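def main():
    """Build a sample STIX package holding one campaign and print it as XML.

    The campaign links a victim-targeting TTP, one attributed threat actor
    and three incidents that are referenced by idref only (they are not
    defined in this package). Nothing is returned.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)
    # Incidents are linked by id reference only.
    for incident_id in (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    ):
        c.related_incidents.append(Incident(idref=incident_id))

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # print() with a single argument is valid on both Python 2 and 3; the
    # bare print statement it replaces is a SyntaxError on Python 3.
    print(pkg.to_xml())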
def test_ta(self):
    """Round-trip a ThreatActor whose text fields hold UNICODE_STR and check equality."""
    original = ThreatActor()
    for field in ("title", "description", "short_description"):
        setattr(original, field, UNICODE_STR)
    restored = round_trip(original)
    self._test_equal(original, restored)
def generateThreatActor(attribute):
    """Build a ThreatActor from a MISP attribute dict.

    Reads the ``uuid``, ``id`` and ``value`` keys (assumed to be strings):
    the id is ``example:threatactor-<uuid>``, the title names the attribute
    id and uuid, and the description is the attribute value.
    """
    uuid, attr_id = attribute["uuid"], attribute["id"]
    ta = ThreatActor()
    ta.id_ = "".join(("example:threatactor-", uuid))
    ta.title = "".join(("MISP Attribute #", attr_id, " uuid: ", uuid))
    ta.description = attribute["value"]
    return ta
def main():
    """Emit a sample STIX package describing the "Disco Team" threat actor.

    The actor carries a CIQ identity with two organisation names, a language,
    a US/California address and three electronic address identifiers. The
    XML is printed to stdout; nothing is returned.
    """
    package = STIXPackage()

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()

    spec = STIXCIQIdentity3_0()
    spec.party_name = PartyName()
    for org_name, name_type in (
        ("Disco Team", "CommonUse"),
        ("Equipo del Discoteca", "UnofficialName"),
    ):
        spec.party_name.add_organisation_name(OrganisationName(org_name, type_=name_type))
    spec.add_language("Spanish")

    location = Address()
    location.country = Country()
    location.country.add_name_element("United States")
    location.administrative_area = AdministrativeArea()
    location.administrative_area.add_name_element("California")
    spec.add_address(location)

    for contact in (
        "*****@*****.**",
        "facebook.com/thediscoteam",
        "twitter.com/realdiscoteam",
    ):
        spec.add_electronic_address_identifier(contact)

    actor.identity.specification = spec
    package.add_threat_actor(actor)
    print(package.to_xml(encoding=None))
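def _get_threat_actor_object(value, description=None, crowd_strike_motivations=None):
    """Build a STIX ThreatActor named *value* with an optional description and motivations.

    Args:
        value: Threat actor name; used as the organisation name of the CIQ
            identity and as the actor title.
        description: Text stored as both ``description`` and
            ``short_description``.
        crowd_strike_motivations: Iterable of dicts with a ``'value'`` key;
            each value becomes a motivation Statement. Defaults to none.

    Returns:
        The populated ThreatActor.
    """
    # A mutable default ([]) is shared across calls; use None as the sentinel.
    if crowd_strike_motivations is None:
        crowd_strike_motivations = []

    # Identity: the actor name becomes the organisation name of a CIQ identity.
    organisation_name = OrganisationName(value)
    party_name = PartyName()
    party_name.add_organisation_name(organisation_name)
    identity_specification = STIXCIQIdentity3_0()
    identity_specification.party_name = party_name
    identity = CIQIdentity3_0Instance()
    identity.specification = identity_specification

    ta = ThreatActor()
    ta.identity = identity
    # The extracted threat actor name is used as the title.
    ta.title = value
    ta.description = description
    ta.short_description = description

    # Motivations.
    for crowd_strike_motivation in crowd_strike_motivations:
        ta.add_motivation(Statement(crowd_strike_motivation['value']))
    return ta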
def main():
    """Print a small STIX package holding one threat actor and one risk-score indicator."""
    # Threat actor built from the information available to us.
    actor = ThreatActor()
    actor.title = "Ip/Domain/Hostname"
    actor.description = "A threatActor commited with malicious tasks"
    actor.information_source = "Malshare"
    actor.timestamp = "01/05/2019"
    actor.identity = "106.113.123.197"
    actor.types = "eCrime Actor - Spam Service"

    # Indicator built from the information available to us.
    risk_indicator = Indicator()
    risk_indicator.title = "Risk Score"
    risk_indicator.description = "An indicator containing the appropriate Risk Score"
    risk_indicator.set_produced_time("01/05/2019")
    risk_indicator.likely_impact = "Risk Score: 2(Medium)"

    # STIX report with a brief header description.
    header = STIXHeader()
    header.description = "Feeds in STIX format with their Risk Scores"
    package = STIXPackage()
    package.stix_header = header

    # Attach the two objects built above and dump the XML to stdout.
    package.add(actor)
    package.add(risk_indicator)
    print(package.to_xml())
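def main():
    """Print a sample STIX package for the "Disco Team" threat actor with a CIQ identity.

    The identity carries two organisation names, a language, a US/California
    address and one electronic address identifier. Nothing is returned.
    """
    stix_package = STIXPackage()

    ta = ThreatActor()
    ta.title = "Disco Team Threat Actor Group"
    ta.identity = CIQIdentity3_0Instance()

    identity_spec = STIXCIQIdentity3_0()
    identity_spec.party_name = PartyName()
    # "Disco Tean" was a typo; the CommonUse name now matches the actor title.
    identity_spec.party_name.add_organisation_name(OrganisationName("Disco Team", type_="CommonUse"))
    identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
    identity_spec.add_language("Spanish")

    address = Address()
    address.country = Country()
    address.country.add_name_element("United States")
    address.administrative_area = AdministrativeArea()
    address.administrative_area.add_name_element("California")
    identity_spec.add_address(address)
    identity_spec.add_electronic_address_identifier("*****@*****.**")

    ta.identity.specification = identity_spec
    stix_package.add_threat_actor(ta)
    # print() with one argument is valid on Python 2 and 3; the bare print
    # statement it replaces is a SyntaxError on Python 3.
    print(stix_package.to_xml())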
def generateThreatActor(attribute):
    """Convert a MISP attribute dict into a ThreatActor.

    The actor timestamp comes from the attribute ``timestamp`` (epoch int),
    the id from ``namespace[1]`` and the attribute uuid, the title from the
    category/value/id, and the description from the value with the comment
    appended in parentheses when it is non-empty.
    """
    created = getDateFromTimestamp(int(attribute["timestamp"]))
    ta = ThreatActor(timestamp=created)
    ta.id_ = "".join((namespace[1], ":threatactor-", attribute["uuid"]))
    ta.title = "".join((
        attribute["category"], ": ", attribute["value"],
        " (MISP Attribute #", attribute["id"], ")",
    ))
    value, comment = attribute["value"], attribute["comment"]
    ta.description = "".join((value, " (", comment, ")")) if comment != "" else value
    return ta
def generate_threat_actor(attribute):
    """Build a ThreatActor from a MISP attribute object.

    Uses ``attribute.timestamp``, ``uuid``, ``category``, ``value``, ``id``
    and ``comment``; the comment, when truthy, is appended to the
    description in parentheses.
    """
    ta = ThreatActor(timestamp=attribute.timestamp)
    ta.id_ = "%s:threatactor-%s" % (namespace[1], attribute.uuid)
    ta.title = "%s: %s (MISP Attribute #%s)" % (attribute.category, attribute.value, attribute.id)
    text = attribute.value
    if attribute.comment:
        text = "%s (%s)" % (text, attribute.comment)
    ta.description = text
    return ta
def generateThreatActor(attribute):
    """Build a ThreatActor from a MISP attribute dict.

    The id is derived from ``namespace[1]`` and the attribute uuid, the title
    names the attribute id and uuid, and the description is the attribute
    value with the comment appended in parentheses when it is non-empty.
    """
    uuid, attr_id = attribute["uuid"], attribute["id"]
    ta = ThreatActor()
    ta.id_ = "".join((namespace[1], ":threatactor-", uuid))
    ta.title = "".join(("MISP Attribute #", attr_id, " uuid: ", uuid))
    description_parts = [attribute["value"]]
    if attribute["comment"] != "":
        description_parts += [" (", attribute["comment"], ")"]
    ta.description = "".join(description_parts)
    return ta
def generateThreatActor(attribute):
    """Convert a MISP attribute dict into a ThreatActor.

    The timestamp is parsed from the ``timestamp`` key (epoch int), the id
    built from ``namespace[1]`` and the uuid, the title from category, value
    and id, and the description from the value plus an optional comment.
    """
    created = getDateFromTimestamp(int(attribute["timestamp"]))
    ta = ThreatActor(timestamp=created)
    ta.id_ = "".join((namespace[1], ":threatactor-", attribute["uuid"]))
    ta.title = "".join((
        attribute["category"], ": ", attribute["value"],
        " (MISP Attribute #", attribute["id"], ")",
    ))
    description_parts = [attribute["value"]]
    if attribute["comment"] != "":
        description_parts += [" (", attribute["comment"], ")"]
    ta.description = "".join(description_parts)
    return ta
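def _collect_motivations(ta20):
    """Return the actor's motivations as one list, primary motivation first.

    STIX 2.0 spells the list properties ``secondary_motivations`` and
    ``personal_motivations``; the singular spellings are still honoured as a
    fallback so inputs that used them keep converting as before.
    """
    motivations = []
    if "primary_motivation" in ta20:
        motivations.append(ta20["primary_motivation"])
    for plural, singular in (
        ("secondary_motivations", "secondary_motivation"),
        ("personal_motivations", "personal_motivation"),
    ):
        if plural in ta20:
            motivations.extend(ta20[plural])
        elif singular in ta20:
            motivations.extend(ta20[singular])
    return motivations


def convert_threat_actor(ta20):
    """Convert a STIX 2.0 threat-actor dict into a STIX 1.x ThreatActor.

    Labels, sophistication and motivations are mapped through the controlled
    vocabularies; aliases, roles and resource_level have no 1.x slot and are
    appended to the description; goals become intended effects. Object
    markings are applied through CONTAINER, granular markings are reported
    as unsupported, and the id mapping is recorded before returning.

    Args:
        ta20: STIX 2.0 threat-actor object as a dict (``id``, ``modified``,
            ``name`` and ``labels`` are required).

    Returns:
        The populated STIX 1.x ThreatActor.
    """
    ta1x = ThreatActor(id_=convert_id20(ta20["id"]), timestamp=text_type(ta20["modified"]))
    ta1x.title = ta20["name"]
    for t in convert_open_vocabs_to_controlled_vocabs(ta20["labels"], THREAT_ACTOR_LABEL_MAP):
        ta1x.add_type(t)
    if "description" in ta20:
        ta1x.add_description(ta20["description"])

    # Properties without a STIX 1.x equivalent are folded into the description.
    for prop in ("aliases", "roles"):
        if prop in ta20:
            add_missing_list_property_to_description(ta1x, prop, ta20[prop])
    if "goals" in ta20:
        for g in ta20["goals"]:
            ta1x.add_intended_effect(g)
    if "sophistication" in ta20:
        sophistications = convert_open_vocabs_to_controlled_vocabs(
            [ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP)
        for s in sophistications:
            ta1x.add_sophistication(s)
    if "resource_level" in ta20:
        add_missing_list_property_to_description(ta1x, "resource_level", ta20["resource_level"])

    motivations = convert_open_vocabs_to_controlled_vocabs(
        _collect_motivations(ta20), ATTACK_MOTIVATION_MAP)
    for m in motivations:
        ta1x.add_motivation(m)

    if "object_marking_refs" in ta20:
        for m_id in ta20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ta1x, ms, descendants=True)
    if "granular_markings" in ta20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604,
            ta20["id"])
    record_id_object_mapping(ta20["id"], ta1x)
    return ta1x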
def to_stix_actor(obj):
    """Create a STIX Actor.

    Copies ``name`` and ``description`` from *obj* and adds each of its
    threat types, motivations, intended effects and sophistications.
    Returns a ``(ThreatActor, releasability)`` tuple.
    """
    actor = ThreatActor()
    actor.title = obj.name
    actor.description = obj.description
    adders = (
        (obj.threat_types, actor.add_type),
        (obj.motivations, actor.add_motivation),
        (obj.intended_effects, actor.add_intended_effect),
        (obj.sophistications, actor.add_sophistication),
    )
    for values, add in adders:
        for value in values:
            add(value)
    return (actor, obj.releasability)
def to_stix_actor(self):
    """Create a STIX Actor.

    Copies ``name`` and ``description`` from this object and adds each of
    its threat types, motivations, intended effects and sophistications.
    Returns a ``(ThreatActor, releasability)`` tuple.
    """
    from stix.threat_actor import ThreatActor

    actor = ThreatActor()
    actor.title = self.name
    actor.description = self.description
    adders = (
        (self.threat_types, actor.add_type),
        (self.motivations, actor.add_motivation),
        (self.intended_effects, actor.add_intended_effect),
        (self.sophistications, actor.add_sophistication),
    )
    for values, add in adders:
        for value in values:
            add(value)
    return (actor, self.releasability)
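def buildThreatActor(input_dict):
    """Build a ThreatActor from a flat dict of caller-supplied fields.

    ``title`` and ``description`` are required. Every other key is optional
    and applied only when present and non-empty: ``identity``, ``type``,
    ``motivation``, ``sophistication``, ``intendedEffect``, ``support``,
    ``confidence`` and ``informationSource``.

    Raises:
        KeyError: if ``title`` or ``description`` is missing.
    """
    threatActor = ThreatActor()
    threatActor.title = input_dict["title"]
    threatActor.description = input_dict["description"]

    # Optional fields use .get() so a missing key behaves like an empty one
    # instead of raising KeyError.
    identity = input_dict.get("identity")
    if identity:
        threatActor.identity = Identity(identity)

    # Single-valued optional fields routed to the matching add_* helper.
    optional_adders = (
        ("type", threatActor.add_type),
        ("motivation", threatActor.add_motivation),
        ("sophistication", threatActor.add_sophistication),
        ("intendedEffect", threatActor.add_intended_effect),
        ("support", threatActor.add_planning_and_operational_support),
    )
    for key, add in optional_adders:
        value = input_dict.get(key)
        if value:
            add(value)

    confidence = input_dict.get("confidence")
    if confidence:
        threatActor.confidence = Confidence(confidence)
    source = input_dict.get("informationSource")
    if source:
        threatActor.information_source = InformationSource(source)
    return threatActor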
def main():
    """Build a sample STIX package holding one campaign and print it as XML.

    The campaign links a victim-targeting TTP, one attributed threat actor
    and three incidents referenced by idref only. Nothing is returned.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    targeting_ttp = TTP()
    targeting_ttp.title = "Victim Targeting: Customer PII and Financial Data"
    targeting_ttp.victim_targeting = VictimTargeting()
    targeting_ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    intruders = ThreatActor()
    intruders.title = "People behind the intrusion"
    attribution = Attribution()
    attribution.append(intruders)

    campaign = Campaign()
    campaign.attribution = []
    campaign.attribution.append(attribution)
    campaign.title = "Compromise of ATM Machines"
    campaign.related_ttps.append(targeting_ttp)
    # Incidents are linked by id reference only.
    for incident_id in (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    ):
        campaign.related_incidents.append(Incident(idref=incident_id))

    package = STIXPackage()
    package.add_campaign(campaign)
    print(package.to_xml(encoding=None))
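def main():
    """Build a sample STIX package with one campaign and print it as XML.

    The campaign links a victim-targeting TTP and one threat actor appended
    to its attribution list. Nothing is returned.
    """
    from stix.campaign import Campaign
    from stix.threat_actor import ThreatActor
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"

    c = Campaign()
    # The actor is appended to the attribution list directly, as in the
    # original; whether the library wraps it in an Attribution is not
    # visible here.
    c.attribution.append(actor)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # print() with a single argument is valid on both Python 2 and 3; the
    # bare print statement it replaces is a SyntaxError on Python 3.
    print(pkg.to_xml())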
def generateThreatActor(attribute):
    """Build a ThreatActor from a MISP attribute dict.

    Reads the ``uuid``, ``id`` and ``value`` keys (assumed to be strings):
    the id is ``example:threatactor-<uuid>``, the title names the attribute
    id and uuid, and the description is the attribute value.
    """
    uuid, attr_id = attribute["uuid"], attribute["id"]
    ta = ThreatActor()
    ta.id_ = "".join(("example:threatactor-", uuid))
    ta.title = "".join(("MISP Attribute #", attr_id, " uuid: ", uuid))
    ta.description = attribute["value"]
    return ta