Cuckoo/Win32 API to MAEC Action Mappings


Cuckoo/Win32 API to MAEC Action Mappings

Kirillov, Ivan A.

All,

As part of the work we’re doing for updating Cuckoo Sandbox to output MAEC 4.0, we are mapping the Win32 API calls it captures to their MAEC equivalents. The current mapping we’ve developed can be found here: https://github.com/MITRECND/cuckoo/blob/maec40_report/modules/reporting/maec40_mappings.py

Hopefully the structure is self-explanatory, but let us know if you have any questions or anything looks amiss. We’d love to hear your thoughts!

Also, if anyone is curious to play around with the MAEC 4.0 output in Cuckoo, our branch is here: https://github.com/MITRECND/cuckoo/tree/maec40_report

Regards,

Ivan
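To make the idea of an API-call-to-action mapping concrete, here is an added example (not the maec40_mappings.py module linked above, and not MITRE's or Cuckoo's code) that translates Cuckoo-style call records into MAEC-style action dictionaries. The mapping table, the action names and the record layout are assumptions chosen for illustration; the real vocabulary lives in the MAEC 4.0 schema and the linked module. The example also reports which captured APIs have no mapping entry, since an unmapped call is behaviour that silently disappears from the report.

```python
from typing import Dict, List, Optional, Tuple

# Constructed mapping table (assumption, illustration only): Win32 API name ->
# MAEC-style action name plus which call argument feeds which attribute of
# the action's associated object.
API_TO_ACTION: Dict[str, Tuple[str, Dict[str, str]]] = {
    "NtCreateFile":           ("create file",       {"FileName": "file_name"}),
    "DeleteFileW":            ("delete file",       {"FileName": "file_name"}),
    "RegOpenKeyExW":          ("open registry key", {"Registry": "hive", "SubKey": "key"}),
    "CreateProcessInternalW": ("create process",    {"CommandLine": "command_line"}),
}


def map_api_call(call: dict) -> Optional[dict]:
    """Translate one call record into a MAEC-style action dict.

    Returns None when the API has no mapping entry, so the caller can track
    coverage gaps instead of dropping the behaviour unnoticed.
    """
    entry = API_TO_ACTION.get(call["api"])
    if entry is None:
        return None
    action_name, arg_roles = entry
    args = {a["name"]: a["value"] for a in call.get("arguments", [])}
    associated = {role: args[arg] for arg, role in arg_roles.items() if arg in args}
    return {
        "name": action_name,
        "status": "Success" if call.get("status") else "Fail",
        "source_api": call["api"],
        "associated_object": associated,
    }


def translate_calls(calls: List[dict]) -> Tuple[List[dict], List[str]]:
    """Map a whole call list; return (actions, sorted unique unmapped API names)."""
    actions, unmapped = [], set()
    for call in calls:
        action = map_api_call(call)
        if action is None:
            unmapped.add(call["api"])
        else:
            actions.append(action)
    return actions, sorted(unmapped)


# Constructed sample records shaped like a per-process call log
# (api / arguments / status / return); all values are made up.
SAMPLE_CALLS = [
    {"api": "NtCreateFile", "status": True, "return": 0,
     "arguments": [{"name": "FileName", "value": "C:\\Users\\sample\\dropped.tmp"}]},
    {"api": "RegOpenKeyExW", "status": True, "return": 0,
     "arguments": [{"name": "Registry", "value": "HKEY_CURRENT_USER"},
                   {"name": "SubKey", "value": "Software\\ExampleVendor\\Settings"}]},
    {"api": "DeleteFileW", "status": False, "return": 0,
     "arguments": [{"name": "FileName", "value": "C:\\Users\\sample\\dropped.tmp"}]},
    {"api": "GetSystemTime", "status": True, "return": 0, "arguments": []},
]

if __name__ == "__main__":
    acts, missing = translate_calls(SAMPLE_CALLS)
    for a in acts:
        print(a["name"], a["status"], a["associated_object"])
    print("unmapped APIs:", missing)
```

The argument-role table is what makes the mapping useful beyond a rename: it decides which call arguments survive into the report as object attributes, which is where a reviewer of the real mapping file should look when something "looks amiss".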

RE: Cuckoo/Win32 API to MAEC Action Mappings

Kirillov, Ivan A.

Small, but hopefully useful update – we completed the Win32 API mappings and MAEC 4.0 output module (now updated for 4.0.1) and submitted it in a pull request to the Cuckoo developers for inclusion in the next release, which they’ve accepted (thanks guys!). It can now be found here:

https://github.com/cuckoobox/cuckoo/blob/development/modules/reporting/maec40.py

Regards,

Ivan


From: [hidden email] [mailto:[hidden email]] On Behalf Of Kirillov, Ivan A.
Sent: Friday, August 16, 2013 2:01 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Cuckoo/Win32 API to MAEC Action Mappings


Re: Cuckoo/Win32 API to MAEC Action Mappings

Terry MacDonald
Nice work guys!

Cheers

Terry

Terry MacDonald


On 25 October 2013 02:07, Kirillov, Ivan A. <[hidden email]> wrote: