def test_lockheed_martin_cyber_kill_chain():
    """str() of a Lockheed Martin 'reconnaissance' phase matches the LMCO_RECON fixture."""
    phase = stix2.KillChainPhase(
        kill_chain_name="lockheed-martin-cyber-kill-chain",
        phase_name="reconnaissance",
    )
    rendered = str(phase)
    assert rendered == LMCO_RECON
def test_kill_chain_example():
    """str() of an arbitrary ('foo' / 'pre-attack') phase matches the FOO_PRE_ATTACK fixture."""
    phase = stix2.KillChainPhase(
        kill_chain_name="foo",
        phase_name="pre-attack",
    )
    rendered = str(phase)
    assert rendered == FOO_PRE_ATTACK
def test_kill_chain_required_property_chain_name():
    """Omitting kill_chain_name raises MissingPropertiesError naming exactly that property."""
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")

    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.properties == ["kill_chain_name"]
def test_kill_chain_required_property_phase_name():
    """Omitting phase_name raises MissingPropertiesError naming exactly that property."""
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")

    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.properties == ["phase_name"]
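 def get(self):
     """Return the current selection, resolved according to ``self.flag``.

     Returns:
         * flag falsy: the text after ``": "`` for each selected item, or the
           raw ``selected_items`` unchanged if any item lacks that separator;
           ``""`` when nothing is selected.
         * flag == "killchain": one object per selected item, loaded from
           ``<getkcpfolder()>/<item>.kcp``. When that file cannot be read or
           parsed, a stix2.KillChainPhase rebuilt from the ``<chain>_<phase>``
           item name is appended instead and the user is notified.
         * any other flag: the parsed ``<getexreffolder()>/<item>.ext`` files.
     """
     if not self.flag:
         if not self.selected_items:
             return ""
         # ----hotfix for report------
         # Each entry is expected to look like "<label>: <value>"; keep the value.
         try:
             return [item.split(": ")[1] for item in self.selected_items]
         except (IndexError, AttributeError):
             # An entry without the separator (or not a str): hand back the raw selection.
             return self.selected_items

     if self.flag == "killchain":
         killchains = []
         for item in self.selected_items:
             # NOTE(review): item is joined into the folder path as-is; if a
             # selection can ever carry path separators or "..", validate the
             # name before building the path.
             path = os.path.join(getkcpfolder(), item + ".kcp")
             try:
                 # Context manager closes the handle the old json.load(open(...)) leaked.
                 with open(path) as fh:
                     killchains.append(json.load(fh))
             except (OSError, ValueError):
                 # Missing/unreadable file or invalid JSON: rebuild the phase from
                 # the "<chain>_<phase>" naming convention and tell the user.
                 parts = item.split("_")
                 killchains.append(
                     stix2.KillChainPhase(kill_chain_name=parts[0], phase_name=parts[1])
                 )
                 tk.messagebox.showinfo("Notice", item + " is not present in the filesystem.")
         return killchains

     exrefs = []
     for item in self.selected_items:
         path = os.path.join(getexreffolder(), item + ".ext")
         try:
             with open(path) as fh:
                 exrefs.append(json.load(fh))
         except (OSError, ValueError):
             # NOTE(review): preserved from the original — a failure discards
             # everything collected so far instead of skipping the one item,
             # unlike the killchain branch above; confirm this is intended.
             exrefs = []
             tk.messagebox.showinfo("Notice", item + " is not present in the filesystem.")
     return exrefs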
def test_kill_chain_required_field_chain_name():
    """Omitting kill_chain_name raises MissingFieldsError naming the field in both attrs and message."""
    with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")

    err = excinfo.value
    expected_msg = "Missing required field(s) for KillChainPhase: (kill_chain_name)."
    assert err.cls == stix2.KillChainPhase
    assert err.fields == ["kill_chain_name"]
    assert str(err) == expected_msg
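def stix2killchain(obj):
    """Convert *obj*'s kill-chain phases into de-duplicated stix2.KillChainPhase objects.

    Args:
        obj: an object whose ``kill_chain_phases.all()`` yields items exposing
            ``kill_chain_name`` and ``phase_name`` attributes.

    Returns:
        list of stix2.KillChainPhase in first-seen order, with duplicates (as
        judged by KillChainPhase equality) dropped.
    """
    kcps = []
    for phase in obj.kill_chain_phases.all():
        kcp = stix2.KillChainPhase(
            kill_chain_name=phase.kill_chain_name,
            phase_name=phase.phase_name,
        )
        # Linear membership test keeps insertion order; the list is expected to
        # be short (one kill chain per object), so O(n^2) is acceptable here.
        if kcp not in kcps:
            kcps.append(kcp)
    return kcps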
def test_kill_chain_required_field_phase_name():
    """Omitting phase_name raises MissingFieldsError naming the field in both attrs and message."""
    with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")

    err = excinfo.value
    expected_msg = "Missing required field(s) for KillChainPhase: (phase_name)."
    assert err.cls == stix2.KillChainPhase
    assert err.fields == ["phase_name"]
    assert str(err) == expected_msg
    name="Adversary Bravo",
    description=
    "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.",
    labels=["spy", "criminal"])

# Identity for the same "Adversary Bravo" actor, with a fixed id/timestamps so
# the example output is reproducible.
identity = stix2.Identity(
    id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111",
    created="2015-05-10T16:27:17.760Z",
    modified="2015-05-10T16:27:17.760Z",
    name="Adversary Bravo",
    description="Adversary Bravo is a threat actor that utilizes phishing attacks.",
    identity_class="unknown",
)

# Kill-chain phase attached to the malware below (Mandiant attack lifecycle model).
init_comp = stix2.KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="initial-compromise",
)

malware = stix2.Malware(
    id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
    created="2015-04-23T11:12:34.760Z",
    modified="2015-04-23T11:12:34.760Z",
    name="Poison Ivy Variant d1c6",
    labels=["remote-access-trojan"],
    kill_chain_phases=[init_comp],
)

# External reference pointing at the CAPEC entry for phishing.
ref = stix2.ExternalReference(
    source_name="capec",
    description="phishing",
    url="https://capec.mitre.org/data/definitions/98.html",
    external_id="CAPEC-98",
)
import stix2

# Indicator for the URL that hosts the downloader; fixed id/timestamps keep the
# example output reproducible.
indicator = stix2.Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    name="Malicious site hosting downloader",
    description="This organized threat actor group operates to create profit from all types of crime.",
    labels=["malicious-activity"],
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    valid_from="2014-06-29T13:49:37.079000Z",
)

# Kill-chain phase attached to the malware below (Mandiant attack lifecycle model).
foothold = stix2.KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold",
)

malware = stix2.Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    labels=["backdoor", "remote-access-trojan"],
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold],
)

# indicator --indicates--> malware, then everything goes into one bundle.
relationship = stix2.Relationship(indicator, 'indicates', malware)

bundle = stix2.Bundle(objects=[indicator, malware, relationship])
def test_kill_chain_required_field_phase_name():
    """Omitting phase_name raises ValueError whose message names the missing field."""
    with pytest.raises(ValueError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")

    expected_msg = "Missing required field(s) for KillChainPhase: (phase_name)."
    assert str(excinfo.value) == expected_msg
def test_kill_chain_required_field_chain_name():
    """Omitting kill_chain_name raises ValueError whose message names the missing field."""
    with pytest.raises(ValueError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")

    expected_msg = "Missing required field(s) for KillChainPhase: (kill_chain_name)."
    assert str(excinfo.value) == expected_msg
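    def widgets(self):
        """Build the Kill Chain Phase form and the workspace list.

        Places the two labelled entries (kill chain name, phase name) in
        ``self.frame`` and, in ``self.btframe``, the header label, the listbox
        of existing phases (filled by ``self.getlist()``) and the Create/Delete
        buttons wired to ``_create_phase`` / ``_delete_phase``.
        """
        entry_font = ("OpenSans", 12)

        self.killchainlabel = tk.Label(self.frame, text="Kill Chain Name:", font=entry_font)
        self.killchainlabel.grid(row=0, column=0, padx=5, pady=5, sticky=tk.E)

        self.killchaintext = tk.Entry(self.frame, font=entry_font)
        self.killchaintext.grid(row=0, column=1, padx=5, pady=5)
        self.killchaintext.bind('<KeyPress>', lambda event: self.keyPress(event))

        self.phaselabel = tk.Label(self.frame, text="Phase Name:", font=entry_font)
        self.phaselabel.grid(row=1, column=0, padx=5, pady=5, sticky=tk.E)

        self.phasetext = tk.Entry(self.frame, font=entry_font)
        self.phasetext.grid(row=1, column=1, padx=5, pady=5)
        # Bind the phase entry, not the kill-chain entry a second time: the
        # original re-bound killchaintext here, leaving phasetext without a handler.
        self.phasetext.bind('<KeyPress>', lambda event: self.keyPress(event))

        self.label = tk.Label(
            self.btframe,
            font=("OpenSans", 8, "bold"),
            text="Existing Kill Chain Phase into workspace:",
            bg="black",
            fg="white",
        )
        self.label.pack(fill=tk.X, padx=10)

        self.listview = tk.Listbox(self.btframe, font=("OpenSans", 10, "bold"), height=5)
        self.listview.pack(fill=tk.X, expand=True, padx=10)

        self.getlist()

        self.addbutton = tk.Button(
            self.btframe,
            text="Create",
            font=entry_font,
            fg="white",
            bg="#03AC13",
            command=self._create_phase,
        )
        self.addbutton.pack(side=tk.LEFT, fill=tk.X, expand=True, padx=5, pady=5)

        self.cancelbutton = tk.Button(
            self.btframe,
            text="Delete",
            font=entry_font,
            fg="white",
            bg="#FF3B30",
            command=self._delete_phase,
        )
        self.cancelbutton.pack(side=tk.LEFT, fill=tk.X, expand=True, padx=5, pady=5)

    def _create_phase(self):
        """Create-button handler: persist the entered phase, refresh the list, clear the form.

        Shows an error dialog and does nothing else when either entry is empty.
        """
        chain_name = self.killchaintext.get()
        phase_name = self.phasetext.get()
        if chain_name == "" or phase_name == "":
            tk.messagebox.showerror("Error", "Input fields cannot be empty!", parent=self)
            return

        # The stored name is "<chain>_<phase>"; both values come straight from
        # the entries. NOTE(review): killchainphasetofile is assumed to validate
        # the name before using it as a file name — confirm, since an "_" in
        # the chain name would also break a later split on "_".
        killchainphasetofile(
            chain_name + "_" + phase_name,
            stix2.KillChainPhase(kill_chain_name=chain_name, phase_name=phase_name),
        )
        self.getlist()
        tk.messagebox.showinfo("Success", "Kill Chain Phase created successfully!", parent=self)
        self.killchaintext.delete(0, tk.END)
        self.phasetext.delete(0, tk.END)

    def _delete_phase(self):
        """Delete-button handler: remove the highlighted phase and refresh the list.

        A no-op when nothing is highlighted in the listbox.
        """
        selected = self.listview.get(tk.ACTIVE)
        if selected == "":
            return
        killchainphasedelete(selected, self)
        self.getlist()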