def add_social(social_item, ttp):
    """Populate *ttp* from an 'action/social' item.

    Stores the item's 'target' in the module-level ``targets_item``,
    copies escaped 'notes' into the TTP description and, when the first
    'variety' entry maps to a CAPEC id, attaches a single AttackPattern.
    A missing 'target' or 'variety' is reported through error().
    """
    global targets_item
    targets_item = social_item.get('target')
    if not targets_item:
        error("Required 'target' item is missing in 'action/socal' item")
    # TODO: 'target' is recorded above but not yet converted into the TTP
    notes_item = social_item.get('notes')
    if notes_item:
        ttp.description = "Notes: " + escape(notes_item)
    variety_item = social_item.get("variety")
    if not variety_item:
        error("Required 'variety' item is missing in 'action/socal' item")
        return
    # Only the first variety is consulted ("Phishing" is the one expected to
    # map to a CAPEC id); later entries are currently ignored.
    capec_id = map_socal_item_to_capecid(variety_item[0])
    if not capec_id:
        return
    ttp.behavior = Behavior()
    pattern = AttackPattern()
    pattern.capec_id = capec_id
    ttp.behavior.add_attack_pattern(pattern)
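def convert_attack_pattern(ap20):
    """Convert a STIX 2.x attack-pattern object into a STIX 1.x TTP.

    Args:
        ap20: the 2.x attack-pattern as a dict; ``id`` and ``modified``
            are required, every other property is optional.

    Returns:
        The new TTP, carrying one AttackPattern in its Behavior, after it
        has been registered with record_id_object_mapping.

    Raises:
        KeyError: when ``id`` or ``modified`` is absent from *ap20*.
    """
    ap1x = AttackPattern()
    # NOTE(review): unlike add_social, name/description are passed through
    # without escape(); confirm the 1.x serializer escapes them on output.
    if "name" in ap20:
        ap1x.title = ap20["name"]
    if "description" in ap20:
        ap1x.add_description(ap20["description"])
    if "labels" in ap20:
        # `l` renamed: it is visually ambiguous (PEP 8 E741)
        for label in ap20["labels"]:
            add_missing_property_to_description(ap1x, "label", label)
    if "external_references" in ap20:
        ap1x.capec_id = extract_external_id("capec",
                                            ap20["external_references"])
    ttp = TTP(id_=convert_id20(ap20["id"]),
              timestamp=text_type(ap20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(ap1x)
    if "kill_chain_phases" in ap20:
        process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    if "object_marking_refs" in ap20:
        for m_id in ap20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in ap20:
        # reported only; nothing from the granular markings is applied
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ap20["id"])
    # (stale commented-out duplicate of the kill_chain_phases call removed)
    record_id_object_mapping(ap20["id"], ttp)
    return ttp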
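def add_hacking(hacking_item, ttp):
    """Populate *ttp* from an 'action/hacking' item.

    Remembers any CVEs on the item, then adds one AttackPattern per
    'variety' entry, looked up in utilities.ATTACK_PATTERN_MAPPING:
    a (capec_id, title) pair becomes a CAPEC-bearing pattern, the literals
    "Other"/"Unknown" become title-only patterns, 0 is reported as an
    entry with no mapping yet, and an absent entry is reported as an error.

    Fixes: the original tested ``not capec_info`` before ``capec_info == 0``,
    so the "has no mapping, yet" branch could never run and 0-valued entries
    were reported as missing; and a missing 'variety' made the loop iterate
    over None (TypeError) instead of being reported like add_social does.
    """
    remember_cves(hacking_item.get('cve'), ttp)
    ttp.behavior = Behavior()
    variety_item = hacking_item.get("variety")
    if not variety_item:
        error("Required 'variety' item is missing in 'action/hacking' item")
        return
    # TODO: 'vector' and 'notes' are present on the item but not converted yet
    for item in variety_item:
        capec_info = utilities.ATTACK_PATTERN_MAPPING.get(item)
        # 0 is a deliberate "not mapped yet" marker, so test it before the
        # generic falsy check that catches a missing entry
        if capec_info == 0:
            warn("'%s' in 'action/hacking' item has no mapping, yet", item)
            continue
        if not capec_info:
            error("'%s' in 'action/hacking' item not found in attack_pattern mapping", item)
            continue
        attack_pattern = AttackPattern()
        if capec_info in ("Other", "Unknown"):
            attack_pattern.title = capec_info
        else:
            attack_pattern.capec_id = capec_info[0]
            attack_pattern.title = capec_info[1]
        ttp.behavior.add_attack_pattern(attack_pattern)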
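def genData_AttackPattern(data):
    """Build a bare stix AttackPattern whose title is taken from *data*.

    Args:
        data: mapping with a 'source' entry that holds the title under the
            key 'stix.ttp.attack_pattern.AttackPattern.title'.

    Returns:
        An AttackPattern with only ``title`` set; ``capec_id``,
        ``description`` and ``short_description`` are explicitly None.

    Raises:
        KeyError: when the 'source' entry or the title key is absent.
    """
    # local import kept as in the original; the unused create_id import
    # was dropped
    from stix.ttp.attack_pattern import AttackPattern

    attack_pattern = AttackPattern()
    attack_pattern.capec_id = None
    attack_pattern.title = data['source'][
        'stix.ttp.attack_pattern.AttackPattern.title']
    attack_pattern.description = None
    attack_pattern.short_description = None

    return attack_pattern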