def to_threat_actor(r):
""" Fungsi untuk mengubah menjadi objek stix threat-actor dengan cara lookup ip ke geoip maxmind """
uid = str(uuid.uuid4())
created = datetime.now()
modified = created
if type(r["src_ip"]) == list:
threat_actor_list = []
for src_ip in r["src_ip"]:
uid = str(uuid.uuid4())
ip = src_ip
geoip = lookup_ip(ip)
if geoip['city'] == 'PRIVATE':
name = 'Internal threat actor'
desc = 'Threat actor from internal system | ' + ip
else:
name = geoip['country'] + ' threat actor'
desc = 'Threat actor from ' + geoip['city'] + ', ' + geoip['country'] + ' | ' + ip
threat_actor = stix2.ThreatActor(
id="threat-actor--" + uid,
created=created,
modified=modified,
name=name,
description=desc,
labels=["crime-syndicate"]
)
threat_actor_list.append(threat_actor)
return threat_actor_list
else:
ip = r['src_ip']
geoip = lookup_ip(ip)
if geoip['city'] == 'PRIVATE':
name = 'Internal threat actor'
desc = 'Threat actor from internal system | ' + ip
else:
name = geoip['country'] + ' threat actor'
desc = 'Threat actor from ' + geoip['city'] + ', ' + geoip['country'] + ' | ' + ip
threat_actor = stix2.ThreatActor(
id="threat-actor--" + uid,
created=created,
modified=modified,
name=name,
description=desc,
labels=["crime-syndicate"]
)
return threat_actor
def test_threat_actor_example():
threat_actor = stix2.ThreatActor(
id="threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Evil Org",
description="The Evil Org threat actor group",
labels=["crime-syndicate"],
)
assert str(threat_actor) == EXPECTED
import stix2
threat_actor = stix2.ThreatActor(
id="threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
created="2015-05-07T14:22:14.760Z",
modified="2015-05-07T14:22:14.760Z",
name="Adversary Bravo",
description=
"Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.",
labels=["spy", "criminal"])
identity = stix2.Identity(
id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111",
created="2015-05-10T16:27:17.760Z",
modified="2015-05-10T16:27:17.760Z",
name="Adversary Bravo",
description=
"Adversary Bravo is a threat actor that utilizes phishing attacks.",
identity_class="unknown")
init_comp = stix2.KillChainPhase(
kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="initial-compromise")
malware = stix2.Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
created="2015-04-23T11:12:34.760Z",
modified="2015-04-23T11:12:34.760Z",
name="Poison Ivy Variant d1c6",
labels=["remote-access-trojan"],
kill_chain_phases=[init_comp])
import stix2
threat_actor = stix2.ThreatActor(
id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
created="2014-11-19T23:39:03.893Z",
modified="2014-11-19T23:39:03.893Z",
name="Disco Team Threat Actor Group",
description=
"This organized threat actor group operates to create profit from all types of crime.",
labels=["crime-syndicate"],
aliases=["Equipo del Discoteca"],
roles=["agent"],
goals=["Steal Credit Card Information"],
sophistication="expert",
resource_level="organization",
primary_motivation="personal-gain")
identity = stix2.Identity(
id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
created="2016-08-23T18:05:49.307Z",
modified="2016-08-23T18:05:49.307Z",
name="Disco Team",
description=
"Disco Team is the name of an organized threat actor crime-syndicate.",
identity_class="organization",
contact_information="*****@*****.**")
relationship = stix2.Relationship(threat_actor, 'attributed-to', identity)
bundle = stix2.Bundle(objects=[threat_actor, identity, relationship])
def threat_actor_maker(**kwargs):
threat_actor = stix2.ThreatActor(**kwargs)
flag = itemtofile(threat_actor)
return flag, threat_actor
def stix_bundle(objs, rel=True, sight=True):
objects = ()
ids = []
for o in objs:
if not o.object_id.id in ids:
ids.append(o.object_id.id)
if o.object_type.name == "report":
r = Report.objects.get(id=o.id)
for i in r.object_refs.all().values_list("id", flat=True):
if i in ids:
ids.append(i)
if rel:
rels = Relationship.objects.filter(
Q(source_ref=o.object_id)\
|Q(target_ref=o.object_id)\
)
lists = list(rels.values_list("object_id", flat=True)) + \
list(rels.values_list("source_ref", flat=True)) + \
list(rels.values_list("target_ref", flat=True))
for i in lists:
if not i in ids:
ids.append(i)
if sight:
sights = Sighting.objects.filter(
Q(where_sighted_refs=o.object_id)\
|Q(sighting_of_ref=o.object_id)\
)
lists = list(sights.values_list("object_id", flat=True)) + \
list(sights.values_list("sighting_of_ref", flat=True))
for i in lists:
if not i in ids:
ids += i
oids = STIXObjectID.objects.filter(id__in=ids)
for oid in oids:
obj = myforms.get_obj_from_id(oid)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'indicator':
i = stix2.Indicator(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
pattern=[str(p.value) for p in obj.pattern.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
elif obj.object_type.name == 'report':
r = stix2.Report(
id=obj.object_id.object_id,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=obj.description,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (r, )
bundle = stix2.Bundle(*objects)
return bundle
selectors=["labels.[0]", "name", "pattern"])
identity = stix2.Identity(id="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
created="2017-04-27T16:18:24.318Z",
modified="2017-04-27T16:18:24.318Z",
name="Gotham National Bank",
contact_information="*****@*****.**",
identity_class="organization",
sectors=["financial-services"])
threat_actor = stix2.ThreatActor(
id="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
created="2017-04-27T16:18:24.318Z",
modified="2017-04-27T16:18:24.318Z",
created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
name="The Joker",
labels=["terrorist", "criminal"],
aliases=["Joe Kerr", "The Clown Prince of Crime"],
roles=["director"],
resource_level="team",
primary_motivation="personal-satisfaction",
object_marking_refs=[stix2.TLP_RED])
indicator = stix2.Indicator(
id="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
created="2017-04-27T16:18:24.318Z",
modified="2017-04-27T16:18:24.318Z",
created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
name="Fake email address",
description="Known to be used by The Joker.",
labels=["malicious-activity", "attribution"],
pattern=
campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True)
course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS,
interoperability=True)
identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True)
indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True)
intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS,
interoperability=True)
malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True)
marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS,
interoperability=True)
observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS,
interoperability=True)
relationship = stix2.Relationship(**RELATIONSHIP_KWARGS,
interoperability=True)
sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
threat_actor = stix2.ThreatActor(**THREAT_ACTOR_KWARGS,
interoperability=True)
tool = stix2.Tool(**TOOL_KWARGS) #, interoperability=True),
vulnerability = stix2.Vulnerability(**VULNERABILITY_KWARGS,
interoperability=True)
report = stix2.Report(**REPORT_KWARGS, interoperability=True)
bundle = stix2.Bundle(**BUNDLE_KWARGS,
interoperability=True,
objects=[
attack_pattern, campaign, course_of_action,
identity, indicator, intrusion_set, malware,
marking_definition, observed_data, tool,
relationship, sighting, threat_actor,
vulnerability, report
])
stix2.parse(dict(bundle), interoperability=True)
print("All interoperability tests passed !")
import stix2
threat_actor = stix2.ThreatActor(
id="threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
created="2016-08-08T15:50:10.983Z",
modified="2016-08-08T15:50:10.983Z",
name="Fake BPP (Branistan Peoples Party)",
labels=["nation-state"],
roles=["director"],
goals=["Influence the election in Branistan"],
resource_level="government"
primary_motivation="ideology",
secondary_motivations=["dominance"],
sophistication="strategic"
)
identity1 = stix2.Identity(
id="identity--8c6af861-7b20-41ef-9b59-6344fd872a8f",
created="2016-08-08T15:50:10.983Z",
modified="2016-08-08T15:50:10.983Z",
name="Franistan Intelligence",
identity_class="organisation"
)
ref_bpp = stix2.ExternalReference(
source_name="website",
url="http://www.bpp.bn"
)
identity2 = stix2.Identity(
id="identity--ddfe7140-2ba4-48e4-b19a-df069432103b",
def stix_bundle(rep):
objects = ()
for ref in rep.object_refs.all():
obj = myforms.get_obj_from_id(ref)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
report = stix2.Report(
id=rep.object_id.object_id,
labels=[str(l.value) for l in rep.labels.all()],
name=rep.name,
description=rep.description,
published=rep.published,
object_refs=[str(r.object_id) for r in rep.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (report, )
bundle = stix2.Bundle(*objects)
return bundle
def stix_bundle(objs, mask=True):
objects = ()
for obj in objs:
oid = obj.object_id.object_id
dscr = ""
if not mask and hasattr(obj, "description"):
dscr = obj.description
if obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (a, )
elif obj.object_type.name == 'campaign':
c = stix2.Campaign(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
last_seen=obj.last_seen,
)
objects += (c, )
elif obj.object_type.name == 'course-of-action':
c = stix2.CourseOfAction(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (c, )
elif obj.object_type.name == 'identity':
name = obj.name
if mask:
name = oid
label = obj.labels.all()
if label.count() >= 1:
name = str(obj.id)
if label[0].alias:
name += '-' + label[0].alias
else:
name += '-' + label[0].value
i = stix2.Identity(
id=oid,
name=name,
identity_class=obj.identity_class,
description=dscr,
sectors=[str(s.value) for s in obj.sectors.all()],
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'indicator':
pattern = "[]"
if not mask and obj.pattern:
pattern = obj.pattern.pattern
i = stix2.Indicator(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
pattern=pattern,
created=obj.created,
modified=obj.modified,
valid_from=obj.valid_from,
valid_until=obj.valid_until,
)
objects += (i, )
elif obj.object_type.name == 'intrusion-set':
i = stix2.IntrusionSet(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
#last_seen=obj.last_seen,
)
objects += (i, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (m, )
elif obj.object_type.name == 'observed-data':
obs = {}
for o in obj.observable_objects.all():
ob = None
if o.type.name == "file":
f = FileObject.objects.get(id=o.id)
ob = stix2.File(name=f.name)
elif o.type.name == "ipv4-addr":
i = IPv4AddressObject.objects.get(id=o.id)
ob = stix2.IPv4Address(value=i.value)
elif o.type.name == "url":
u = URLObject.objects.get(id=o.id)
ob = stix2.URL(value=u.value)
elif o.type.name == "domain-name":
dn = DomainNameObject.objects.get(id=o.id)
ob = stix2.DomainName(value=dn.value)
if ob and not mask:
obs[str(o.id)] = json.loads(str(ob))
od = stix2.ObservedData(
id=oid,
created=obj.created,
modified=obj.modified,
first_observed=obj.first_observed,
last_observed=obj.last_observed,
number_observed=obj.number_observed,
objects=obs,
)
objects += (od, )
elif obj.object_type.name == 'report':
created_by = None
if obj.created_by_ref:
created_by = obj.created_by_ref.object_id
r = stix2.Report(
id=oid,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=dscr,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created_by_ref=created_by,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'tool':
t = stix2.Tool(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (t, )
elif obj.object_type.name == 'vulnerability':
v = stix2.Vulnerability(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (v, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=oid,
relationship_type=obj.relationship_type.name,
description=dscr,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=oid,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id.object_id)
for w in obj.where_sighted_refs.all()
],
observed_data_refs=[
str(od.object_id.object_id)
for od in obj.observed_data_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
bundle = stix2.Bundle(*objects)
return bundle
