Beispiel #1
0
    def _get_threat_actor_object(value,
                                 description=None,
                                 crowd_strike_motivations=[]):
        # 攻撃者情報作成
        organisation_name = OrganisationName(value)
        party_name = PartyName()
        party_name.add_organisation_name(organisation_name)
        identity_specification = STIXCIQIdentity3_0()
        identity_specification.party_name = party_name
        identity = CIQIdentity3_0Instance()

        # ThreatActor
        ta = ThreatActor()
        ta.identity = identity
        ta.identity.specification = identity_specification
        # Title に抽出した Threat Actor 名前
        ta.title = value
        ta.description = description
        ta.short_description = description
        ta.identity = identity

        # motivations 作成
        for crowd_strike_motivation in crowd_strike_motivations:
            ta_motivation = Statement(crowd_strike_motivation['value'])
            # motivation 追加
            ta.add_motivation(ta_motivation)
        return ta
Beispiel #2
0
def resolveIdentityAttribute(incident, attribute, namespace):
    ciq_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    if attribute["type"] == 'target-user':
        identity_spec.party_name = PartyName(person_names=[attribute["value"]])
    elif attribute["type"] == 'target-external':
        # we don't know if target-external is a person or an organisation, so as described at http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018, use NameLine
        identity_spec.party_name = PartyName(
            name_lines=["External target: " + attribute["value"]])
    elif attribute["type"] == 'target-org':
        identity_spec.party_name = PartyName(
            organisation_names=[attribute["value"]])
    elif attribute["type"] == 'target-location':
        identity_spec.add_address(
            Address(FreeTextAddress(address_lines=[attribute["value"]])))
    elif attribute["type"] == 'target-email':
        identity_spec.add_electronic_address_identifier(
            ElectronicAddressIdentifier(value=attribute["value"]))
    ciq_identity.specification = identity_spec

    ciq_identity.id_ = "example:Identity-" + attribute["uuid"]

    # is this a good idea?
    ciq_identity.name = attribute["type"] + ": " + attribute[
        "value"] + " (MISP Attribute #" + attribute["id"] + ")"
    incident.add_victim(ciq_identity)
    return incident
def convert_identity(ident20):
    if ("sectors" in ident20 or "contact_information" in ident20
            or "labels" in ident20 or "identity_class" in ident20
            or "description" in ident20):
        ident1x = CIQIdentity3_0Instance()
        id1x = convert_id20(ident20["id"])
        ident1x.id_ = id1x
        if ident20["identity_class"] != "organization":
            ident1x.name = ident20["name"]
        if "labels" in ident20:
            ident1x.roles = ident20["labels"]
        if ("sectors" in ident20 or "contact_information" in ident20
                or "identity_class" in ident20 or "description" in ident20):
            ident1x.specification = STIXCIQIdentity3_0()
            if ident20["identity_class"] == "organization":
                party_name = PartyName()
                party_name.add_organisation_name(text_type(ident20["name"]))
                ident1x.specification.party_name = party_name
            if "sectors" in ident20:
                first = True
                for s in ident20["sectors"]:
                    if first:
                        ident1x.specification.organisation_info = \
                            OrganisationInfo(text_type(convert_open_vocabs_to_controlled_vocabs(s, SECTORS_MAP, False)[0]))
                        first = False
                    else:
                        warn(
                            "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                            401, "Identity", "sectors", s)
            # Identity in 1.x has no description property, use free-text-lines
            if "identity_class" in ident20:
                add_missing_property_to_free_text_lines(
                    ident1x.specification, "identity_class",
                    ident20["identity_class"])
            # Because there is format defined in the specification for this property, it is difficult to
            # determine how to convert the information probably found within it to the CIQ fields, so it will be put
            # in the free_text_lines
            if "contact_information" in ident20:
                add_missing_property_to_free_text_lines(
                    ident1x.specification, "contact_information",
                    ident20["contact_information"])
            if "description" in ident20:
                add_missing_property_to_free_text_lines(
                    ident1x.specification, "description",
                    ident20["description"])
    else:
        ident1x = Identity(id_=convert_id20(ident20["id"]),
                           name=ident20["name"])
    if "object_marking_refs" in ident20:
        for m_id in ident20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ident1x, ms, descendants=True)
    if "granular_markings" in ident20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ident20["id"])
    return ident1x
Beispiel #4
0
def add_analyst_item(analyst_item, incident):
    insrc = InformationSource()
    analyst_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    analyst_identity.specification = identity_spec
    if analyst_item:
        partyName = PartyName()
        partyName.add_name_line(analyst_item)
        identity_spec.party_name = partyName
    insrc.identity = analyst_identity
    incident.reporter = insrc
Beispiel #5
0
def main():
    f = File()
    f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")

    indicator = Indicator()
    indicator.title = "File Hash Example"
    indicator.description = "An indicator containing a File observable with an associated hash"
    indicator.set_producer_identity("The MITRE Corporation")
    indicator.set_produced_time(datetime.now(tzutc()))
    indicator.add_object(f)

    party_name = PartyName(name_lines=["Foo", "Bar"],
                           person_names=["John Smith", "Jill Smith"],
                           organisation_names=["Foo Inc.", "Bar Corp."])
    ident_spec = STIXCIQIdentity3_0(party_name=party_name)
    ident_spec.add_electronic_address_identifier("*****@*****.**")
    ident_spec.add_free_text_line("Demonstrating Free Text!")
    ident_spec.add_contact_number("555-555-5555")
    ident_spec.add_contact_number("555-555-5556")
    identity = CIQIdentity3_0Instance(specification=ident_spec)
    indicator.set_producer_identity(identity)

    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "Example 05"
    stix_package.stix_header = stix_header
    stix_package.add_indicator(indicator)

    xml = stix_package.to_xml()
    print(xml)
Beispiel #6
0
    def from_dict(cls, dict_repr, return_obj=None):
        if not dict_repr:
            return None

        if not return_obj:
            return_obj = cls()

        return_obj.party_name = PartyName.from_dict(
            dict_repr.get('party_name'))
        return_obj.languages = [
            Language.from_dict(x) for x in dict_repr.get('languages', [])
        ]
        return_obj.addresses = [
            Address.from_dict(x) for x in dict_repr.get('addresses', [])
        ]
        return_obj.electronic_address_identifiers = [
            ElectronicAddressIdentifier.from_dict(x)
            for x in dict_repr.get('electronic_address_identifiers', [])
        ]
        return_obj.free_text_lines = [
            FreeTextLine.from_dict(x)
            for x in dict_repr.get('free_text_lines', [])
        ]
        return_obj.contact_numbers = [
            ContactNumber.from_dict(x)
            for x in dict_repr.get('contact_numbers', [])
        ]
        return_obj.organisation_info = OrganisationInfo.from_dict(
            dict_repr.get('organisation_info'))

        return return_obj
Beispiel #7
0
def main():
    stix_package = STIXPackage()
    ta = ThreatActor()
    ta.title = "Disco Team Threat Actor Group"

    ta.identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()

    identity_spec.party_name = PartyName()
    identity_spec.party_name.add_organisation_name(
        OrganisationName("Disco Team", type_="CommonUse"))
    identity_spec.party_name.add_organisation_name(
        OrganisationName("Equipo del Discoteca", type_="UnofficialName"))

    identity_spec.add_language("Spanish")

    address = Address()
    address.country = Country()
    address.country.add_name_element("United States")
    address.administrative_area = AdministrativeArea()
    address.administrative_area.add_name_element("California")
    identity_spec.add_address(address)

    identity_spec.add_electronic_address_identifier(
        "*****@*****.**")
    identity_spec.add_electronic_address_identifier(
        "facebook.com/thediscoteam")
    identity_spec.add_electronic_address_identifier(
        "twitter.com/realdiscoteam")

    ta.identity.specification = identity_spec
    stix_package.add_threat_actor(ta)
    print(stix_package.to_xml(encoding=None))
Beispiel #8
0
 def resolve_identity_attribute(incident, attribute):
     attribute_type = attribute.type
     ciq_identity = CIQIdentity3_0Instance()
     identity_spec = STIXCIQIdentity3_0()
     if attribute_type == "target-user":
         identity_spec.party_name = PartyName(person_names=[attribute.value])
     if attribute_type == "target-external":
         # we don't know if target-external is a person or an organisation, so as described at http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018, use NameLine
         identity_spec.party_name = PartyName(name_lines=["External target: {}".format(attribute.value)])
     elif attribute_type == 'target-org':
         identity_spec.party_name = PartyName(organisation_names=[attribute.value])
     elif attribute_type == 'target-location':
         identity_spec.add_address(ciq_Address(FreeTextAddress(address_lines=[attribute.value])))
     elif attribute_type == 'target-email':
         identity_spec.add_electronic_address_identifier(ElectronicAddressIdentifier(value=attribute.value))
     ciq_identity.specification = identity_spec
     ciq_identity.id_ = "{}:Identity-{}".format(namespace[1], attribute.uuid)
     # is this a good idea?
     ciq_identity.name = "{}: {} (MISP Attribute #{})".format(attribute_type, attribute.value, attribute.id)
     incident.add_victim(ciq_identity)
Beispiel #9
0
def add_victim_item(victim_item, incident):
    global targets_item
    victim_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    victim_identity.specification = identity_spec
    if targets_item:
        for item in targets_item:
            victim_identity.add_role(item)
    country_item = victim_item.get('country')
    if not country_item:
        error("Required 'country' item is missing in 'victim' item")
    else:  
        for c in country_item:
            address = Address()
            address.country = Country()
            address.country.add_name_element(c)
            state_item = victim_item.get('state')
            if state_item:
                address.administrative_area = AdministrativeArea()
                address.administrative_area.add_name_element(state_item)
            identity_spec.add_address(address)
    # no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108 
    if victim_item.get("employee_count"):
        warn("'victim/employee_count' item not handled, yet")
    if victim_item.get("industry"):
        warn("'victim/industry' item not handled, yet")
    if victim_item.get("revenue"):
        warn("'victim/revenue' item not handled, yet")
    victim_id_item = victim_item.get('victim_id')
    if victim_id_item:
        partyName = PartyName()
        # id might be inappropriate for name
        partyName.add_name_line(victim_id_item)
        identity_spec.party_name = partyName
        
    incident.add_victim(victim_identity)
Beispiel #10
0
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility functions aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG".
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing. User did not supply
            correct values for: proprietary, color and consent.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS:
        https://www.us-cert.gov/ais

    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')

    diff = set(args) - set(kwargs.keys())

    if diff:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(diff)))

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(
        kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    if proprietary is True:
        proprietary_obj = IsProprietary()
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()

    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)
Beispiel #11
0
def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility functions aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary.
        consent: A string with one of the following values: "EVERYONE", "NONE"
            or "USG".
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a CIQ
            identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing. User did not supply
            correct values for: proprietary, color and consent.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS:
        https://www.us-cert.gov/ais

    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')

    diff = set(args) - set(kwargs.keys())

    if diff:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(diff)))

    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    if proprietary is True:
        proprietary_obj = IsProprietary()
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()

    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)
Beispiel #12
0
    InformationType('Information Assets - User Credentials'))

identity = CIQIdentity3_0Instance()
# identity.name = 'Bob Ricca'

identity_spec = STIXCIQIdentity3_0()
identity_spec.add_address(Address(country='Germany'))
identity_spec.add_address(Address(country='United States'))
identity_spec.add_language('German')
identity_spec.add_language('English')
identity_spec.add_nationality('American')
identity_spec.add_contact_number('727-867-5309')
identity_spec.add_electronic_address_identifier('bricca')
identity_spec.add_electronic_address_identifier(
    ElectronicAddressIdentifier(value='*****@*****.**', type_='Email'))
party_name = PartyName()
party_name.add_person_name('Bob Ricca')
party_name.add_person_name('Robert Ricca')
party_name.add_organisation_name('ThreatQuotient')
identity_spec.party_name = party_name
organization = OrganisationInfo(industry_type='Cybersecurity')
identity_spec.organisation_info = organization
identity.specification = identity_spec
victim_targeting.identity = identity
domain2 = DomainName()
domain2.value = 'www.bobricca.com'
observable2 = Observable(domain2)
victim_targeting.targeted_technical_details = Observables(
    Observable(idref=observable2.id_))
ttp2.victim_targeting = victim_targeting