def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier("*****@*****.**")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print stix_package.to_xml()
def test_ta(self):
t = ThreatActor()
t.title = UNICODE_STR
t.description = UNICODE_STR
t.short_description = UNICODE_STR
t2 = round_trip(t)
self._test_equal(t, t2)
def main():
stix_package = STIXPackage()
ttp_phishing = TTP(title="Phishing")
attack_pattern = AttackPattern()
attack_pattern.capec_id = "CAPEC-98"
attack_pattern.description = ("Phishing")
ttp_phishing.behavior = Behavior()
ttp_phishing.behavior.add_attack_pattern(attack_pattern)
ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
malware_instance = MalwareInstance()
malware_instance.add_name("Poison Ivy Variant d1c6")
malware_instance.add_type("Remote Access Trojan")
ttp_pivy.behavior = Behavior()
ttp_pivy.behavior.add_malware_instance(malware_instance)
ta_bravo = ThreatActor(title="Adversary Bravo")
ta_bravo.identity = Identity(name="Adversary Bravo")
related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern")
ta_bravo.observed_ttps.append(related_ttp_phishing)
related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware")
ta_bravo.observed_ttps.append(related_ttp_pivy)
stix_package.add_ttp(ttp_phishing)
stix_package.add_ttp(ttp_pivy)
stix_package.add_threat_actor(ta_bravo)
print(stix_package.to_xml(encoding=None))
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def generateThreatActor(attribute):
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
if obj.get_Indicators():
return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
if obj.get_Threat_Actors():
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def add_external_or_partner_actor_ttem(item, pkg):
ta = ThreatActor()
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
country_item = item.get('country')
if not country_item:
error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")
else:
for c in country_item:
address = Address()
address.country = Country()
address.country.add_name_element(c)
identity_spec.add_address(address)
ta.identity.specification = identity_spec
motive_item = item.get('motive')
if not motive_item:
error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")
else:
for m in motive_item:
motivation = Statement()
motivation.value = map_motive_item_to_motivation(m)
ta.add_motivation(motivation)
variety_item = item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")
else:
for v in variety_item:
ta_type = Statement()
ta_type.value = map_actor_variety_item_to_threat_actor_type(v)
ta.add_type(ta_type)
notes_item = item.get('notes')
if notes_item:
ta.description = "Notes: " + escape(notes_item)
pkg.add_threat_actor(ta)
def add_actor_item(actor_item, pkg):
ta = ThreatActor()
external_item = actor_item.get('external')
if external_item:
add_external_or_partner_actor_ttem(external_item, pkg)
internal_item = actor_item.get('internal')
if internal_item:
add_internal_actor_item(internal_item, pkg)
# this is a partner of the victim...
partner_item = actor_item.get('partner')
if partner_item:
add_external_or_partner_actor_ttem(partner_item, pkg)
unknown_item = actor_item.get('unknown')
if unknown_item:
notes_item = unknown_item.get('notes')
if notes_item:
ta = ThreatActor()
ta.description = "Notes:" + escape(notes_item)
pkg.add_threat_actor(ta)
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
c = Campaign()
c.attribution.append(actor)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def generateThreatActor(attribute):
ta = ThreatActor(
timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute[
"value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(
obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [
Campaign.from_obj(x) for x in obj.Campaigns.Campaign
]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.Courses_Of_Action.Course_Of_Action
]
if obj.Exploit_Targets:
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.Exploit_Targets.Exploit_Target
]
if obj.Indicators:
return_obj.indicators = [
Indicator.from_obj(x) for x in obj.Indicators.Indicator
]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [
Incident.from_obj(x) for x in obj.Incidents.Incident
]
if obj.Threat_Actors:
return_obj.threat_actors = [
ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor
]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def convert_report(r20):
r1x = Report(id_=convert_id20(r20["id"]),
timestamp=text_type(r20["modified"]))
r1x.header = Header()
if "name" in r20:
r1x.header.title = r20["name"]
if "description" in r20:
r1x.header.add_description(r20["description"])
intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
REPORT_LABELS_MAP)
for i in intents:
r1x.header.add_intent(i)
if "published" in r20:
add_missing_property_to_description(r1x.header, "published",
r20["published"])
for ref in r20["object_refs"]:
ref_type = get_type_from_id(ref)
if ref_type == "attack-pattern":
r1x.add_ttp(TTP(idref=ref))
elif ref_type == "campaign":
r1x.add_campaign(Campaign(idref=ref))
elif ref_type == 'course-of-action':
r1x.add_course_of_action(CourseOfAction(idref=ref))
elif ref_type == "indicator":
r1x.add_indicator(Indicator(idref=ref))
elif ref_type == "observed-data":
r1x.add_observable(Observable(idref=ref))
elif ref_type == "malware":
r1x.add_ttp(TTP(idref=ref))
elif ref_type == "threat-actor":
r1x.add_threat_actor(ThreatActor(idref=ref))
elif ref_type == "vulnerability":
r1x.add_exploit_target(ExploitTarget(idref=ref))
if "object_marking_refs" in r20:
for m_id in r20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(r1x, ms, descendants=True)
if "granular_markings" in r20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, r20["id"])
return r1x
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
def add_internal_actor_item(internal_item, pkg):
ta = ThreatActor()
motive_item = internal_item.get('motive')
if not motive_item:
error("Required 'motive' item is missing in 'actor/internal' item")
else:
for item in motive_item:
motivation = Statement()
motivation.value = map_motive_item_to_motivation(item)
ta.add_motivation(motivation)
# job_change added in 1.3
variety_item = internal_item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'actor/internal' item")
else:
for v in variety_item:
ta_type = Statement()
ta_type.value = ThreatActorType(ThreatActorType.TERM_INSIDER_THREAT)
ta_type.description = v
ta.add_type(ta_type)
notes_item = internal_item.get('notes')
if notes_item:
ta.description = "Notes: " + escape(notes_item)
pkg.add_threat_actor(ta)
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
observable = Observable(domain)
infrastructure.observable_characterization = Observables(
Observable(idref=observable.id_))
personas = Personas()
personas.append(Identity(name='Stephen Golub'))
resource = Resource(tools=Tools(tool),
infrastructure=infrastructure,
personas=personas)
ttp.resources = resource
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
# TTP - Related Threat Actor (basic; by id)
ta = ThreatActor(title='Adversary Bravo')
ta.observed_ttps.append(related_ttp)
# TTP - Related TTP2 (Malware; by id)
ttp2 = TTP(title='Poison Ivy Variant')
malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6')
malware_instance.description = 'Attack Pattern Description'
malware_instance.short_description = 'Attack Pattern Short Description'
malware_instance.add_type(MalwareType('Remote Access Trojan'))
maec = MAECInstance()
maec.add_name('Poison Ivy Variant v4392-acc')
maec.add_type(MalwareType('Exploit Kits'))
ttp2.behavior = Behavior()
ttp2.behavior.add_malware_instance(malware_instance)
t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution() attrib_ta.append(ThreatActor(idref=ta.id_)) campaign.attribution.append(attrib_ta) # Related Campaign (basic; by id) campaign2 = Campaign(title='Another Campaign') cassoc_campaign = CAssociatedCampaigns() cassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign2.id_))) campaign.associated_campaigns = cassoc_campaign # Related Other Objects to Campaign (by id) campaign3 = Campaign(title='Another Another Campaign') tassoc_campaign = TAssociatedCampaigns() tassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign3.id_))) ta.associated_campaigns = tassoc_campaign
def csv2stix(outFormat,inFile):
#=============
# Build package metadata
#=============
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = "TG3390"
stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
stix_package.stix_header.handling = handling
#=============
# Build package structure
#=============
ta_tg3390 = ThreatActor(title="TG3390")
ta_tg3390.identity = Identity(name="TG3390")
attack_pattern = AttackPattern()
attack_pattern.description = ("Infrastructure Building")
ttp_infrastructure = TTP(title="Infrastructure Building")
ttp_infrastructure.behavior = Behavior()
ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
ttp_infrastructure.add_intended_effect("Unauthorized Access")
infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
infra_domainInd.add_indicator_type("Domain Watchlist")
infra_domainInd.confidence = "High"
infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd.add_indicator_type("IP Watchlist")
infra_IPInd.confidence = "High"
infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd_M.add_indicator_type("IP Watchlist")
infra_IPInd_M.confidence = "Medium"
infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
httpBrowserObj = MalwareInstance()
httpBrowserObj.add_name("HTTP Browser")
ttp_httpB = TTP(title="HTTP Browser")
ttp_httpB.behavior = Behavior()
ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
ttp_httpB.add_intended_effect("Theft - Intellectual Property")
httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
httpB_hashInd.add_indicator_type("File Hash Watchlist")
httpB_hashInd.confidence = "High"
httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))
httpBrowserDropperObj = MalwareInstance()
httpBrowserDropperObj.add_name("HTTP Browser Dropper")
ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
ttp_httpBDpr.behavior = Behavior()
ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
httpBDpr_hashInd.confidence = "High"
httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))
plugXObj = MalwareInstance()
plugXObj.add_name("PlugX Dropper")
ttp_plugX = TTP(title="PlugX Dropper")
ttp_plugX.behavior = Behavior()
ttp_plugX.behavior.add_malware_instance(plugXObj)
ttp_plugX.add_intended_effect("Theft - Intellectual Property")
plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
plugX_hashInd.add_indicator_type("File Hash Watchlist")
plugX_hashInd.confidence = "High"
plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))
#=============
# Process content in to structure
#=============
ip_rules = []
ip_rules_M = []
domain_rules = []
with open(inFile, 'rb') as f:
reader = csv.reader(f)
for row in reader:
obs = row[0]
obsType = row[1]
description = row[2]
confidence = row[3]
#print obs,obsType,description,confidence
if description == 'TG-3390 infrastructure':
if obsType == 'Domain name':
domain_obj = DomainName()
domain_obj.value = obs
#domain_obj.title = description
infra_domainInd.add_object(domain_obj)
domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
domain_rules.append(domain_rule)
elif obsType == 'IP address':
ipv4_obj = Address()
ipv4_obj.category = "ipv4-addr"
ipv4_obj.address_value = obs
ipv4_obj.title = description
ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
if confidence == "High":
infra_IPInd.add_object(ipv4_obj)
ip_rules.append(obs)
else:
infra_IPInd_M.add_object(ipv4_obj)
ip_rules_M.append(obs)
else:
print "TTP Infra: obsType is wrong"
elif description == 'HttpBrowser RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpBDpr_hashInd.add_observable(file_obj)
elif description == 'HttpBrowser RAT':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpB_hashInd.add_observable(file_obj)
elif description == 'PlugX RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
plugX_hashInd.add_observable(file_obj)
else:
print "TTP not found"
#print ip_rules
ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])
ip_tm = SnortTestMechanism()
ip_tm.rules = [ip_rule]
ip_tm.efficacy = "High"
ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd.test_mechanisms = [ip_tm]
ip_M_tm = SnortTestMechanism()
ip_M_tm.rules = [ip_rule_M]
ip_M_tm.efficacy = "Medium"
ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd_M.test_mechanisms = [ip_M_tm]
domain_tm = SnortTestMechanism()
domain_tm.rules = domain_rules
domain_tm.efficacy = "High"
domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_domainInd.test_mechanisms = [domain_tm]
#=============
# Add the composed content to the structure
#=============
stix_package.add_indicator(infra_domainInd)
stix_package.add_indicator(infra_IPInd)
stix_package.add_indicator(infra_IPInd_M)
stix_package.add_indicator(httpBDpr_hashInd)
stix_package.add_indicator(httpB_hashInd)
stix_package.add_indicator(plugX_hashInd)
stix_package.add_ttp(ttp_infrastructure)
stix_package.add_ttp(ttp_httpB)
stix_package.add_ttp(ttp_httpBDpr)
stix_package.add_ttp(ttp_plugX)
"""
if outFormat =='dict':
print stix_package.to_dict()
if outFormat =='json':
parsed = stix_package.to_json()
jsonpkg = json.loads(parsed)
pprint.pprint(jsonpkg)
if outFormat =='stix':
print stix_package.to_xml()
"""
#if verbose:
#print stix_package.to_xml()
#pprint(stix_package.to_json())
return stix_package
def buildThreatActor(input_dict):
threatActor = ThreatActor()
threatActor.title = input_dict["title"]
threatActor.description = input_dict["description"]
if input_dict["identity"]:
threatActor.identity = Identity(input_dict["identity"])
if input_dict["type"]:
threatActor.add_type(input_dict["type"])
if input_dict["motivation"]:
threatActor.add_motivation(input_dict["motivation"])
if input_dict["sophistication"]:
threatActor.add_sophistication(input_dict["sophistication"])
if input_dict["intendedEffect"]:
threatActor.add_intended_effect(input_dict["intendedEffect"])
if input_dict["support"]:
threatActor.add_planning_and_operational_support(input_dict["support"])
if input_dict["confidence"]:
threatActor.confidence = Confidence(input_dict["confidence"])
if input_dict["informationSource"]:
threatActor.information_source = InformationSource(input_dict["informationSource"])
return threatActor
def convert_threat_actor(ta20):
ta1x = ThreatActor(id_=convert_id20(ta20["id"]),
timestamp=text_type(ta20["modified"]))
ta1x.title = ta20["name"]
types = convert_open_vocabs_to_controlled_vocabs(ta20["labels"],
THREAT_ACTOR_LABEL_MAP)
for t in types:
ta1x.add_type(t)
if "description" in ta20:
ta1x.add_description(ta20["description"])
if "aliases" in ta20:
add_missing_list_property_to_description(ta1x, "aliases",
ta20["aliases"])
if "roles" in ta20:
add_missing_list_property_to_description(ta1x, "roles", ta20["roles"])
if "goals" in ta20:
for g in ta20["goals"]:
ta1x.add_intended_effect(g)
if "sophistication" in ta20:
sophistications = convert_open_vocabs_to_controlled_vocabs(
[ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP)
for s in sophistications:
ta1x.add_sophistication(s)
if "resource_level" in ta20:
add_missing_list_property_to_description(ta1x, "resource_level",
ta20["resource_level"])
all_motivations = []
if "primary_motivation" in ta20:
all_motivations = [ta20["primary_motivation"]]
if "secondary_motivation" in ta20:
all_motivations.extend(ta20["secondary_motivation"])
if "personal_motivation" in ta20:
all_motivations.extend(ta20["personal_motivation"])
motivations = convert_open_vocabs_to_controlled_vocabs(
all_motivations, ATTACK_MOTIVATION_MAP)
for m in motivations:
ta1x.add_motivation(m)
if "object_marking_refs" in ta20:
for m_id in ta20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ta1x, ms, descendants=True)
if "granular_markings" in ta20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, ta20["id"])
record_id_object_mapping(ta20["id"], ta1x)
return ta1x
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
# Related Observable (by id) addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) observable = Observable(addr1) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) # Related Indicator (by id) indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) incident.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = AttributedThreatActors() related_ta = RelatedThreatActor(ThreatActor(idref=ta.id_)) attrib_ta.append(related_ta) incident.attributed_threat_actors = attrib_ta # Related Incident (basic; by id) incident2 = Incident(title='Malware outbreak') incident2.time = '2018-06-12T11:00:05.470947+00:00' related_incident = RelatedIncident(Incident(idref=incident2.id_)) incident.add_related_incidents(related_incident) # Related TTP (basic; by id) ttp = TTP(title='Phishing') beh = Behavior() attack_pattern = AttackPattern()
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
def test_ta_idref_deprecation(self):
package = core.STIXPackage()
package.add(ThreatActor(idref='test-idref-dep'))
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_="example:threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
ta.description = attribute["value"]
return ta
