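def _get_threat_actor_object(value, description=None, crowd_strike_motivations=None):
    """Build a STIX 1.x ThreatActor for an extracted actor name.

    Args:
        value: actor name; becomes the ThreatActor title and the organisation
            name inside the CIQ identity.
        description: free text copied to both ``description`` and
            ``short_description`` (may be None).
        crowd_strike_motivations: iterable of dicts carrying a ``'value'`` key,
            each turned into a motivation Statement. Defaults to none.

    Returns:
        The populated ThreatActor.
    """
    # A mutable default argument ([]) is shared between calls; resolve None here instead.
    if crowd_strike_motivations is None:
        crowd_strike_motivations = []

    # CIQ identity carrying the organisation name.
    organisation_name = OrganisationName(value)
    party_name = PartyName()
    party_name.add_organisation_name(organisation_name)
    identity_specification = STIXCIQIdentity3_0()
    identity_specification.party_name = party_name
    identity = CIQIdentity3_0Instance()
    identity.specification = identity_specification

    ta = ThreatActor()
    ta.identity = identity
    # The extracted actor name doubles as the title.
    ta.title = value
    ta.description = description
    ta.short_description = description

    for motivation in crowd_strike_motivations:
        ta.add_motivation(Statement(motivation['value']))
    return ta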
def test_ta(self):
    """Round-trip a ThreatActor whose text fields hold non-ASCII content."""
    original = ThreatActor()
    for field in ("title", "description", "short_description"):
        setattr(original, field, UNICODE_STR)
    restored = round_trip(original)
    self._test_equal(original, restored)
def generateThreatActor(attribute):
    """Turn a MISP attribute dict into a minimal STIX ThreatActor.

    The attribute's uuid is the id suffix (under the ``example`` namespace),
    the numeric id and uuid form the title, and the raw value becomes the
    description. The value is operator-supplied text and is stored verbatim;
    escaping is presumably left to XML serialization.
    """
    uuid = attribute["uuid"]
    actor = ThreatActor()
    actor.id_ = "example:threatactor-" + uuid
    actor.title = "MISP Attribute #" + attribute["id"] + " uuid: " + uuid
    actor.description = attribute["value"]
    return actor
def main():
    """Print a STIX package holding one threat actor with a CIQ identity.

    The identity carries two organisation names, a language, a US/California
    address and three electronic-address identifiers.
    """
    spec = STIXCIQIdentity3_0()

    spec.party_name = PartyName()
    names = (
        ("Disco Team", "CommonUse"),
        ("Equipo del Discoteca", "UnofficialName"),
    )
    for name, name_type in names:
        spec.party_name.add_organisation_name(OrganisationName(name, type_=name_type))
    spec.add_language("Spanish")

    address = Address()
    address.country = Country()
    address.country.add_name_element("United States")
    address.administrative_area = AdministrativeArea()
    address.administrative_area.add_name_element("California")
    spec.add_address(address)

    for contact in ("*****@*****.**", "facebook.com/thediscoteam", "twitter.com/realdiscoteam"):
        spec.add_electronic_address_identifier(contact)

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()
    actor.identity.specification = spec

    package = STIXPackage()
    package.add_threat_actor(actor)
    print(package.to_xml(encoding=None))
def main():
    """Print a STIX package with one threat actor and one risk-score indicator."""
    # Threat actor built from the data we have.
    actor = ThreatActor()
    actor.title = "Ip/Domain/Hostname"
    actor.description = "A threatActor commited with malicious tasks"
    actor.information_source = "Malshare"
    # NOTE(review): "01/05/2019" is ambiguous (Jan 5 vs May 1); an ISO 8601
    # date such as "2019-05-01" would be unambiguous once the intended day is known.
    actor.timestamp = "01/05/2019"
    # NOTE(review): identity is given a bare IP string; python-stix's
    # ThreatActor.identity normally holds an Identity object — confirm this
    # serializes as intended.
    actor.identity = "106.113.123.197"
    actor.types = "eCrime Actor - Spam Service"

    # Indicator built from the data we have.
    indicator = Indicator()
    indicator.title = "Risk Score"
    indicator.description = "An indicator containing the appropriate Risk Score"
    indicator.set_produced_time("01/05/2019")
    indicator.likely_impact = "Risk Score: 2(Medium)"

    # STIX report with a brief description in its header.
    header = STIXHeader()
    header.description = "Feeds in STIX format with their Risk Scores"
    package = STIXPackage()
    package.stix_header = header

    # Attach both objects to the report and print the XML.
    for obj in (actor, indicator):
        package.add(obj)
    print(package.to_xml())
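def main():
    """Emit a STIX package with a threat actor linked to two TTPs.

    Builds a phishing attack-pattern TTP (CAPEC-98) and a Poison Ivy malware
    TTP, then an "Adversary Bravo" actor whose observed_ttps reference both
    by idref, and prints the package XML.
    """
    stix_package = STIXPackage()

    ttp_phishing = TTP(title="Phishing")
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = "Phishing"
    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")
    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")
    # Link by idref rather than embedding, so the TTPs remain top-level objects.
    ta_bravo.observed_ttps.append(
        RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern"))
    ta_bravo.observed_ttps.append(
        RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware"))

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)
    # print() is valid on both Python 2 and 3; the original print statement
    # is a SyntaxError on Python 3.
    print(stix_package.to_xml())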
def generate_threat_actor(attribute):
    """Map a MISP attribute object to a STIX ThreatActor.

    The id is ``<namespace>:threatactor-<uuid>``, the title combines category,
    value and attribute id, and the description is the value with the comment
    appended in parentheses when one is set. The attribute timestamp is used
    as the actor timestamp.
    """
    actor = ThreatActor(timestamp=attribute.timestamp)
    actor.id_ = "{}:threatactor-{}".format(namespace[1], attribute.uuid)
    actor.title = "{}: {} (MISP Attribute #{})".format(
        attribute.category, attribute.value, attribute.id)
    text = attribute.value
    # Only a non-empty comment is appended.
    if attribute.comment:
        text = "{} ({})".format(text, attribute.comment)
    actor.description = text
    return actor
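def generateThreatActor(attribute):
    """Map a MISP attribute dict to a STIX ThreatActor.

    The id is ``<namespace>:threatactor-<uuid>``, the title holds the
    attribute id and uuid, and the description is the value with the comment
    appended in parentheses when one is present.

    Args:
        attribute: dict with ``uuid``, ``id``, ``value`` and optionally
            ``comment`` keys.

    Returns:
        The populated ThreatActor.
    """
    ta = ThreatActor()
    ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
    ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
    # A missing or None comment previously raised (KeyError / TypeError on
    # concatenation); treat both the same as an empty comment.
    comment = attribute.get("comment")
    if comment:
        ta.description = attribute["value"] + " (" + comment + ")"
    else:
        ta.description = attribute["value"]
    return ta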
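def generateThreatActor(attribute):
    """Map a MISP attribute dict to a STIX ThreatActor.

    The attribute's epoch ``timestamp`` becomes the actor timestamp, the id is
    ``<namespace>:threatactor-<uuid>``, the title combines category, value
    and attribute id, and the description is the value with the comment
    appended in parentheses when one is present.

    Args:
        attribute: dict with ``timestamp``, ``uuid``, ``id``, ``category``,
            ``value`` and optionally ``comment`` keys.

    Returns:
        The populated ThreatActor.
    """
    ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"]
    ta.title = (attribute["category"] + ": " + attribute["value"]
                + " (MISP Attribute #" + attribute["id"] + ")")
    # A missing or None comment previously raised (KeyError / TypeError on
    # concatenation); treat both the same as an empty comment.
    comment = attribute.get("comment")
    if comment:
        ta.description = attribute["value"] + " (" + comment + ")"
    else:
        ta.description = attribute["value"]
    return ta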
def convert_report(r20):
    """Slide a STIX 2.0 report down to a STIX 1.x Report.

    Name, description and labels (as intents) go into the header; ``published``
    is appended to the header description. Each ``object_refs`` entry becomes
    an idref stub of the matching 1.x type (attack-pattern, malware and tool
    all map to TTP). identity/relationship/intrusion-set references and
    unknown types are reported via ``warn``. Object markings are applied through
    CONTAINER; granular markings are reported as an error.
    """
    r1x = Report(id_=convert_id20(r20["id"]), timestamp=text_type(r20["modified"]))
    r1x.header = Header()
    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])
    for intent in convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP):
        r1x.header.add_intent(intent)
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published", r20["published"])

    # 2.0 ref type -> (Report adder method, 1.x stub class).
    idref_adders = {
        "attack-pattern": ("add_ttp", TTP),
        "campaign": ("add_campaign", Campaign),
        "course-of-action": ("add_course_of_action", CourseOfAction),
        "indicator": ("add_indicator", Indicator),
        "observed-data": ("add_observable", Observable),
        "malware": ("add_ttp", TTP),
        "threat-actor": ("add_threat_actor", ThreatActor),
        "tool": ("add_ttp", TTP),
        "vulnerability": ("add_exploit_target", ExploitTarget),
    }
    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type in idref_adders:
            method_name, stub_cls = idref_adders[ref_type]
            getattr(r1x, method_name)(stub_cls(idref=ref1x))
        elif ref_type in ("identity", "relationship"):
            warn("%s in %s is not explicitly a member of a STIX 1.x report", 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x", 612, ref, r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])

    for m_id in r20.get("object_marking_refs", []):
        ms = create_marking_specification(m_id)
        if ms:
            CONTAINER.add_marking(r1x, ms, descendants=True)
    if "granular_markings" in r20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, r20["id"])
    return r1x
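def convert_threat_actor(ta20):
    """Slide a STIX 2.0 threat-actor object to a STIX 1.x ThreatActor.

    Name, labels (-> types), description, goals (-> intended effects),
    sophistication and the motivation properties are mapped directly;
    aliases, roles and resource_level have no 1.x field and are appended to
    the description. Object markings are applied through CONTAINER; granular
    markings are reported as an error. The new object is recorded in the
    id mapping and returned.
    """
    ta1x = ThreatActor(id_=convert_id20(ta20["id"]),
                       timestamp=text_type(ta20["modified"]))
    ta1x.title = ta20["name"]
    for t in convert_open_vocabs_to_controlled_vocabs(ta20["labels"], THREAT_ACTOR_LABEL_MAP):
        ta1x.add_type(t)
    if "description" in ta20:
        ta1x.add_description(ta20["description"])
    if "aliases" in ta20:
        add_missing_list_property_to_description(ta1x, "aliases", ta20["aliases"])
    if "roles" in ta20:
        add_missing_list_property_to_description(ta1x, "roles", ta20["roles"])
    if "goals" in ta20:
        for g in ta20["goals"]:
            ta1x.add_intended_effect(g)
    if "sophistication" in ta20:
        sophistications = convert_open_vocabs_to_controlled_vocabs(
            [ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP)
        for s in sophistications:
            ta1x.add_sophistication(s)
    if "resource_level" in ta20:
        # NOTE(review): resource_level is a single string in STIX 2.0 but is
        # handed to the *list* helper here — confirm the helper tolerates it.
        add_missing_list_property_to_description(ta1x, "resource_level", ta20["resource_level"])

    all_motivations = []
    if "primary_motivation" in ta20:
        all_motivations.append(ta20["primary_motivation"])
    # STIX 2.0 spells the list properties secondary_motivations and
    # personal_motivations (plural). Only the singular keys were read before,
    # so spec-conformant input silently lost these motivations; both
    # spellings are accepted now.
    for key in ("secondary_motivations", "secondary_motivation",
                "personal_motivations", "personal_motivation"):
        if key in ta20:
            all_motivations.extend(ta20[key])
    for m in convert_open_vocabs_to_controlled_vocabs(all_motivations, ATTACK_MOTIVATION_MAP):
        ta1x.add_motivation(m)

    if "object_marking_refs" in ta20:
        for m_id in ta20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ta1x, ms, descendants=True)
    if "granular_markings" in ta20:
        error("Granular Markings present in '%s' are not supported by stix2slider", 604, ta20["id"])
    record_id_object_mapping(ta20["id"], ta1x)
    return ta1x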
def to_stix_actor(obj):
    """
    Create a STIX Actor.

    Copies name/description onto a new ThreatActor and fans the object's
    threat_types, motivations, intended_effects and sophistications out to
    the matching add_* calls. Returns ``(actor, releasability)`` so the
    caller can apply sharing restrictions. Identifiers are not mapped yet.
    """
    actor = ThreatActor()
    actor.title = obj.name
    actor.description = obj.description
    fan_out = (
        (obj.threat_types, actor.add_type),
        (obj.motivations, actor.add_motivation),
        (obj.intended_effects, actor.add_intended_effect),
        (obj.sophistications, actor.add_sophistication),
    )
    for values, add in fan_out:
        for value in values:
            add(value)
    # TODO: obj.identifiers are not carried over.
    return (actor, obj.releasability)
def to_stix_actor(self):
    """
    Create a STIX Actor.

    Copies name/description onto a new ThreatActor and fans this object's
    threat_types, motivations, intended_effects and sophistications out to
    the matching add_* calls. Returns ``(actor, releasability)`` so the
    caller can apply sharing restrictions. Identifiers are not mapped yet.
    """
    from stix.threat_actor import ThreatActor

    actor = ThreatActor()
    actor.title = self.name
    actor.description = self.description
    fan_out = (
        (self.threat_types, actor.add_type),
        (self.motivations, actor.add_motivation),
        (self.intended_effects, actor.add_intended_effect),
        (self.sophistications, actor.add_sophistication),
    )
    for values, add in fan_out:
        for value in values:
            add(value)
    # TODO: self.identifiers are not carried over.
    return (actor, self.releasability)
def main():
    """Print a STIX package with one campaign attributed to a threat actor.

    The campaign references a victim-targeting TTP and three incidents by
    idref only.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    targeting = VictimTargeting()
    targeting.add_targeted_information("Information Assets - Financial Data")
    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = targeting

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attribution = Attribution()
    attribution.append(actor)

    campaign = Campaign()
    campaign.title = "Compromise of ATM Machines"
    campaign.attribution = [attribution]
    campaign.related_ttps.append(ttp)
    incident_ids = (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    )
    for incident_id in incident_ids:
        campaign.related_incidents.append(Incident(idref=incident_id))

    package = STIXPackage()
    package.add_campaign(campaign)
    print(package.to_xml(encoding=None))
# Related Observable (by id) addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) observable = Observable(addr1) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) # Related Indicator (by id) indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) incident.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = AttributedThreatActors() related_ta = RelatedThreatActor(ThreatActor(idref=ta.id_)) attrib_ta.append(related_ta) incident.attributed_threat_actors = attrib_ta # Related Incident (basic; by id) incident2 = Incident(title='Malware outbreak') incident2.time = '2018-06-12T11:00:05.470947+00:00' related_incident = RelatedIncident(Incident(idref=incident2.id_)) incident.add_related_incidents(related_incident) # Related TTP (basic; by id) ttp = TTP(title='Phishing') beh = Behavior() attack_pattern = AttackPattern()
t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution() attrib_ta.append(ThreatActor(idref=ta.id_)) campaign.attribution.append(attrib_ta) # Related Campaign (basic; by id) campaign2 = Campaign(title='Another Campaign') cassoc_campaign = CAssociatedCampaigns() cassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign2.id_))) campaign.associated_campaigns = cassoc_campaign # Related Other Objects to Campaign (by id) campaign3 = Campaign(title='Another Another Campaign') tassoc_campaign = TAssociatedCampaigns() tassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign3.id_))) ta.associated_campaigns = tassoc_campaign
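def main():
    """Print three example packages showing indicator composition.

    Package 1: an AND composite of a file-hash indicator and a C2 network
    indicator, alongside a campaign and a threat actor tied to the same TTPs.
    Package 2: an OR composite ("one of many") over three IP indicators.
    Package 3: an OR composite of two low-confidence indicators that together
    give high confidence.

    NOTE: ID values will differ due to being regenerated on each script execution.
    """
    # ---- USE CASE: Indicator with aggregate pattern ---------------------
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # TTP for malware usage.
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()
    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    # TTP for the C2 infrastructure.
    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    # Network-connection indicator for the C2 address.
    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)
    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # File-hash indicator with an embedded Observable.
    file_ind = Indicator()
    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")
    file_obs = File()
    # NOTE(review): this placeholder is 34 hex characters; a real MD5 digest
    # is 32, so a consumer that validates hash length would reject it.
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # Container indicator holding the composite.
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Campaign related to both TTPs.
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Threat actor observed using the malware TTP.
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # AND composite: both the file hash and the C2 connection must match.
    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"
    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)
    pkg1.add_indicator(ind)
    # print() works on Python 2 and 3; the original print statements are a
    # SyntaxError on Python 3.
    print(pkg1.to_xml())

    # ---- USE CASE: Indicator with partial matching ----------------------
    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # OR composite: any one of the three addresses matches.
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"
    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)
        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
        watchlistind.composite_indicator_expression.append(new_ind)
    pkg2.add_indicator(watchlistind)
    print(pkg2.to_xml())

    # ---- USE CASE: Indicator with compound detection --------------------
    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."

    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"
    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    # Reuse the two earlier indicators at low confidence; note this mutates
    # nw_ind and file_ind after pkg1 was already printed.
    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"
    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)
    pkg3.add_indicator(watchlistind2)
    print(pkg3.to_xml())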
def test_ta_idref_deprecation(self):
    """Add an idref-only ThreatActor to a package via the generic add().

    Exercises the path the test name describes as deprecated; the test
    only checks that the call completes.
    """
    pkg = core.STIXPackage()
    stub = ThreatActor(idref='test-idref-dep')
    pkg.add(stub)
observable = Observable(domain) infrastructure.observable_characterization = Observables( Observable(idref=observable.id_)) personas = Personas() personas.append(Identity(name='Stephen Golub')) resource = Resource(tools=Tools(tool), infrastructure=infrastructure, personas=personas) ttp.resources = resource related_ttp = RelatedTTP(TTP(idref=ttp.id_)) # TTP - Related Threat Actor (basic; by id) ta = ThreatActor(title='Adversary Bravo') ta.observed_ttps.append(related_ttp) # TTP - Related TTP2 (Malware; by id) ttp2 = TTP(title='Poison Ivy Variant') malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6') malware_instance.description = 'Attack Pattern Description' malware_instance.short_description = 'Attack Pattern Short Description' malware_instance.add_type(MalwareType('Remote Access Trojan')) maec = MAECInstance() maec.add_name('Poison Ivy Variant v4392-acc') maec.add_type(MalwareType('Exploit Kits')) ttp2.behavior = Behavior() ttp2.behavior.add_malware_instance(malware_instance)