def main(): ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc') stix_package = STIXPackage() ttp = TTP() malware_instance = MalwareInstance() malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos'] ttp = TTP(title="Zeus") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos") tm = OpenIOCTestMechanism() tm.ioc = ioc tm.producer = InformationSource(identity=Identity(name="Yara")) time = Time() time.produced_time = "0001-01-01T00:00:00" tm.producer.time = time tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print pkg.to_xml()
def main(): stix_package = STIXPackage() ttp_phishing = TTP(title="Phishing") attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-98" attack_pattern.description = ("Phishing") ttp_phishing.behavior = Behavior() ttp_phishing.behavior.add_attack_pattern(attack_pattern) ttp_pivy = TTP(title="Poison Ivy Variant d1c6") malware_instance = MalwareInstance() malware_instance.add_name("Poison Ivy Variant d1c6") malware_instance.add_type("Remote Access Trojan") ttp_pivy.behavior = Behavior() ttp_pivy.behavior.add_malware_instance(malware_instance) ta_bravo = ThreatActor(title="Adversary Bravo") ta_bravo.identity = Identity(name="Adversary Bravo") related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern") ta_bravo.observed_ttps.append(related_ttp_phishing) related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware") ta_bravo.observed_ttps.append(related_ttp_pivy) stix_package.add_ttp(ttp_phishing) stix_package.add_ttp(ttp_pivy) stix_package.add_threat_actor(ta_bravo) print stix_package.to_xml()
def main(): campaign = Campaign(title="Campaign against ICS") ttp = TTP(title="DrownedRat") alpha_report = Report() alpha_report.header = Header() alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector" alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!" alpha_report.header.intents = "Campaign Characterization" alpha_report.add_campaign(Campaign(idref=campaign._id)) rat_report = Report() rat_report.header = Header() rat_report.header.title = "Indicators for Malware DrownedRat" rat_report.header.intents = "Indicators - Malware Artifacts" rat_report.add_ttp(TTP(idref=ttp._id)) wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name="Government Sharing Program - GSP") wrapper.stix_header = STIXHeader(information_source=info_src) wrapper.add_report(alpha_report) wrapper.add_report(rat_report) wrapper.add_campaign(campaign) wrapper.add_ttp(ttp) print wrapper.to_xml()
def main(): stix_package = STIXPackage() ta = ThreatActor() ta.title = "Disco Team Threat Actor Group" ta.identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.party_name = PartyName() identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse")) identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName")) identity_spec.add_language("Spanish") address = Address() address.country = Country() address.country.add_name_element("United States") address.administrative_area = AdministrativeArea() address.administrative_area.add_name_element("California") identity_spec.add_address(address) identity_spec.add_electronic_address_identifier("*****@*****.**") ta.identity.specification = identity_spec stix_package.add_threat_actor(ta) print stix_package.to_xml()
def main(): stix_package = STIXPackage() ta = ThreatActor() ta.title = "Disco Team Threat Actor Group" ta.identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.party_name = PartyName() identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse")) identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName")) identity_spec.add_language("Spanish") address = Address() address.country = Country() address.country.add_name_element("United States") address.administrative_area = AdministrativeArea() address.administrative_area.add_name_element("California") identity_spec.add_address(address) identity_spec.add_electronic_address_identifier("*****@*****.**") identity_spec.add_electronic_address_identifier("facebook.com/thediscoteam") identity_spec.add_electronic_address_identifier("twitter.com/realdiscoteam") ta.identity.specification = identity_spec stix_package.add_threat_actor(ta) print stix_package.to_xml()
def main(): rule = """ rule silent_banker : banker { meta: description = "This is just an example" thread_level = 3 in_the_wild = true strings: $a = {6A 40 68 00 30 00 00 6A 14 8D 91} $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" condition: $a or $b or $c } """ stix_package = STIXPackage() indicator = Indicator(title="silent_banker", description="This is just an example") tm = YaraTestMechanism() tm.rule = rule tm.producer = InformationSource(identity=Identity(name="Yara")) tm.producer.references = ["http://plusvic.github.io/yara/"] indicator.test_mechanisms = [tm] stix_package.add_indicator(indicator) print stix_package.to_xml()
def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader(title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print stix_package.to_xml()
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def main(): ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc.xml') stix_package = STIXPackage() ttp = TTP() malware_instance = MalwareInstance() malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos'] ttp = TTP(title="Zeus") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos") tm = OpenIOCTestMechanism() tm.ioc = ioc tm.producer = InformationSource(identity=Identity(name="Yara")) time = Time() time.produced_time = "0001-01-01T00:00:00" tm.producer.time = time tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): rule = """ rule silent_banker : banker { meta: description = "This is just an example" thread_level = 3 in_the_wild = true strings: $a = {6A 40 68 00 30 00 00 6A 14 8D 91} $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" condition: $a or $b or $c } """ stix_package = STIXPackage() indicator = Indicator(title="silent_banker", description="This is just an example") tm = YaraTestMechanism() tm.rule = rule tm.producer = InformationSource(identity=Identity(name="Yara")) tm.producer.references = ["http://plusvic.github.io/yara/"] indicator.test_mechanisms = [tm] stix_package.add_indicator(indicator) print stix_package.to_xml()
def main(): NAMESPACE = {"https://www.ncsc.gov.uk/": "ncscuk"} idgen.set_id_namespace(NAMESPACE) pkg = STIXPackage() coa = CourseOfAction() obj = file_to_obj('out.json') if obj.type == 'bundle': for _dict in obj.objects: object = dict_to_obj(_dict) if object.type == 'indicator': ind = Indicator() id_str = object.id.replace('--', '-') print id_str #ind.id_ = object.id pattern_type = object.pattern.split(':')[0] _value = re.sub("'", '', object.pattern.split(' = ')[1]) if pattern_type == 'ipv4-addr': obs = Observable( Address(address_value=_value, category=Address.CAT_IPV4)) elif pattern_type == 'url': obs = Observable(URI(value=_value, type_=URI.TYPE_URL)) pkg.add_observable(obs) obs_ref = Observable() obs_ref.id_ = None obs_ref.idref = obs.id_ ind.add_observable(obs_ref) pkg.add_indicator(ind) print pkg.to_xml()
def main(): from stix.coa import CourseOfAction, Objective from stix.common import Confidence from stix.core import STIXPackage from cybox.core import Observables from cybox.objects.address_object import Address pkg = STIXPackage() coa = CourseOfAction() coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)" coa.stage = "Response" coa.type_ = "Perimeter Blocking" obj = Objective() obj.description = "Block communication between the PIVY agents and the C2 Server" obj.applicability_confidence = Confidence("High") coa.objective = obj coa.impact = "Low" coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact." coa.cost = "Low" coa.efficacy = "High" addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4) coa.parameter_observables=Observables(addr) pkg.add_course_of_action(coa) print pkg.to_xml()
def main(): stix_package = STIXPackage() ttp_phishing = TTP(title="Phishing") attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-98" attack_pattern.description = ("Phishing") ttp_phishing.behavior = Behavior() ttp_phishing.behavior.add_attack_pattern(attack_pattern) ttp_pivy = TTP(title="Poison Ivy Variant d1c6") malware_instance = MalwareInstance() malware_instance.add_name("Poison Ivy Variant d1c6") malware_instance.add_type("Remote Access Trojan") ttp_pivy.behavior = Behavior() ttp_pivy.behavior.add_malware_instance(malware_instance) ta_bravo = ThreatActor(title="Adversary Bravo") ta_bravo.identity = Identity(name="Adversary Bravo") related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern") ta_bravo.observed_ttps.append(related_ttp_phishing) related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware") ta_bravo.observed_ttps.append(related_ttp_pivy) stix_package.add_ttp(ttp_phishing) stix_package.add_ttp(ttp_pivy) stix_package.add_threat_actor(ta_bravo) print stix_package.to_xml()
def main(): campaign = Campaign(title="Campaign against ICS") ttp = TTP(title="DrownedRat") alpha_report = Report() alpha_report.header = Header() alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector" alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!" alpha_report.header.intents = "Campaign Characterization" alpha_report.add_campaign(Campaign(idref=campaign._id)) rat_report = Report() rat_report.header = Header() rat_report.header.title = "Indicators for Malware DrownedRat" rat_report.header.intents = "Indicators - Malware Artifacts" rat_report.add_ttp(TTP(idref=ttp._id)) wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name="Government Sharing Program - GSP") wrapper.stix_header = STIXHeader(information_source=info_src) wrapper.add_report(alpha_report) wrapper.add_report(rat_report) wrapper.add_campaign(campaign) wrapper.add_ttp(ttp) print wrapper.to_xml()
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print pkg.to_xml()
def main(): # Build Campaign instances camp1 = Campaign(title='Campaign 1') camp2 = Campaign(title='Campaign 2') # Build a CampaignRef object, setting the `idref` to the `id_` value of # our `camp2` Campaign object. campaign_ref = CampaignRef(idref=camp2.id_) # Build an Indicator object. i = Indicator() # Add CampaignRef object pointing to `camp2`. i.add_related_campaign(campaign_ref) # Add Campaign object, which gets promoted into an instance of # CampaignRef type internally. Only the `idref` is set. i.add_related_campaign(camp1) # Build our STIX Package and attach our Indicator and Campaign objects. package = STIXPackage() package.add_indicator(i) package.add_campaign(camp1) package.add_campaign(camp2) # Print! print package.to_xml()
def main(): from stix.coa import CourseOfAction, Objective from stix.common import Confidence from stix.core import STIXPackage from cybox.core import Observables from cybox.objects.address_object import Address pkg = STIXPackage() coa = CourseOfAction() coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)" coa.stage = "Response" coa.type_ = "Perimeter Blocking" obj = Objective() obj.description = "Block communication between the PIVY agents and the C2 Server" obj.applicability_confidence = Confidence("High") coa.objective = obj coa.impact = "Low" coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact." coa.cost = "Low" coa.efficacy = "High" addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4) coa.parameter_observables = Observables(addr) pkg.add_course_of_action(coa) print pkg.to_xml()
def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader( title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable( Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print stix_package.to_xml()
def main(): stix_package = STIXPackage() addr1 = Observable(Address(address_value="198.51.100.2", category=Address.CAT_IPV4)) addr2 = Observable(Address(address_value="198.51.100.17", category=Address.CAT_IPV4)) addr3 = Observable(Address(address_value="203.0.113.19", category=Address.CAT_IPV4)) stix_package.add_observable(addr1) stix_package.add_observable(addr2) stix_package.add_observable(addr3) obs_addr1 = Observable() obs_addr2 = Observable() obs_addr3 = Observable() obs_addr1.id_ = None obs_addr2.id_ = None obs_addr3.id_ = None obs_addr1.idref = addr1.id_ obs_addr2.idref = addr2.id_ obs_addr3.idref = addr3.id_ infrastructure = Infrastructure() infrastructure.observable_characterization = Observables([obs_addr1, obs_addr2, obs_addr3]) resource = Resource() resource.infrastructure = infrastructure ttp = TTP(title="Malware C2 Channel") ttp.resources = resource stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): alpha_package = STIXPackage() alpha_package.stix_header = STIXHeader() alpha_package.stix_header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector" alpha_package.stix_header.package_intents = "Campaign Characterization" alpha_package.stix_header.handling = Marking() alpha_marking = MarkingSpecification() alpha_marking.controlled_structure = "../../../../node()" alpha_tlp_marking = TLPMarkingStructure() alpha_tlp_marking.color = "AMBER" alpha_marking.marking_structures.append(alpha_tlp_marking) alpha_package.stix_header.handling.add_marking(alpha_marking) rat_package = STIXPackage() rat_package.stix_header = STIXHeader() rat_package.stix_header.title = "Indicators for Malware DrownedRat" rat_package.stix_header.package_intents = "Indicators - Malware Artifacts" rat_package.stix_header.handling = Marking() rat_marking = MarkingSpecification() rat_marking.controlled_structure = "../../../../node()" rat_tlp_marking = TLPMarkingStructure() rat_tlp_marking.color = "RED" alpha_marking.marking_structures.append(rat_tlp_marking) rat_package.stix_header.handling.add_marking(rat_marking) stix_package = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name="Government Sharing Program - GSP") stix_package.stix_header = STIXHeader(information_source=info_src) stix_package.related_packages.append(alpha_package) stix_package.related_packages.append(rat_package) print stix_package.to_xml()
def main(): # Build Campaign instances camp1 = Campaign(title='Campaign 1') camp2 = Campaign(title='Campaign 2') # Build a CampaignRef object, setting the `idref` to the `id_` value of # our `camp2` Campaign object. campaign_ref = CampaignRef(idref=camp2.id_) # Build an Indicator object. i = Indicator() # Add CampaignRef object pointing to `camp2`. i.add_related_campaign(campaign_ref) # Add Campaign object, which gets promoted into an instance of # CampaignRef type internally. Only the `idref` is set. i.add_related_campaign(camp1) # Build our STIX Package and attach our Indicator and Campaign objects. package = STIXPackage() package.add_indicator(i) package.add_campaign(camp1) package.add_campaign(camp2) # Print! print package.to_xml()
def main(): stix_package = STIXPackage() ttp = TTP(title="Phishing") stix_package.add_ttp(ttp) # Create the indicator for just the subject email_subject_object = EmailMessage() email_subject_object.header = EmailHeader() email_subject_object.header.subject = "[IMPORTANT] Please Review Before" email_subject_object.header.subject.condition = "StartsWith" email_subject_indicator = Indicator() email_subject_indicator.title = "Malicious E-mail Subject Line" email_subject_indicator.add_indicator_type("Malicious E-mail") email_subject_indicator.observable = email_subject_object email_subject_indicator.confidence = "Low" # Create the indicator for just the attachment file_attachment_object = EmailMessage() file_attachment_object.attachments = Attachments() attached_file_object = File() attached_file_object.file_name = "Final Report" attached_file_object.file_name.condition = "StartsWith" attached_file_object.file_extension = "doc.exe" attached_file_object.file_extension.condition = "Equals" file_attachment_object.add_related(attached_file_object, "Contains", inline=True) file_attachment_object.attachments.append(file_attachment_object.parent.id_) indicator_attachment = Indicator() indicator_attachment.title = "Malicious E-mail Attachment" indicator_attachment.add_indicator_type("Malicious E-mail") indicator_attachment.observable = file_attachment_object indicator_attachment.confidence = "Low" # Create the combined indicator w/ both subject an attachment full_email_object = EmailMessage() full_email_object.attachments = Attachments() # Add the previously referenced file as another reference rather than define it again: full_email_object.attachments.append(file_attachment_object.parent.id_) full_email_object.header = EmailHeader() full_email_object.header.subject = "[IMPORTANT] Please Review Before" full_email_object.header.subject.condition = "StartsWith" combined_indicator = Indicator(title="Malicious E-mail") combined_indicator.add_indicator_type("Malicious E-mail") combined_indicator.confidence = Confidence(value="High") combined_indicator.observable = full_email_object email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_)) indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_)) combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment] print stix_package.to_xml()
def main(): pkg = STIXPackage() vuln = Vulnerability() vuln.cve_id = "CVE-2013-3893" et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11") et.add_vulnerability(vuln) pkg.add_exploit_target(et) print pkg.to_xml()
def main(): pkg = STIXPackage() vuln = Vulnerability() vuln.cve_id = "CVE-2013-3893" et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11") et.add_vulnerability(vuln) pkg.add_exploit_target(et) print pkg.to_xml()
def main(): ciq_identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): maec_malware_instance = MAECInstance() maec_malware_instance.add_name("Poison Ivy Variant v4392-acc") maec_malware_instance.add_type("Remote Access Trojan") maec_malware_instance.maec = etree.fromstring(MAEC_XML, parser=etree.ETCompatXMLParser()) ttp = TTP(title="Poison Ivy Variant v4392-acc") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def _export_multi_json(): from stix.core import STIXPackage, STIXHeader if jsonPattern is None: if streamFlag: #stream fullFileName = "cifStream" else: fullFileName = myJsonFile xmlFileName = outputFile else: fullFileName = jsonPath + myJsonFile + '.json' fileName = "stix_" + str(myJsonFile) xmlFileName = stixPath + fileName + '.xml' if testMode: print "-----------------File Name: -------- " + fullFileName print "xmlFileName: " + xmlFileName global log_string log_string = log_string + "\n\n" + str(datetime.datetime.now().time()) + ": fullFileName: " + fullFileName + "\n" log_string = log_string + str(datetime.datetime.now().time()) + ": xmlFileName: " + xmlFileName + "\n" wholeJson = _prepare_json(fullFileName) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Search result from CIF with search parameter " + str(mySearchParam) stix_header.title = "Indicators from search by " + str(mySearchParam) stix_package.stix_header = stix_header stix_header.package_intent = "Purpose: mitigation" for x in wholeJson: indicatorIns = _export_from_json_to_xml(json.loads(x)) stix_package.add_indicator(indicatorIns) if streamFlag is False: f = open(xmlFileName, 'w') try: f.write(stix_package.to_xml()) finally: f.close() #if testMode: # print stix_package.to_xml() log_string = log_string + str(datetime.datetime.now().time()) + ": -------------- STIX----------- \n\n" + stix_package.to_xml() return stix_package.to_xml()
def main(): maec_malware_instance = MAECInstance() maec_malware_instance.add_name("Poison Ivy Variant v4392-acc") maec_malware_instance.add_type("Remote Access Trojan") maec_malware_instance.maec = etree.fromstring( MAEC_XML, parser=etree.ETCompatXMLParser()) ttp = TTP(title="Poison Ivy Variant v4392-acc") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def capecbuild(capecid): """Build a STIX package based on a CAPEC ID.""" data = _get_attack(capecid) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() ttp = _buildttp(data) if data['related_attacks']: ttp.related_ttps.append( _buildttp(_get_attack(str(data['related_attacks'][0])))) pkg.add_ttp(ttp) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] if __name__ == '__main__': _postconstruct(xml, title) return xml
def main(): # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "File Hash Example" indicator.description = ( "An indicator containing a File observable with an associated hash" ) indicator.set_producer_identity("The MITRE Corporation") indicator.set_produced_time(utils.dates.now()) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_object(f) # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader() stix_header.description = "File Hash Indicator Example" stix_package.stix_header = stix_header # Add our Indicator object. The add() method will inspect the input and # append it to the `stix_package.indicators` collection. stix_package.add(indicator) # Print the XML! print(stix_package.to_xml())
def md5(hash, provider, reporttime): vuln = Vulnerability() vuln.cve_id = "MD5-" + hash vuln.description = "maliciousMD5" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash(hash) # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "MD5-" + hash indicator.description = ("Malicious hash " + hash + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_observable(f) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def url(ip, provider, reporttime): vuln = Vulnerability() vuln.cve_id = "IPV4-" + str(ip) vuln.description = "maliciousURL" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) addr = Address(address_value=str(ip), category=Address.CAT_IPV4) addr.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "URL-" + str(ip) indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(addr) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml', 'w') f.write(stix_package.to_xml()) f.close()
def main(): pkg = STIXPackage() file_object1 = File() file_object1.file_name = "readme.doc.exe" file_object1.size_in_bytes = 40891 file_object1.add_hash( Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" )) observable1 = Observable(file_object1) file_object2 = File() file_object2.file_name = "readme.doc.exe" file_object2.size_in_bytes = 40891 file_object2.add_hash( Hash("d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592" )) observable2 = Observable(file_object2) incident = Incident(title="Malicious files detected") related_observable1 = RelatedObservable( observable1, relationship="Malicious Artifact Detected") related_observable2 = RelatedObservable( observable2, relationship="Malicious Artifact Detected") incident.related_observables.append(related_observable1) incident.related_observables.append(related_observable2) pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def main(hash_value, title, description, confidence_value): # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash(hash_value) # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = title indicator.description = (description) indicator.confidence = confidence_value indicator.set_producer_identity("Information Security") indicator.set_produced_time(utils.dates.now()) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_object(f) # Create a STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader() stix_header.description = description stix_package.stix_header = stix_header # Add our Indicator object. The add() method will inspect the input and # append it to the `stix_package.indicators` collection. stix_package.add(indicator) # Print the XML! with open('FileHash_indicator.xml', 'w') as the_file: the_file.write(stix_package.to_xml().decode('utf-8'))
def stix_xml(bldata): # Create the STIX Package and Header objects stix_package = STIXPackage() stix_header = STIXHeader() # Set the description stix_header.description = "RiskIQ Blacklist Data - STIX Format" # Set the namespace NAMESPACE = {"http://www.riskiq.com" : "RiskIQ"} set_id_namespace(NAMESPACE) # Set the produced time to now stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() # Create the STIX Package stix_package = STIXPackage() # Build document stix_package.stix_header = stix_header # Build the Package Intent stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) # Build the indicator indicator = Indicator() indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam" indicator.add_indicator_type("URL Watchlist") for datum in bldata: url = URI() url.value = "" url.value = datum['url'] url.type_ = URI.TYPE_URL url.condition = "Equals" indicator.add_observable(url) stix_package.add_indicator(indicator) return stix_package.to_xml()
def stix_xml(bldata): # Create the STIX Package and Header objects stix_package = STIXPackage() stix_header = STIXHeader() # Set the description stix_header.description = "RiskIQ Blacklist Data - STIX Format" # Set the namespace NAMESPACE = {"http://www.riskiq.com": "RiskIQ"} set_id_namespace(NAMESPACE) # Set the produced time to now stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time = datetime.now() # Create the STIX Package stix_package = STIXPackage() # Build document stix_package.stix_header = stix_header # Build the Package Intent stix_header.package_intents.append(PackageIntent.TERM_INDICATORS) # Build the indicator indicator = Indicator() indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam" indicator.add_indicator_type("URL Watchlist") for datum in bldata: url = URI() url.value = "" url.value = datum['url'] url.type_ = URI.TYPE_URL url.condition = "Equals" indicator.add_observable(url) stix_package.add_indicator(indicator) return stix_package.to_xml()
def main(): # Create a new STIXPackage stix_package = STIXPackage() # Create a new STIXHeader stix_header = STIXHeader() # Add Information Source. This is where we will add the tool information. stix_header.information_source = InformationSource() # Create a ToolInformation object. Use the initialization parameters # to set the tool and vendor names. # # Note: This is an instance of cybox.common.ToolInformation and NOT # stix.common.ToolInformation. tool = ToolInformation(tool_name="python-stix", tool_vendor="The MITRE Corporation") # Set the Information Source "tools" section to a # cybox.common.ToolInformationList which contains our tool that we # created above. stix_header.information_source.tools = ToolInformationList(tool) # Set the header description stix_header.description = "Example" # Set the STIXPackage header stix_package.stix_header = stix_header # Print the XML! print(stix_package.to_xml()) # Print the dictionary! pprint(stix_package.to_dict())
def test_user_provided_ns(self): """Test that user-provided namespaces are serialized. """ p = STIXPackage() nsinfo = nsparser.NamespaceInfo() # Collect classes nsinfo.collect(p) TEST_PREFIX = 'test' TEST_NS = 'a:unit:test' NEW_STIX_PREFIX = 'newstix' NEW_STIX_NS = "http://stix.mitre.org/stix-1" test_dict = { TEST_NS: TEST_PREFIX, NEW_STIX_NS: NEW_STIX_PREFIX } finalized = nsinfo._finalize_namespaces(ns_dict=test_dict) nsinfo.finalized_namespaces self.assertEqual(finalized.get(TEST_PREFIX), TEST_NS) self.assertEqual(finalized.get(NEW_STIX_PREFIX), NEW_STIX_NS) # Parse the exported document and make sure that the namespaces # made it through the serialization process. xml = p.to_xml(ns_dict=test_dict) e = lxml.etree.XML(xml) self.assertEqual(e.nsmap.get(TEST_PREFIX), TEST_NS) self.assertEqual(e.nsmap.get(NEW_STIX_PREFIX), NEW_STIX_NS)
def test_identity_from_xml(self): obj = self.klass.from_dict(self._full_dict) sp = STIXPackage() sp.add(obj) s = BytesIO(sp.to_xml()) pkg = STIXPackage.from_xml(s) self.assertTrue("CIQIdentity3.0InstanceType" in text_type(pkg.to_xml()))
def main(): stix_package = STIXPackage() ttp = TTP(title="C2 Behavior") indicator = Indicator(title="IP Address for known C2 Channel") indicator.add_indicator_type("IP Watchlist") addr = Address(address_value="10.0.0.0", category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()
def capecbuild(capecid): """Build a STIX package based on a CAPEC ID.""" data = _get_attack(capecid) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() ttp = _buildttp(data) if data['related_attacks']: ttp.related_ttps.append( _buildttp(_get_attack(str(data['related_attacks'][0])))) pkg.add_ttp(ttp) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] if __name__ == '__main__': _postconstruct(xml, title) return xml
def main(): f = File() f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") indicator = Indicator() indicator.title = "File Hash Example" indicator.description = "An indicator containing a File observable with an associated hash" indicator.set_producer_identity("The MITRE Corporation") indicator.set_produced_time(datetime.now(tzutc())) indicator.add_object(f) party_name = PartyName(name_lines=["Foo", "Bar"], person_names=["John Smith", "Jill Smith"], organisation_names=["Foo Inc.", "Bar Corp."]) ident_spec = STIXCIQIdentity3_0(party_name=party_name) ident_spec.add_electronic_address_identifier("*****@*****.**") ident_spec.add_free_text_line("Demonstrating Free Text!") ident_spec.add_contact_number("555-555-5555") ident_spec.add_contact_number("555-555-5556") identity = CIQIdentity3_0Instance(specification=ident_spec) indicator.set_producer_identity(identity) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Example" stix_package.stix_header = stix_header stix_package.add_indicator(indicator) xml = stix_package.to_xml() print(xml)
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] expt.information_source = InformationSource( identity=Identity(name="National Vulnerability Database")) # Add the vulnerability object to the package object expt.add_vulnerability(_vulnbuild(data)) # Add the COA object to the ET object for coa in COAS: expt.potential_coas.append( CourseOfAction( idref=coa['id'], timestamp=expt.timestamp)) # Do some TTP stuff with CAPEC objects if TTPON is True: try: for i in data['capec']: pkg.add_ttp(_buildttp(i, expt)) except KeyError: pass expt.add_weakness(_weakbuild(data)) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] # If the function is not imported then output the xml to a file. if __name__ == '__main__': _postconstruct(xml, title) return xml else: sys.exit("[-] Error retrieving details for " + var)
def main(): # Create our CybOX Simple Hash Value shv = Hash() shv.simple_hash_value = "4EC0027BEF4D7E1786A04D021FA8A67F" # Create a CybOX File Object and add the Hash we created above. f = File() h = Hash(shv, Hash.TYPE_MD5) f.add_hash(h) # Create the STIX Package stix_package = STIXPackage() # Create the STIX Header and add a description. stix_header = STIXHeader() stix_header.description = "Simple File Hash Observable Example" stix_package.stix_header = stix_header # Add the File Hash Observable to the STIX Package. The add() method will # inspect the input and add it to the top-level stix_package.observables # collection. stix_package.add(f) # Print the XML! print(stix_package.to_xml())
def main(): pkg = STIXPackage() indicator = Indicator() indicator.id_ = "example:package-382ded87-52c9-4644-bab0-ad3168cbad50" indicator.title = "Malicious site hosting downloader" indicator.add_indicator_type("URL Watchlist") url = URI() url.value = "http://x4z9arb.cn/4712" url.type_ = URI.TYPE_URL indicator.add_observable(url) pkg.add_indicator(indicator) print pkg.to_xml()
def test_user_provided_ns(self): """Test that user-provided namespaces are serialized. """ p = STIXPackage() nsinfo = nsparser.NamespaceInfo() # Collect classes nsinfo.collect(p) TEST_PREFIX = 'test' TEST_NS = 'a:unit:test' NEW_STIX_PREFIX = 'newstix' NEW_STIX_NS = "http://stix.mitre.org/stix-1" test_dict = { TEST_NS: TEST_PREFIX, NEW_STIX_NS: NEW_STIX_PREFIX } finalized = nsinfo._finalize_namespaces(ns_dict=test_dict) nsinfo.finalized_namespaces self.assertEqual(finalized.get(TEST_PREFIX), TEST_NS) self.assertEqual(finalized.get(NEW_STIX_PREFIX), NEW_STIX_NS) # Parse the exported document and make sure that the namespaces # made it through the serialization process. xml = p.to_xml(ns_dict=test_dict) e = lxml.etree.XML(xml) self.assertEqual(e.nsmap.get(TEST_PREFIX), TEST_NS) self.assertEqual(e.nsmap.get(NEW_STIX_PREFIX), NEW_STIX_NS)
def main(args): if len(args) < 4: sys.exit("Invalid parameters") baseURL = args[1] if not baseURL: baseURL = 'https://www.misp-project.org' orgname = args[2] orgname = re.sub('[\W]+', '', orgname.replace(" ", "_")) NS_DICT[baseURL] = orgname try: idgen.set_id_namespace(Namespace(baseURL, orgname)) except TypeError: idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP")) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "Export from {} MISP".format(args[2]) stix_header.package_intents = "Threat Report" stix_package.stix_header = stix_header stix_package.version = "1.1.1" stix_package.timestamp = datetime.datetime.now() if args[3] == 'json': stix_string = stix_package.to_json()[:-1] stix_string += ', "related_packages": [' else: stix_string = stix_package.to_xml(auto_namespace=False, ns_dict=NS_DICT, schemaloc_dict=SCHEMALOC_DICT) stix_string = stix_string.decode().replace("</stix:STIX_Package>\n", "") print(stix_string)
def main(): # Crea un objeto vía CybOX f = File() # Asocia el hash a dicho objeto, la tipología del hash la detecta automáticamente en función de su amplitud f.add_hash("8994a4713713e4683117e35d8689ea24") # Creamos el indicador con la información de la que disponemos indicator = Indicator() indicator.title = "Feeds and Risk Score" indicator.description = ( "An indicator containing the feed and the appropriate Risk Score" ) indicator.set_producer_identity("Malshare") indicator.set_produced_time("01/05/2019") indicator.likely_impact = ("Risk Score: 4(Critical)") # Asociamos el hash anterior a nuestro indicador indicator.add_object(f) # Creamos el reporte en STIX, con una brve descripción stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Feeds in STIX format with their Risk Scores" stix_package.stix_header = stix_header # Añadimos al reporte el indicador que hemos construido antes stix_package.add(indicator) # Imprimimos el xml en pantalla print(stix_package.to_xml())
def main(): file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' stix_header = STIXHeader( title="File Hash Reputation Service Results", package_intents=["Indicators - Malware Artifacts"]) stix_package = STIXPackage(stix_header=stix_header) indicator = Indicator( title= "File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ) indicator.add_indicator_type("File Hash Watchlist") file_object = File() file_object.add_hash(Hash(file_hash)) file_object.hashes[0].simple_hash_value.condition = "Equals" file_object.hashes[0].type_.condition = "Equals" indicator.add_observable(file_object) indicator.add_indicated_ttp(TTP(title="Malicious file")) indicator.confidence = Confidence(value=VocabString('75')) indicator.confidence.value.vocab_name = "Percentage" indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage" stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def md5(hash,provider,reporttime): vuln = Vulnerability() vuln.cve_id = "MD5-" + hash vuln.description = "maliciousMD5" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) # Create a CyboX File Object f = File() # This automatically detects that it's an MD5 hash based on the length f.add_hash(hash) # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "MD5-" + hash indicator.description = ("Malicious hash " + hash + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) # Add The File Object to the Indicator. This will promote the CybOX Object # to a CybOX Observable internally. indicator.add_observable(f) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/MD5/' + hash + '.xml','w') f.write(stix_package.to_xml()) f.close()
def main(): # Creamos el indicador con la información de la que disponemos threatActor = ThreatActor() threatActor.title = "Ip/Domain/Hostname" threatActor.description = ("A threatActor commited with malicious tasks") threatActor.information_source = ("Malshare") threatActor.timestamp = ("01/05/2019") threatActor.identity = ("106.113.123.197") threatActor.types = ("eCrime Actor - Spam Service") # Creamos el indicador con la información de la que disponemos indicator = Indicator() indicator.title = "Risk Score" indicator.description = ( "An indicator containing the appropriate Risk Score") indicator.set_produced_time("01/05/2019") indicator.likely_impact = ("Risk Score: 2(Medium)") # Creamos el reporte en STIX, con una brve descripción stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Feeds in STIX format with their Risk Scores" stix_package.stix_header = stix_header # Añadimos al reporte el indicador que hemos construido antes stix_package.add(threatActor) stix_package.add(indicator) # Imprimimos el xml en pantalla print(stix_package.to_xml())
def url(ip,provider,reporttime): vuln = Vulnerability() vuln.cve_id = "IPV4-" + str(ip) vuln.description = "maliciousURL" et = ExploitTarget(title=provider + " observable") et.add_vulnerability(vuln) addr = Address(address_value=str(ip), category=Address.CAT_IPV4) addr.condition = "Equals" # Create an Indicator with the File Hash Object created above. indicator = Indicator() indicator.title = "URL-" + str(ip) indicator.description = ("Malicious URL " + str(ip) + " reported from " + provider) indicator.set_producer_identity(provider) indicator.set_produced_time(reporttime) indicator.add_observable(addr) # Create a STIX Package stix_package = STIXPackage() stix_package.add(et) stix_package.add(indicator) # Print the XML! #print(stix_package.to_xml()) f = open('/opt/TARDIS/Observables/URL/' + str(ip) + '.xml','w') f.write(stix_package.to_xml()) f.close()
def main(): f = File() f.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") indicator = Indicator() indicator.title = "File Hash Example" indicator.description = "An indicator containing a File observable with an associated hash" indicator.set_producer_identity("The MITRE Corporation") indicator.set_produced_time(datetime.now(tzutc())) indicator.add_object(f) party_name = PartyName(name_lines=["Foo", "Bar"], person_names=["John Smith", "Jill Smith"], organisation_names=["Foo Inc.", "Bar Corp."]) ident_spec = STIXCIQIdentity3_0(party_name=party_name) ident_spec.add_electronic_address_identifier("*****@*****.**") ident_spec.add_free_text_line("Demonstrating Free Text!") ident_spec.add_contact_number("555-555-5555") ident_spec.add_contact_number("555-555-5556") identity = CIQIdentity3_0Instance(specification=ident_spec) indicator.set_producer_identity(identity) stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Example 05" stix_package.stix_header = stix_header stix_package.add_indicator(indicator) xml = stix_package.to_xml() print(xml)
def main(): pkg = STIXPackage() affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = "Database" affected_asset.type_.count_affected = 1 affected_asset.business_function_or_role = "Hosts the database for example.com" affected_asset.ownership_class = "Internally-Owned" affected_asset.management_class = "Internally-Managed" affected_asset.location_class = "Internally-Located" property_affected = PropertyAffected() property_affected.property_ = "Confidentiality" property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how." property_affected.non_public_data_compromised = "Yes" property_affected.non_public_data_compromised.data_encrypted = False security_effect_nature = NatureOfSecurityEffect() security_effect_nature.append(property_affected) affected_asset.nature_of_security_effect = security_effect_nature affected_assets = AffectedAssets() affected_assets.append(affected_asset) incident = Incident(title="Exfiltration from hr-data1.example.com") incident.affected_assets = affected_assets pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def main(): infilename = '' outfilename = '' #Get the command-line arguments args = sys.argv[1:] if len(args) < 4: usage() sys.exit(1) for i in range(0,len(args)): if args[i] == '-i': infilename = args[i+1] elif args[i] == '-o': outfilename = args[i+1] if os.path.isfile(infilename): try: # Perform the translation using the methods from the OpenIOC to CybOX Script openioc_indicators = openioc.parse(infilename) observables_obj = openioc_to_cybox.generate_cybox(openioc_indicators, infilename, True) observables_cls = Observables.from_obj(observables_obj) # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace({"https://github.com/STIXProject/openioc-to-stix":"openiocToSTIX"}) # Wrap the created Observables in a STIX Package/Indicator stix_package = STIXPackage() # Add the OpenIOC namespace input_namespaces = {"http://openioc.org/":"openioc"} stix_package.__input_namespaces__ = input_namespaces for observable in observables_cls.observables: indicator_dict = {} producer_dict = {} producer_dict['tools'] = [{'name':'OpenIOC to STIX Utility', 'version':str(__VERSION__)}] indicator_dict['producer'] = producer_dict indicator_dict['title'] = "CybOX-represented Indicator Created from OpenIOC File" indicator = Indicator.from_dict(indicator_dict) indicator.add_observable(observables_cls.observables[0]) stix_package.add_indicator(indicator) # Create and write the STIX Header stix_header = STIXHeader() stix_header.package_intent = "Indicators - Malware Artifacts" stix_header.description = "CybOX-represented Indicators Translated from OpenIOC File" stix_package.stix_header = stix_header # Write the generated STIX Package as XML to the output file outfile = open(outfilename, 'w') # Ignore any warnings - temporary fix for no schemaLocation w/ namespace with warnings.catch_warnings(): warnings.simplefilter("ignore") outfile.write(stix_package.to_xml()) warnings.resetwarnings() outfile.flush() outfile.close() except Exception, err: print('\nError: %s\n' % str(err)) traceback.print_exc()
def main(): stix_package = STIXPackage() ttp = TTP(title="C2 Behavior") indicator = Indicator(title="IP Address for known C2 Channel") indicator.add_indicator_type("IP Watchlist") addr = Address(address_value="10.0.0.0", category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()