def createDNSObs(self, DNSOBJ):
    """Convert Cuckoo domain-resolution entries into STIX objects.

    Each entry in ``DNSOBJ`` is expected to expose ``.domain`` and ``.ip``.
    For every entry an ``IPv4Address`` and a ``DomainName`` observable are
    created and tied together with a ``resolves-to`` relationship.  When
    ``self.CreateIndicator`` is truthy, an ``Indicator`` for the FQDN and
    one for the IPv4 address are added as well, ahead of the observables.

    The domain/IP strings come straight out of the sandbox report, i.e.
    they are attacker-influenced.  This method relies on
    ``self.getStixPattern`` to escape quotes and backslashes before the
    value is embedded in a STIX pattern — TODO confirm that it does.

    Returns a two-element list: ``[objects, relationships]`` where
    ``objects`` holds indicators (optional) and observables and
    ``relationships`` holds one ``resolves-to`` SRO per entry.
    """
    objects = []
    relationships = []
    for entry in DNSOBJ:
        entry: cuckooReportDomain
        address = IPv4Address(value=entry.ip)
        # resolves_to_refs is deliberately not set on the DomainName; the
        # resolution is expressed as an explicit relationship instead.
        # ref https://github.com/OpenCTI-Platform/client-python/issues/155
        domain = DomainName(value=entry.domain)
        link = Relationship(
            source_ref=domain.id,
            target_ref=address.id,
            relationship_type="resolves-to",
            allow_custom=True,
        )
        if self.CreateIndicator:
            # FQDN indicator first, then the IPv4 one (order is preserved
            # in the returned list).
            for value, kind in ((entry.domain, "FQDN"), (entry.ip, "ipv4")):
                objects.append(
                    Indicator(
                        name=value,
                        pattern=self.getStixPattern(value, kind),
                        pattern_type="stix",
                    )
                )
        objects.extend((address, domain))
        relationships.append(link)
    return [objects, relationships]
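def createBinarieObs(self, objects):
    """Build STIX ``File`` observables (and optional indicators) for dropped payloads.

    Args:
        objects: iterable of Cuckoo payload records (``cuckooPayload``)
            exposing ``md5``, ``sha1``, ``sha256``, ``sha512``, ``ssdeep``,
            ``size``, ``name`` and ``type``.

    Returns:
        A flat list containing, per payload, one ``File`` observable and —
        when ``self.CreateIndicator`` is truthy — one ``Indicator`` whose
        pattern is produced by ``self.getStixPattern(sha256, "sha256")``.

    Notes:
        File names and hashes originate from the sandbox report and are
        therefore attacker-influenced; this method assumes
        ``self.getStixPattern`` escapes the value before embedding it in a
        pattern — TODO confirm.
    """
    iocs = []
    for file in objects:
        file: cuckooPayload
        # Hex digests are case-insensitive, so they are normalised to upper
        # case as before.  Digests that are missing (None/empty) are simply
        # left out instead of crashing on ``.upper()``.
        hashes = {
            key: digest.upper()
            for key, digest in (
                ("MD5", file.md5),
                ("SHA-1", file.sha1),
                ("SHA-256", file.sha256),
                ("SHA-512", file.sha512),
            )
            if digest
        }
        # ssdeep digests are base64-encoded and case-sensitive: upper-casing
        # them (as the previous version did) corrupts the value and breaks
        # any later fuzzy-hash comparison.  Keep it verbatim.
        if file.ssdeep:
            hashes["SSDEEP"] = file.ssdeep
        # NOTE(review): ``file.type`` is passed as mime_type; in Cuckoo
        # reports ``type`` is usually the libmagic description while the
        # MIME type lives in a separate field — confirm against the report.
        iocs.append(
            File(hashes=hashes, size=file.size, name=file.name, mime_type=file.type)
        )
        if self.CreateIndicator:
            STIXPattern = self.getStixPattern(file.sha256.upper(), "sha256")
            fileind = Indicator(name=file.name, pattern=STIXPattern, pattern_type="stix")
            iocs.append(fileind)
    return iocs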
def rel_mem_store():
    """Yield a ``MemoryStore`` seeded with a small, fully linked object graph.

    The store holds one Campaign, Identity, Indicator and Malware plus three
    relationships — indicator *indicates* malware, malware *targets*
    identity, campaign *uses* malware — all created with the fixed ids from
    the module-level ``*_ID`` / ``*_KWARGS`` / ``RELATIONSHIP_IDS``
    constants so tests can look them up deterministically.
    """
    campaign = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
    identity = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
    indicator = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
    malware = Malware(id=MALWARE_ID, **MALWARE_KWARGS)

    # (source, relationship type, target) in the same order as the ids.
    edge_specs = (
        (indicator, 'indicates', malware),
        (malware, 'targets', identity),
        (campaign, 'uses', malware),
    )
    edges = [
        Relationship(src, kind, dst, id=RELATIONSHIP_IDS[pos])
        for pos, (src, kind, dst) in enumerate(edge_specs)
    ]

    yield MemoryStore([campaign, identity, indicator, malware, *edges])
def createIPObs(self, hosts):
    """Build ``IPv4Address`` observables for the hosts a sample contacted.

    Args:
        hosts: iterable of Cuckoo host records (``cuckooReportHost``)
            exposing ``.ip``.

    Returns:
        A flat list with one ``IPv4Address`` per host, each followed by an
        ``Indicator`` (pattern from ``self.getStixPattern(ip, "ipv4")``)
        when ``self.CreateIndicator`` is truthy.

    The addresses are taken from the sandbox report, so they are
    attacker-influenced; escaping for the STIX pattern is assumed to happen
    inside ``self.getStixPattern`` — TODO confirm.
    """
    observables = []
    for entry in hosts:
        entry: cuckooReportHost
        observables.append(IPv4Address(value=entry.ip))
        if not self.CreateIndicator:
            continue
        pattern = self.getStixPattern(entry.ip, "ipv4")
        observables.append(
            Indicator(name=entry.ip, pattern=pattern, pattern_type="stix")
        )
    return observables
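def createPrimaryBinary(self, file: cuckooTarget, external_references):
    """Build the STIX objects describing the analysed sample itself.

    Args:
        file: the Cuckoo target record, exposing ``md5``, ``sha1``,
            ``sha256``, ``sha512``, ``ssdeep``, ``name``, ``type`` and
            (optionally) ``size``.
        external_references: external references attached to the indicator.

    Returns:
        ``[File, Indicator, Relationship]`` — the ``File`` observable, an
        ``Indicator`` whose pattern comes from
        ``self.getStixPattern(sha256, "sha256")`` and a ``based-on``
        relationship from the file to the indicator.

    Notes:
        The sample name and hashes are attacker-influenced report data;
        this method assumes ``self.getStixPattern`` escapes the value
        before embedding it in a pattern — TODO confirm.
    """
    # Hex digests are case-insensitive and are normalised to upper case as
    # before; missing digests are skipped rather than crashing on .upper().
    hashes = {
        key: digest.upper()
        for key, digest in (
            ("MD5", file.md5),
            ("SHA-1", file.sha1),
            ("SHA-256", file.sha256),
            ("SHA-512", file.sha512),
        )
        if digest
    }
    # ssdeep digests are base64-encoded and case-sensitive; the previous
    # version upper-cased them, which corrupts the value.  Keep it verbatim.
    if file.ssdeep:
        hashes["SSDEEP"] = file.ssdeep

    # NOTE(review): createBinarieObs upper-cases the sha256 before building
    # its pattern while this one passes it through unchanged — confirm which
    # form the downstream matcher expects and align the two.
    STIXPattern = self.getStixPattern(file.sha256, "sha256")

    # Some targets carry no usable size; fall back to 0 explicitly instead
    # of swallowing every exception with a bare ``except``.
    size = getattr(file, "size", None) or 0

    # NOTE(review): ``file.type`` is passed as mime_type; in Cuckoo reports
    # ``type`` is usually the libmagic description — confirm.
    Filex = File(
        hashes=hashes,
        size=size,
        name=file.name,
        mime_type=file.type,
    )
    ind = Indicator(
        name=file.name,
        pattern=STIXPattern,
        pattern_type="stix",
        external_references=external_references,
    )
    # NOTE(review): OpenCTI models ``based-on`` as Indicator -> observable;
    # here the File is the source and the Indicator the target.  Kept as-is
    # (allow_custom=True lets it through) — confirm ingestion accepts this
    # direction before relying on the link.
    rel = Relationship(
        source_ref=Filex.id,
        relationship_type="based-on",
        target_ref=ind.id,
        allow_custom=True,
    )
    return [Filex, ind, rel]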
contact_information="*****@*****.**", identity_class="organization", sectors=["defence"]) marking_def_amber = MarkingDefinition( id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", created="2017-01-20T00:00:00.000Z", definition_type="tlp", definition={"tlp": "amber"}) marking_def_statement = MarkingDefinition( id="marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f", created="2017-04-14T13:07:49.812Z", definition_type="statement", definition=StatementMarking("Copyright (c) Stark Industries 2017.")) indicator = Indicator( id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d", created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z", created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc", name="Known malicious IP Address", indicator_types=["malicious-activity"], pattern="[ipv4-addr:value = '10.0.0.0']", pattern_type="stix", valid_from="2017-04-14T13:07:49.812Z", object_marking_refs=[marking_def_amber, marking_def_statement]) bundle = Bundle( objects=[identity, indicator, marking_def_amber, marking_def_statement])
name="Beta Cyber Intelligence Company", identity_class="organization", contact_information="*****@*****.**", roles=["Cyber Security"], sectors=["technology"], spec_version="2.1", type="identity" ) indicator = Indicator( id="indicator--9299f726-ce06-492e-8472-2b52ccb53191", created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e", created="2017-02-27T13:57:10.515Z", modified="2017-02-27T13:57:10.515Z", name="Malicious URL", description="This URL is potentially associated with malicious activity and is listed on several blacklist sites.", indicator_types=["malicious-activity"], pattern="[url:value = 'http://paypa1.banking.com']", pattern_type="stix", valid_from="2015-06-29T09:10:15.915Z", spec_version="2.1", type="indicator" ) sighting = Sighting( id="sighting--8356e820-8080-4692-aa91-ecbe94006833", created_by_ref="identity--5206ba14-478f-4b0b-9a48-395f690c20a2", created="2017-02-28T19:37:11.213Z", modified="2017-02-28T19:37:11.213Z", first_seen="2017-02-27T21:37:11.213Z", last_seen="2017-02-27T21:37:11.214Z", count=1,
filenames = list(set([a.strip() for a in f.read().split()])) with open("processes.txt") as f: processes = list(set([a.strip() for a in f.read().split()])) with open("emails.txt") as f: emails = list(set([a.strip() for a in f.read().split()])) res = [] malware = Malware(name="Pegasus", is_family=False, description="IOCs for Pegasus") res.append(malware) for d in domains: i = Indicator(indicator_types=["malicious-activity"], pattern="[domain-name:value='{}']".format(d), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for p in processes: i = Indicator(indicator_types=["malicious-activity"], pattern="[process:name='{}']".format(p), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for f in filenames: i = Indicator(indicator_types=["malicious-activity"], pattern="[file:name='{}']".format(f), pattern_type="stix")
aliases=["Joe Kerr", "The Clown Prince of Crime"], roles=["director"], resource_level="team", primary_motivation="personal-satisfaction", object_marking_refs=[TLP_RED], spec_version="2.1", type="threat-actor") indicator = Indicator( id="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1", created="2017-04-27T16:18:24.318Z", modified="2017-04-27T16:18:24.318Z", created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca", name="Fake email address", description="Known to be used by The Joker.", indicator_types=["malicious-activity", "attribution"], pattern= "[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']", pattern_type="stix", valid_from="2017-04-27T16:18:24.318Z", granular_markings=[granular_red, granular_amber, granular_green], spec_version="2.1", type="indicator") rel = Relationship( id="relationship--3d1dd3cc-eb47-4704-9c77-ceff2971b95c", created="2017-04-27T16:18:24.318Z", modified="2017-04-27T16:18:24.318Z", relationship_type='indicates', source_ref="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1", target_ref="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
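# Example: a STIX 2.1 Indicator tied to the Malware it indicates, with the
# malware placed on a kill-chain phase.
from stix2.v21 import (Indicator, KillChainPhase, Malware, Relationship, Bundle)

# URL pattern for the site serving the downloader.
indicator = Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    name="Malicious site hosting downloader",
    # NOTE(review): this text reads like a threat-actor description rather
    # than one for a URL indicator; left verbatim since it is a data value.
    description="This organized threat actor group operates to create profit from all types of crime.",
    indicator_types=["malicious-activity"],
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    pattern_type="stix",
    valid_from="2014-06-29T13:49:37.079000Z",
)

# Phase of the Mandiant attack lifecycle the malware is associated with.
foothold = KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold",
)

malware = Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    malware_types=["backdoor", "remote-access-trojan"],
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold],
    # is_family is a boolean property: pass a real bool rather than the
    # string "false".  stix2 tolerates the string form, so the stored value
    # is unchanged, but a bool is unambiguous and cannot be mistyped.
    is_family=False,
)

# SRO: the indicator indicates the presence of the malware.
relationship = Relationship(indicator, 'indicates', malware)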
with open('appid.yaml') as f: r = yaml.load(f, Loader=yaml.BaseLoader) for entry in r: app = entry['name'].lower() indicators_by_name[app]['appids'].add(entry['package']) res = [] for app_name, entries in indicators_by_name.items(): malware = Malware(name=app_name, is_family=False, description="Stalkerware applications") res.append(malware) for d in entries['domains']: i = Indicator(indicator_types=["malicious-activity"], pattern="[domain-name:value='{}']".format(d), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for h in entries['sha256']: i = Indicator(indicator_types=["malicious-activity"], pattern="[file:hashes.sha256='{}']".format(h), pattern_type="stix") res.append(i) res.append(Relationship(i, 'indicates', malware)) for a in entries['appids']: i = Indicator(indicator_types=["malicious-activity"], pattern="[app:id='{}']".format(a), pattern_type="stix")
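# Example: a STIX 2.1 file-hash Indicator for a Poison Ivy sample, the
# Malware object it indicates, and a Bundle containing both plus the SRO.
from stix2.v21 import (Indicator, Malware, Relationship, Bundle)

indicator = Indicator(
    id="indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    name="File hash for Poison Ivy variant",
    description="This file hash indicates that a sample of Poison Ivy is present.",
    indicator_types=["malicious-activity"],
    # Hash keys with a hyphen ('SHA-256') must be quoted inside the pattern.
    pattern="[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
    pattern_type="stix",
    valid_from="2014-02-20T09:00:00.000000Z",
)

malware = Malware(
    id="malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    name="Poison Ivy",
    malware_types=["remote-access-trojan"],
    # is_family is a boolean property: pass a real bool rather than the
    # string "false".  stix2 tolerates the string form, so the stored value
    # is unchanged, but a bool is unambiguous and cannot be mistyped.
    is_family=False,
)

# SRO: the hash indicator indicates the Poison Ivy malware.
relationship = Relationship(indicator, 'indicates', malware)

bundle = Bundle(objects=[indicator, malware, relationship])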