def generateTTP(incident, attribute, ttps, eventTags): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"])) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.id_= namespace[1] + ":et-" + attribute["uuid"] if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.": et.title = attribute["comment"] else: et.title = "Vulnerability " + attribute["value"] et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] ttps.append(ttp) rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) relatedTTP = RelatedTTP(rttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def main(): ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc') stix_package = STIXPackage() ttp = TTP() malware_instance = MalwareInstance() malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos'] ttp = TTP(title="Zeus") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos") tm = OpenIOCTestMechanism() tm.ioc = ioc tm.producer = InformationSource(identity=Identity(name="Yara")) time = Time() time.produced_time = "0001-01-01T00:00:00" tm.producer.time = time tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"] indicator.test_mechanisms = [tm] indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): stix_package = STIXPackage() ttp_phishing = TTP(title="Phishing") attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-98" attack_pattern.description = ("Phishing") ttp_phishing.behavior = Behavior() ttp_phishing.behavior.add_attack_pattern(attack_pattern) ttp_pivy = TTP(title="Poison Ivy Variant d1c6") malware_instance = MalwareInstance() malware_instance.add_name("Poison Ivy Variant d1c6") malware_instance.add_type("Remote Access Trojan") ttp_pivy.behavior = Behavior() ttp_pivy.behavior.add_malware_instance(malware_instance) ta_bravo = ThreatActor(title="Adversary Bravo") ta_bravo.identity = Identity(name="Adversary Bravo") related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern") ta_bravo.observed_ttps.append(related_ttp_phishing) related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware") ta_bravo.observed_ttps.append(related_ttp_pivy) stix_package.add_ttp(ttp_phishing) stix_package.add_ttp(ttp_pivy) stix_package.add_threat_actor(ta_bravo) print stix_package.to_xml()
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print(pkg.to_xml(encoding=None))
def main(): campaign = Campaign(title="Campaign against ICS") ttp = TTP(title="DrownedRat") alpha_report = Report() alpha_report.header = Header() alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector" alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!" alpha_report.header.intents = "Campaign Characterization" alpha_report.add_campaign(Campaign(idref=campaign.id_)) rat_report = Report() rat_report.header = Header() rat_report.header.title = "Indicators for Malware DrownedRat" rat_report.header.intents = "Indicators - Malware Artifacts" rat_report.add_ttp(TTP(idref=ttp.id_)) wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name="Government Sharing Program - GSP") wrapper.stix_header = STIXHeader(information_source=info_src) wrapper.add_report(alpha_report) wrapper.add_report(rat_report) wrapper.add_campaign(campaign) wrapper.add_ttp(ttp) print(wrapper.to_xml())
def main(): data = json.load(open("data.json")) stix_package = STIXPackage(stix_header=STIXHeader( title=data['title'], package_intents='Incident')) ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) incident = Incident(title=info['ip']) incident.time = Time() incident.time.first_malicious_action = info['first_seen'] addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) observable = Observable(item=addr) stix_package.add_observable(observable) related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware") incident.leveraged_ttps.append(related_ttp) related_observable = RelatedObservable( Observable(idref=observable.id_)) incident.related_observables.append(related_observable) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def convert_report(r20): r1x = Report(id_=convert_id20(r20["id"]), timestamp=text_type(r20["modified"])) r1x.header = Header() if "name" in r20: r1x.header.title = r20["name"] if "description" in r20: r1x.header.add_description(r20["description"]) intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP) for i in intents: r1x.header.add_intent(i) if "published" in r20: add_missing_property_to_description(r1x.header, "published", r20["published"]) for ref in r20["object_refs"]: ref_type = get_type_from_id(ref) ref1x = convert_id20(ref) if ref_type == "attack-pattern": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "campaign": r1x.add_campaign(Campaign(idref=ref1x)) elif ref_type == 'course-of-action': r1x.add_course_of_action(CourseOfAction(idref=ref1x)) elif ref_type == "indicator": r1x.add_indicator(Indicator(idref=ref1x)) elif ref_type == "observed-data": r1x.add_observable(Observable(idref=ref1x)) elif ref_type == "malware": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "threat-actor": r1x.add_threat_actor(ThreatActor(idref=ref1x)) elif ref_type == "tool": r1x.add_ttp(TTP(idref=ref1x)) elif ref_type == "vulnerability": r1x.add_exploit_target(ExploitTarget(idref=ref1x)) elif ref_type == "identity" or ref_type == "relationship": warn("%s in %s is not explicitly a member of a STIX 1.x report", 703, ref, r20["id"]) elif ref_type == "intrusion-set": warn("%s in %s cannot be represented in STIX 1.x", 612, ref, r20["id"]) else: warn("ref type %s in %s is not known", 0, ref_type, r20["id"]) if "object_marking_refs" in r20: for m_id in r20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(r1x, ms, descendants=True) if "granular_markings" in r20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, r20["id"]) return r1x
def append_ttp(self, incident, attribute, ttp): if attribute.comment: ttp.description = attribute.comment self.ttps.append(ttp) rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) related_ttp = RelatedTTP(rttp, relationship=attribute.category) incident.leveraged_ttps.append(related_ttp)
def convert_malware(malware20): malware1x = MalwareInstance() if "name" in malware20: malware1x.add_name(malware20["name"]) if "description" in malware20: malware1x.add_description(malware20["description"]) types = convert_open_vocabs_to_controlled_vocabs(malware20["labels"], MALWARE_LABELS_MAP) for t in types: malware1x.add_type(t) ttp = TTP(id_=convert_id20(malware20["id"]), timestamp=text_type(malware20["modified"])) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware1x) if "kill_chain_phases" in malware20: process_kill_chain_phases(malware20["kill_chain_phases"], ttp) if "object_marking_refs" in malware20: for m_id in malware20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ttp, ms, descendants=True) if "granular_markings" in malware20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, malware20["id"]) record_id_object_mapping(malware20["id"], ttp) return ttp
def convert_attack_pattern(ap20): ap1x = AttackPattern() if "name" in ap20: ap1x.title = ap20["name"] if "description" in ap20: ap1x.add_description(ap20["description"]) if "labels" in ap20: for l in ap20["labels"]: add_missing_property_to_description(ap1x, "label", l) if "external_references" in ap20: ap1x.capec_id = extract_external_id("capec", ap20["external_references"]) ttp = TTP(id_=convert_id20(ap20["id"]), timestamp=text_type(ap20["modified"])) ttp.behavior = Behavior() ttp.behavior.add_attack_pattern(ap1x) if "kill_chain_phases" in ap20: process_kill_chain_phases(ap20["kill_chain_phases"], ttp) if "object_marking_refs" in ap20: for m_id in ap20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ttp, ms, descendants=True) if "granular_markings" in ap20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, ap20["id"]) # if "kill_chain_phases" in ap20: # process_kill_chain_phases(ap20["kill_chain_phases"], ttp) record_id_object_mapping(ap20["id"], ttp) return ttp
def test_ttp(self): t = TTP() t.title = UNICODE_STR t.description = UNICODE_STR t.short_description = UNICODE_STR t2 = round_trip(t) self._test_equal(t, t2)
def main(): file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' stix_header = STIXHeader( title="File Hash Reputation Service Results", package_intents=["Indicators - Malware Artifacts"]) stix_package = STIXPackage(stix_header=stix_header) indicator = Indicator( title= "File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ) indicator.add_indicator_type("File Hash Watchlist") file_object = File() file_object.add_hash(Hash(file_hash)) file_object.hashes[0].simple_hash_value.condition = "Equals" file_object.hashes[0].type_.condition = "Equals" indicator.add_observable(file_object) indicator.add_indicated_ttp(TTP(title="Malicious file")) indicator.confidence = Confidence(value=VocabString('75')) indicator.confidence.value.vocab_name = "Percentage" indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage" stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def main(): stix_package = STIXPackage() ttp = TTP(title="C2 Behavior") indicator = Indicator(title="IP Address for known C2 Channel") indicator.add_indicator_type("IP Watchlist") addr = Address(address_value="10.0.0.0", category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print(stix_package.to_xml(encoding=None))
def convert_tool(tool20): tool1x = ToolInformation() if "name" in tool20: tool1x.title = tool20["name"] if "description" in tool20: tool1x.description = tool20["description"] if "tool_version" in tool20: tool1x.version = tool20["tool_version"] if "labels" in tool20: warn( "labels not representable in a STIX 1.x ToolInformation. Found in %s", 502, tool20["id"]) # bug in python_stix prevents using next line of code # tool1x.type_ = convert_open_vocabs_to_controlled_vocabs(tool20["labels"], TOOL_LABELS_MAP) ttp = TTP(id_=convert_id20(tool20["id"]), timestamp=text_type(tool20["modified"])) if not ttp.resources: ttp.resources = Resource() if not ttp.resources.tools: ttp.resources.tools = Tools() ttp.resources.tools.append(tool1x) if "kill_chain_phases" in tool20: process_kill_chain_phases(tool20["kill_chain_phases"], ttp) if "object_marking_refs" in tool20: for m_id in tool20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ttp, ms, descendants=True) if "granular_markings" in tool20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, tool20["id"]) record_id_object_mapping(tool20["id"], ttp) return ttp
def _dostix(hashes): '''This function creates a STIX packages containing hashes.''' print("[+] Creating STIX Package") title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now()) _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix']) stix_package = STIXPackage() stix_package.stix_header = STIXHeader() stix_package.stix_header.title = title stix_package.stix_header.handling = _marking() try: indicator = Indicator() indicator.set_producer_identity(SETTINGS['stix']['producer']) indicator.set_produced_time(indicator.timestamp) indicator.set_received_time(indicator.timestamp) indicator.add_kill_chain_phase(PHASE_DELIVERY) indicator.confidence = "Low" indicator.title = title indicator.add_indicator_type("File Hash Watchlist") indicator.description = SETTINGS['stix']['ind_desc'] try: indicator.add_indicated_ttp( TTP(idref=SETTINGS['indicated_ttp'], timestamp=indicator.timestamp)) indicator.suggested_coas.append( CourseOfAction(idref=SETTINGS['suggested_coa'], timestamp=indicator.timestamp)) except KeyError: pass for info in hashes: try: file_name = info['filename'] file_object = File() file_object.file_name = file_name file_object.file_name.condition = "Equals" file_object.file_extension = "." + file_name.split('.')[-1] file_object.file_extension.condition = "Equals" file_object.size_in_bytes = info['filesize'] file_object.size_in_bytes.condition = "Equals" file_object.file_format = info['fileformat'] file_object.file_format.condition = "Equals" file_object.add_hash(Hash(info['md5'])) file_object.add_hash(Hash(info['sha1'])) file_object.add_hash(Hash(info['sha256'])) file_object.add_hash(Hash(info['sha512'])) file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP)) for hashobj in file_object.hashes: hashobj.simple_hash_value.condition = "Equals" hashobj.type_.condition = "Equals" file_obs = Observable(file_object) file_obs.title = "File: " + file_name indicator.add_observable(file_obs) except TypeError: pass stix_package.add_indicator(indicator) return stix_package except KeyError: pass
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from stix.utils import idgen from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") idgen.set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] # Add the vulnerability object to the package object expt.add_vulnerability(vulnbuild(data)) # Do some TTP stuff with CAPEC objects try: for i in data['capec']: ttp = TTP() ttp.title = "CAPEC-" + str(i['id']) ttp.description = i['summary'] ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) pkg.add_ttp(ttp) except KeyError: pass # Do some weakness stuff if data['cwe'] != 'Unknown': weak = Weakness() weak.cwe_id = data['cwe'] expt.add_weakness(weak) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() # If the function is not imported then output the xml to a file. if __name__ == '__main__': title = pkg.id_.split(':', 1)[-1] with open(title + ".xml", "w") as text_file: text_file.write(xml) return xml
def create_victim_target(source, target_ref, target_obj_ref_1x): global _VICTIM_TARGET_TTPS target, identity1x_tuple = handle_identity(target_ref, target_obj_ref_1x) ttp = TTP() ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = target _VICTIM_TARGET_TTPS.append(ttp) source.observed_ttps.append(ttp) identity1x_tuple[1] = True
def main(): malware = MalwareInstance() malware.add_name("Poison Ivy") malware.add_type("Remote Access Trojan") ttp = TTP(title="Poison Ivy") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) incident = Incident( title="Detected Poison Ivy beaconing through perimeter firewalls") related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware") incident.leveraged_ttps.append(related_ttp) stix_package = STIXPackage() stix_package.add_ttp(ttp) stix_package.add_incident(incident) print(stix_package.to_xml(encoding=None))
def add_malware(hashVal, TTPTitle, malware_uuid): malware_instance = MalwareInstance() malware_instance.add_name(TTPTitle) # malware_instance.add_type("Malware") ttp = TTP(title=TTPTitle) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) file_object = File() file_object.add_hash(Hash(hashVal)) file_object.hashes[0].simple_hash_value.condition = "Equals" indicator = Indicator(id_="indicator-{0}".format(malware_uuid), title="File hash") indicator.add_indicator_type("File Hash Watchlist") indicator.add_observable(file_object) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) return (indicator)
def resolveAttributes(incident, ttps, attributes): for attribute in attributes: if (attribute["type"] in not_implemented_attributes): addJournalEntry(incident, "!Not implemented attribute category/type combination caught! attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"]) elif (attribute["type"] in non_indicator_attributes): #types that will definitely not become indicators handleNonIndicatorAttribute(incident, ttps, attribute) else: #types that may become indicators handleIndicatorAttribute(incident, ttps, attribute) if incident.related_indicators and not ttps: ttp = TTP(timestamp=incident.timestamp) ttp.id_= incident.id_.replace("incident","ttp") ttp.title = "Unknown" ttps.append(ttp) for rindicator in incident.related_indicators: for ttp in ttps: ittp=TTP(idref=ttp.id_, timestamp=ttp.timestamp) rindicator.item.add_indicated_ttp(ittp) return [incident, ttps]
def create_victim_target_for_threat_actor(source, target_ref, target_obj_ref_1x): global _VICTIM_TARGET_TTPS target, identity1x_tuple = choose_full_object_or_idref( target_ref, target_obj_ref_1x) ttp = TTP() ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = target _VICTIM_TARGET_TTPS.append(ttp) source.observed_ttps.append(ttp) identity1x_tuple[1] = True
def to_stix_ttps(obj): from stix.ttp import TTP ttp_list = [] for each in obj.ttps: ttp = TTP() ttp.timestamp = each.date ttp.description = each.ttp ttp_list.append(ttp) return ttp_list
def _add_stix_indicators(self, final_indicator_objects, ttp_id): """Create and add STIX Indicators for a list of Object History entries. Link each Indicator to their Indicated TTP. Note: Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class member. Args: final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing the final, pruned list of Objects to be used in the STIX Indicators. ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP. """ object_values_list = [] actions_list = [] final_object_list = [] # Deduplicate the Objects and combine their Actions for entry in final_indicator_objects: object = entry.object # Test if we've already created an Indicator for this Object obj_values = BundleDeduplicator.get_object_values(object) if obj_values not in object_values_list: object_values_list.append(obj_values) final_object_list.append(object) actions_list.append(entry.get_action_names()) else: object_index = object_values_list.index(obj_values) existing_actions = actions_list[object_index] existing_actions += entry.get_action_names() # Create the STIX Indicators for object in final_object_list: object_index = final_object_list.index(object) indicator = Indicator() indicator.title = "Malware Artifact Extracted from MAEC Document" indicator.add_indicator_type("Malware Artifacts") indicator.add_observable(object.properties) # Add the Action-derived description to the Indicator description = "Corresponding Action(s): " for action_name in actions_list[object_index]: description += (action_name + ", ") indicator.description = description[:-2] # Set the proper Confidence on the Indicator confidence = Confidence() confidence.value = "Low" confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage." indicator.confidence = confidence # Link the Indicator to its Indicated TTP ttp = TTP(idref=ttp_id) indicator.add_indicated_ttp(ttp) # Add the Indicator to the STIX Package self.stix_package.add_indicator(indicator)
def main(): stix_package = STIXPackage() # Build the Exploit Target vuln = Vulnerability() vuln.cve_id = "CVE-2014-0160" vuln.add_reference("http://heartbleed.com/") et = ExploitTarget(title="Heartbleed") et.add_vulnerability(vuln) stix_package.add_exploit_target(et) # Build the TTP ttp = TTP(title="Generic Heartbleed Exploits") ttp.exploit_targets.append(ExploitTarget(idref=et.id_)) stix_package.add_ttp(ttp) # Build the indicator indicator = Indicator(title="Snort Signature for Heartbleed") indicator.confidence = Confidence("High") tm = SnortTestMechanism() tm.rules = [ """alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""", """alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)""" ] tm.efficacy = "Low" tm.producer = InformationSource(identity=Identity(name="FOX IT")) tm.producer.references = [ "http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/" ] indicator.test_mechanisms = TestMechanisms([tm]) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) print(stix_package.to_xml(encoding=None))
def _merge_ttps(api_object, references): related_objects = {} for ref in references: related_objects.setdefault(ref.ty, []).append(ref.idref) if getattr(api_object, 'exploit_targets', None) is None: setattr(api_object, 'exploit_targets', ExploitTargets()) if getattr(api_object, 'related_ttps', None) is None: setattr(api_object, 'related_ttps', RelatedTTPs()) for tgt in related_objects.get('tgt', []): api_object.exploit_targets.append(ExploitTarget(idref=tgt)) for ttp in related_objects.get('ttp', []): api_object.related_ttps.append(TTP(idref=ttp))
def main(): fileIn = open('tor_exit_node_list.txt', 'r') fileOut = open('tor_stix.xml', 'w') #print("List of Tor Exit nodes as of 5/4/2018") ip_addr_list = [] for line in fileIn: ip_addr = re.search( '(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))', line) if ip_addr: ip_addr_list.append(ip_addr) #print(" ", ip_addr.group(0)) stix_package = STIXPackage() ttp = TTP(title="Tor Exit Nodes") i = 0 for ip_addr in ip_addr_list: indicator = Indicator(title="IP Address for known Tor exit Node") indicator.add_indicator_type("IP Watchlist") addr = Address(address_value=ip_addr.group(0), category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) print(i) i = i + 1 stix_package.add_ttp(ttp) #print(stix_package.to_xml(encoding=None)) fileOut.write(stix_package.to_xml(encoding=None))
def _buildttp(i, expt): """Do some TTP stuff.""" ttp = TTP() ttp.title = str(i['name']) # The summary key is a list. In 1.2 this is represented # properly using description ordinality. ttp.description = i['summary'] attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-" + str(i['id']) ttp.behavior = Behavior() ttp.behavior.add_attack_pattern(attack_pattern) ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) return ttp
def resolveAttributes(incident, ttps, attributes, eventTags, org): for attribute in attributes: if (attribute["type"] in not_implemented_attributes): addJournalEntry(incident, "!Not implemented attribute category/type combination caught! attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"]) elif (attribute["type"] in non_indicator_attributes): #types that will definitely not become indicators handleNonIndicatorAttribute(incident, ttps, attribute, eventTags, org) else: #types that may become indicators handleIndicatorAttribute(incident, ttps, attribute, eventTags, org) for rindicator in incident.related_indicators: for ttp in ttps: ittp=TTP(idref=ttp.id_, timestamp=ttp.timestamp) rindicator.item.add_indicated_ttp(ittp) return [incident, ttps]
def main(): stix_package = STIXPackage() malware_instance = MalwareInstance() malware_instance.add_name("Poison Ivy") malware_instance.add_type("Remote Access Trojan") ttp = TTP(title="Poison Ivy") ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware_instance) file_object = File() file_object.add_hash(Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")) file_object.hashes[0].simple_hash_value.condition = "Equals" indicator = Indicator(title="File hash for Poison Ivy variant") indicator.add_indicator_type("File Hash Watchlist") indicator.add_observable(file_object) indicator.add_indicated_ttp(TTP(idref=ttp.id_)) stix_package.add_indicator(indicator) stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): data = json.load(open("data.json")) stix_package = STIXPackage() ttps = {} for info in data['ips']: if info['bot'] not in ttps: ttps[info['bot']] = TTP(title=info['bot']) stix_package.add_ttp(ttps[info['bot']]) indicator = Indicator(title=info['ip']) indicator.add_indicator_type("IP Watchlist") addr = Address(address_value=info['ip'], category=Address.CAT_IPV4) addr.condition = "Equals" indicator.add_observable(addr) indicator.add_indicated_ttp(TTP(idref=ttps[info['bot']].id_)) stix_package.add_indicator(indicator) print stix_package.to_xml()