[cti-users] Classifying File or Domain as Malware


[cti-users] Classifying File or Domain as Malware

Sarvagya Pant
Hi, I am having confusion on how to get started with CybOX. I have installed the Python library and ran one sample code:
Consider,

from cybox.core import Observables
from cybox.objects.file_object import File
from cybox.objects.domain_name_object import DomainName
from cybox.utils import IDGenerator, set_id_method

# Use sequential integer IDs (example:Observable-1, ...) instead of UUIDs
set_id_method(IDGenerator.METHOD_INT)

f = File()
d = DomainName()
d.value = "1.2.3.4"
f.file_name = "malware.exe"
# Raw string so the backslashes in the Windows path are kept literally
f.file_path = r"C:\Windows\Temp\malware.exe"

print(Observables(f).to_xml(include_namespaces=True))
print(Observables(d).to_xml(include_namespaces=True))

This will output XML which looks like:

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-1">
        <cybox:Object id="example:File-2">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name>malware.exe</FileObj:File_Name>
                <FileObj:File_Path>C:\Windows\Temp\malware.exe</FileObj:File_Path>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

<cybox:Observables
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:example="http://example.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd" cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-3">
        <cybox:Object id="example:DomainName-4">
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

If the file malware.exe is malware or the domain 1.2.3.4 is a malicious domain, how does this generated XML help me to identify whether these are malware or not? I am required to create a program, preferably in Python, that will get those XML documents. By getting those CybOX XML documents, how can I know if the information given in the XML is suspicious or not? Please clarify if I'm wrong.

Thank you.

--
Sarvagya Pant
Kathmandu, Nepal
+9779803468257

Re: [cti-users] Classifying File or Domain as Malware

Kirillov, Ivan A.
Hi Sarvagya,

CybOX by itself is intended to capture cyber “facts” such as the characterization of the domain name and file you have below. What it does not include is context as to whether something is specifically malicious – this is done intentionally, as this type of context is left to other languages such as Malware Attribute Enumeration and Characterization (MAEC) [1] for malware and Structured Threat Information eXpression (STIX) [2] for the broader cyber threat domain. Both of these languages leverage CybOX for describing their relevant cyber entities, and also layer additional context on top of this information. It seems like you’re primarily interested in being able to define whether a particular cyber artifact is malicious, something which can be accomplished through the STIX Indicator [3].

Let me know if you have any further questions about CybOX, STIX, or MAEC.


Regards,
Ivan Kirillov
MITRE
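The point of the reply above, shown in code: a consumer that reads the CybOX Observables XML produced by the script in the first message using only the Python standard library, and keeps the "facts" (file name, path, domain value) separate from the "is this malicious?" decision. This is an added example, not code from the thread or from the python-cybox project. The sample XML is constructed to match the shape of the output in the first message, and the watchlist is a hypothetical stand-in for the context a STIX Indicator (for example a Domain Watchlist indicator) would carry; it is not part of CybOX.

```python
# Added example (not from the thread or the python-cybox project): parse the
# CybOX Observables XML with the standard library and classify the extracted
# facts against separately supplied context, since the XML itself carries
# no notion of "malicious".
import xml.etree.ElementTree as ET

# Namespaces exactly as declared in the CybOX output shown in the thread.
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: both observables from the original post in one document.
SAMPLE_XML = """<cybox:Observables
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:File-2">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>malware.exe</FileObj:File_Name>
        <FileObj:File_Path>C:\\Windows\\Temp\\malware.exe</FileObj:File_Path>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-3">
    <cybox:Object id="example:DomainName-4">
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value>1.2.3.4</DomainNameObj:Value>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""


def parse_observables(xml_text):
    """Return one dict of plain facts per cybox:Observable in the document.

    Only File_Name, File_Path and DomainName Value are extracted; nothing
    here says whether an artifact is good or bad, because CybOX has no
    element for that.
    """
    root = ET.fromstring(xml_text)
    facts = []
    for obs in root.findall("cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        entry = {"id": obs.get("id"), "type": props.get(XSI_TYPE)}
        name = props.find("FileObj:File_Name", NS)
        path = props.find("FileObj:File_Path", NS)
        value = props.find("DomainNameObj:Value", NS)
        if name is not None:
            entry["file_name"] = name.text
        if path is not None:
            entry["file_path"] = path.text
        if value is not None:
            entry["domain"] = value.text
        facts.append(entry)
    return facts


# Hypothetical context, standing in for what a STIX Indicator would supply.
# In a real pipeline this would come from your indicator feed, not from CybOX.
WATCHLIST = {
    "file_names": {"malware.exe"},
    "domains": {"1.2.3.4"},
}


def classify(facts, watchlist=WATCHLIST):
    """Map each observable id to a verdict using only external context."""
    verdicts = {}
    for entry in facts:
        hit = (entry.get("file_name") in watchlist["file_names"]
               or entry.get("domain") in watchlist["domains"])
        verdicts[entry["id"]] = "suspicious" if hit else "no context"
    return verdicts


if __name__ == "__main__":
    observed = parse_observables(SAMPLE_XML)
    for fact, verdict in zip(observed, classify(observed).values()):
        print(fact, "->", verdict)
```

With an empty watchlist every observable comes back as "no context", which is exactly the situation the original question describes: the CybOX document on its own describes the artifacts, and the verdict has to be layered on from STIX (or MAEC) data that references them.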

From: <[hidden email]> on behalf of Sarvagya Pant
Date: Wednesday, October 7, 2015 at 6:32 AM
To: "[hidden email]"
Subject: [cti-users] Classifying File or Domain as Malware
