"""STIX 2.1 Cyber Observable Objects.
Embedded observable object types, such as Email MIME Component, which is
embedded in Email Message objects, inherit from ``_STIXBase21`` instead of
``_Observable`` and do not have a ``_type`` attribute.
"""
from collections import OrderedDict
import itertools
from ..custom import _custom_extension_builder, _custom_observable_builder
from ..exceptions import AtLeastOnePropertyError, DependentPropertiesError
from ..properties import (
BinaryProperty, BooleanProperty, DictionaryProperty,
EmbeddedObjectProperty, EnumProperty, ExtensionsProperty, FloatProperty,
HashesProperty, HexProperty, IDProperty, IntegerProperty, ListProperty,
ReferenceProperty, StringProperty, TimestampProperty, TypeProperty,
)
from .base import _Extension, _Observable, _STIXBase21
from .common import GranularMarking
class Artifact(_Observable):
    """STIX 2.1 ``artifact`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_rqwyxo6gp7cv>`__.
    """

    _type = "artifact"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        ("mime_type", StringProperty()),
        # The content is given inline (payload_bin) or by reference (url);
        # both names are handed to the mutual-exclusion check below.
        ("payload_bin", BinaryProperty()),
        # NOTE(review): declared as a plain StringProperty; no URL validation
        # is visible in this class, so consumers should treat it as untrusted.
        ("url", StringProperty()),
        ("hashes", HashesProperty(spec_version="2.1")),
        ("encryption_algorithm", StringProperty()),
        ("decryption_key", StringProperty()),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["hashes", "payload_bin"]

    def _check_object_constraints(self):
        """Run the inherited checks, then the artifact inter-property checks."""
        super(Artifact, self)._check_object_constraints()

        content_sources = ["payload_bin", "url"]
        self._check_mutually_exclusive_properties(content_sources)

        # Presumably: "hashes" must be set whenever "url" is (helper is
        # defined in the base class; confirm its argument order there).
        self._check_properties_dependency(["hashes"], ["url"])
        # NOTE(review): decryption_key is not tied to encryption_algorithm
        # here; confirm against the spec whether a dependency check is expected.
class AutonomousSystem(_Observable):
    """STIX 2.1 ``autonomous-system`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bxebwa6l91fb>`__.
    """

    _type = "autonomous-system"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # The only required property of this object.
        ("number", IntegerProperty(required=True)),
        ("name", StringProperty()),
        ("rir", StringProperty()),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["number"]
class Directory(_Observable):
    """STIX 2.1 ``directory`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_vhpkn06q7fvl>`__.
    """

    _type = "directory"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        ("path", StringProperty(required=True)),
        ("path_enc", StringProperty()),
        # The three timestamps below are not the created/modified
        # timestamps of the STIX object itself.
        ("ctime", TimestampProperty()),
        ("mtime", TimestampProperty()),
        ("atime", TimestampProperty()),
        (
            "contains_refs",
            ListProperty(
                ReferenceProperty(valid_types=["file", "directory"], spec_version="2.1"),
            ),
        ),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["path"]
class DomainName(_Observable):
    """STIX 2.1 ``domain-name`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_i2zf5h7vnrd9>`__.
    """

    _type = "domain-name"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # NOTE(review): declared as a plain StringProperty; no domain-name
        # format validation is visible in this class.
        ("value", StringProperty(required=True)),
        (
            "resolves_to_refs",
            ListProperty(
                ReferenceProperty(
                    valid_types=["ipv4-addr", "ipv6-addr", "domain-name"],
                    spec_version="2.1",
                ),
            ),
        ),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["value"]
class EmailAddress(_Observable):
    """STIX 2.1 ``email-addr`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_am7srelb9c14>`__.
    """

    _type = "email-addr"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # NOTE(review): declared as a plain StringProperty; no address
        # format validation is visible in this class.
        ("value", StringProperty(required=True)),
        ("display_name", StringProperty()),
        (
            "belongs_to_ref",
            ReferenceProperty(valid_types="user-account", spec_version="2.1"),
        ),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["value"]
class EmailMIMEComponent(_STIXBase21):
    """Embedded MIME part type; it declares no ``_type`` of its own.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_kzv52qqc0xw1>`__.
    """

    _properties = OrderedDict([
        ("body", StringProperty()),
        (
            "body_raw_ref",
            ReferenceProperty(valid_types=["artifact", "file"], spec_version="2.1"),
        ),
        ("content_type", StringProperty()),
        ("content_disposition", StringProperty()),
    ])

    def _check_object_constraints(self):
        """Run the inherited checks, then the body/body_raw_ref check."""
        super(EmailMIMEComponent, self)._check_object_constraints()

        # Both body carriers go to the at-least-one helper together.
        body_sources = ["body", "body_raw_ref"]
        self._check_at_least_one_property(body_sources)
class EmailMessage(_Observable):
    """STIX 2.1 ``email-message`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_loz634bn09om>`__.
    """

    _type = "email-message"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        ("is_multipart", BooleanProperty(required=True)),
        ("date", TimestampProperty()),
        ("content_type", StringProperty()),
        # Every address reference below is restricted to ``email-addr``.
        ("from_ref", ReferenceProperty(valid_types="email-addr", spec_version="2.1")),
        ("sender_ref", ReferenceProperty(valid_types="email-addr", spec_version="2.1")),
        (
            "to_refs",
            ListProperty(ReferenceProperty(valid_types="email-addr", spec_version="2.1")),
        ),
        (
            "cc_refs",
            ListProperty(ReferenceProperty(valid_types="email-addr", spec_version="2.1")),
        ),
        (
            "bcc_refs",
            ListProperty(ReferenceProperty(valid_types="email-addr", spec_version="2.1")),
        ),
        ("message_id", StringProperty()),
        ("subject", StringProperty()),
        ("received_lines", ListProperty(StringProperty)),
        ("additional_header_fields", DictionaryProperty(spec_version="2.1")),
        ("body", StringProperty()),
        (
            "body_multipart",
            ListProperty(EmbeddedObjectProperty(type=EmailMIMEComponent)),
        ),
        ("raw_email_ref", ReferenceProperty(valid_types="artifact", spec_version="2.1")),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["from_ref", "subject", "body"]

    def _check_object_constraints(self):
        """Run the inherited checks, then the multipart/body checks.

        Raises:
            DependentPropertiesError: if ``is_multipart`` is ``True`` and
                ``body`` is set. The dependency helper called first may
                raise as well.
        """
        super(EmailMessage, self)._check_object_constraints()
        self._check_properties_dependency(["is_multipart"], ["body_multipart"])

        if self.get("is_multipart") is not True:
            return
        if self.get("body"):
            # 'body' MAY only be used if is_multipart is false.
            raise DependentPropertiesError(self.__class__, [("is_multipart", "body")])
class ArchiveExt(_Extension):
    """STIX 2.1 ``archive-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_mm25z9wuw4tr>`__.
    """

    _type = "archive-ext"
    _properties = OrderedDict([
        # Required list; members may only reference file or directory objects.
        (
            "contains_refs",
            ListProperty(
                ReferenceProperty(valid_types=["file", "directory"], spec_version="2.1"),
                required=True,
            ),
        ),
        ("comment", StringProperty()),
    ])
class AlternateDataStream(_STIXBase21):
    """Embedded alternate-data-stream type; it declares no ``_type``.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_nbqgazg6fsma>`__.
    """

    _properties = OrderedDict([
        ("name", StringProperty(required=True)),
        ("hashes", HashesProperty(spec_version="2.1")),
        # NOTE(review): no min=0 bound is declared on this size.
        ("size", IntegerProperty()),
    ])
class NTFSExt(_Extension):
    """STIX 2.1 ``ntfs-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_tb77nk1g3y6f>`__.
    """

    _type = "ntfs-ext"
    _properties = OrderedDict([
        ("sid", StringProperty()),
        # Each list member is an embedded AlternateDataStream object.
        (
            "alternate_data_streams",
            ListProperty(EmbeddedObjectProperty(type=AlternateDataStream)),
        ),
    ])
class PDFExt(_Extension):
    """STIX 2.1 ``pdf-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_30hzxqrmkg8w>`__.
    """

    _type = "pdf-ext"
    _properties = OrderedDict([
        ("version", StringProperty()),
        ("is_optimized", BooleanProperty()),
        # Free-form dictionary; any key/value rules live in DictionaryProperty.
        ("document_info_dict", DictionaryProperty(spec_version="2.1")),
        ("pdfid0", StringProperty()),
        ("pdfid1", StringProperty()),
    ])
class RasterImageExt(_Extension):
    """STIX 2.1 ``raster-image-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_20mnz0u5ppxr>`__.
    """

    _type = "raster-image-ext"
    _properties = OrderedDict([
        # NOTE(review): none of the three integers declares a min=0 bound.
        ("image_height", IntegerProperty()),
        ("image_width", IntegerProperty()),
        ("bits_per_pixel", IntegerProperty()),
        # Free-form dictionary; any key/value rules live in DictionaryProperty.
        ("exif_tags", DictionaryProperty(spec_version="2.1")),
    ])
class WindowsPEOptionalHeaderType(_STIXBase21):
    """Embedded PE optional-header type; it declares no ``_type``.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wyp5qdc2wugy>`__.
    """

    _properties = OrderedDict([
        ("magic_hex", HexProperty()),
        ("major_linker_version", IntegerProperty()),
        ("minor_linker_version", IntegerProperty()),
        # Sizes declared with min=0 reject negative values.
        ("size_of_code", IntegerProperty(min=0)),
        ("size_of_initialized_data", IntegerProperty(min=0)),
        ("size_of_uninitialized_data", IntegerProperty(min=0)),
        ("address_of_entry_point", IntegerProperty()),
        ("base_of_code", IntegerProperty()),
        ("base_of_data", IntegerProperty()),
        ("image_base", IntegerProperty()),
        ("section_alignment", IntegerProperty()),
        ("file_alignment", IntegerProperty()),
        ("major_os_version", IntegerProperty()),
        ("minor_os_version", IntegerProperty()),
        ("major_image_version", IntegerProperty()),
        ("minor_image_version", IntegerProperty()),
        ("major_subsystem_version", IntegerProperty()),
        ("minor_subsystem_version", IntegerProperty()),
        ("win32_version_value_hex", HexProperty()),
        ("size_of_image", IntegerProperty(min=0)),
        ("size_of_headers", IntegerProperty(min=0)),
        ("checksum_hex", HexProperty()),
        ("subsystem_hex", HexProperty()),
        ("dll_characteristics_hex", HexProperty()),
        ("size_of_stack_reserve", IntegerProperty(min=0)),
        ("size_of_stack_commit", IntegerProperty(min=0)),
        # NOTE(review): unlike the stack sizes above, the two heap sizes carry
        # no min=0 bound; confirm against the spec that this is intended.
        ("size_of_heap_reserve", IntegerProperty()),
        ("size_of_heap_commit", IntegerProperty()),
        ("loader_flags_hex", HexProperty()),
        ("number_of_rva_and_sizes", IntegerProperty()),
        ("hashes", HashesProperty(spec_version="2.1")),
    ])

    def _check_object_constraints(self):
        """Run the inherited checks, then the at-least-one-property check."""
        super(WindowsPEOptionalHeaderType, self)._check_object_constraints()
        # Called without a property list; presumably the helper then considers
        # every declared property (confirm in the base class).
        self._check_at_least_one_property()
class WindowsPESection(_STIXBase21):
    """Embedded PE section type; it declares no ``_type``.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wiqw87xsov3t>`__.
    """

    _properties = OrderedDict([
        ("name", StringProperty(required=True)),
        # min=0 rejects a negative section size.
        ("size", IntegerProperty(min=0)),
        # NOTE(review): no range bound is declared on entropy here.
        ("entropy", FloatProperty()),
        ("hashes", HashesProperty(spec_version="2.1")),
    ])
class WindowsPEBinaryExt(_Extension):
    """STIX 2.1 ``windows-pebinary-ext`` extension.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_5f9bgdmj91h5>`__.
    """

    _type = "windows-pebinary-ext"
    _properties = OrderedDict([
        ("pe_type", StringProperty(required=True)),  # open_vocab
        ("imphash", StringProperty()),
        ("machine_hex", HexProperty()),
        # Counts and sizes declared with min=0 reject negative values.
        ("number_of_sections", IntegerProperty(min=0)),
        ("time_date_stamp", TimestampProperty(precision="second")),
        ("pointer_to_symbol_table_hex", HexProperty()),
        ("number_of_symbols", IntegerProperty(min=0)),
        ("size_of_optional_header", IntegerProperty(min=0)),
        ("characteristics_hex", HexProperty()),
        ("file_header_hashes", HashesProperty(spec_version="2.1")),
        # Embedded types defined earlier in this module.
        (
            "optional_header",
            EmbeddedObjectProperty(type=WindowsPEOptionalHeaderType),
        ),
        ("sections", ListProperty(EmbeddedObjectProperty(type=WindowsPESection))),
    ])
class File(_Observable):
    """STIX 2.1 ``file`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_vq03pryd7u32>`__.
    """

    _type = "file"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        ("hashes", HashesProperty(spec_version="2.1")),
        # min=0 rejects a negative file size.
        ("size", IntegerProperty(min=0)),
        ("name", StringProperty()),
        ("name_enc", StringProperty()),
        ("magic_number_hex", HexProperty()),
        ("mime_type", StringProperty()),
        ("ctime", TimestampProperty()),
        ("mtime", TimestampProperty()),
        ("atime", TimestampProperty()),
        (
            "parent_directory_ref",
            ReferenceProperty(valid_types="directory", spec_version="2.1"),
        ),
        (
            "contains_refs",
            ListProperty(ReferenceProperty(valid_types=["SCO"], spec_version="2.1")),
        ),
        ("content_ref", ReferenceProperty(valid_types="artifact", spec_version="2.1")),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = [
        "hashes",
        "name",
        "parent_directory_ref",
        "extensions",
    ]

    def _check_object_constraints(self):
        """Run the inherited checks, then the hashes/name check."""
        super(File, self)._check_object_constraints()

        # Both identifying properties go to the at-least-one helper together.
        identifying = ["hashes", "name"]
        self._check_at_least_one_property(identifying)
class IPv4Address(_Observable):
    """STIX 2.1 ``ipv4-addr`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_ta83c412bfsc>`__.
    """

    _type = "ipv4-addr"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # NOTE(review): declared as a plain StringProperty; no address or
        # CIDR format validation is visible in this class.
        ("value", StringProperty(required=True)),
        (
            "resolves_to_refs",
            ListProperty(ReferenceProperty(valid_types="mac-addr", spec_version="2.1")),
        ),
        (
            "belongs_to_refs",
            ListProperty(
                ReferenceProperty(valid_types="autonomous-system", spec_version="2.1"),
            ),
        ),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["value"]
class IPv6Address(_Observable):
    """STIX 2.1 ``ipv6-addr`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_f76hsv2pvwwq>`__.
    """

    _type = "ipv6-addr"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # NOTE(review): declared as a plain StringProperty; no address or
        # CIDR format validation is visible in this class.
        ("value", StringProperty(required=True)),
        (
            "resolves_to_refs",
            ListProperty(ReferenceProperty(valid_types="mac-addr", spec_version="2.1")),
        ),
        (
            "belongs_to_refs",
            ListProperty(
                ReferenceProperty(valid_types="autonomous-system", spec_version="2.1"),
            ),
        ),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["value"]
class MACAddress(_Observable):
    """STIX 2.1 ``mac-addr`` Cyber-observable Object.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_6lhrrdef8852>`__.
    """

    _type = "mac-addr"
    _properties = OrderedDict([
        ("type", TypeProperty(_type, spec_version="2.1")),
        ("id", IDProperty(_type, spec_version="2.1")),
        # NOTE(review): declared as a plain StringProperty; no MAC address
        # format validation is visible in this class.
        ("value", StringProperty(required=True)),
        ("extensions", ExtensionsProperty(spec_version="2.1", enclosing_type=_type)),
        ("spec_version", StringProperty(fixed="2.1")),
        (
            "object_marking_refs",
            ListProperty(
                ReferenceProperty(valid_types="marking-definition", spec_version="2.1"),
            ),
        ),
        ("granular_markings", ListProperty(GranularMarking)),
        # Falls back to False when the property is omitted.
        ("defanged", BooleanProperty(default=lambda: False)),
    ])
    # Presumably consumed by the base class when deriving the object id;
    # confirm in ``_Observable``.
    _id_contributing_properties = ["value"]
class Mutex(_Observable):
    """STIX 2.1 Mutex cyber observable (``mutex``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_u65ia5eoc7cv>`__.
    """

    _type = 'mutex'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # The mutex name is the only property a caller must supply.
        ('name', StringProperty(required=True)),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["name"]
class HTTPRequestExt(_Extension):
    """STIX 2.1 HTTP request extension (``http-request-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_60k6dn28qicj>`__.
    """

    _type = 'http-request-ext'
    _properties = OrderedDict([
        # The request method and value are the two mandatory fields.
        ('request_method', StringProperty(required=True)),
        ('request_value', StringProperty(required=True)),
        ('request_version', StringProperty()),
        # NOTE(review): captured request headers are held as a plain
        # dictionary with no redaction declared here; headers from real
        # traffic can carry cookies or authorization values, so mark or
        # scrub objects accordingly before sharing.
        ('request_header', DictionaryProperty(spec_version='2.1')),
        # No lower bound is declared for the body length.
        ('message_body_length', IntegerProperty()),
        # The body itself is not embedded; it is referenced as an artifact.
        (
            'message_body_data_ref',
            ReferenceProperty(valid_types='artifact', spec_version="2.1"),
        ),
    ])
class ICMPExt(_Extension):
    """STIX 2.1 ICMP extension (``icmp-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_3g6wds21zwzl>`__.
    """

    _type = 'icmp-ext'
    _properties = OrderedDict([
        # Both the ICMP type and code are mandatory and hex-encoded.
        ('icmp_type_hex', HexProperty(required=True)),
        ('icmp_code_hex', HexProperty(required=True)),
    ])
class SocketExt(_Extension):
    """STIX 2.1 network socket extension (``socket-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_f54f1hripxsg>`__.
    """

    _type = 'socket-ext'
    _properties = OrderedDict([
        # The address family is the only mandatory property.
        (
            'address_family',
            EnumProperty(
                allowed=[
                    "AF_UNSPEC",
                    "AF_INET",
                    "AF_IPX",
                    "AF_APPLETALK",
                    "AF_NETBIOS",
                    "AF_INET6",
                    "AF_IRDA",
                    "AF_BTH",
                ],
                required=True,
            ),
        ),
        ('is_blocking', BooleanProperty()),
        ('is_listening', BooleanProperty()),
        (
            'protocol_family',
            EnumProperty(
                allowed=[
                    "PF_INET",
                    "PF_IPX",
                    "PF_APPLETALK",
                    "PF_INET6",
                    "PF_AX25",
                    "PF_NETROM",
                ],
            ),
        ),
        # Keys and values are further constrained in _check_object_constraints.
        ('options', DictionaryProperty(spec_version='2.1')),
        (
            'socket_type',
            EnumProperty(
                allowed=[
                    "SOCK_STREAM",
                    "SOCK_DGRAM",
                    "SOCK_RAW",
                    "SOCK_RDM",
                    "SOCK_SEQPACKET",
                ],
            ),
        ),
        # The descriptor is bounded below at zero; the handle is unbounded.
        ('socket_descriptor', IntegerProperty(min=0)),
        ('socket_handle', IntegerProperty()),
    ])

    def _check_object_constraints(self):
        """Validate the ``options`` dictionary after the base class checks.

        Every key must start with one of the accepted option prefixes
        (the text up to and including its first underscore), and every
        value must be an ``int``.

        Raises:
            ValueError: if a key has an unknown prefix or a value is not
                an integer.
        """
        super(SocketExt, self)._check_object_constraints()

        socket_options = self.get('options')
        if socket_options is None:
            return

        acceptable_prefixes = ["SO_", "ICMP_", "ICMP6_", "IP_", "IPV6_", "MCAST_", "TCP_", "IRLMP_"]
        for opt_name, opt_value in socket_options.items():
            # A key with no underscore yields an empty prefix (find() gives
            # -1, so the slice is key[:0]) and is therefore rejected.
            prefix = opt_name[:opt_name.find('_') + 1]
            if prefix not in acceptable_prefixes:
                raise ValueError("Incorrect options key")
            # NOTE(review): bool is a subclass of int, so True/False pass
            # this check; confirm whether boolean option values are intended.
            if not isinstance(opt_value, int):
                raise ValueError("Options value must be an integer")
class TCPExt(_Extension):
    """STIX 2.1 TCP extension (``tcp-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_2z78x4m8ewcw>`__.
    """

    _type = 'tcp-ext'
    _properties = OrderedDict([
        # Both flag fields are optional and hex-encoded.
        ('src_flags_hex', HexProperty()),
        ('dst_flags_hex', HexProperty()),
    ])
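class NetworkTraffic(_Observable):
    """STIX 2.1 Network Traffic cyber observable (``network-traffic``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_e5nyr5squmsd>`__.
    """

    _type = 'network-traffic'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('start', TimestampProperty()),
        ('end', TimestampProperty()),
        ('is_active', BooleanProperty()),
        # At least one of src_ref / dst_ref must be present; this is enforced
        # in _check_object_constraints rather than with required=True.
        (
            'src_ref',
            ReferenceProperty(valid_types=['ipv4-addr', 'ipv6-addr', 'mac-addr', 'domain-name'], spec_version='2.1'),
        ),
        (
            'dst_ref',
            ReferenceProperty(valid_types=['ipv4-addr', 'ipv6-addr', 'mac-addr', 'domain-name'], spec_version='2.1'),
        ),
        # Ports are limited to the 16-bit range.
        ('src_port', IntegerProperty(min=0, max=65535)),
        ('dst_port', IntegerProperty(min=0, max=65535)),
        ('protocols', ListProperty(StringProperty, required=True)),
        # Byte and packet counters cannot be negative.
        ('src_byte_count', IntegerProperty(min=0)),
        ('dst_byte_count', IntegerProperty(min=0)),
        ('src_packets', IntegerProperty(min=0)),
        ('dst_packets', IntegerProperty(min=0)),
        ('ipfix', DictionaryProperty(spec_version='2.1')),
        # Payloads are referenced as artifacts, not embedded.
        ('src_payload_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        ('dst_payload_ref', ReferenceProperty(valid_types='artifact', spec_version='2.1')),
        (
            'encapsulates_refs',
            ListProperty(ReferenceProperty(valid_types='network-traffic', spec_version='2.1')),
        ),
        ('encapsulated_by_ref', ReferenceProperty(valid_types='network-traffic', spec_version='2.1')),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["start", "src_ref", "dst_ref", "src_port", "dst_port", "protocols"]

    def _check_object_constraints(self):
        """Enforce the inter-property rules of a network-traffic object.

        After the base class checks, this requires at least one of
        ``src_ref`` / ``dst_ref`` and validates ``start``, ``end`` and
        ``is_active`` against each other.

        Raises:
            ValueError: if ``end`` is present while ``is_active`` is True
                or is not explicitly False, or if ``end`` is not later
                than ``start``.
        """
        super(NetworkTraffic, self)._check_object_constraints()
        self._check_at_least_one_property(['src_ref', 'dst_ref'])

        start = self.get('start')
        end = self.get('end')
        is_active = self.get('is_active')

        # The explicit-True case is tested first so that its dedicated
        # message is reachable. The broader "is not False" test below also
        # matches True, so with the checks in the opposite order this branch
        # could never run.
        if end and is_active is True:
            msg = "{0.id} if 'is_active' is True, 'end' must not be included"
            raise ValueError(msg.format(self))

        # Remaining case: 'end' is set but 'is_active' was left out, which
        # is rejected as well.
        if end and is_active is not False:
            msg = "{0.id} 'is_active' must be False if 'end' is present"
            raise ValueError(msg.format(self))

        # Equal timestamps are rejected too (<=).
        if start and end and end <= start:
            msg = "{0.id} 'end' must be greater than 'start'"
            raise ValueError(msg.format(self))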
class WindowsProcessExt(_Extension):
    """STIX 2.1 Windows process extension (``windows-process-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_4wfs4ve800kf>`__.
    """

    _type = 'windows-process-ext'
    _properties = OrderedDict([
        # Every property is optional at declaration level; the enclosing
        # Process object's constraint check calls
        # _check_at_least_one_property() on this extension.
        ('aslr_enabled', BooleanProperty()),
        ('dep_enabled', BooleanProperty()),
        ('priority', StringProperty()),
        ('owner_sid', StringProperty()),
        ('window_title', StringProperty()),
        ('startup_info', DictionaryProperty(spec_version='2.1')),
        (
            'integrity_level',
            EnumProperty(
                allowed=[
                    "low",
                    "medium",
                    "high",
                    "system",
                ],
            ),
        ),
    ])
class WindowsServiceExt(_Extension):
    """STIX 2.1 Windows service extension (``windows-service-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_s2rmoe7djlt>`__.
    """

    _type = 'windows-service-ext'
    _properties = OrderedDict([
        # None of the properties below is declared with required=True.
        ('service_name', StringProperty()),
        ('descriptions', ListProperty(StringProperty)),
        ('display_name', StringProperty()),
        ('group_name', StringProperty()),
        (
            'start_type',
            EnumProperty(
                allowed=[
                    "SERVICE_AUTO_START",
                    "SERVICE_BOOT_START",
                    "SERVICE_DEMAND_START",
                    "SERVICE_DISABLED",
                    "SERVICE_SYSTEM_ALERT",
                ],
            ),
        ),
        # Service DLLs are referenced as file objects.
        (
            'service_dll_refs',
            ListProperty(ReferenceProperty(valid_types='file', spec_version="2.1")),
        ),
        (
            'service_type',
            EnumProperty(
                allowed=[
                    "SERVICE_KERNEL_DRIVER",
                    "SERVICE_FILE_SYSTEM_DRIVER",
                    "SERVICE_WIN32_OWN_PROCESS",
                    "SERVICE_WIN32_SHARE_PROCESS",
                ],
            ),
        ),
        (
            'service_status',
            EnumProperty(
                allowed=[
                    "SERVICE_CONTINUE_PENDING",
                    "SERVICE_PAUSE_PENDING",
                    "SERVICE_PAUSED",
                    "SERVICE_RUNNING",
                    "SERVICE_START_PENDING",
                    "SERVICE_STOP_PENDING",
                    "SERVICE_STOPPED",
                ],
            ),
        ),
    ])
class Process(_Observable):
    """STIX 2.1 Process cyber observable (``process``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_ur7snm473t1d>`__.
    """

    _type = 'process'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('is_hidden', BooleanProperty()),
        ('pid', IntegerProperty()),
        # Creation time of the observed process, not of this STIX object.
        ('created_time', TimestampProperty()),
        ('cwd', StringProperty()),
        # NOTE(review): command lines and environment variables captured
        # from real hosts commonly contain secrets (tokens, passwords); they
        # are plain string/dictionary properties with no redaction declared
        # here, so mark or scrub such objects before sharing.
        ('command_line', StringProperty()),
        ('environment_variables', DictionaryProperty(spec_version='2.1')),
        (
            'opened_connection_refs',
            ListProperty(ReferenceProperty(valid_types='network-traffic', spec_version='2.1')),
        ),
        ('creator_user_ref', ReferenceProperty(valid_types='user-account', spec_version='2.1')),
        ('image_ref', ReferenceProperty(valid_types='file', spec_version='2.1')),
        ('parent_ref', ReferenceProperty(valid_types='process', spec_version='2.1')),
        (
            'child_refs',
            ListProperty(ReferenceProperty(valid_types='process', spec_version='2.1')),
        ),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Empty: no property is listed as contributing to the object's id.
    _id_contributing_properties = []

    def _check_object_constraints(self):
        """Require at least one property on the process or its extensions.

        Runs the base class checks, then the "at least one property" check
        on the process and, when present, on its ``windows-process-ext``
        extension. A failure of that check is re-raised only when the
        object has no ``extensions``; otherwise the ``windows-process-ext``
        check is run again, outside the ``try``.

        Raises:
            AtLeastOnePropertyError: from the checks described above.
        """
        # The original comment here says windows-service-ext needs no check
        # because it has a required property.
        # NOTE(review): WindowsServiceExt as defined in this module declares
        # no property with required=True; confirm whether it needs the same
        # check as windows-process-ext.
        super(Process, self)._check_object_constraints()
        try:
            self._check_at_least_one_property()
            if 'windows-process-ext' in self.get('extensions', {}):
                self.extensions['windows-process-ext']._check_at_least_one_property()
        except AtLeastOnePropertyError as enclosing_exc:
            if 'extensions' not in self:
                raise enclosing_exc
            elif 'windows-process-ext' in self.get('extensions', {}):
                # Not guarded by the try above, so a failure here propagates.
                self.extensions['windows-process-ext']._check_at_least_one_property()
class Software(_Observable):
    """STIX 2.1 Software cyber observable (``software``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_jru33yeokrmh>`__.
    """

    _type = 'software'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # Only the name is mandatory.
        ('name', StringProperty(required=True)),
        # NOTE(review): cpe and swid are plain strings; no format validation
        # is declared in this class.
        ('cpe', StringProperty()),
        ('swid', StringProperty()),
        ('languages', ListProperty(StringProperty)),
        ('vendor', StringProperty()),
        ('version', StringProperty()),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["name", "cpe", "swid", "vendor", "version"]
class URL(_Observable):
    """STIX 2.1 URL cyber observable (``url``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_6bsklda6vc0c>`__.
    """

    _type = 'url'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        # NOTE(review): only presence is enforced; no URL syntax check is
        # declared here. Values from threat feeds should be handled as
        # untrusted text, and the separate 'defanged' flag below defaults
        # to False.
        ('value', StringProperty(required=True)),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["value"]
class UNIXAccountExt(_Extension):
    """STIX 2.1 UNIX account extension (``unix-account-ext``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_z25gmwyz67kl>`__.
    """

    _type = 'unix-account-ext'
    _properties = OrderedDict([
        # All four properties are optional; gid has no declared lower bound.
        ('gid', IntegerProperty()),
        ('groups', ListProperty(StringProperty)),
        ('home_dir', StringProperty()),
        ('shell', StringProperty()),
    ])
class UserAccount(_Observable):
    """STIX 2.1 User Account cyber observable (``user-account``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_hah33g4ntxnx>`__.
    """

    _type = 'user-account'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('user_id', StringProperty()),
        # NOTE(review): declared as an ordinary string property; nothing in
        # this class masks, hashes or encrypts the credential, so any object
        # carrying it should be treated and marked as sensitive.
        ('credential', StringProperty()),
        ('account_login', StringProperty()),
        ('account_type', StringProperty()),  # open vocab
        ('display_name', StringProperty()),
        # Privilege and state flags, all optional.
        ('is_service_account', BooleanProperty()),
        ('is_privileged', BooleanProperty()),
        ('can_escalate_privs', BooleanProperty()),
        ('is_disabled', BooleanProperty()),
        # Account lifecycle timestamps; no ordering between them is
        # enforced in this class.
        ('account_created', TimestampProperty()),
        ('account_expires', TimestampProperty()),
        ('credential_last_changed', TimestampProperty()),
        ('account_first_login', TimestampProperty()),
        ('account_last_login', TimestampProperty()),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here. The
    # credential is not among them.
    _id_contributing_properties = ["account_type", "user_id", "account_login"]
class WindowsRegistryValueType(_STIXBase21):
    """Embedded STIX 2.1 type for one Windows registry value.

    Used as the element type of ``WindowsRegistryKey.values``.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_6jiqabgqp2hp>`__.
    """

    _type = 'windows-registry-value-type'
    _properties = OrderedDict([
        ('name', StringProperty()),
        # The data is carried as a string whatever data_type says.
        ('data', StringProperty()),
        (
            'data_type',
            EnumProperty(
                allowed=[
                    "REG_NONE",
                    "REG_SZ",
                    "REG_EXPAND_SZ",
                    "REG_BINARY",
                    "REG_DWORD",
                    "REG_DWORD_BIG_ENDIAN",
                    "REG_LINK",
                    "REG_MULTI_SZ",
                    "REG_RESOURCE_LIST",
                    "REG_FULL_RESOURCE_DESCRIPTION",
                    "REG_RESOURCE_REQUIREMENTS_LIST",
                    "REG_QWORD",
                    "REG_INVALID_TYPE",
                ],
            ),
        ),
    ])
class WindowsRegistryKey(_Observable):
    """STIX 2.1 Windows Registry Key cyber observable (``windows-registry-key``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bdim4of4dl37>`__.
    """

    _type = 'windows-registry-key'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('key', StringProperty()),
        # Each value is an embedded WindowsRegistryValueType object.
        (
            'values',
            ListProperty(EmbeddedObjectProperty(type=WindowsRegistryValueType)),
        ),
        # Modification time of the registry key, not of this STIX object.
        ('modified_time', TimestampProperty()),
        ('creator_user_ref', ReferenceProperty(valid_types='user-account', spec_version='2.1')),
        # No lower bound is declared for the subkey count.
        ('number_of_subkeys', IntegerProperty()),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["key", "values"]
class X509V3ExtenstionsType(_STIXBase21):
    """Embedded STIX 2.1 type holding X.509 v3 certificate extensions.

    Used as the type of ``X509Certificate.x509_v3_extensions``. The class
    name keeps its historical spelling because it is part of the public
    interface.

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_c1kt4dheb6vz>`__.
    """

    _type = 'x509-v3-extensions-type'
    _properties = OrderedDict([
        # Constraint extensions, each carried as free-form text.
        ('basic_constraints', StringProperty()),
        ('name_constraints', StringProperty()),
        ('policy_constraints', StringProperty()),
        # Key usage and key identifiers.
        ('key_usage', StringProperty()),
        ('extended_key_usage', StringProperty()),
        ('subject_key_identifier', StringProperty()),
        ('authority_key_identifier', StringProperty()),
        # Alternative names and directory attributes.
        ('subject_alternative_name', StringProperty()),
        ('issuer_alternative_name', StringProperty()),
        ('subject_directory_attributes', StringProperty()),
        ('crl_distribution_points', StringProperty()),
        ('inhibit_any_policy', StringProperty()),
        # The only two timestamp-typed properties in this type.
        ('private_key_usage_period_not_before', TimestampProperty()),
        ('private_key_usage_period_not_after', TimestampProperty()),
        ('certificate_policies', StringProperty()),
        ('policy_mappings', StringProperty()),
    ])
class X509Certificate(_Observable):
    """STIX 2.1 X.509 Certificate cyber observable (``x509-certificate``).

    For more detailed information on this object's properties, see
    `the STIX 2.1 specification <https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_g3kniyun8ykv>`__.
    """

    _type = 'x509-certificate'
    _properties = OrderedDict([
        ('type', TypeProperty(_type, spec_version='2.1')),
        ('id', IDProperty(_type, spec_version='2.1')),
        ('is_self_signed', BooleanProperty()),
        ('hashes', HashesProperty(spec_version='2.1')),
        ('version', StringProperty()),
        ('serial_number', StringProperty()),
        ('signature_algorithm', StringProperty()),
        ('issuer', StringProperty()),
        # NOTE(review): no ordering between the two validity timestamps is
        # enforced in this class; consumers should not assume
        # not_before <= not_after.
        ('validity_not_before', TimestampProperty()),
        ('validity_not_after', TimestampProperty()),
        ('subject', StringProperty()),
        ('subject_public_key_algorithm', StringProperty()),
        ('subject_public_key_modulus', StringProperty()),
        ('subject_public_key_exponent', IntegerProperty()),
        (
            'x509_v3_extensions',
            EmbeddedObjectProperty(type=X509V3ExtenstionsType),
        ),
        ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=_type)),
        ('spec_version', StringProperty(fixed='2.1')),
        (
            'object_marking_refs',
            ListProperty(ReferenceProperty(valid_types='marking-definition', spec_version='2.1')),
        ),
        ('granular_markings', ListProperty(GranularMarking)),
        ('defanged', BooleanProperty(default=lambda: False)),
    ])
    # Properties listed as contributing to the object's id; how they are
    # consumed is defined in the base class, which is not shown here.
    _id_contributing_properties = ["hashes", "serial_number"]

    def _check_object_constraints(self):
        """Require at least one certificate-specific property.

        Runs the base class checks, then asks for at least one of the
        properties that describe the certificate itself. The common
        properties (type, id, extensions, markings, defanged) are not in
        the list, so they do not satisfy the check.
        """
        super(X509Certificate, self)._check_object_constraints()

        certificate_props = [
            'is_self_signed',
            'hashes',
            'version',
            'serial_number',
            'signature_algorithm',
            'issuer',
            'validity_not_before',
            'validity_not_after',
            'subject',
            'subject_public_key_algorithm',
            'subject_public_key_modulus',
            'subject_public_key_exponent',
            'x509_v3_extensions',
        ]
        self._check_at_least_one_property(certificate_props)
def CustomObservable(type='x-custom-observable', properties=None, id_contrib_props=None):
    """Custom STIX Cyber Observable Object type decorator.

    The decorated class is handed to ``_custom_observable_builder`` with
    a property list made of ``type`` and ``id``, then the caller's
    ``properties``, then ``extensions``.

    Args:
        type: STIX type name used for the ``type``, ``id`` and
            ``extensions`` properties and passed to the builder.
        properties: iterable of ``(name, property)`` pairs. The default
            ``None`` is not iterable, so decorating a class without
            supplying properties fails with ``TypeError`` while the
            property list is assembled.
        id_contrib_props: forwarded unchanged to the builder.

    Returns:
        A decorator that takes the class and returns the builder's result.

    Example:
        >>> from stix2.v21 import CustomObservable
        >>> from stix2.properties import IntegerProperty, StringProperty
        >>> @CustomObservable('x-custom-observable', [
        ...     ('property1', StringProperty(required=True)),
        ...     ('property2', IntegerProperty()),
        ... ])
        ... class MyNewObservableType():
        ...     pass

    """
    def wrapper(cls):
        # Leading and trailing groups are built first, in the same order as
        # they appear in the final list.
        leading = [
            ('type', TypeProperty(type, spec_version='2.1')),
            ('id', IDProperty(type, spec_version='2.1')),
        ]
        trailing = [
            ('extensions', ExtensionsProperty(spec_version='2.1', enclosing_type=type)),
        ]
        full_properties = list(itertools.chain(leading, properties, trailing))
        return _custom_observable_builder(cls, type, full_properties, '2.1', _Observable, id_contrib_props)

    return wrapper
def CustomExtension(observable=None, type='x-custom-observable-ext', properties=None):
    """Decorator for custom extensions to STIX Cyber Observables.

    Args:
        observable: forwarded to ``_custom_extension_builder``; presumably
            the observable class being extended (confirm in the builder).
        type: STIX type name of the extension, forwarded to the builder.
        properties: forwarded unchanged to the builder.

    Returns:
        A decorator that takes the class and returns the builder's result.
    """
    def wrapper(cls):
        # All validation is left to the builder; nothing is checked here.
        built = _custom_extension_builder(cls, observable, type, properties, '2.1', _Extension)
        return built

    return wrapper