def generateTTP(incident, attribute, ttps, eventTags): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"])) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.id_= namespace[1] + ":et-" + attribute["uuid"] if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.": et.title = attribute["comment"] else: et.title = "Vulnerability " + attribute["value"] et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] ttps.append(ttp) rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) relatedTTP = RelatedTTP(rttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def generate_vulnerability(self, incident, tags, attribute): ttp = self.create_ttp(tags, attribute) vulnerability = Vulnerability() vulnerability.cve_id = attribute.value ET = ExploitTarget(timestamp=attribute.timestamp) ET.id_ = "{}:et-{}".format(namespace[1], attribute.uuid) if attribute.comment and attribute.comment != "Imported via the freetext import.": ET.title = attribute.comment else: ET.title = "Vulnerability {}".format(attribute.value) ET.add_vulnerability(vulnerability) ttp.exploit_targets.append(ET) self.append_ttp(incident, attribute, ttp)
def test_et(self): e = ExploitTarget() e.title = UNICODE_STR e.description = UNICODE_STR e.short_description = UNICODE_STR e2 = round_trip(e) self._test_equal(e, e2)
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] expt.information_source = InformationSource( identity=Identity(name="National Vulnerability Database")) # Add the vulnerability object to the package object expt.add_vulnerability(_vulnbuild(data)) # Add the COA object to the ET object for coa in COAS: expt.potential_coas.append( CourseOfAction( idref=coa['id'], timestamp=expt.timestamp)) # Do some TTP stuff with CAPEC objects if TTPON is True: try: for i in data['capec']: pkg.add_ttp(_buildttp(i, expt)) except KeyError: pass expt.add_weakness(_weakbuild(data)) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] # If the function is not imported then output the xml to a file. if __name__ == '__main__': _postconstruct(xml, title) return xml else: sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from mixbox.idgen import set_id_namespace from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = _marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] expt.information_source = InformationSource(identity=Identity( name="National Vulnerability Database")) # Add the vulnerability object to the package object expt.add_vulnerability(_vulnbuild(data)) # Add the COA object to the ET object for coa in COAS: expt.potential_coas.append( CourseOfAction(idref=coa['id'], timestamp=expt.timestamp)) # Do some TTP stuff with CAPEC objects if TTPON is True: try: for i in data['capec']: pkg.add_ttp(_buildttp(i, expt)) except KeyError: pass expt.add_weakness(_weakbuild(data)) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() title = pkg.id_.split(':', 1)[-1] # If the function is not imported then output the xml to a file. if __name__ == '__main__': _postconstruct(xml, title) return xml else: sys.exit("[-] Error retrieving details for " + var)
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from stix.utils import idgen from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") idgen.set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] # Add the vulnerability object to the package object expt.add_vulnerability(vulnbuild(data)) # Do some TTP stuff with CAPEC objects try: for i in data['capec']: ttp = TTP() ttp.title = "CAPEC-" + str(i['id']) ttp.description = i['summary'] ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) pkg.add_ttp(ttp) except KeyError: pass # Do some weakness stuff if data['cwe'] != 'Unknown': weak = Weakness() weak.cwe_id = data['cwe'] expt.add_weakness(weak) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() # If the function is not imported then output the xml to a file. if __name__ == '__main__': title = pkg.id_.split(':', 1)[-1] with open(title + ".xml", "w") as text_file: text_file.write(xml) return xml
def get_exploit_target_from_json(ttp_json): json_cve = ttp_json['value'] json_title = ttp_json['title'] # title は "%CVE番号% (index)" とする title = '%s (%s)' % (json_cve, json_title) # CVE 情報を circl から取得する cve_info = Cve.get_cve_info(json_cve) # 各種 CVE 情報のリンクを作成 mitre_url = 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + str( json_cve) circl_url = 'http://cve.circl.lu/cve/' + str(json_cve) # Expoit_Target, Vulnerability の Short Description は link common_short_description = '%s (<a href="%s" target="_blank">MITRE</a>, <a href="%s" target="_blank">circl.lu</a>)<br/>' % ( json_cve, mitre_url, circl_url) # base_score try: vul_cvss_score = CVSSVector() vul_cvss_score.base_score = cve_info['cvss'] except BaseException: vul_cvss_score = None # Expoit_Target, Vulnerability の Description 作成 common_decritpion = common_short_description # base_score があったら追加する if vul_cvss_score is not None: common_decritpion += ('Base Score: %s<br/>' % (vul_cvss_score.base_score)) # vulnerability の description は circl から取得した description try: common_decritpion += ('%s<br/>' % (cve_info['summary'])) except BaseException: # 取得失敗時は circl のページの url common_decritpion += ('%s<br/>' % (circl_url)) # ExploitTarget et = ExploitTarget() et.title = title et.description = common_decritpion et.short_description = common_short_description # Vulnerability vulnerablity = Vulnerability() vulnerablity.title = title vulnerablity.description = common_decritpion vulnerablity.short_description = common_short_description vulnerablity.cve_id = json_cve if vul_cvss_score is not None: vulnerablity.cvss_score = vul_cvss_score et.add_vulnerability(vulnerablity) return et
def buildTarget(input_dict): # add incident and confidence target = ExploitTarget() target.title = input_dict['title'] target.description = input_dict['description'] if input_dict['vulnerability']: target.add_vulnerability(input_dict['vulnerability']) if input_dict['weakness']: target.add_weakness(input_dict['weakness']) if input_dict['configuration']: target.configuration = input_dict['configuration'] if input_dict['informationSource']: target.information_source = InformationSource(input_dict['informationSource']) return target
def get_exploit_target_from_cve(cve): title = cve # description は mitreのページヘのリンク description = 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + str( cve) # ExploitTarget et = ExploitTarget() et.title = title et.description = description et.short_description = description # Vulnerability vulnerablity = Vulnerability() vulnerablity.title = title vulnerablity.description = description vulnerablity.short_description = description vulnerablity.cve_id = cve et.add_vulnerability(vulnerablity) return et
def get_exploit_target_from_json(ttp_json): json_cve = ttp_json['value'] json_title = ttp_json['title'] # title は "%CVE番号% (index)" とする title = '%s (%s)' % (json_cve, json_title) # # CVE 情報を circl から取得する cve_info = CommonExtractor.get_cve_info(json_cve) # Expoit_Target, Vulnerability の Short Description は link common_short_description = CommonExtractor.get_ttp_common_short_description( ttp_json) # # base_score vul_cvss_score = CommonExtractor.get_vul_cvss_score(cve_info) # Expoit_Target, Vulnerability の Description 作成 common_decritpion = CommonExtractor.get_ttp_common_description( ttp_json) # ExploitTarget et = ExploitTarget() et.title = title et.description = common_decritpion et.short_description = common_short_description # Vulnerability vulnerablity = Vulnerability() vulnerablity.title = title vulnerablity.description = common_decritpion vulnerablity.short_description = common_short_description vulnerablity.cve_id = json_cve if vul_cvss_score is not None: vulnerablity.cvss_score = vul_cvss_score et.add_vulnerability(vulnerablity) return et