check_at_least_one_property()
        except AtLeastOnePropertyError as enclosing_exc:
            if 'extensions' not in self:
                raise enclosing_exc
            elif ext_name in self.get('extensions', {}):
                # Re-run the extension check so its own error propagates.
                self.extensions[ext_name]._check_at_least_one_property()
class Software(_Observable):
    """STIX 2.1 Software cyber observable (``software``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_7rkyhtkdthok>`__.
    """

    _type = 'software'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('name', StringProperty(required=True)),
        # cpe and swid are plain strings here; no format check for either
        # identifier scheme is visible in this class.
        ('cpe', StringProperty()),
        ('swid', StringProperty()),
        ('languages', ListProperty(StringProperty)),
        ('vendor', StringProperty()),
        ('version', StringProperty()),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["name", "cpe", "swid", "vendor", "version"]
class URL(_Observable):
    """STIX 2.1 URL cyber observable (``url``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_ah3hict2dez0>`__.
    """

    _type = 'url'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Required string only: no URL syntax or scheme check is visible in
        # this class, so consumers should parse and validate before acting on it.
        ('value', StringProperty(required=True)),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["value"]
class UNIXAccountExt(_Extension):
    """STIX 2.1 UNIX account extension (``unix-account-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_hodiamlggpw5>`__.
    """

    _type = 'unix-account-ext'
    _properties = OrderedDict([
        # All four properties are optional at the declaration level.
        ('gid', IntegerProperty()),
        ('groups', ListProperty(StringProperty)),
        ('home_dir', StringProperty()),
        ('shell', StringProperty()),
    ])
class UserAccount(_Observable):
    """STIX 2.1 User Account cyber observable (``user-account``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_azo70vgj1vm2>`__.
    """

    _type = 'user-account'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('user_id', StringProperty()),
        # NOTE(review): declared as a plain string, so any value placed here
        # is stored and serialized as given. The STIX 2.1 specification
        # describes this as a cleartext credential meant for malware-analysis
        # metadata; treat objects that carry it as sensitive.
        ('credential', StringProperty()),
        ('account_login', StringProperty()),
        ('account_type', OpenVocabProperty(ACCOUNT_TYPE)),
        ('display_name', StringProperty()),
        # Reported flags: all optional booleans with no default declared.
        ('is_service_account', BooleanProperty()),
        ('is_privileged', BooleanProperty()),
        ('can_escalate_privs', BooleanProperty()),
        ('is_disabled', BooleanProperty()),
        # Account lifecycle timestamps; no ordering between them is enforced
        # in this class.
        ('account_created', TimestampProperty()),
        ('account_expires', TimestampProperty()),
        ('credential_last_changed', TimestampProperty()),
        ('account_first_login', TimestampProperty()),
        ('account_last_login', TimestampProperty()),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # `credential` is not among the id-contributing properties. The list is
    # presumably read by _Observable (outside this view) when deriving the id.
    _id_contributing_properties = ["account_type", "user_id", "account_login"]
class WindowsRegistryValueType(_STIXBase21):
    """Embedded STIX 2.1 Windows registry value (``windows-registry-value-type``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_u7n4ndghs3qq>`__.
    """

    _type = 'windows-registry-value-type'
    _properties = OrderedDict([
        # All three properties are optional at the declaration level.
        ('name', StringProperty()),
        ('data', StringProperty()),
        # Restricted to the WINDOWS_REGISTRY_DATATYPE vocabulary.
        ('data_type', EnumProperty(WINDOWS_REGISTRY_DATATYPE)),
    ])
class WindowsRegistryKey(_Observable):
    """STIX 2.1 Windows Registry Key cyber observable (``windows-registry-key``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_luvw8wjlfo3y>`__.
    """

    _type = 'windows-registry-key'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('key', StringProperty()),
        # Each entry is an embedded WindowsRegistryValueType object.
        ('values', ListProperty(EmbeddedObjectProperty(type=WindowsRegistryValueType))),
        # When the registry key was last modified, not when this STIX object was.
        ('modified_time', TimestampProperty()),
        ('creator_user_ref', ReferenceProperty(valid_types='user-account', spec_version='2.1')),
        # No lower bound is declared for the subkey count.
        ('number_of_subkeys', IntegerProperty()),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["key", "values"]
class X509V3ExtensionsType(_STIXBase21):
    """Embedded STIX 2.1 X.509 v3 extensions (``x509-v3-extensions-type``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oudvonxzdlku>`__.
    """

    _type = 'x509-v3-extensions-type'
    _properties = OrderedDict([
        # Every extension is carried as an optional free-form string; this
        # class records the values and does not parse or verify them.
        ('basic_constraints', StringProperty()),
        ('name_constraints', StringProperty()),
        ('policy_constraints', StringProperty()),
        ('key_usage', StringProperty()),
        ('extended_key_usage', StringProperty()),
        ('subject_key_identifier', StringProperty()),
        ('authority_key_identifier', StringProperty()),
        ('subject_alternative_name', StringProperty()),
        ('issuer_alternative_name', StringProperty()),
        ('subject_directory_attributes', StringProperty()),
        ('crl_distribution_points', StringProperty()),
        ('inhibit_any_policy', StringProperty()),
        # The private-key usage period is the only pair typed as timestamps.
        ('private_key_usage_period_not_before', TimestampProperty()),
        ('private_key_usage_period_not_after', TimestampProperty()),
        ('certificate_policies', StringProperty()),
        ('policy_mappings', StringProperty()),
    ])
class X509Certificate(_Observable):
    """STIX 2.1 X.509 Certificate cyber observable (``x509-certificate``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_8abcy1o5x9w1>`__.
    """

    _type = 'x509-certificate'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('spec_version', StringProperty(fixed='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # A reported flag: nothing in this class derives it from the
        # issuer/subject fields or verifies a signature.
        ('is_self_signed', BooleanProperty()),
        ('hashes', HashesProperty(HASHING_ALGORITHM, spec_version="2.1")),
        ('version', StringProperty()),
        ('serial_number', StringProperty()),
        ('signature_algorithm', StringProperty()),
        ('issuer', StringProperty()),
        # No not_before <= not_after ordering is enforced in this class.
        ('validity_not_before', TimestampProperty()),
        ('validity_not_after', TimestampProperty()),
        ('subject', StringProperty()),
        ('subject_public_key_algorithm', StringProperty()),
        ('subject_public_key_modulus', StringProperty()),
        ('subject_public_key_exponent', IntegerProperty()),
        ('x509_v3_extensions', EmbeddedObjectProperty(type=X509V3ExtensionsType)),
        ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
        ('granular_markings', ListProperty(GranularMarking)),
        # The callable default yields False when the producer sets nothing.
        ('defanged', BooleanProperty(default=lambda: False)),
        ('extensions', ExtensionsProperty(spec_version='2.1')),
    ])
    # Presumably read by _Observable (defined outside this view) when it
    # derives the object id -- confirm against the base class.
    _id_contributing_properties = ["hashes", "serial_number"]

    def _check_object_constraints(self):
        """Require at least one certificate-specific property.

        Runs the inherited checks, then passes the certificate's own property
        names to ``_check_at_least_one_property``; the common properties
        (markings, ``defanged``, ``extensions``) are not in that list.
        """
        super(X509Certificate, self)._check_object_constraints()

        certificate_fields = [
            'is_self_signed', 'hashes', 'version', 'serial_number',
            'signature_algorithm', 'issuer', 'validity_not_before',
            'validity_not_after', 'subject', 'subject_public_key_algorithm',
            'subject_public_key_modulus', 'subject_public_key_exponent',
            'x509_v3_extensions',
        ]
        self._check_at_least_one_property(certificate_fields)
def CustomObservable(type='x-custom-observable', properties=None, id_contrib_props=None, extension_name=None):
    """Custom STIX Cyber Observable Object type decorator.

    The decorated class is handed to ``_custom_observable_builder`` together
    with a property list made of the fixed leading properties (``type``,
    ``spec_version``, ``id``), the caller's ``properties``, and the fixed
    trailing properties (``object_marking_refs``, ``granular_markings``,
    ``defanged``, ``extensions``), in that order.

    Args:
        type: Type name; used for both the ``type`` and ``id`` properties.
        properties: Iterable of ``(name, property)`` tuples for the custom
            properties. NOTE(review): the default ``None`` is not iterable,
            so decorating a class without supplying this raises TypeError
            when the property list is built.
        id_contrib_props: Forwarded unchanged to the builder.
        extension_name: When truthy, a ``new-sco`` extension is registered
            under this name and stored on the class as ``with_extension``.

    Example:
        >>> from stix2.v21 import CustomObservable
        >>> from stix2.properties import IntegerProperty, StringProperty
        >>> @CustomObservable('x-custom-observable', [
        ...     ('property1', StringProperty(required=True)),
        ...     ('property2', IntegerProperty()),
        ... ])
        ... class MyNewObservableType():
        ...     pass

    """
    def wrapper(cls):
        leading_props = [
            ('type', TypeProperty(type, spec_version='2.1')),
            ('spec_version', StringProperty(fixed='2.1')),
            ('id', IDProperty(type, spec_version='2.1')),
        ]
        trailing_props = [
            ('object_marking_refs', ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1'))),
            ('granular_markings', ListProperty(GranularMarking)),
            ('defanged', BooleanProperty(default=lambda: False)),
            ('extensions', ExtensionsProperty(spec_version='2.1')),
        ]
        _properties = list(itertools.chain(leading_props, properties, trailing_props))

        if extension_name:
            # Register an extension with no properties of its own under the
            # supplied name.
            @CustomExtension(type=extension_name, properties={})
            class NameExtension:
                extension_type = 'new-sco'

            # The class name is derived from whatever follows the first '--'.
            # NOTE(review): a name without '--' raises IndexError here unless
            # CustomExtension has already rejected it -- confirm.
            suffix = extension_name.split('--')[1].replace('-', '')
            NameExtension.__name__ = 'ExtensionDefinition' + suffix
            cls.with_extension = extension_name

        return _custom_observable_builder(cls, type, _properties, '2.1', _Observable, id_contrib_props)

    return wrapper