def main():
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.core import STIXPackage
from cybox.core import Observables
from cybox.objects.address_object import Address
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")
coa.objective = obj
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)
pkg.add_course_of_action(coa)
print pkg.to_xml()
def add_coa_items(corrective_action_item, cost_corrective_action_item, pkg):
coa = CourseOfAction()
if corrective_action_item:
coa.title = corrective_action_item
if cost_corrective_action_item:
cost = Statement()
cost.value = map_cost_corrective_action_item_to_high_medium_low(cost_corrective_action_item)
coa.cost = cost
pkg.coa = coa
def main():
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.core import STIXPackage
from cybox.core import Observables
from cybox.objects.address_object import Address
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")
coa.objective = obj
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)
pkg.add_course_of_action(coa)
print(pkg.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
if obj.get_Indicators():
return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
if obj.get_Threat_Actors():
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
if obj.version:
return_obj.version = obj.version
if obj.Campaigns:
return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
if obj.Courses_Of_Action:
return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
if obj.Exploit_Targets:
return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
if obj.Indicators:
return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
if obj.Observables:
return_obj.observables = Observables.from_obj(obj.Observables)
if obj.Incidents:
return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
if obj.Threat_Actors:
return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
if obj.TTPs:
return_obj.ttps = TTPs.from_obj(obj.TTPs)
return return_obj
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(identity=Identity(
name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def convert_report(r20):
r1x = Report(id_=convert_id20(r20["id"]),
timestamp=text_type(r20["modified"]))
r1x.header = Header()
if "name" in r20:
r1x.header.title = r20["name"]
if "description" in r20:
r1x.header.add_description(r20["description"])
intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
REPORT_LABELS_MAP)
for i in intents:
r1x.header.add_intent(i)
if "published" in r20:
add_missing_property_to_description(r1x.header, "published",
r20["published"])
for ref in r20["object_refs"]:
ref_type = get_type_from_id(ref)
ref1x = convert_id20(ref)
if ref_type == "attack-pattern":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "campaign":
r1x.add_campaign(Campaign(idref=ref1x))
elif ref_type == 'course-of-action':
r1x.add_course_of_action(CourseOfAction(idref=ref1x))
elif ref_type == "indicator":
r1x.add_indicator(Indicator(idref=ref1x))
elif ref_type == "observed-data":
r1x.add_observable(Observable(idref=ref1x))
elif ref_type == "malware":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "threat-actor":
r1x.add_threat_actor(ThreatActor(idref=ref1x))
elif ref_type == "tool":
r1x.add_ttp(TTP(idref=ref1x))
elif ref_type == "vulnerability":
r1x.add_exploit_target(ExploitTarget(idref=ref1x))
elif ref_type == "identity" or ref_type == "relationship":
warn("%s in %s is not explicitly a member of a STIX 1.x report",
703, ref, r20["id"])
elif ref_type == "intrusion-set":
warn("%s in %s cannot be represented in STIX 1.x", 612, ref,
r20["id"])
else:
warn("ref type %s in %s is not known", 0, ref_type, r20["id"])
if "object_marking_refs" in r20:
for m_id in r20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(r1x, ms, descendants=True)
if "granular_markings" in r20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, r20["id"])
return r1x
def from_dict(cls, d, return_obj=None):
if not d:
return None
if not return_obj:
return_obj = cls()
return_obj.time = COATime.from_dict(d.get('time'))
return_obj.contributors = Contributors.from_dict(d.get('contributors'))
return_obj.course_of_action = CourseOfAction.from_dict(d.get('course_of_action'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.time = COATime.from_obj(obj.Time)
return_obj.contributors = Contributors.from_obj(obj.Contributors)
return_obj.course_of_action = CourseOfAction.from_obj(obj.Course_Of_Action)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.time = COATime.from_obj(obj.Time)
return_obj.contributors = Contributors.from_obj(obj.Contributors)
return_obj.course_of_action = CourseOfAction.from_obj(obj.Course_Of_Action)
return return_obj
def from_dict(cls, d, return_obj=None):
if not d:
return None
if not return_obj:
return_obj = cls()
return_obj.time = COATime.from_dict(d.get('time'))
return_obj.contributors = Contributors.from_dict(d.get('contributors'))
return_obj.course_of_action = CourseOfAction.from_dict(d.get('course_of_action'))
return return_obj
def buildCoa(input_dict):
# add incident and confidence
coa = CourseOfAction()
coa.title = input_dict['title']
coa.description = input_dict['description']
if input_dict['stage']:
coa.stage = input_dict['stage']
if input_dict['type']:
coa.type = input_dict['type']
if input_dict['objective']:
coa.objective = Objective(input_dict['objective'])
if input_dict['impact']:
coa.impact = input_dict['impact']
if input_dict['cost']:
coa.cost = input_dict['cost']
if input_dict['efficacy']:
coa.efficacy = input_dict['efficacy']
if input_dict['informationSource']:
coa.information_source = InformationSource(input_dict['informationSource'])
return coa
def convert_coa(coa20):
coa1x = CourseOfAction(id_=convert_id20(coa20["id"]),
timestamp=text_type(coa20["modified"]))
if "name" in coa20:
coa1x.title = coa20["name"]
if "description" in coa20:
coa1x.add_description(coa20["description"])
if "labels" in coa20:
coa_types = convert_open_vocabs_to_controlled_vocabs(
coa20["labels"], COA_LABEL_MAP)
coa1x.type_ = coa_types[0]
for l in coa_types[1:]:
warn(
"%s in STIX 2.0 has multiple %s, only one is allowed in STIX 1.x. Using first in list - %s omitted",
401, "labels", l)
if "object_marking_refs" in coa20:
for m_id in coa20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(coa1x, ms, descendants=True)
if "granular_markings" in coa20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, coa20["id"])
record_id_object_mapping(coa20["id"], coa1x)
return coa1x
def _merge_tgts(api_object, references):
related_objects = {}
for ref in references:
related_objects.setdefault(ref.ty, []).append(ref.idref)
if getattr(api_object, 'related_exploit_targets', None) is None:
setattr(api_object, 'related_exploit_targets', RelatedExploitTargets())
if getattr(api_object, 'potential_coas', None) is None:
setattr(api_object, 'potential_coas', PotentialCOAs())
for tgt in related_objects.get('tgt', []):
api_object.related_exploit_targets.append(ExploitTarget(idref=tgt))
for coa in related_objects.get('coa', []):
api_object.potential_coas.append(CourseOfAction(idref=coa))
def from_obj(cls, obj, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
return_obj.related_packages = RelatedPackages.from_obj(
obj.get_Related_Packages())
if obj.get_version():
return_obj.version = obj.get_version()
if obj.get_Campaigns():
return_obj.campaigns = [
Campaign.from_obj(x)
for x in obj.get_Campaigns().get_Campaign()
]
if obj.get_Courses_Of_Action():
return_obj.courses_of_action = [
CourseOfAction.from_obj(x)
for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
]
if obj.get_Exploit_Targets():
return_obj.exploit_targets = [
ExploitTarget.from_obj(x)
for x in obj.get_Exploit_Targets().get_Exploit_Target()
]
if obj.get_Indicators():
return_obj.indicators = [
Indicator.from_obj(x)
for x in obj.get_Indicators().get_Indicator()
]
if obj.get_Observables():
return_obj.observables = Observables.from_obj(
obj.get_Observables())
if obj.get_Incidents():
return_obj.incidents = [
Incident.from_obj(x)
for x in obj.get_Incidents().get_Incident()
]
if obj.get_Threat_Actors():
return_obj.threat_actors = [
ThreatActor.from_obj(x)
for x in obj.get_Threat_Actors().get_Threat_Actor()
]
if obj.get_TTPs():
return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id', None)
return_obj.idref = dict_repr.get('idref', None)
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
return return_obj
def main():
fileIn = open('tor_exit_node_list.txt', 'r')
fileOut = open('coa_tor.xml', 'w')
#print("List of Tor Exit nodes as of 5/4/2018")
ip_addr_list = []
for line in fileIn:
ip_addr = re.search(
'(([2][5][0-5]\.)|([2][0-4][0-9]\.)|([0-1]?[0-9]?[0-9]\.)){3}(([2][5][0-5])|([2][0-4][0-9])|([0-1]?[0-9]?[0-9]))',
line)
if ip_addr:
ip_addr_list.append(ip_addr)
#print(" ", ip_addr.group(0))
pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to Tor exit nodes"
coa.stage = "Response"
coa.type_ = "Perimeter Blocking"
obj = Objective()
obj.description = "Block communication to Tor exit nodes"
obj.applicability_confidence = Confidence("High")
i = 0
observables_list = []
for ip_addr in ip_addr_list:
addr = Address(address_value=ip_addr.group(0),
category=Address.CAT_IPV4)
observables_list.append(addr)
print(i)
i = i + 1
coa.parameter_observables = Observables(observables_list)
pkg.add_course_of_action(coa)
fileOut.write(pkg.to_xml(encoding=None))
# Related TTP (basic; by id) ttp = TTP(title='Phishing') beh = Behavior() attack_pattern = AttackPattern() attack_pattern.capec_id = 'CAPEC-98' attack_pattern.description = 'Phishing' beh.add_attack_pattern(attack_pattern) ttp.behavior = beh leveraged_ttps = LeveragedTTPs() related_ttp = RelatedTTP(TTP(idref=ttp.id_)) leveraged_ttps.append(related_ttp) incident.leveraged_ttps = leveraged_ttps # Related CoA (basic; by id) coa = CourseOfAction(title='Block traffic') related_coa = CourseOfAction(idref=coa.id_) incident.add_coa_requested(related_coa) incident.add_coa_taken(related_coa) # Generate STIX Package stix_package = STIXPackage() stix_package.add_observable(observable) stix_package.add_indicator(indicator) stix_package.add_threat_actor(ta) stix_package.add_incident(incident) stix_package.add_incident(incident2) stix_package.add_ttp(ttp) stix_package.add_course_of_action(coa) print(stix_package.to_xml().decode())
cce_id='CCE-27686-5',
description='The Apache web server be run with the appropriate privileges.',
short_description='Configuration Short Description')
et1.add_configuration(config)
# Exploit Target 1 - Vulnerability
vuln = Vulnerability()
vuln.cve_id = 'CVE-2018-1312'
cvss = CVSSVector()
cvss.base_score = '6.8'
cvss.base_vector = 'AV:N/AC:M/Au:N/C:P/I:P/A:P'
vuln.cvss_score = cvss
vuln.add_reference('https://nvd.nist.gov/vuln/detail/CVE-2018-1312')
et1.add_vulnerability(vuln)
# Exploit Target 1 - Potential COA
coa = CourseOfAction(title='Patch Apache httpd')
et1.potential_coas.append(CourseOfAction(idref=coa.id_))
# Exploit Target 2 - Related to Exploit Target 1
et2 = ExploitTarget(title='Apache HTTP Vulnerability - CVE-2018-1333')
et1.related_exploit_targets.append(ExploitTarget(idref=et2.id_))
# Generate STIX Package
stix_package = STIXPackage()
stix_package.add_exploit_target(et1)
stix_package.add_course_of_action(coa)
stix_package.add_exploit_target(et2)
print(stix_package.to_xml().decode())
def test_coa_idref_deprecation(self):
package = core.STIXPackage()
package.add(CourseOfAction(idref='test-idref-dep'))
from cybox.objects.domain_name_object import DomainName
from faker import Faker
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from stix.common.related import RelatedCOA
from stix.common.vocabs import COAStage, CourseOfActionType, HighMediumLow
from stix.core import STIXPackage
from stix.indicator import Indicator
# Generate IP Address and FQDN
fake = Faker()
ip = fake.ipv4()
domain = fake.domain_name()
# Basics
coa = CourseOfAction(
title='Block traffic to Malicious C2 Server ({})'.format(ip))
coa.description = 'Maecenas sed diam eget risus varius blandit sit amet non magna.'
coa.short_description = 'Tristique Venenatis Tortor Mollis Vestibulum'
# Objective
obj = Objective()
obj.description = 'Block communication between the infected agents and the C2 Server'
obj.short_description = 'Block traffic'
obj.applicability_confidence = Confidence(HighMediumLow('High'))
coa.objective = obj
# Attributes
coa.impact = HighMediumLow('Medium')
coa.cost = HighMediumLow('Low')
coa.efficacy = HighMediumLow('High')
coa.stage = COAStage('Response')
