    def createDNSObs(self, DNSOBJ):
        """Build domain/IP observables (and optional indicators) from DNS results.

        Args:
            DNSOBJ: iterable of Cuckoo report domain entries, each exposing
                ``.domain`` and ``.ip``.

        Returns:
            A two-element list ``[observables, relationships]``. The first list
            holds, per entry, an ``IPv4Address`` followed by a ``DomainName``;
            when ``self.CreateIndicator`` is set, an ``Indicator`` for the
            domain and one for the IP are inserted ahead of them. The second
            list holds one ``resolves-to`` relationship DomainName -> IPv4Address
            per entry.
        """
        observables = []
        relationships = []
        for entry in DNSOBJ:
            entry: cuckooReportDomain
            addr = IPv4Address(value=entry.ip)
            # resolves_to_refs is intentionally not set on the DomainName;
            # see https://github.com/OpenCTI-Platform/client-python/issues/155
            name = DomainName(value=entry.domain)
            link = Relationship(
                source_ref=name.id,
                target_ref=addr.id,
                relationship_type="resolves-to",
                allow_custom=True,
            )

            if self.CreateIndicator:
                # NOTE(review): domain and IP strings come straight from the
                # sandbox report; quoting/escaping for the STIX pattern is
                # assumed to happen inside getStixPattern — confirm.
                observables.extend(
                    (
                        Indicator(
                            name=entry.domain,
                            pattern=self.getStixPattern(entry.domain, "FQDN"),
                            pattern_type="stix",
                        ),
                        Indicator(
                            name=entry.ip,
                            pattern=self.getStixPattern(entry.ip, "ipv4"),
                            pattern_type="stix",
                        ),
                    )
                )
            observables.extend((addr, name))
            relationships.append(link)

        return [observables, relationships]
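    def createBinarieObs(self, objects):
        """Build ``File`` observables (and optional indicators) for dropped payloads.

        Args:
            objects: iterable of Cuckoo payload entries exposing ``md5``,
                ``sha1``, ``sha256``, ``sha512``, ``ssdeep``, ``size``,
                ``name`` and ``type``.

        Returns:
            list: one ``File`` per payload, each followed by a SHA-256
            ``Indicator`` when ``self.CreateIndicator`` is set.
        """
        iocs = []

        for payload in objects:
            payload: cuckooPayload
            raw = {
                "MD5": payload.md5,
                "SHA-1": payload.sha1,
                "SHA-256": payload.sha256,
                "SHA-512": payload.sha512,
                "SSDEEP": payload.ssdeep,
            }
            # Hex digests are normalised to upper case as before. ssdeep is a
            # case-sensitive base64-style digest, so upper-casing it corrupts
            # the value; it is passed through unchanged. Missing/empty digests
            # are dropped instead of raising on ``None.upper()``.
            hashes = {
                algo: (value if algo == "SSDEEP" else value.upper())
                for algo, value in raw.items()
                if value
            }
            iocs.append(
                File(
                    hashes=hashes,
                    size=payload.size,
                    name=payload.name,
                    mime_type=payload.type,
                )
            )
            if not self.CreateIndicator:
                continue
            # NOTE(review): the pattern value is the report-supplied digest;
            # any quoting needed for the STIX pattern is assumed to be done by
            # getStixPattern — confirm.
            iocs.append(
                Indicator(
                    name=payload.name,
                    pattern=self.getStixPattern(payload.sha256.upper(), "sha256"),
                    pattern_type="stix",
                )
            )

        return iocs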
def rel_mem_store():
    """Yield a ``MemoryStore`` seeded with four SDOs and three SROs linking them.

    The store contains a Campaign, Identity, Indicator and Malware built from
    the module-level ``*_ID`` / ``*_KWARGS`` constants, plus the relationships
    Indicator --indicates--> Malware, Malware --targets--> Identity and
    Campaign --uses--> Malware, whose ids come from ``RELATIONSHIP_IDS[0..2]``.
    """
    campaign = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
    identity = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
    indicator = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
    malware = Malware(id=MALWARE_ID, **MALWARE_KWARGS)

    edges = [
        (indicator, "indicates", malware, RELATIONSHIP_IDS[0]),
        (malware, "targets", identity, RELATIONSHIP_IDS[1]),
        (campaign, "uses", malware, RELATIONSHIP_IDS[2]),
    ]
    relationships = [
        Relationship(src, kind, dst, id=rel_id) for src, kind, dst, rel_id in edges
    ]

    yield MemoryStore([campaign, identity, indicator, malware, *relationships])
 def createIPObs(self, hosts):
     """Return ``IPv4Address`` observables (plus indicators when enabled) for hosts.

     Args:
         hosts: iterable of Cuckoo report host entries exposing ``.ip``.

     Returns:
         list: an ``IPv4Address`` per host, each followed by an ``Indicator``
         built from ``getStixPattern(ip, "ipv4")`` when ``self.CreateIndicator``
         is set.
     """
     observables = []
     for entry in hosts:
         entry: cuckooReportHost
         observables.append(IPv4Address(value=entry.ip))
         if not self.CreateIndicator:
             continue
         observables.append(
             Indicator(
                 name=entry.ip,
                 pattern=self.getStixPattern(entry.ip, "ipv4"),
                 pattern_type="stix",
             )
         )
     return observables
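    def createPrimaryBinary(self, file: cuckooTarget, external_references):
        """Build the ``File``, ``Indicator`` and link for the analysed sample.

        Args:
            file: the Cuckoo analysis target, exposing ``md5``, ``sha1``,
                ``sha256``, ``sha512``, ``ssdeep``, ``size``, ``name`` and
                ``type``.
            external_references: external references attached to the Indicator.

        Returns:
            list: ``[File, Indicator, Relationship]`` where the relationship is
            ``File --based-on--> Indicator``.
        """
        raw = {
            "MD5": file.md5,
            "SHA-1": file.sha1,
            "SHA-256": file.sha256,
            "SHA-512": file.sha512,
            "SSDEEP": file.ssdeep,
        }
        # Hex digests are normalised to upper case as before. ssdeep is a
        # case-sensitive base64-style digest, so upper-casing it corrupts the
        # value; it is passed through unchanged. Missing/empty digests are
        # dropped instead of raising on ``None.upper()``.
        hashes = {
            algo: (value if algo == "SSDEEP" else value.upper())
            for algo, value in raw.items()
            if value
        }

        # NOTE(review): createBinarieObs upper-cases the SHA-256 before building
        # its pattern while this method passes it through unchanged; confirm
        # which form getStixPattern / the backend expects.
        STIXPattern = self.getStixPattern(file.sha256, "sha256")

        # Only a missing ``size`` attribute (or a falsy value) falls back to 0;
        # the previous bare ``except: pass`` also hid unrelated errors.
        size = getattr(file, "size", None) or 0

        Filex = File(
            hashes=hashes,
            size=size,
            name=file.name,
            mime_type=file.type,
        )
        ind = Indicator(
            name=file.name,
            pattern=STIXPattern,
            pattern_type="stix",
            external_references=external_references,
        )

        rel = Relationship(
            source_ref=Filex.id,
            relationship_type="based-on",
            target_ref=ind.id,
            allow_custom=True,
        )

        return [Filex, ind, rel]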
                    contact_information="*****@*****.**",
                    identity_class="organization",
                    sectors=["defence"])

# TLP:AMBER marking. The id/created pair is the fixed one the STIX 2.1 spec
# assigns to TLP:AMBER, so this object is interchangeable with other producers'.
marking_def_amber = MarkingDefinition(
    definition_type="tlp",
    definition={"tlp": "amber"},
    id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    created="2017-01-20T00:00:00.000Z",
)

# Free-text statement marking (copyright notice) attached alongside the TLP.
marking_def_statement = MarkingDefinition(
    definition_type="statement",
    definition=StatementMarking("Copyright (c) Stark Industries 2017."),
    id="marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2017-04-14T13:07:49.812Z",
)

# Indicator carrying both markings via object_marking_refs; the marking
# objects themselves are passed rather than their id strings.
indicator = Indicator(
    name="Known malicious IP Address",
    indicator_types=["malicious-activity"],
    pattern="[ipv4-addr:value = '10.0.0.0']",
    pattern_type="stix",
    valid_from="2017-04-14T13:07:49.812Z",
    object_marking_refs=[marking_def_amber, marking_def_statement],
    created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
    id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
    created="2017-04-14T13:07:49.812Z",
    modified="2017-04-14T13:07:49.812Z",
)

# The bundle includes the referenced markings so consumers can resolve them.
bundle = Bundle(
    objects=[identity, indicator, marking_def_amber, marking_def_statement],
)
    name="Beta Cyber Intelligence Company",
    identity_class="organization",
    contact_information="*****@*****.**",
    roles=["Cyber Security"],
    sectors=["technology"], 
    spec_version="2.1",
    type="identity"
)

# URL indicator; spec_version/type are spelled out explicitly although the
# v21 Indicator class would supply the same values.
indicator = Indicator(
    type="indicator",
    spec_version="2.1",
    id="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
    created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
    created="2017-02-27T13:57:10.515Z",
    modified="2017-02-27T13:57:10.515Z",
    valid_from="2015-06-29T09:10:15.915Z",
    name="Malicious URL",
    description="This URL is potentially associated with malicious activity and is listed on several blacklist sites.",
    indicator_types=["malicious-activity"],
    pattern_type="stix",
    pattern="[url:value = 'http://paypa1.banking.com']",
)

sighting = Sighting(
    id="sighting--8356e820-8080-4692-aa91-ecbe94006833",
    created_by_ref="identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
    created="2017-02-28T19:37:11.213Z",
    modified="2017-02-28T19:37:11.213Z",
    first_seen="2017-02-27T21:37:11.213Z",
    last_seen="2017-02-27T21:37:11.214Z",
    count=1,
        filenames = list(set([a.strip() for a in f.read().split()]))

    with open("processes.txt") as f:
        processes = list(set([a.strip() for a in f.read().split()]))

    with open("emails.txt") as f:
        emails = list(set([a.strip() for a in f.read().split()]))

    res = []
    malware = Malware(name="Pegasus",
                      is_family=False,
                      description="IOCs for Pegasus")
    res.append(malware)
    for d in domains:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[domain-name:value='{}']".format(d),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    for p in processes:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[process:name='{}']".format(p),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    for f in filenames:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[file:name='{}']".format(f),
                      pattern_type="stix")
    aliases=["Joe Kerr", "The Clown Prince of Crime"],
    roles=["director"],
    resource_level="team",
    primary_motivation="personal-satisfaction",
    object_marking_refs=[TLP_RED],
    spec_version="2.1",
    type="threat-actor")

# Email-sender indicator with per-property (granular) markings; the regex is
# double-escaped because it travels inside a Python string and a STIX pattern.
indicator = Indicator(
    type="indicator",
    spec_version="2.1",
    id="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    valid_from="2017-04-27T16:18:24.318Z",
    name="Fake email address",
    description="Known to be used by The Joker.",
    indicator_types=["malicious-activity", "attribution"],
    pattern_type="stix",
    pattern="[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']",
    granular_markings=[granular_red, granular_amber, granular_green],
)

rel = Relationship(
    id="relationship--3d1dd3cc-eb47-4704-9c77-ceff2971b95c",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    relationship_type='indicates',
    source_ref="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    target_ref="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
from stix2.v21 import (Indicator, KillChainPhase, Malware, Relationship,
                       Bundle)

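# URL indicator for the downloader site.
indicator = Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    valid_from="2014-06-29T13:49:37.079000Z",
    name="Malicious site hosting downloader",
    description="This organized threat actor group operates to create profit from all types of crime.",
    indicator_types=["malicious-activity"],
    pattern_type="stix",
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
)

# Kill-chain phase the malware is associated with.
foothold = KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold",
)

# is_family is a boolean property; pass a real bool rather than the string
# "false" (the library coerces the string, but the literal was misleading).
malware = Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    malware_types=["backdoor", "remote-access-trojan"],
    kill_chain_phases=[foothold],
    is_family=False,
)

# Indicator --indicates--> Malware.
relationship = Relationship(indicator, "indicates", malware)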
    with open('appid.yaml') as f:
        r = yaml.load(f, Loader=yaml.BaseLoader)
        for entry in r:
            app = entry['name'].lower()
            indicators_by_name[app]['appids'].add(entry['package'])

    res = []
    for app_name, entries in indicators_by_name.items():
        malware = Malware(name=app_name,
                          is_family=False,
                          description="Stalkerware applications")
        res.append(malware)
        for d in entries['domains']:
            i = Indicator(indicator_types=["malicious-activity"],
                          pattern="[domain-name:value='{}']".format(d),
                          pattern_type="stix")
            res.append(i)
            res.append(Relationship(i, 'indicates', malware))

        for h in entries['sha256']:
            i = Indicator(indicator_types=["malicious-activity"],
                          pattern="[file:hashes.sha256='{}']".format(h),
                          pattern_type="stix")
            res.append(i)
            res.append(Relationship(i, 'indicates', malware))

        for a in entries['appids']:
            i = Indicator(indicator_types=["malicious-activity"],
                          pattern="[app:id='{}']".format(a),
                          pattern_type="stix")
from stix2.v21 import (Indicator, Malware, Relationship, Bundle)

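# File-hash indicator; the quoted 'SHA-256' key is required in STIX patterns
# because the hash name contains a hyphen.
indicator = Indicator(
    id="indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    valid_from="2014-02-20T09:00:00.000000Z",
    name="File hash for Poison Ivy variant",
    description="This file hash indicates that a sample of Poison Ivy is present.",
    indicator_types=["malicious-activity"],
    pattern_type="stix",
    pattern="[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
)

# is_family is a boolean property; pass a real bool rather than the string
# "false" (the library coerces the string, but the literal was misleading).
malware = Malware(
    id="malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    name="Poison Ivy",
    malware_types=["remote-access-trojan"],
    is_family=False,
)

# Indicator --indicates--> Malware, then everything packaged in one bundle.
relationship = Relationship(indicator, "indicates", malware)

bundle = Bundle(objects=[indicator, malware, relationship])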