Example #1
0
def main():
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    print pkg.to_xml()
Example #2
0
def add_coa_items(corrective_action_item, cost_corrective_action_item, pkg):
    coa = CourseOfAction()
    if corrective_action_item:
        coa.title = corrective_action_item
    if cost_corrective_action_item:
        cost = Statement()
        cost.value = map_cost_corrective_action_item_to_high_medium_low(cost_corrective_action_item)
        coa.cost = cost
    pkg.coa = coa
def main():
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    print(pkg.to_xml(encoding=None))
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())

        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
        if obj.get_Indicators():
            return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
            
        return return_obj
def _dostix(hashes):
    '''This function creates a STIX packages containing hashes.'''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"

        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']

        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'],
                    timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(idref=SETTINGS['suggested_coa'],
                               timestamp=indicator.timestamp))
        except KeyError:
            pass

        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except TypeError:
                pass
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError:
        pass
Example #6
0
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp
        return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)

        if obj.version:
            return_obj.version = obj.version
        if obj.Campaigns:
            return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
        if obj.Courses_Of_Action:
            return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
        if obj.Exploit_Targets:
            return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
        if obj.Indicators:
            return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
        if obj.Observables:
            return_obj.observables = Observables.from_obj(obj.Observables)
        if obj.Incidents:
            return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
        if obj.Threat_Actors:
            return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
        if obj.TTPs:
            return_obj.ttps = TTPs.from_obj(obj.TTPs)
            
        return return_obj
Example #7
0
def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response."""
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if data:
        try:
            from stix.utils import set_id_namespace
            namespace = {NS: NS_PREFIX}
            set_id_namespace(namespace)
        except ImportError:
            from mixbox.idgen import set_id_namespace
            from mixbox.namespaces import Namespace
            namespace = Namespace(NS, NS_PREFIX, "")
            set_id_namespace(namespace)

        pkg = STIXPackage()
        pkg.stix_header = STIXHeader()
        pkg = STIXPackage()
        pkg.stix_header = STIXHeader()

        pkg.stix_header.handling = _marking()

        # Define the exploit target
        expt = ExploitTarget()
        expt.title = data['id']
        expt.description = data['summary']
        expt.information_source = InformationSource(identity=Identity(
            name="National Vulnerability Database"))

        # Add the vulnerability object to the package object
        expt.add_vulnerability(_vulnbuild(data))

        # Add the COA object to the ET object
        for coa in COAS:
            expt.potential_coas.append(
                CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))

        # Do some TTP stuff with CAPEC objects
        if TTPON is True:
            try:
                for i in data['capec']:
                    pkg.add_ttp(_buildttp(i, expt))
            except KeyError:
                pass

        expt.add_weakness(_weakbuild(data))

        # Add the exploit target to the package object
        pkg.add_exploit_target(expt)

        xml = pkg.to_xml()
        title = pkg.id_.split(':', 1)[-1]
        # If the function is not imported then output the xml to a file.
        if __name__ == '__main__':
            _postconstruct(xml, title)
        return xml
    else:
        sys.exit("[-] Error retrieving details for " + var)
Example #8
0
def convert_report(r20):
    r1x = Report(id_=convert_id20(r20["id"]),
                 timestamp=text_type(r20["modified"]))
    r1x.header = Header()
    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])
    intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
                                                       REPORT_LABELS_MAP)
    for i in intents:
        r1x.header.add_intent(i)
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published",
                                            r20["published"])
    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type == "attack-pattern":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "campaign":
            r1x.add_campaign(Campaign(idref=ref1x))
        elif ref_type == 'course-of-action':
            r1x.add_course_of_action(CourseOfAction(idref=ref1x))
        elif ref_type == "indicator":
            r1x.add_indicator(Indicator(idref=ref1x))
        elif ref_type == "observed-data":
            r1x.add_observable(Observable(idref=ref1x))
        elif ref_type == "malware":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "threat-actor":
            r1x.add_threat_actor(ThreatActor(idref=ref1x))
        elif ref_type == "tool":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "vulnerability":
            r1x.add_exploit_target(ExploitTarget(idref=ref1x))
        elif ref_type == "identity" or ref_type == "relationship":
            warn("%s in %s is not explicitly a member of a STIX 1.x report",
                 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x", 612, ref,
                 r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])
    if "object_marking_refs" in r20:
        for m_id in r20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(r1x, ms, descendants=True)
    if "granular_markings" in r20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, r20["id"])
    return r1x
Example #9
0
 def from_dict(cls, d, return_obj=None):
     if not d:
         return None
     if not return_obj:
         return_obj = cls()
         
     return_obj.time = COATime.from_dict(d.get('time'))
     return_obj.contributors = Contributors.from_dict(d.get('contributors'))
     return_obj.course_of_action = CourseOfAction.from_dict(d.get('course_of_action'))
     
     return return_obj
Example #10
0
 def from_obj(cls, obj, return_obj=None):
     if not obj:
         return None
     if not return_obj:
         return_obj = cls()
         
     return_obj.time = COATime.from_obj(obj.Time)
     return_obj.contributors = Contributors.from_obj(obj.Contributors)
     return_obj.course_of_action = CourseOfAction.from_obj(obj.Course_Of_Action)
     
     return return_obj
Example #11
0
 def from_obj(cls, obj, return_obj=None):
     if not obj:
         return None
     if not return_obj:
         return_obj = cls()
         
     return_obj.time = COATime.from_obj(obj.Time)
     return_obj.contributors = Contributors.from_obj(obj.Contributors)
     return_obj.course_of_action = CourseOfAction.from_obj(obj.Course_Of_Action)
     
     return return_obj
Example #12
0
 def from_dict(cls, d, return_obj=None):
     if not d:
         return None
     if not return_obj:
         return_obj = cls()
         
     return_obj.time = COATime.from_dict(d.get('time'))
     return_obj.contributors = Contributors.from_dict(d.get('contributors'))
     return_obj.course_of_action = CourseOfAction.from_dict(d.get('course_of_action'))
     
     return return_obj
Example #13
0
def buildCoa(input_dict):
    # add incident and confidence
    coa = CourseOfAction()
    coa.title = input_dict['title']
    coa.description = input_dict['description']
    if input_dict['stage']:
        coa.stage = input_dict['stage']
    if input_dict['type']:
        coa.type = input_dict['type']
    if input_dict['objective']:
        coa.objective = Objective(input_dict['objective'])
    if input_dict['impact']:
        coa.impact = input_dict['impact']
    if input_dict['cost']:
        coa.cost = input_dict['cost']
    if input_dict['efficacy']:
        coa.efficacy = input_dict['efficacy']
    if input_dict['informationSource']:
        coa.information_source = InformationSource(input_dict['informationSource'])

    return coa
Example #14
0
def convert_coa(coa20):
    coa1x = CourseOfAction(id_=convert_id20(coa20["id"]),
                           timestamp=text_type(coa20["modified"]))
    if "name" in coa20:
        coa1x.title = coa20["name"]
    if "description" in coa20:
        coa1x.add_description(coa20["description"])
    if "labels" in coa20:
        coa_types = convert_open_vocabs_to_controlled_vocabs(
            coa20["labels"], COA_LABEL_MAP)
        coa1x.type_ = coa_types[0]
        for l in coa_types[1:]:
            warn(
                "%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
                401, "labels", l)
    if "object_marking_refs" in coa20:
        for m_id in coa20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(coa1x, ms, descendants=True)
    if "granular_markings" in coa20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, coa20["id"])
    record_id_object_mapping(coa20["id"], coa1x)
    return coa1x
def _merge_tgts(api_object, references):
    related_objects = {}
    for ref in references:
        related_objects.setdefault(ref.ty, []).append(ref.idref)
    if getattr(api_object, 'related_exploit_targets', None) is None:
        setattr(api_object, 'related_exploit_targets', RelatedExploitTargets())
    if getattr(api_object, 'potential_coas', None) is None:
        setattr(api_object, 'potential_coas', PotentialCOAs())

    for tgt in related_objects.get('tgt', []):
        api_object.related_exploit_targets.append(ExploitTarget(idref=tgt))
    for coa in related_objects.get('coa', []):
        api_object.potential_coas.append(CourseOfAction(idref=coa))
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(
            obj.get_Related_Packages())

        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [
                Campaign.from_obj(x)
                for x in obj.get_Campaigns().get_Campaign()
            ]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [
                CourseOfAction.from_obj(x)
                for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
            ]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [
                ExploitTarget.from_obj(x)
                for x in obj.get_Exploit_Targets().get_Exploit_Target()
            ]
        if obj.get_Indicators():
            return_obj.indicators = [
                Indicator.from_obj(x)
                for x in obj.get_Indicators().get_Indicator()
            ]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(
                obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [
                Incident.from_obj(x)
                for x in obj.get_Incidents().get_Incident()
            ]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [
                ThreatActor.from_obj(x)
                for x in obj.get_Threat_Actors().get_Threat_Actor()
            ]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

        return return_obj
Example #17
0
    def from_dict(cls, dict_repr, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref = dict_repr.get('idref', None)
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)
        return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
        return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
        return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
        return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
        return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
        return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
        return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
        return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
        
        return return_obj
def main():

    fileIn = open('tor_exit_node_list.txt', 'r')
    fileOut = open('coa_tor.xml', 'w')

    #print("List of Tor Exit nodes as of 5/4/2018")
    ip_addr_list = []

    for line in fileIn:

        ip_addr = re.search(
            '(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))',
            line)
        if ip_addr:
            ip_addr_list.append(ip_addr)
            #print("    ", ip_addr.group(0))

    pkg = STIXPackage()

    coa = CourseOfAction()
    coa.title = "Block traffic to Tor exit nodes"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication to Tor exit nodes"
    obj.applicability_confidence = Confidence("High")

    i = 0
    observables_list = []
    for ip_addr in ip_addr_list:

        addr = Address(address_value=ip_addr.group(0),
                       category=Address.CAT_IPV4)
        observables_list.append(addr)
        print(i)
        i = i + 1

    coa.parameter_observables = Observables(observables_list)
    pkg.add_course_of_action(coa)
    fileOut.write(pkg.to_xml(encoding=None))
Example #19
0
# Related TTP (basic; by id)
ttp = TTP(title='Phishing')
beh = Behavior()
attack_pattern = AttackPattern()
attack_pattern.capec_id = 'CAPEC-98'
attack_pattern.description = 'Phishing'
beh.add_attack_pattern(attack_pattern)
ttp.behavior = beh
leveraged_ttps = LeveragedTTPs()
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
leveraged_ttps.append(related_ttp)
incident.leveraged_ttps = leveraged_ttps

# Related CoA (basic; by id)
coa = CourseOfAction(title='Block traffic')
related_coa = CourseOfAction(idref=coa.id_)
incident.add_coa_requested(related_coa)
incident.add_coa_taken(related_coa)

# Generate STIX Package
stix_package = STIXPackage()
stix_package.add_observable(observable)
stix_package.add_indicator(indicator)
stix_package.add_threat_actor(ta)
stix_package.add_incident(incident)
stix_package.add_incident(incident2)
stix_package.add_ttp(ttp)
stix_package.add_course_of_action(coa)

print(stix_package.to_xml().decode())
Example #20
0
    cce_id='CCE-27686-5',
    description='The Apache web server be run with the appropriate privileges.',
    short_description='Configuration Short Description')
et1.add_configuration(config)

# Exploit Target 1 - Vulnerability
vuln = Vulnerability()
vuln.cve_id = 'CVE-2018-1312'
cvss = CVSSVector()
cvss.base_score = '6.8'
cvss.base_vector = 'AV:N/AC:M/Au:N/C:P/I:P/A:P'
vuln.cvss_score = cvss
vuln.add_reference('https://nvd.nist.gov/vuln/detail/CVE-2018-1312')
et1.add_vulnerability(vuln)

# Exploit Target 1 - Potential COA
coa = CourseOfAction(title='Patch Apache httpd')
et1.potential_coas.append(CourseOfAction(idref=coa.id_))

# Exploit Target 2 - Related to Exploit Target 1
et2 = ExploitTarget(title='Apache HTTP Vulnerability - CVE-2018-1333')
et1.related_exploit_targets.append(ExploitTarget(idref=et2.id_))

# Generate STIX Package
stix_package = STIXPackage()
stix_package.add_exploit_target(et1)
stix_package.add_course_of_action(coa)
stix_package.add_exploit_target(et2)

print(stix_package.to_xml().decode())
Example #21
0
 def test_coa_idref_deprecation(self):
     package = core.STIXPackage()
     package.add(CourseOfAction(idref='test-idref-dep'))
Example #22
0
from cybox.objects.domain_name_object import DomainName
from faker import Faker
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.common.related import RelatedCOA
from stix.common.vocabs import COAStage, CourseOfActionType, HighMediumLow
from stix.core import STIXPackage
from stix.indicator import Indicator

# Generate IP Address and FQDN
fake = Faker()
ip = fake.ipv4()
domain = fake.domain_name()

# Basics
coa = CourseOfAction(
    title='Block traffic to Malicious C2 Server ({})'.format(ip))
coa.description = 'Maecenas sed diam eget risus varius blandit sit amet non magna.'
coa.short_description = 'Tristique Venenatis Tortor Mollis Vestibulum'

# Objective
obj = Objective()
obj.description = 'Block communication between the infected agents and the C2 Server'
obj.short_description = 'Block traffic'
obj.applicability_confidence = Confidence(HighMediumLow('High'))
coa.objective = obj

# Attributes
coa.impact = HighMediumLow('Medium')
coa.cost = HighMediumLow('Low')
coa.efficacy = HighMediumLow('High')
coa.stage = COAStage('Response')