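def add_software(client: Act, matrice: AttckMatrice, output_format: Text = "json") -> List:
    """
    Extract objects/facts related to ATT&CK Software (malwares and tools).

    Each fact is passed to handle_fact, which inserts it into ACT when
    client.baseurl is set and otherwise prints it to stdout.

    Args:
        client (Act): ACT client used to build the facts
        matrice (AttckMatrice): ATT&CK matrix whose malwares/tools are read
        output_format (Text): "json" or "str" output format

    Returns:
        List of software objects that were skipped because they are
        deprecated or revoked. No facts are emitted for these; the caller
        is expected to use the list for notification.
    """
    notify: List = []

    # The enterprise matrix has malwares and tools, but pre-attack has
    # neither, so fall back to an empty list for a missing attribute.
    software_objects = getattr(matrice, "malwares", []) + getattr(matrice, "tools", [])

    for software in software_objects:
        if deprecated_or_revoked(software):
            # Revoked/deprecated objects go on the notification list and are
            # not turned into facts for the platform.
            notify.append(software)
            continue

        tool_name = software.name

        # Tool category
        handle_fact(
            client.fact("category", software.type).source("tool", tool_name),
            output_format=output_format,
        )

        for alias in software.alias:
            # An alias identical to the canonical name would only yield a
            # self-referencing alias fact, so it is skipped.
            if alias == tool_name:
                continue

            # Tool category (alias)
            handle_fact(
                client.fact("category", software.type).source("tool", alias),
                output_format=output_format,
            )
            handle_fact(
                client.fact("alias").bidirectional("tool", tool_name, "tool", alias),
                output_format=output_format,
            )

        for technique in software.techniques:
            handle_fact(
                client.fact("implements")
                .source("tool", tool_name)
                .destination("technique", technique.id),
                output_format=output_format,
            )

    return notify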
def add_ta_campaign(client: Act, output_format: Text, threat_actor: Text, campaign: Text) -> None:
    """
    Threat Actor Campaign: link a threat actor to a campaign.

    Builds a two-fact chain through an incident object whose value is the
    literal "*" (presumably a placeholder resolved by
    act.api.fact.fact_chain — confirm against that API) and hands the
    chain to handle_facts.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        campaign (Text): Campaign name
    """
    incident_to_campaign = (
        client.fact("attributedTo")
        .source("incident", "*")
        .destination("campaign", campaign)
    )
    incident_to_actor = (
        client.fact("attributedTo")
        .source("incident", "*")
        .destination("threatActor", threat_actor)
    )
    chain = act.api.fact.fact_chain(incident_to_campaign, incident_to_actor)
    handle_facts(chain, output_format=output_format)
def add_ta_located_in(client: Act, output_format: Text, threat_actor: Text, located_in: Text) -> None:
    """
    Threat actor located in: link a threat actor to a country.

    The chain goes through an organization object whose value is the
    literal "*" (presumably a placeholder resolved by
    act.api.fact.fact_chain — confirm against that API): the organization
    is locatedIn the country, and the threat actor is attributedTo the
    organization.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        located_in (Text): Country the actor is located in
    """
    org_in_country = (
        client.fact("locatedIn")
        .source("organization", "*")
        .destination("country", located_in)
    )
    actor_to_org = (
        client.fact("attributedTo")
        .source("threatActor", threat_actor)
        .destination("organization", "*")
    )
    chain = act.api.fact.fact_chain(org_in_country, actor_to_org)
    handle_facts(chain, output_format=output_format)
def add_ta_target_country(client: Act, output_format: Text, threat_actor: Text, target_countries: List[Text]) -> None:
    """
    Threat actor target countries: link a threat actor to each country it targets.

    For every country a three-fact chain is emitted through incident "*"
    and organization "*" objects (the "*" value is presumably a
    placeholder resolved by act.api.fact.fact_chain — confirm against
    that API): incident targets organization, organization locatedIn
    country, incident attributedTo threat actor.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        target_countries (List[Text]): Countries targeted by the actor;
            an empty list emits nothing
    """
    for country in target_countries:
        incident_targets_org = (
            client.fact("targets")
            .source("incident", "*")
            .destination("organization", "*")
        )
        org_in_country = (
            client.fact("locatedIn")
            .source("organization", "*")
            .destination("country", country)
        )
        incident_to_actor = (
            client.fact("attributedTo")
            .source("incident", "*")
            .destination("threatActor", threat_actor)
        )
        chain = act.api.fact.fact_chain(
            incident_targets_org, org_in_country, incident_to_actor
        )
        handle_facts(chain, output_format=output_format)
def add_ta_sectors(client: Act, output_format: Text, threat_actor: Text, sectors: List[Text]) -> None:
    """
    Threat Actor Sectors: link a threat actor to each sector it targets.

    For every sector a three-fact chain is emitted through incident "*"
    and organization "*" objects (the "*" value is presumably a
    placeholder resolved by act.api.fact.fact_chain — confirm against
    that API): incident targets organization, organization memberOf
    sector, incident attributedTo threat actor.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        sectors (List[Text]): Sectors targeted by the actor; an empty list
            emits nothing
    """
    for sector in sectors:
        incident_targets_org = (
            client.fact("targets")
            .source("incident", "*")
            .destination("organization", "*")
        )
        org_in_sector = (
            client.fact("memberOf")
            .source("organization", "*")
            .destination("sector", sector)
        )
        incident_to_actor = (
            client.fact("attributedTo")
            .source("incident", "*")
            .destination("threatActor", threat_actor)
        )
        chain = act.api.fact.fact_chain(
            incident_targets_org, org_in_sector, incident_to_actor
        )
        handle_facts(chain, output_format=output_format)
def add_ta_techniques(client: Act, output_format: Text, threat_actor: Text, techniques: List[Text]) -> None:
    """
    Threat Actor Techniques: link a threat actor to techniques via incident "*".

    NOTE(review): this module defines add_ta_techniques twice. At import
    time the later definition (which builds an event-based chain) replaces
    this one, so this body is unreachable until the duplicate is resolved.
    The two facts built here are the same ones add_groups emits per
    technique, only in the opposite order.

    For every technique a two-fact chain is emitted: incident "*"
    attributedTo threat actor, technique observedIn incident "*" (the "*"
    value is presumably a placeholder resolved by act.api.fact.fact_chain —
    confirm against that API).

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        techniques (List[Text]): Technique IDs; an empty list emits nothing
    """
    for technique_id in techniques:
        incident_to_actor = (
            client.fact("attributedTo")
            .source("incident", "*")
            .destination("threatActor", threat_actor)
        )
        technique_in_incident = (
            client.fact("observedIn")
            .source("technique", technique_id)
            .destination("incident", "*")
        )
        chain = act.api.fact.fact_chain(incident_to_actor, technique_in_incident)
        handle_facts(chain, output_format=output_format)
def add_ta_tools(client: Act, output_format: Text, threat_actor: Text, tools: List[Text]) -> None:
    """
    Threat Actor Tools: link a threat actor to each tool it is known to use.

    For every tool a three-fact chain is emitted through content "*" and
    incident "*" objects (the "*" value is presumably a placeholder
    resolved by act.api.fact.fact_chain — confirm against that API):
    content classifiedAs tool, content observedIn incident, incident
    attributedTo threat actor.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_facts
        threat_actor (Text): Threat actor name
        tools (List[Text]): Tool names; an empty list emits nothing
    """
    for tool_name in tools:
        content_is_tool = (
            client.fact("classifiedAs")
            .source("content", "*")
            .destination("tool", tool_name)
        )
        content_in_incident = (
            client.fact("observedIn")
            .source("content", "*")
            .destination("incident", "*")
        )
        incident_to_actor = (
            client.fact("attributedTo")
            .source("incident", "*")
            .destination("threatActor", threat_actor)
        )
        chain = act.api.fact.fact_chain(
            content_is_tool, content_in_incident, incident_to_actor
        )
        handle_facts(chain, output_format=output_format)
def add_ta_techniques(client: Act, output_format: Text, threat_actor: Text, techniques: List[Text]) -> None:
    """
    Threat Actor Techniques: link a threat actor to techniques via an event.

    NOTE(review): this is the second definition of add_ta_techniques in the
    module and the one in effect; the earlier definition (an observedIn
    chain through incident "*") is shadowed by it. Unlike its siblings,
    this function iterates the chain and calls handle_fact per fact instead
    of passing the chain to handle_facts — whether that is equivalent
    depends on handle_facts, which is not visible here.

    For every technique a three-fact chain is emitted through incident "*"
    and event "*" objects (the "*" value is presumably a placeholder
    resolved by act.api.fact.fact_chain — confirm against that API):
    incident attributedTo threat actor, event attributedTo incident, event
    classifiedAs technique.

    Args:
        client (Act): ACT client used to build the facts
        output_format (Text): Fact output format passed to handle_fact
        threat_actor (Text): Threat actor name
        techniques (List[Text]): Technique IDs; an empty list emits nothing
    """
    for technique_id in techniques:
        incident_to_actor = (
            client.fact("attributedTo")
            .source("incident", "*")
            .destination("threatActor", threat_actor)
        )
        event_to_incident = (
            client.fact("attributedTo")
            .source("event", "*")
            .destination("incident", "*")
        )
        event_is_technique = (
            client.fact("classifiedAs")
            .source("event", "*")
            .destination("technique", technique_id)
        )
        chain = act.api.fact.fact_chain(
            incident_to_actor, event_to_incident, event_is_technique
        )
        for chained_fact in chain:
            handle_fact(chained_fact, output_format=output_format)
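def handle_techniques(
    client: Act,
    technique: "AttckTechnique",
    main_technique: Optional["AttckTechnique"],
    output_format: Text = "json",
) -> List:
    """
    Emit facts for one ATT&CK technique (or sub-technique) and its tactics.

    Args:
        client (Act): ACT client used to build the facts
        technique (AttckTechnique): Technique or sub-technique object; its
            id, name and tactics are read
        main_technique (Optional[AttckTechnique]): If set, ``technique`` is a
            sub-technique of this technique and a subTechniqueOf fact is
            emitted first
        output_format (Text): Fact output format passed to handle_fact;
            defaults to "json"

    Returns:
        ``[technique]`` when the technique is deprecated or revoked (no facts
        are emitted, the caller can notify about it), otherwise an empty
        list.
    """
    if deprecated_or_revoked(technique):
        # Revoked/deprecated objects go on the notification list and are
        # not turned into facts for the platform.
        return [technique]

    technique_id = technique.id

    if main_technique:
        handle_fact(
            client.fact("subTechniqueOf")
            .source("technique", technique_id)
            .destination("technique", main_technique.id),
            output_format=output_format,
        )

    handle_fact(
        client.fact("name", technique.name).source("technique", technique_id),
        output_format=output_format,
    )

    # MITRE ATT&CK tactics are represented in STIX as kill chain phases with
    # kill_chain_name "mitre-attack"; each tactic gets an accomplishes fact
    # from the technique plus its own name fact.
    for tactic in technique.tactics:
        handle_fact(
            client.fact("accomplishes")
            .source("technique", technique_id)
            .destination("tactic", tactic.id),
            output_format=output_format,
        )
        handle_fact(
            client.fact("name", tactic.name).source("tactic", tactic.id),
            output_format=output_format,
        )

    return []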
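def add_groups(client: Act, matrice: AttckMatrice, output_format: Text = "json") -> List:
    """
    Extract objects/facts related to ATT&CK Threat Actors (groups).

    For each actor: bidirectional alias facts, a tool chain per known tool
    and a technique chain per technique. Facts are passed to handle_fact /
    handle_facts, which insert them into ACT or print them depending on the
    client configuration.

    Args:
        client (Act): ACT client used to build the facts
        matrice (AttckMatrice): ATT&CK matrix whose actors are read
        output_format (Text): "json" or "str" output format

    Returns:
        List of actor objects that were skipped because they are deprecated
        or revoked. No facts are emitted for these; the caller is expected
        to use the list for notification.
    """
    notify: List = []

    for actor in matrice.actors:
        if deprecated_or_revoked(actor):
            # Revoked/deprecated objects go on the notification list and are
            # not turned into facts for the platform.
            notify.append(actor)
            continue

        actor_name = actor.name

        for alias in actor.alias:
            # An alias identical to the canonical name would only yield a
            # self-referencing alias fact, so it is skipped.
            if alias == actor_name:
                continue
            handle_fact(
                client.fact("alias").bidirectional(
                    "threatActor", actor_name, "threatActor", alias
                ),
                output_format=output_format,
            )

        # The per-tool chain (content "*" classifiedAs tool, content "*"
        # observedIn incident "*", incident "*" attributedTo actor) is exactly
        # what add_ta_tools builds, so delegate to it rather than duplicate it.
        add_ta_tools(client, output_format, actor_name, actor.known_tools)

        # Kept inline: the add_ta_techniques definition in effect in this
        # module builds an event-based chain, whereas this chain links the
        # technique to incident "*" via observedIn.
        for technique in actor.techniques:
            technique_in_incident = (
                client.fact("observedIn")
                .source("technique", technique.id)
                .destination("incident", "*")
            )
            incident_to_actor = (
                client.fact("attributedTo")
                .source("incident", "*")
                .destination("threatActor", actor_name)
            )
            chain = act.api.fact.fact_chain(technique_in_incident, incident_to_actor)
            handle_facts(chain, output_format=output_format)

    return notify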