def main():
    """Build two Reports that point at a Campaign and a TTP by id, wrap them in a STIXPackage and print the XML."""
    # Top-level objects; the reports below reference them by idref instead of embedding them.
    ics_campaign = Campaign(title="Campaign against ICS")
    rat_ttp = TTP(title="DrownedRat")

    # Report characterising the campaign.
    campaign_report = Report()
    campaign_report.header = Header()
    campaign_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    campaign_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    campaign_report.header.intents = "Campaign Characterization"
    campaign_report.add_campaign(Campaign(idref=ics_campaign.id_))

    # Report carrying the malware artefact indicators.
    malware_report = Report()
    malware_report.header = Header()
    malware_report.header.title = "Indicators for Malware DrownedRat"
    malware_report.header.intents = "Indicators - Malware Artifacts"
    malware_report.add_ttp(TTP(idref=rat_ttp.id_))

    # The package header names the sharing program as the information source.
    source = InformationSource()
    source.identity = Identity(name="Government Sharing Program - GSP")

    package = STIXPackage()
    package.stix_header = STIXHeader(information_source=source)
    package.add_report(campaign_report)
    package.add_report(malware_report)
    package.add_campaign(ics_campaign)
    package.add_ttp(rat_ttp)
    print(package.to_xml())
def main():
    """Emit a Campaign that relates to a victim-targeting TTP through a RelatedTTP idref."""
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    # Two information-asset categories the TTP goes after.
    for asset in ("Information Assets - Customer PII",
                  "Information Assets - Financial Data"):
        ttp.victim_targeting.add_targeted_information(asset)

    # A TTP carrying only the idref stands in for the full TTP inside the relationship;
    # the complete TTP is added to the package separately.
    by_ref = TTP()
    by_ref.idref = ttp.id_
    link = RelatedTTP(by_ref)
    link.relationship = "Targets"

    campaign = Campaign()
    campaign.title = "Operation Alpha"
    campaign.related_ttps.append(link)

    package = STIXPackage()
    package.add_campaign(campaign)
    package.add_ttp(ttp)
    # encoding=None presumably asks to_xml() for an un-encoded text string
    # rather than bytes, so print() shows the XML itself — confirm if changed.
    print(package.to_xml(encoding=None))
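def main():
    """Show two ways of relating an Indicator to Campaigns: an explicit CampaignRef and a Campaign promoted to one."""
    # Build Campaign instances
    camp1 = Campaign(title='Campaign 1')
    camp2 = Campaign(title='Campaign 2')

    # Build a CampaignRef object, setting the `idref` to the `id_` value of
    # our `camp2` Campaign object.
    campaign_ref = CampaignRef(idref=camp2.id_)

    # Build an Indicator object.
    i = Indicator()

    # Add CampaignRef object pointing to `camp2`.
    i.add_related_campaign(campaign_ref)

    # Add Campaign object, which gets promoted into an instance of
    # CampaignRef type internally. Only the `idref` is set.
    i.add_related_campaign(camp1)

    # Build our STIX Package and attach our Indicator and Campaign objects.
    package = STIXPackage()
    package.add_indicator(i)
    package.add_campaign(camp1)
    package.add_campaign(camp2)

    # Print! The call form with a single argument is valid on Python 2 and 3;
    # the bare `print x` statement only parses on Python 2.
    print(package.to_xml())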
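def main():
    """Attribute the 'Compromise of ATM Machines' campaign to a threat actor and link its TTP and incidents."""
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    # TTP describing what the campaign targets.
    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    # Who is behind it, wrapped in an Attribution container.
    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    # Reset the attribution list, then append the wrapper built above.
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    # The full TTP is embedded in the campaign here, not referenced by id.
    c.related_ttps.append(ttp)
    # Incidents are referenced by id only; they are not part of this package.
    c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
    c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
    c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # Single-argument print() works on Python 2 and 3; `print x` is Python 2 only.
    print(pkg.to_xml())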
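def main():
    """Two Reports referencing a Campaign and a TTP by id, packaged under an InformationSource header."""
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    # Report characterising the campaign.
    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    # Reference through the public `id_` attribute; the leading-underscore
    # `_id` is an implementation detail that need not exist on every release.
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    # Report carrying the malware artefact indicators.
    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)
    # Single-argument print() is valid on Python 2 and 3.
    print(wrapper.to_xml())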
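def main():
    """Campaign 'Operation Alpha' related to a victim-targeting TTP via a RelatedTTP reference."""
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    # Assumes TTP() leaves victim_targeting unset; build it explicitly so the
    # add_targeted_information() calls have an object to act on — TODO confirm
    # against the installed python-stix version.
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    # A TTP carrying only the idref stands in for the full TTP inside the relationship.
    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)
    # Single-argument print() works on Python 2 and 3; `print x` is Python 2 only.
    print(pkg.to_xml())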
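def main():
    """Relate an Indicator to two Campaigns, once via an explicit CampaignRef and once via the Campaign itself."""
    # Two campaigns the indicator will point at.
    camp1 = Campaign(title='Campaign 1')
    camp2 = Campaign(title='Campaign 2')

    # Explicit reference object whose idref is camp2's generated id_.
    campaign_ref = CampaignRef(idref=camp2.id_)

    i = Indicator()
    # First relation: the hand-built CampaignRef.
    i.add_related_campaign(campaign_ref)
    # Second relation: the Campaign object itself, which the library turns
    # into a CampaignRef carrying only the idref.
    i.add_related_campaign(camp1)

    # Package the indicator together with the two full campaigns.
    package = STIXPackage()
    package.add_indicator(i)
    package.add_campaign(camp1)
    package.add_campaign(camp2)

    # print() with one argument parses on Python 2 and 3; `print x` only on 2.
    print(package.to_xml())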
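def main():
    """Emit an IP-watchlist Indicator and a Campaign that references it via RelatedIndicator."""
    package = STIXPackage()

    # Create the indicator
    indicator = Indicator(title="IP Address for known C2 Channel")
    indicator.add_indicator_type("IP Watchlist")
    address = Address(category="ipv4-addr")
    address.address_value = "10.0.0.0"
    # The condition is set on the promoted value object, hence the second step.
    address.address_value.condition = "Equals"
    indicator.observable = address
    package.add_indicator(indicator)

    # Create the campaign
    campaign = Campaign(title="Operation Omega")
    package.add_campaign(campaign)

    # Link the campaign to the indicator by id; the full indicator is already in the package.
    campaign.related_indicators.append(RelatedIndicator(item=Indicator(idref=indicator.id_)))

    # Single-argument print() is valid on Python 2 and 3; `print x` is Python 2 only.
    print(package.to_xml())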
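def main():
    """Build a package holding a C2 IP-watchlist Indicator plus a Campaign linked to it by idref."""
    package = STIXPackage()

    # Indicator: one IPv4 address with an Equals condition.
    indicator = Indicator(title="IP Address for known C2 Channel")
    indicator.add_indicator_type("IP Watchlist")
    address = Address(category="ipv4-addr")
    address.address_value = "10.0.0.0"
    address.address_value.condition = "Equals"
    indicator.observable = address
    package.add_indicator(indicator)

    # Campaign, added to the package before the relationship is attached;
    # the object is shared, so the later append is still serialised.
    campaign = Campaign(title="Operation Omega")
    package.add_campaign(campaign)

    # Reference the indicator by id rather than embedding it a second time.
    campaign.related_indicators.append(
        RelatedIndicator(item=Indicator(idref=indicator.id_)))

    # print() with one argument works on Python 2 and 3; `print x` only on 2.
    print(package.to_xml())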
def main():
    """Attribute the 'Compromise of ATM Machines' campaign to a threat actor and link its TTP and incidents."""
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    # TTP describing what the campaign goes after.
    targeting_ttp = TTP()
    targeting_ttp.title = "Victim Targeting: Customer PII and Financial Data"
    targeting_ttp.victim_targeting = VictimTargeting()
    targeting_ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    # Who is behind it, wrapped in an Attribution container.
    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attribution = Attribution()
    attribution.append(actor)

    campaign = Campaign()
    campaign.attribution = []
    campaign.attribution.append(attribution)
    campaign.title = "Compromise of ATM Machines"
    # The full TTP is embedded in the campaign rather than referenced by id.
    campaign.related_ttps.append(targeting_ttp)

    # Incidents are referenced by id only; they are not part of this package.
    incident_refs = (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    )
    for ref in incident_refs:
        campaign.related_incidents.append(Incident(idref=ref))

    package = STIXPackage()
    package.add_campaign(campaign)
    print(package.to_xml(encoding=None))
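def main():
    """Attribute the 'Compromise of ATM Machines' campaign to a ThreatActor and attach its targeting TTP."""
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"

    c = Campaign()
    # NOTE(review): the ThreatActor is appended directly rather than wrapped in
    # an Attribution container; this relies on the library promoting it — confirm.
    c.attribution.append(actor)
    c.title = "Compromise of ATM Machines"
    # The full TTP is embedded in the campaign, not referenced by id.
    c.related_ttps.append(ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # Single-argument print() is valid on Python 2 and 3; `print x` is Python 2 only.
    print(pkg.to_xml())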
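def main():
    """Demonstrate three Indicator composition patterns and print one package for each.

    The TTPs and leaf indicators created for the first package (aggregate
    pattern) are reused by the second (one-of-many) and third (compound
    detection) packages, so the three sections must run in this order.
    """
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()
    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    # TTP for the C2 infrastructure
    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)
    # Leaf indicators point at their TTP by idref; the full TTP is in the package.
    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()
    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")
    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)
    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression: both leaf indicators must match
    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"
    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)
    pkg1.add_indicator(ind)

    # Single-argument print() is valid on Python 2 and 3; `print x` is Python 2 only.
    print(pkg1.to_xml())

    # USE CASE: Indicator with partial matching
    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression: any single address matching is enough
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        # add network network connection to this indicator
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)
        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
        watchlistind.composite_indicator_expression.append(new_ind)

    pkg2.add_indicator(watchlistind)
    print(pkg2.to_xml())

    # USE CASE: Indicator with compound detection
    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."

    # Create composite expression
    # NOTE(review): the description says the two low-confidence indicators
    # identify the TTP "in aggregate", yet the operator is "OR", under which a
    # single low-confidence match satisfies a High-confidence indicator.
    # Confirm whether "AND" was intended; left unchanged here.
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"
    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    # The leaf indicators from pkg1 are re-described and reused; these
    # assignments mutate the same objects that were already emitted above.
    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"

    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)
    pkg3.add_indicator(watchlistind2)
    print(pkg3.to_xml())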
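def _ip_watchlist_leaf(ip, c2_ttp):
    """Return a leaf Indicator that matches one IP address and points at *c2_ttp* by idref."""
    leaf = Indicator()
    leaf.description = "This Indicator specifies a pattern where one specific IP address is observed"
    # add network network connection to this indicator
    obs = Address()
    obs.address_value = ip
    obs.address_value.condition = "Equals"
    leaf.add_observable(obs)
    leaf.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    return leaf


def main():
    """Demonstrate three Indicator composition patterns and print one package for each.

    The TTPs and leaf indicators created for the first package (aggregate
    pattern) are reused by the second (one-of-many) and third (compound
    detection) packages, so the three sections must run in this order.
    """
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()
    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    # TTP for the C2 infrastructure
    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)
    # Leaf indicators point at their TTP by idref; the full TTP is in the package.
    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()
    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")
    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)
    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression: both leaf indicators must match
    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"
    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)
    pkg1.add_indicator(ind)

    # Single-argument print() is valid on Python 2 and 3; `print x` is Python 2 only.
    print(pkg1.to_xml())

    # USE CASE: Indicator with partial matching
    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression: any single address matching is enough
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        watchlistind.composite_indicator_expression.append(
            _ip_watchlist_leaf(ip, c2_ttp))

    pkg2.add_indicator(watchlistind)
    print(pkg2.to_xml())

    # USE CASE: Indicator with compound detection
    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."

    # Create composite expression
    # NOTE(review): the description says the two low-confidence indicators
    # identify the TTP "in aggregate", yet the operator is "OR", under which a
    # single low-confidence match satisfies a High-confidence indicator.
    # Confirm whether "AND" was intended; left unchanged here.
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"
    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    # The leaf indicators from pkg1 are re-described and reused; these
    # assignments mutate the same objects that were already emitted above.
    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"

    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)
    pkg3.add_indicator(watchlistind2)
    print(pkg3.to_xml())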
# Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution() attrib_ta.append(ThreatActor(idref=ta.id_)) campaign.attribution.append(attrib_ta) # Related Campaign (basic; by id) campaign2 = Campaign(title='Another Campaign') cassoc_campaign = CAssociatedCampaigns() cassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign2.id_))) campaign.associated_campaigns = cassoc_campaign # Related Other Objects to Campaign (by id) campaign3 = Campaign(title='Another Another Campaign') tassoc_campaign = TAssociatedCampaigns() tassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign3.id_))) ta.associated_campaigns = tassoc_campaign r = RelatedCampaignRef(CampaignRef(idref=campaign3.id_)) indicator.add_related_campaign(r) # Generate STIX Package stix_package = STIXPackage() stix_package.add_campaign(campaign) stix_package.add_ttp(ttp) stix_package.add_incident(incident) stix_package.add_indicator(indicator) stix_package.add_threat_actor(ta) stix_package.add_campaign(campaign2) print(stix_package.to_xml().decode())