def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def test_ta(self):
t = ThreatActor()
t.title = UNICODE_STR
t.description = UNICODE_STR
t.short_description = UNICODE_STR
t2 = round_trip(t)
self._test_equal(t, t2)
def test_ta(self):
t = ThreatActor()
t.title = UNICODE_STR
t.description = UNICODE_STR
t.short_description = UNICODE_STR
t2 = round_trip(t)
self._test_equal(t, t2)
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_ = "example:threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[
"uuid"]
ta.description = attribute["value"]
return ta
def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(
OrganisationName("Disco Team", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(
OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier(
"*****@*****.**")
identity_spec.add_electronic_address_identifier(
"facebook.com/thediscoteam")
identity_spec.add_electronic_address_identifier(
"twitter.com/realdiscoteam")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print(stix_package.to_xml(encoding=None))
def _get_threat_actor_object(value,
description=None,
crowd_strike_motivations=[]):
# 攻撃者情報作成
organisation_name = OrganisationName(value)
party_name = PartyName()
party_name.add_organisation_name(organisation_name)
identity_specification = STIXCIQIdentity3_0()
identity_specification.party_name = party_name
identity = CIQIdentity3_0Instance()
# ThreatActor
ta = ThreatActor()
ta.identity = identity
ta.identity.specification = identity_specification
# Title に抽出した Threat Actor 名前
ta.title = value
ta.description = description
ta.short_description = description
ta.identity = identity
# motivations 作成
for crowd_strike_motivation in crowd_strike_motivations:
ta_motivation = Statement(crowd_strike_motivation['value'])
# motivation 追加
ta.add_motivation(ta_motivation)
return ta
def main():
# Creamos el indicador con la información de la que disponemos
threatActor = ThreatActor()
threatActor.title = "Ip/Domain/Hostname"
threatActor.description = ("A threatActor commited with malicious tasks")
threatActor.information_source = ("Malshare")
threatActor.timestamp = ("01/05/2019")
threatActor.identity = ("106.113.123.197")
threatActor.types = ("eCrime Actor - Spam Service")
# Creamos el indicador con la información de la que disponemos
indicator = Indicator()
indicator.title = "Risk Score"
indicator.description = (
"An indicator containing the appropriate Risk Score")
indicator.set_produced_time("01/05/2019")
indicator.likely_impact = ("Risk Score: 2(Medium)")
# Creamos el reporte en STIX, con una brve descripción
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Feeds in STIX format with their Risk Scores"
stix_package.stix_header = stix_header
# Añadimos al reporte el indicador que hemos construido antes
stix_package.add(threatActor)
stix_package.add(indicator)
# Imprimimos el xml en pantalla
print(stix_package.to_xml())
def main():
stix_package = STIXPackage()
ta = ThreatActor()
ta.title = "Disco Team Threat Actor Group"
ta.identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.party_name = PartyName()
identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse"))
identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
identity_spec.add_language("Spanish")
address = Address()
address.country = Country()
address.country.add_name_element("United States")
address.administrative_area = AdministrativeArea()
address.administrative_area.add_name_element("California")
identity_spec.add_address(address)
identity_spec.add_electronic_address_identifier("*****@*****.**")
ta.identity.specification = identity_spec
stix_package.add_threat_actor(ta)
print stix_package.to_xml()
def generateThreatActor(attribute):
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def generate_threat_actor(attribute):
ta = ThreatActor(timestamp=attribute.timestamp)
ta.id_ = "{}:threatactor-{}".format(namespace[1], attribute.uuid)
ta.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
description = attribute.value
if attribute.comment:
description += " ({})".format(attribute.comment)
ta.description = description
return ta
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def generateThreatActor(attribute):
ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"]
ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
if attribute["comment"] != "":
ta.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
ta.description = attribute["value"]
return ta
def convert_threat_actor(ta20):
ta1x = ThreatActor(id_=convert_id20(ta20["id"]),
timestamp=text_type(ta20["modified"]))
ta1x.title = ta20["name"]
types = convert_open_vocabs_to_controlled_vocabs(ta20["labels"],
THREAT_ACTOR_LABEL_MAP)
for t in types:
ta1x.add_type(t)
if "description" in ta20:
ta1x.add_description(ta20["description"])
if "aliases" in ta20:
add_missing_list_property_to_description(ta1x, "aliases",
ta20["aliases"])
if "roles" in ta20:
add_missing_list_property_to_description(ta1x, "roles", ta20["roles"])
if "goals" in ta20:
for g in ta20["goals"]:
ta1x.add_intended_effect(g)
if "sophistication" in ta20:
sophistications = convert_open_vocabs_to_controlled_vocabs(
[ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP)
for s in sophistications:
ta1x.add_sophistication(s)
if "resource_level" in ta20:
add_missing_list_property_to_description(ta1x, "resource_level",
ta20["resource_level"])
all_motivations = []
if "primary_motivation" in ta20:
all_motivations = [ta20["primary_motivation"]]
if "secondary_motivation" in ta20:
all_motivations.extend(ta20["secondary_motivation"])
if "personal_motivation" in ta20:
all_motivations.extend(ta20["personal_motivation"])
motivations = convert_open_vocabs_to_controlled_vocabs(
all_motivations, ATTACK_MOTIVATION_MAP)
for m in motivations:
ta1x.add_motivation(m)
if "object_marking_refs" in ta20:
for m_id in ta20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ta1x, ms, descendants=True)
if "granular_markings" in ta20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, ta20["id"])
record_id_object_mapping(ta20["id"], ta1x)
return ta1x
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
def to_stix_actor(obj):
"""
Create a STIX Actor.
"""
ta = ThreatActor()
ta.title = obj.name
ta.description = obj.description
for tt in obj.threat_types:
ta.add_type(tt)
for m in obj.motivations:
ta.add_motivation(m)
for ie in obj.intended_effects:
ta.add_intended_effect(ie)
for s in obj.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, obj.releasability)
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
def to_stix_actor(self):
"""
Create a STIX Actor.
"""
from stix.threat_actor import ThreatActor
ta = ThreatActor()
ta.title = self.name
ta.description = self.description
for tt in self.threat_types:
ta.add_type(tt)
for m in self.motivations:
ta.add_motivation(m)
for ie in self.intended_effects:
ta.add_intended_effect(ie)
for s in self.sophistications:
ta.add_sophistication(s)
#for i in self.identifiers:
return (ta, self.releasability)
def buildThreatActor(input_dict):
threatActor = ThreatActor()
threatActor.title = input_dict["title"]
threatActor.description = input_dict["description"]
if input_dict["identity"]:
threatActor.identity = Identity(input_dict["identity"])
if input_dict["type"]:
threatActor.add_type(input_dict["type"])
if input_dict["motivation"]:
threatActor.add_motivation(input_dict["motivation"])
if input_dict["sophistication"]:
threatActor.add_sophistication(input_dict["sophistication"])
if input_dict["intendedEffect"]:
threatActor.add_intended_effect(input_dict["intendedEffect"])
if input_dict["support"]:
threatActor.add_planning_and_operational_support(input_dict["support"])
if input_dict["confidence"]:
threatActor.confidence = Confidence(input_dict["confidence"])
if input_dict["informationSource"]:
threatActor.information_source = InformationSource(input_dict["informationSource"])
return threatActor
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information(
"Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(
Incident(
idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(
Incident(
idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(
Incident(
idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print(pkg.to_xml(encoding=None))
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
c = Campaign()
c.attribution.append(actor)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def generateThreatActor(attribute):
ta = ThreatActor()
ta.id_="example:threatactor-" + attribute["uuid"]
ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
ta.description = attribute["value"]
return ta
