    def generate_indicators(self, count):
        '''Build ``count`` synthetic STIX Indicators.

        Each indicator carries a fixed placeholder title and descriptions,
        a producer identity named "Secret Source", a ``produced_time`` taken
        from ``datetime.today()`` (naive local time), a randomly chosen
        indicator type, confidence value and LMCO kill-chain phase, and
        zero to five IP observables obtained from ``self.gen_ips``.  Every
        varying value comes from ``random.choice``/``random.randint`` or a
        literal placeholder string, so the result is fixture data rather
        than real intelligence.

        :param count: number of indicators to build; zero or a negative
            value yields an empty list.
        :return: list of ``Indicator`` objects in creation order.
        '''
        def build_one():
            ind = Indicator(title='Multiple indicator types')
            ind.set_producer_identity(Identity(name='Secret Source'))
            ind.set_produced_time(datetime.today())
            ind.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration']))
            ind.add_short_description('Short description...')
            ind.add_description('Long description...')
            ind.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown']))
            # The kill-chain phase is referenced by name only: no phase_id
            # or kill_chain_id is attached to the reference.
            phase = choice(LMCO_KILL_CHAIN_PHASES)
            ind.kill_chain_phases = KillChainPhasesReference(
                [KillChainPhaseReference(name=phase.name)])
            # Only IP-address observables are attached to each indicator.
            for address in self.gen_ips(randint(0, 5)):
                ind.add_observable(address)
            return ind

        return [build_one() for _ in range(count)]
def main():
    '''Build a STIX package holding two kill chains and print it as XML.

    The package gets the seven-phase LM Cyber Kill Chain (using the fixed
    STIX TTP ids from the LMCO kill-chain reference document), a two-phase
    organisation-specific chain, an empty TTP, and a single Indicator that
    references one phase of each chain by ``phase_id`` and
    ``kill_chain_id``.  The serialised package is written to stdout.
    '''
    package = STIXPackage()

    # LM-style kill chain with the canonical phase and chain ids.
    # REF: http://stix.mitre.org/language/version{{site.current_version}}/stix_v{{site.current_version}}_lmco_killchain.xml
    lmco_phase_specs = (
        ("stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a", "Reconnaissance"),
        ("stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16", "Weaponization"),
        ("stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d", "Delivery"),
        ("stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0", "Exploitation"),
        ("stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", "Installation"),
        ("stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2", "Command and Control"),
        ("stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6", "Actions on Objectives"),
    )
    # Ordinality is the 1-based position in the chain, passed as a string.
    lmco_phases = [
        KillChainPhase(phase_id=phase_id, name=name, ordinality=str(position))
        for position, (phase_id, name) in enumerate(lmco_phase_specs, start=1)
    ]
    action = lmco_phases[-1]

    lmchain = KillChain(id_="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", name="LM Cyber Kill Chain")
    lmchain.definer = "LMCO"
    lmchain.kill_chain_phases = lmco_phases
    package.ttps.kill_chains.append(lmchain)

    # Organisation-specific chain.  No explicit ids are given here;
    # exfil.phase_id and mychain.id_ are read back below when the
    # indicator reference is built.
    infect = KillChainPhase(name="Infect Machine")
    exfil = KillChainPhase(name="Exfiltrate Data")
    mychain = KillChain(name="Organization-specific Kill Chain")
    mychain.definer = "Myself"
    mychain.kill_chain_phases = [infect, exfil]

    # NOTE(review): an empty TTP() is added before the second chain; its
    # purpose is not stated here — confirm it is intended.
    package.ttps.add_ttp(TTP())
    package.ttps.kill_chains.append(mychain)

    # One indicator pointing at the last phase of each chain.
    indicator = Indicator()
    indicator.kill_chain_phases = KillChainPhasesReference([
        KillChainPhaseReference(phase_id=exfil.phase_id, kill_chain_id=mychain.id_),
        KillChainPhaseReference(phase_id=action.phase_id, kill_chain_id=lmchain.id_),
    ])
    package.add_indicator(indicator)

    # encoding=None — presumably returns a text string rather than bytes;
    # confirm against the python-stix version in use.
    print(package.to_xml(encoding=None))