Example #1
0
def async_post(envelop, collection, taxii2_status, stip_user, community):
    pendings = []
    bundle_objects = []
    for object_ in envelop['objects']:
        object_id = object_['id']
        modified = get_modified_from_object(object_)
        try:
            objects = StixObject.objects.filter(object_id=object_id,
                                                modified=modified)
            is_exist = False
            for object_ in objects:
                if not object_.deleted:
                    is_exist = True
                    break
            if is_exist:
                msg = 'Duplication Object(id: %s, modifed: %s)' % (object_id,
                                                                   modified)
                taxii2_status.failure(object_id, modified, msg)
                continue
        except StixObject.DoesNotExist:
            pass
        bundle_objects.append(object_)
        pendings.append((object_id, modified))

    if len(bundle_objects) == 0:
        return

    bundle = Bundle(bundle_objects, allow_custom=True)

    try:
        _, stix2_file_path = tempfile.mkstemp()
        with open(stix2_file_path, 'w', encoding='utf-8') as fp:
            fp.write(
                bundle.serialize(True,
                                 ensure_ascii=False,
                                 include_optional_defaults=True))
        rs.regist_ctim_rs(stip_user, bundle.id, stix2_file_path,
                          community.name)
    except Exception as e:
        raise (e)
    finally:
        try:
            os.remove(stix2_file_path)
        except Exception:
            pass

    for object_id, modified in pendings:
        taxii2_status.success(object_id, modified)

    return
def test_memory_store_object_with_custom_property_in_bundle(mem_store):
    camp = Campaign(
        name="Scipio Africanus",
        objective="Defeat the Carthaginians",
        x_empire="Roman",
        allow_custom=True,
    )

    bundle = Bundle(camp, allow_custom=True)
    mem_store.add(bundle)

    camp_r = mem_store.get(camp.id)
    assert camp_r.id == camp.id
    assert camp_r.x_empire == camp.x_empire
Example #3
0
def make_group(group_name):
    collection = TAXIICollection()

    gb = GBundle(collection, group_name)
    gb.collect_relation()
    gb.pre_collect_relation()
    gb.generate_bundle()

    if not os.path.exists('./bundles'):
        os.mkdir('./bundles')

    with open('./bundles/{0}-bundle.json'.format(group_name), "w") as wf:
        wf.write(str(Bundle(objects=gb.objects)))

    with open('./bundles/{0}-bundle.json'.format(group_name), "r") as f:
        obj_list = json.loads(f.read())["objects"]

    g = Group(obj_list)
    g.grouping()

    # update for demo will update more fancy.
    with open('./grouping/{0}-bundle.json'.format(group_name), 'w') as f:
        f.write(str(Bundle(objects=gb.objects)))
Example #4
0
    def grouping(self):
        self.get_attack_pattern()
        for ap in self.attack_pattern:
            rel = []
            object_ids = []
            objects = []
            for obj in self.obj_list:
                if obj["type"] == "relationship":
                    if obj["source_ref"] == ap["id"] or obj[
                            "target_ref"] == ap["id"]:
                        rel.append(obj)
                        # print(obj["id"])
                        objects.append(parse(obj, allow_custom=True))

            for r in rel:
                if r["source_ref"] not in object_ids:
                    object_ids.append(r["source_ref"])
                if r["target_ref"] not in object_ids:
                    object_ids.append(r["target_ref"])

            for obj_id in object_ids:
                objects.append(parse(self.find_obj(obj_id), allow_custom=True))

            if not os.path.exists("grouping"):
                os.mkdir("grouping")

            for kcp in ap["kill_chain_phases"]:
                if not os.path.exists("grouping/" + kcp["kill_chain_name"]):
                    os.mkdir("grouping/" + kcp["kill_chain_name"])
                if not os.path.exists("grouping/" + kcp["kill_chain_name"] +
                                      "/" + kcp["phase_name"]):
                    os.mkdir("grouping/" + kcp["kill_chain_name"] + "/" +
                             kcp["phase_name"])

                bundle = Bundle(objects=objects)
                with open(
                        "grouping/" + kcp["kill_chain_name"] + "/" +
                        kcp["phase_name"] + "/" + str(bundle["id"]) + ".json",
                        "w") as wf:
                    wf.write(str(bundle))
                    contact_information="*****@*****.**",
                    identity_class="organization",
                    sectors=["defence"])

marking_def_amber = MarkingDefinition(
    id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    created="2017-01-20T00:00:00.000Z",
    definition_type="tlp",
    definition={"tlp": "amber"})

marking_def_statement = MarkingDefinition(
    id="marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2017-04-14T13:07:49.812Z",
    definition_type="statement",
    definition=StatementMarking("Copyright (c) Stark Industries 2017."))

indicator = Indicator(
    id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
    created="2017-04-14T13:07:49.812Z",
    modified="2017-04-14T13:07:49.812Z",
    created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
    name="Known malicious IP Address",
    indicator_types=["malicious-activity"],
    pattern="[ipv4-addr:value = '10.0.0.0']",
    pattern_type="stix",
    valid_from="2017-04-14T13:07:49.812Z",
    object_marking_refs=[marking_def_amber, marking_def_statement])

bundle = Bundle(
    objects=[identity, indicator, marking_def_amber, marking_def_statement])
Example #6
0
    secondary_motivations=["dominance"],
    aliases=["Bran-teaser"])

relationship1 = Relationship(campaign1, 'attributed-to', threat_actor)
relationship2 = Relationship(campaign2, 'attributed-to', threat_actor)
relationship3 = Relationship(campaign1, 'attributed-to', intrusionset)
relationship4 = Relationship(campaign2, 'attributed-to', intrusionset)
relationship5 = Relationship(intrusionset, 'attributed-to', threat_actor)
relationship6 = Relationship(intrusionset, 'targets', identity2)
relationship7 = Relationship(intrusionset, 'uses', attack_pattern1)
relationship8 = Relationship(intrusionset, 'uses', attack_pattern2)
relationship9 = Relationship(campaign1, 'targets', identity2)
relationship10 = Relationship(campaign2, 'targets', identity2)
relationship11 = Relationship(campaign1, 'uses', attack_pattern1)
relationship12 = Relationship(campaign2, 'uses', attack_pattern2)
relationship13 = Relationship(threat_actor, 'impersonates', identity2)
relationship14 = Relationship(threat_actor, 'targets', identity2)
relationship15 = Relationship(threat_actor, 'attributed-to', identity1)
relationship16 = Relationship(campaign2, 'targets', identity2)
relationship17 = Relationship(threat_actor, 'uses', attack_pattern1)
relationship18 = Relationship(threat_actor, 'uses', attack_pattern2)

bundle = Bundle(objects=[
    threat_actor, identity1, identity2, attack_pattern1, attack_pattern2,
    campaign1, campaign2, intrusionset, relationship1, relationship2,
    relationship3, relationship4, relationship5, relationship6, relationship7,
    relationship8, relationship9, relationship10, relationship11,
    relationship12, relationship13, relationship14, relationship15,
    relationship16, relationship17, relationship18
])
    modified="2017-02-28T19:37:11.213Z",
    first_observed="2017-02-27T21:37:11.213Z",
    last_observed="2017-02-27T21:37:11.213Z",
    number_observed=1,
    created_by_ref=identityOscorp.id,
    object_refs=["windows-registry-key--16b80d14-d574-5620-abad-10ff304b1c26"],
    spec_version="2.1",
    type="observed-data")

sighting = Sighting(
    id="sighting--779c4ae8-e134-4180-baa4-03141095d971",
    created_by_ref=identityOscorp.id,
    created="2017-02-28T19:37:11.213Z",
    modified="2017-02-28T19:37:11.213Z",
    first_seen="2017-02-28T19:07:24.856Z",
    last_seen="2017-02-28T19:07:24.857Z",
    count=1,
    sighting_of_ref="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
    where_sighted_refs=["identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c"],
    observed_data_refs=[
        "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
        "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4"
    ],
    spec_version="2.1",
    type="sighting")

bundle = Bundle(objects=[
    identityPym, identityOscorp, malware, observedDataFile, observedDataRegKey,
    sighting
])
                  malware_types=["remote-access-trojan"],
                  kill_chain_phases=[init_comp],
                  spec_version="2.1",
                  type="malware",
                  is_family="false")

ref = ExternalReference(source_name="capec",
                        description="phishing",
                        url="https://capec.mitre.org/data/definitions/98.html",
                        external_id="CAPEC-98")

attack_pattern = AttackPattern(
    id="attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
    created="2015-05-07T14:22:14.760Z",
    modified="2015-05-07T14:22:14.760Z",
    name="Phishing",
    description="Spear phishing used as a delivery mechanism for malware.",
    kill_chain_phases=[init_comp],
    external_references=[ref],
    spec_version="2.1",
    type="attack-pattern")

relationship1 = Relationship(threat_actor, 'uses', malware)
relationship2 = Relationship(threat_actor, 'uses', attack_pattern)
relationship3 = Relationship(threat_actor, 'attributed-to', identity)

bundle = Bundle(objects=[
    threat_actor, malware, attack_pattern, identity, relationship1,
    relationship2, relationship3
])
indicator = Indicator(
    id="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
    created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
    created="2017-02-27T13:57:10.515Z",
    modified="2017-02-27T13:57:10.515Z",
    name="Malicious URL",
    description="This URL is potentially associated with malicious activity and is listed on several blacklist sites.",
    indicator_types=["malicious-activity"],
    pattern="[url:value = 'http://paypa1.banking.com']",
    pattern_type="stix",
    valid_from="2015-06-29T09:10:15.915Z", 
    spec_version="2.1",
    type="indicator"
)

sighting = Sighting(
    id="sighting--8356e820-8080-4692-aa91-ecbe94006833",
    created_by_ref="identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
    created="2017-02-28T19:37:11.213Z",
    modified="2017-02-28T19:37:11.213Z",
    first_seen="2017-02-27T21:37:11.213Z",
    last_seen="2017-02-27T21:37:11.214Z",
    count=1,
    sighting_of_ref="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
    where_sighted_refs=["identity--5206ba14-478f-4b0b-9a48-395f690c20a2"], 
    spec_version="2.1",
    type="sighting"
)

bundle = Bundle(objects=[indicator, identityAlpha, identityBeta, sighting])
Example #10
0
from stix2.v21 import (ThreatActor, Identity, Relationship, Bundle)

threat_actor = ThreatActor(
    id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
    created="2014-11-19T23:39:03.893Z",
    modified="2014-11-19T23:39:03.893Z",
    name="Disco Team Threat Actor Group",
    description=
    "This organized threat actor group operates to create profit from all types of crime.",
    threat_actor_types=["crime-syndicate"],
    aliases=["Equipo del Discoteca"],
    roles=["agent"],
    goals=["Steal Credit Card Information"],
    sophistication="expert",
    resource_level="organization",
    primary_motivation="personal-gain")

identity = Identity(
    id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
    created="2016-08-23T18:05:49.307Z",
    modified="2016-08-23T18:05:49.307Z",
    name="Disco Team",
    description=
    "Disco Team is the name of an organized threat actor crime-syndicate.",
    identity_class="organization",
    contact_information="*****@*****.**")

relationship = Relationship(threat_actor, 'attributed-to', identity)

bundle = Bundle(objects=[threat_actor, identity, relationship])
Example #11
0
                      pattern="[domain-name:value='{}']".format(d),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    for p in processes:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[process:name='{}']".format(p),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    for f in filenames:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[file:name='{}']".format(f),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    for e in emails:
        i = Indicator(indicator_types=["malicious-activity"],
                      pattern="[email-addr:value='{}']".format(e),
                      pattern_type="stix")
        res.append(i)
        res.append(Relationship(i, 'indicates', malware))

    bundle = Bundle(objects=res)
    with open("pegasus.stix2", "w+") as f:
        f.write(str(bundle))
    print("pegasus.stix2 file created")
Example #12
0
    def processAndSubmit(self):
        # Create SDO's / Cyber Obs
        ext_ref = ExternalReference(
            source_name=f"Cape Sandbox Report {str(self.report.info.id)}",
            url=f"{self.cuckoo_url}/analysis/{str(self.report.info.id)}/",
            external_id=str(self.report.info.id),
        )

        if self.report.network.hosts:
            ips = self.createIPObs(self.report.network.hosts)
        else:
            ips = []

        if self.report.network.domains:
            fqdns = self.createDNSObs(self.report.network.domains)
        else:
            fqdns = [[], []]

        if self.report.process:
            processes = self.createProcessObs(self.report.process)
        else:
            processes = []

        if self.EnableRegKeys:
            if self.report.behavior:
                if self.report.behavior.write_keys:
                    registry_keys = self.createRegKeysObs(
                        self.report.behavior.write_keys)
                else:
                    registry_keys = None
            else:
                registry_keys = None
        else:
            registry_keys = None

        if self.EnableNetTraffic:
            if self.report.network:
                network_traffic = self.createNetTrafficObs(self.report.network)
            else:
                network_traffic = None
        else:
            network_traffic = None

        if self.report.payloads:
            dropped_binaries = self.createBinarieObs(self.report.payloads)
        else:
            dropped_binaries = []

        if self.report.signatures:
            AttackPatterns = self.getTTPs(self.report.ttps)
        else:
            AttackPatterns = []

        if self.report.detections:
            Malware = self.Get_Malware(self.report.detections)
        else:
            Malware = None

        # Get all IDs from ATPs/CyberObs
        IDs = self.get_related(
            ips,
            fqdns[0],
            processes,
            network_traffic,
            dropped_binaries,
            AttackPatterns,
            registry_keys,
            Malware,
        )

        if self.report.target.file:
            # Create Main binary and link All ATPs/Cyber Obs
            payload = self.createPrimaryBinary(self.report.target.file,
                                               ext_ref)
            payload_relations = []
            bundle_ids = []
            for ID in IDs:
                try:
                    IDx = ID.id
                    bundle_ids.append(
                        ID
                    )  # Get list for bundle w/o Attack Patterns that exisit
                except:
                    IDx = ID
                if IDx:
                    payload_relations.append(
                        Relationship(
                            relationship_type="related-to",
                            source_ref=payload[0].id,
                            target_ref=IDx,
                            allow_custom=True,
                        ))
            for ATP in AttackPatterns:
                payload_relations.append(
                    Relationship(
                        relationship_type="related-to",
                        source_ref=payload[0].id,
                        target_ref=ATP["standard_id"],
                        allow_custom=True,
                    ))
            if Malware:
                if "standard_id" in Malware:
                    ID = Malware["standard_id"]
                else:
                    ID = Malware["id"]

                Relationship(
                    relationship_type="related-to",
                    source_ref=payload[0].id,
                    target_ref=ID,
                    allow_custom=True,
                )

            IDs.append(payload[0])  # Add Observeable
            IDs.append(payload[1])  # Add Indicator
            bundle_ids.append(payload[0])
            bundle_ids.append(payload[1])
            payload_relations.append(payload[2])

        if int(self.report.malscore) >= self.ReportScore:
            # Create Report and link All ATPs/Cyber Obs/Payload
            report = self.createCuckooReport(self.report, IDs, ext_ref)
            b = Bundle(
                report,
                bundle_ids,
                payload_relations,
                fqdns[1],
                allow_custom=True,
            )  # fqdns[1] is the Resolves-to relations
        else:
            b = Bundle(
                bundle_ids,
                payload_relations,
                fqdns[1],
                allow_custom=True,
            )

        self.helper.send_stix2_bundle(b.serialize())

        return None
Example #13
0
    type="threat-actor")

indicator = Indicator(
    id="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
    name="Fake email address",
    description="Known to be used by The Joker.",
    indicator_types=["malicious-activity", "attribution"],
    pattern=
    "[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']",
    pattern_type="stix",
    valid_from="2017-04-27T16:18:24.318Z",
    granular_markings=[granular_red, granular_amber, granular_green],
    spec_version="2.1",
    type="indicator")

rel = Relationship(
    id="relationship--3d1dd3cc-eb47-4704-9c77-ceff2971b95c",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    relationship_type='indicates',
    source_ref="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    target_ref="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
    object_marking_refs=[TLP_RED],
    spec_version="2.1",
    type="relationship")

bundle = Bundle(objects=[identity, indicator, threat_actor, rel])
indicator = Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    name="Malicious site hosting downloader",
    description=
    "This organized threat actor group operates to create profit from all types of crime.",
    indicator_types=["malicious-activity"],
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    pattern_type="stix",
    valid_from="2014-06-29T13:49:37.079000Z")

foothold = KillChainPhase(kill_chain_name="mandiant-attack-lifecycle-model",
                          phase_name="establish-foothold")

malware = Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    malware_types=["backdoor", "remote-access-trojan"],
    description=
    "This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold],
    is_family="false")

relationship = Relationship(indicator, 'indicates', malware)

bundle = Bundle(objects=[indicator, malware, relationship])