def main():
    stix_package = STIXPackage()
    ttp_phishing = TTP(title="Phishing")

    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = ("Phishing")

    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")

    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")

    related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_),
                                      relationship="Leverages Attack Pattern")
    ta_bravo.observed_ttps.append(related_ttp_phishing)

    related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_),
                                  relationship="Leverages Malware")
    ta_bravo.observed_ttps.append(related_ttp_pivy)

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)

    print stix_package.to_xml()
def main():
    stix_package = STIXPackage()
    ttp_phishing = TTP(title="Phishing")

    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = ("Phishing")

    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")

    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")

    related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern")
    ta_bravo.observed_ttps.append(related_ttp_phishing)

    related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware")
    ta_bravo.observed_ttps.append(related_ttp_pivy)

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)

    print(stix_package.to_xml(encoding=None))
def main():
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    ttp = TTP()
    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']

    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")

    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    tm.producer = InformationSource(identity=Identity(name="Mandiant"))
    time = Time()
    time.produced_time = "0001-01-01T00:00:00"
    tm.producer.time = time
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
    indicator.test_mechanisms = TestMechanisms([tm])
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
def convert_attack_pattern(ap20):
    ap1x = AttackPattern()
    if "name" in ap20:
        ap1x.title = ap20["name"]
    if "description" in ap20:
        ap1x.add_description(ap20["description"])
    if "labels" in ap20:
        for l in ap20["labels"]:
            add_missing_property_to_description(ap1x, "label", l)
    if "external_references" in ap20:
        ap1x.capec_id = extract_external_id("capec",
                                            ap20["external_references"])
    ttp = TTP(id_=convert_id20(ap20["id"]),
              timestamp=text_type(ap20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(ap1x)
    if "kill_chain_phases" in ap20:
        process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    if "object_marking_refs" in ap20:
        for m_id in ap20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in ap20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ap20["id"])
    # if "kill_chain_phases" in ap20:
    #     process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    record_id_object_mapping(ap20["id"], ttp)
    return ttp
Exemple #5
0
def main():
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    ttp = TTP()
    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']
    
    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")

    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    tm.producer = InformationSource(identity=Identity(name="Yara"))
    time = Time()
    time.produced_time = "0001-01-01T00:00:00"
    tm.producer.time = time
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
    indicator.test_mechanisms = [tm]

    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    
    print stix_package.to_xml()
def convert_malware(malware20):
    malware1x = MalwareInstance()
    if "name" in malware20:
        malware1x.add_name(malware20["name"])
    if "description" in malware20:
        malware1x.add_description(malware20["description"])
    types = convert_open_vocabs_to_controlled_vocabs(malware20["labels"],
                                                     MALWARE_LABELS_MAP)
    for t in types:
        malware1x.add_type(t)
    ttp = TTP(id_=convert_id20(malware20["id"]),
              timestamp=text_type(malware20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware1x)
    if "kill_chain_phases" in malware20:
        process_kill_chain_phases(malware20["kill_chain_phases"], ttp)
    if "object_marking_refs" in malware20:
        for m_id in malware20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in malware20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, malware20["id"])
    record_id_object_mapping(malware20["id"], ttp)
    return ttp
Exemple #7
0
def generateTTP(incident, attribute, ttps, eventTags):
    ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"]))
    ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
        et.id_= namespace[1] + ":et-" + attribute["uuid"]
        if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.":
            et.title = attribute["comment"]
        else:
            et.title = "Vulnerability " + attribute["value"]
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    if attribute["comment"] != "":
        ttp.description = attribute["comment"]
    ttps.append(ttp)
    rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
    relatedTTP = RelatedTTP(rttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemple #8
0
def _buildttp(i, expt):
    """Do some TTP stuff."""
    ttp = TTP()
    ttp.title = str(i['name'])
    # The summary key is a list. In 1.2 this is represented
    # properly using description ordinality.
    ttp.description = i['summary']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(i['id'])
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
    return ttp
Exemple #9
0
def _buildttp(i, expt):
    """Do some TTP stuff."""
    ttp = TTP()
    ttp.title = str(i['name'])
    # The summary key is a list. In 1.2 this is represented
    # properly using description ordinality.
    ttp.description = i['summary']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(i['id'])
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
    return ttp
def main():
    maec_malware_instance = MAECInstance()
    maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
    maec_malware_instance.add_type("Remote Access Trojan")
    maec_malware_instance.maec = etree.fromstring(MAEC_XML, parser=etree.ETCompatXMLParser())

    ttp = TTP(title="Poison Ivy Variant v4392-acc")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
Exemple #11
0
def main():
    maec_malware_instance = MAECInstance()
    maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
    maec_malware_instance.add_type("Remote Access Trojan")
    maec_malware_instance.maec = etree.fromstring(
        MAEC_XML, parser=etree.ETCompatXMLParser())

    ttp = TTP(title="Poison Ivy Variant v4392-acc")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print stix_package.to_xml()
Exemple #12
0
def _buildttp(data):
    ttp = TTP()
    ttp.title = data['name']
    ttp.description = data['description']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(data['id'])
    attack_pattern.title = data['name']
    attack_pattern.description = data['description']
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.information_source = InformationSource()
    ttp.information_source.identity = Identity()
    ttp.information_source.identity.name = "The MITRE Corporation"
    ttp.information_source.references = data['references']
    return ttp
Exemple #13
0
def _buildttp(data):
    ttp = TTP()
    ttp.title = data['name']
    ttp.description = data['description']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(data['id'])
    attack_pattern.title = data['name']
    attack_pattern.description = data['description']
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.information_source = InformationSource()
    ttp.information_source.identity = Identity()
    ttp.information_source.identity.name = "The MITRE Corporation"
    ttp.information_source.references = data['references']
    return ttp
def main():
    malware = MalwareInstance()
    malware.add_name("Poison Ivy")
    malware.add_type("Remote Access Trojan")
    
    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware)
    
    incident = Incident(title="Detected Poison Ivy beaconing through perimeter firewalls")
    related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
    incident.leveraged_ttps.append(related_ttp)
    
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)
    stix_package.add_incident(incident)
    
    print stix_package.to_xml() 
Exemple #15
0
def generateTTP(incident, attribute):
    ttp = TTP()
    ttp.id_="example:ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget()
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemple #16
0
def wrap_maec(maec_package, file_name=None):
    """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.

    Args:
        maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
        file_name: the name of the input file from which the MAEC Package originated,
            to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.

    Returns:
        A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
    """

    # Set the namespace to be used in the STIX Package
    stix.utils.set_id_namespace(
        {"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"})

    # Create the STIX MAEC Instance
    maec_malware_instance = MAECInstance()
    maec_malware_instance.maec = maec_package

    # Create the STIX TTP that includes the MAEC Instance
    ttp = TTP()
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    # Create the STIX Package and add the TTP to it
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    # Create the STIX Header and add it to the Package
    stix_header = STIXHeader()
    if file_name:
        stix_header.title = "STIX TTP wrapper around MAEC file: " + str(
            file_name)
    stix_header.add_package_intent("Malware Characterization")
    # Add the Information Source to the STIX Header
    tool_info = ToolInformation()
    stix_header.information_source = InformationSource()
    tool_info.name = "MAEC to STIX"
    tool_info.version = str(maec_to_stix.__version__)
    stix_header.information_source.tools = ToolInformationList(tool_info)
    stix_package.stix_header = stix_header

    return stix_package
Exemple #17
0
def add_malware(hashVal, TTPTitle, malware_uuid):
    malware_instance = MalwareInstance()
    malware_instance.add_name(TTPTitle)
    # malware_instance.add_type("Malware")

    ttp = TTP(title=TTPTitle)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    file_object = File()
    file_object.add_hash(Hash(hashVal))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    indicator = Indicator(id_="indicator-{0}".format(malware_uuid),
                          title="File hash")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    return (indicator)
Exemple #18
0
def generateTTP(incident, attribute):
    ttp = TTP()
    ttp.id_ = "example:ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[
        "uuid"]
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget()
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
def main():
    malware = MalwareInstance()
    malware.add_name("Poison Ivy")
    malware.add_type("Remote Access Trojan")

    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware)

    incident = Incident(
        title="Detected Poison Ivy beaconing through perimeter firewalls")
    related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
    incident.leveraged_ttps.append(related_ttp)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)
    stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
Exemple #20
0
def wrap_maec(maec_package, file_name=None):
    """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.

    Args:
        maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
        file_name: the name of the input file from which the MAEC Package originated,
            to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.

    Returns:
        A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
    """

    # Set the namespace to be used in the STIX Package
    stix.utils.set_id_namespace({"https://github.com/MAECProject/maec-to-stix":"MAECtoSTIX"})

    # Create the STIX MAEC Instance
    maec_malware_instance = MAECInstance()
    maec_malware_instance.maec = maec_package
    
    # Create the STIX TTP that includes the MAEC Instance
    ttp = TTP()
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)
    
    # Create the STIX Package and add the TTP to it
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    # Create the STIX Header and add it to the Package
    stix_header = STIXHeader()
    if file_name:
        stix_header.title = "STIX TTP wrapper around MAEC file: " + str(file_name)
    stix_header.add_package_intent("Malware Characterization")
    # Add the Information Source to the STIX Header
    tool_info = ToolInformation()
    stix_header.information_source = InformationSource()
    tool_info.name = "MAEC to STIX"
    tool_info.version = str(maec_to_stix.__version__)
    stix_header.information_source.tools = ToolInformationList(tool_info)
    stix_package.stix_header = stix_header
    
    return stix_package
Exemple #21
0
def generateTTP(incident, attribute):
    ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    if attribute["comment"] != "":
        ttp.description = attribute["comment"]
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemple #22
0
def genObject_TTP(data):
    from stix.utils import create_id as StixID
    from stix.ttp import TTP
    from stix.common.vocabs import IntendedEffect

    objTTP = TTP()
    objTTP.idref = None
    objTTP.title = "Email Emmbedded URL"
    objTTP.description = "Target Users via Email by adding a malicious URL"
    objTTP.short_description = "Target Users via Email by adding a malicious URL"
    objTTP.behavior = genData_Behavior(data)
    objTTP.related_ttps = None
    ### _ALLOWED_VALUES = ('Advantage', 'Advantage - Economic', 'Advantage - Military', 'Advantage - Political', 'Theft', 'Theft - Intellectual Property', 'Theft - Credential Theft', 'Theft - Identity Theft', 'Theft - Theft of Proprietary Information', 'Account Takeover', 'Brand Damage', 'Competitive Advantage', 'Degradation of Service', 'Denial and Deception', 'Destruction', 'Disruption', 'Embarrassment', 'Exposure', 'Extortion', 'Fraud', 'Harassment', 'ICS Control', 'Traffic Diversion', 'Unauthorized Access')
    objTTP.intended_effects = data['source']['stix.ttp.TTP.intended_effects']

    # objTTP.resources          = None
    # objTTP.victim_targeting   = None
    # objTTP.information_source = None
    # objTTP.exploit_targets    = None
    # objTTP.handling           = None

    return (objTTP)
Exemple #23
0
    def _add_stix_ttp(self, malware_subject):
        """Create and add a STIX TTP for a MAEC Malware Subject.
        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.

        Returns:
            The ID of the newly created STIX TTP.
        """
        # Create the STIX TTP that includes the MAEC Instance
        ttp = TTP()
        ttp.behavior = Behavior()
        # Add a MAEC Package with just the Malware Subject
        # For capturing the identity of the malware binary that the Indicators target
        maec_package = Package()
        new_malware_subject = MalwareSubject()
        new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
        maec_package.add_malware_subject(new_malware_subject)
        maec_malware_instance = MAECInstance()
        maec_malware_instance.maec = maec_package
        ttp.behavior.add_malware_instance(maec_malware_instance)
        self.stix_package.add_ttp(ttp)
        return ttp.id_
Exemple #24
0
    def _add_stix_ttp(self, malware_subject):
        """Create and add a STIX TTP for a MAEC Malware Subject.
        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.

        Returns:
            The ID of the newly created STIX TTP.
        """
        # Create the STIX TTP that includes the MAEC Instance
        ttp = TTP()
        ttp.behavior = Behavior()
        # Add a MAEC Package with just the Malware Subject
        # For capturing the identity of the malware binary that the Indicators target
        maec_package = Package()
        new_malware_subject = MalwareSubject()
        new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
        maec_package.add_malware_subject(new_malware_subject)
        maec_malware_instance = MAECInstance()
        maec_malware_instance.maec = maec_package
        ttp.behavior.add_malware_instance(maec_malware_instance)
        self.stix_package.add_ttp(ttp)
        return ttp.id_
def main():
    stix_package = STIXPackage()
        
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy")
    malware_instance.add_type("Remote Access Trojan")
    
    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    
    file_object = File()
    file_object.add_hash(Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
    
    indicator = Indicator(title="File hash for Poison Ivy variant")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    
    print stix_package.to_xml()
def main():
    stix_package = STIXPackage()
        
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy")
    malware_instance.add_type("Remote Access Trojan")
    
    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    
    file_object = File()
    file_object.add_hash(Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
    file_object.hashes[0].simple_hash_value.condition = "Equals"
    
    indicator = Indicator(title="File hash for Poison Ivy variant")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    
    print stix_package.to_xml()
Exemple #27
0
def buildTtp(input_dict):
    ttp = TTP()
    ttp.title = input_dict['title']
    ttp.description = input_dict['description']
    if input_dict['intendedEffect']:
        ttp.add_intended_effect(input_dict['intendedEffect'])
    if input_dict['behavior']:
        ttp.behavior = Behavior(input_dict['behavior'])
    if input_dict['resources']:
        ttp.resources = input_dict['resources']
    if input_dict['victimTargeting']:
        #TODO look into adding more victim fields
        vic = VictimTargeting()
        vic.add_targeted_information(input_dict['victimTargeting'])
        ttp.victim_targeting = vic
    #target = ExploitTargets().
    #target.append(input_dict['exploitTargets'])
    #ttp.exploit_targets = target
    if input_dict['informationSource']:
        ttp.information_source = InformationSource(input_dict['informationSource'])
    if input_dict['killChain']:
        ttp.kill_chain_phases = input_dict['killChain']

    return ttp
from stix.ttp.resource import Personas, Resource, Tools
from stix.ttp.victim_targeting import VictimTargeting

# TTP (Phishing)
ttp = TTP(title='Phishing')
ttp.description = 'Integer posuere erat a ante venenatis dapibus posuere velit aliquet.'
ttp.short_description = 'Etiam Vestibulum Elit Ligula'

ttp.add_intended_effect(IntendedEffect('Account Takeover'))

# TTP - Attack Pattern
attack_pattern = AttackPattern()
attack_pattern.capec_id = 'CAPEC-98'
attack_pattern.description = 'Phishing'
attack_pattern.short_description = 'Phishing'
ttp.behavior = Behavior()
ttp.behavior.add_attack_pattern(attack_pattern)

# TTP - Kill Chain Phase
phase = KillChainPhase(
    name='Infect Machine',
    phase_id='example:TTP-7a0fb8e4-a778-4c79-9c7e-8747675da5f1')
kc_phases = KillChainPhasesReference()
kc_phases.append(KillChainPhaseReference(name=phase.name))
ttp.kill_chain_phases = kc_phases

# TTP - Resource (Tool, Infrastructure, Personas)
resource = Resource()
tool = ToolInformation(title='malware.exe')
tool.type_ = AttackerToolType('Malware')
tool.description = 'Tool Description'
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        #Parser URI
        sURI = data[sKey]['attrib']['URI']
        if len(sURI) > 0:
            objURI = URI()
            objURI.value = sURI
            objURI.value.condition = 'Equals'
            objURI.type_ = URI.TYPE_URL
            obsURI = Observable(objURI)
            objURI = None
            obsURI.sighting_count = 1
            obsURI.title = 'URI: ' + sURI
            sDscrpt = 'URI: ' + sURI + " | "
            sDscrpt += "Type: URL | "
            obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsURI)
            obsURI = None
            objIndicator.add_indicator_type("URL Watchlist")

        #Parser File Hash
        sHash = data[sKey]['attrib']['hash']
        if len(sHash) > 0:
            objFile = File()
            sFileName = data[sKey]['attrib']['fileName']
            if len(sFileName) > 0:
                objFile.file_name = sFileName
                objFile.file_format = sFileName.split('.')[1]

            objFile.add_hash(Hash(sHash, exact=True))
            obsFile = Observable(objFile)
            objFile = None
            obsFile.sighting_count = 1
            obsFile.title = 'File: ' + sFileName
            sDscrpt = 'FileName: ' + sFileName + " | "
            sDscrpt += "FileHash: " + sHash + " | "
            obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsFile)
            obsFile = None
            objIndicator.add_indicator_type("File Hash Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Old Title / Description Generator
        #objIndicator.title = data[sKey]['attrib']['title'];
        #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";

        ### Generate Indicator Title based on availbe data
        sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
            'status'] + ')| ' + data[sKey]['attrib']['title']
        if len(sAddr) > 0:
            sAddLine = "This IP address has been identified as malicious"
        if len(sDomain) > 0:
            sAddLine = "This domain has been identified as malicious"
        if len(sAddLine) > 0:
            sTitle = sTitle + " | " + sAddLine
        if len(srcObj.Domain) > 0:
            sTitle = sTitle + " by " + srcObj.Domain
        else:
            sTitle = sTitle + "."
        if len(sTitle) > 0:
            objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if len(sAddr) > 0:
            sAddLine = "This IP address " + sAddr
        if len(sDomain) > 0:
            sAddLine = "This domain " + sDomain
        if len(sAddr) > 0 and len(sDomain) > 0:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt = sDscrpt + sAddLine

        sDscrpt = sDscrpt + " has been identified as malicious"
        if len(srcObj.Domain) > 0:
            sDscrpt = sDscrpt + " by " + srcObj.Domain
        else:
            sDscrpt = sDscrpt + "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
            sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_name("ZeuS")
        objMalware.add_name("Zbot")
        objMalware.add_name("Zeus")
        objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
        objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"

        objTTP = TTP(title="ZeuS")
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
Exemple #30
0
def genStixDoc(
        outputDir_,
        targetFileSha1_,
        targetFileSha256_,
        targetFileSha512_,
        targetFileSsdeep_,
        targetFileMd5_,
        targetFileSize_,
        targetFileName_,
        ipv4Addresses_,
        hostNames_):
    """
    Generate Stix document from the input values. The doc structure is the file
    object along with the related network items: addresses, domain names. Output
    is written to files, which are then wrapped with taxii and uploaded using a 
    separate script.
    """
    parsedTargetFileName = reFileName(targetFileName_)[1]
    parsedTargetFilePrefix = reFileName(targetFileName_)[0]
    stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"})
    NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix")
    cybox.utils.set_id_namespace(NS)
    stix_package = STIXPackage()

    stix_header = STIXHeader()
    stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_package.stix_header = stix_header

    # Create the ttp
    malware_instance = MalwareInstance()
    malware_instance.add_name(parsedTargetFileName)
    malware_instance.description = targetFileSha1_
    ttp = TTP(title='TTP: ' + parsedTargetFileName)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    stix_package.add_ttp(ttp)
    
    # Create the indicator for the ipv4 addresses
    ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4)
    ipv4Object.condition = 'Equals'
    ipv4Indicator = Indicator()
    ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses'
    ipv4Indicator.add_indicator_type('IP Watchlist')
    ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    ipv4Indicator.observable = ipv4Object
    ipv4Indicator.confidence = 'Low'
    
    # Create the indicator for the domain names
    domainNameObject = DomainName()
    domainNameObject.value = hostNames_
    domainNameObject.condition = 'Equals'
    domainNameIndicator = Indicator()
    domainNameIndicator.title = parsedTargetFileName + ': domain names'
    domainNameIndicator.add_indicator_type('Domain Watchlist')
    domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    domainNameIndicator.observable = domainNameObject
    domainNameIndicator.confidence = 'Low'

    # Create the indicator for the file
    fileObject = File()
    fileObject.file_name = parsedTargetFileName
    fileObject.file_name.condition = 'Equals'
    fileObject.size_in_bytes = targetFileSize_
    fileObject.size_in_bytes.condition = 'Equals'
    fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True))
    fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True))
    fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True))
    fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True))
    fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True))
    fileIndicator = Indicator()
    fileIndicator.title = parsedTargetFileName + ': hashes'
    fileIndicator.description = parsedTargetFilePrefix
    fileIndicator.add_indicator_type('File Hash Watchlist')
    fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware"))
    fileIndicator.observable = fileObject
    fileIndicator.confidence = 'Low'
    
    stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator]

    stagedStixDoc = stix_package.to_xml()
    stagedStixDoc = fixAddressObject(stagedStixDoc)
    stagedStixDoc = fixDomainObject(stagedStixDoc)
    today = datetime.datetime.now()
    now = today.strftime('%Y-%m-%d_%H%M%S')
    if not os.path.exists(outputDir_):
        os.makedirs(outputDir_)
    with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile:
        myfile.write(stagedStixDoc)
    _l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml')
    return
Exemple #31
0
def csv2stix(outFormat,inFile):

	#=============
	# Build package metadata
	#=============

	stix_package = STIXPackage()
	stix_package.stix_header = STIXHeader()
	stix_package.stix_header.title = "TG3390"
	stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"

	marking_specification = MarkingSpecification()
	marking_specification.controlled_structure = "../../../../descendant-or-self::node()"

	tlp = TLPMarkingStructure()
	tlp.color = "WHITE"
	marking_specification.marking_structures.append(tlp)

	handling = Marking()
	handling.add_marking(marking_specification)

	stix_package.stix_header.handling = handling

        #=============
        # Build package structure
        #=============

	ta_tg3390 = ThreatActor(title="TG3390")
	ta_tg3390.identity = Identity(name="TG3390")

	attack_pattern = AttackPattern()
	attack_pattern.description = ("Infrastructure Building")
	ttp_infrastructure = TTP(title="Infrastructure Building")
	ttp_infrastructure.behavior = Behavior()
	ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
	ttp_infrastructure.add_intended_effect("Unauthorized Access")
	infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
	infra_domainInd.add_indicator_type("Domain Watchlist")
	infra_domainInd.confidence = "High"
	infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

	infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
	infra_IPInd.add_indicator_type("IP Watchlist")
	infra_IPInd.confidence = "High"
	infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

	infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
        infra_IPInd_M.add_indicator_type("IP Watchlist")
	infra_IPInd_M.confidence = "Medium"
        infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))


	httpBrowserObj = MalwareInstance()
	httpBrowserObj.add_name("HTTP Browser")
	ttp_httpB = TTP(title="HTTP Browser")
	ttp_httpB.behavior = Behavior()
	ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
	ttp_httpB.add_intended_effect("Theft - Intellectual Property")
	httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
	httpB_hashInd.add_indicator_type("File Hash Watchlist")
	httpB_hashInd.confidence = "High"
	httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))

	httpBrowserDropperObj = MalwareInstance()
	httpBrowserDropperObj.add_name("HTTP Browser Dropper")
	ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
	ttp_httpBDpr.behavior = Behavior()
	ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
	ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
	httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
	httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
	httpBDpr_hashInd.confidence = "High"
	httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))


	plugXObj = MalwareInstance()
	plugXObj.add_name("PlugX Dropper")
	ttp_plugX = TTP(title="PlugX Dropper")
	ttp_plugX.behavior = Behavior()
	ttp_plugX.behavior.add_malware_instance(plugXObj)
	ttp_plugX.add_intended_effect("Theft - Intellectual Property")
	plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
	plugX_hashInd.add_indicator_type("File Hash Watchlist")
	plugX_hashInd.confidence = "High"
	plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))

        #=============
        # Process content in to structure
        #=============
	ip_rules = []
	ip_rules_M = []
	domain_rules = []
	with open(inFile, 'rb') as f:
                reader = csv.reader(f)
		for row in reader:
                        obs = row[0]
                        obsType = row[1]
                        description = row[2]
                        confidence = row[3]
			#print obs,obsType,description,confidence
			if description == 'TG-3390 infrastructure':
				if obsType == 'Domain name':
					domain_obj = DomainName()
        	                        domain_obj.value = obs
					#domain_obj.title = description
	                                infra_domainInd.add_object(domain_obj)
					domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
					domain_rules.append(domain_rule)
				elif obsType == 'IP address':
					ipv4_obj = Address()
                	                ipv4_obj.category = "ipv4-addr"
        	                        ipv4_obj.address_value = obs
					ipv4_obj.title = description
					ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
					if confidence == "High":
	                                	infra_IPInd.add_object(ipv4_obj)
						ip_rules.append(obs)
					else:
						infra_IPInd_M.add_object(ipv4_obj)
						ip_rules_M.append(obs)
				else:
					print "TTP Infra: obsType is wrong"
			elif description == 'HttpBrowser RAT dropper':
				file_obj = File()
				file_obj.add_hash(Hash(obs))
				file_obj.title = description
				httpBDpr_hashInd.add_observable(file_obj)
			elif description == 'HttpBrowser RAT':
				file_obj = File()
                                file_obj.add_hash(Hash(obs))
				file_obj.title = description
                                httpB_hashInd.add_observable(file_obj)
			elif description == 'PlugX RAT dropper':
				file_obj = File()
                                file_obj.add_hash(Hash(obs))
				file_obj.title = description
                                plugX_hashInd.add_observable(file_obj)
			else:
				print "TTP not found"
	#print ip_rules
	ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
	ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])

	ip_tm = SnortTestMechanism()
	ip_tm.rules = [ip_rule]
	ip_tm.efficacy = "High"
	ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
	infra_IPInd.test_mechanisms = [ip_tm]

	ip_M_tm = SnortTestMechanism()
        ip_M_tm.rules = [ip_rule_M]
        ip_M_tm.efficacy = "Medium"
        ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
	infra_IPInd_M.test_mechanisms = [ip_M_tm]

	domain_tm = SnortTestMechanism()
        domain_tm.rules = domain_rules
        domain_tm.efficacy = "High"
        domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
        infra_domainInd.test_mechanisms = [domain_tm]
	
        #=============
        # Add the composed content to the structure
        #=============

	stix_package.add_indicator(infra_domainInd)
	stix_package.add_indicator(infra_IPInd)
	stix_package.add_indicator(infra_IPInd_M)
	stix_package.add_indicator(httpBDpr_hashInd)
	stix_package.add_indicator(httpB_hashInd)
	stix_package.add_indicator(plugX_hashInd)

	stix_package.add_ttp(ttp_infrastructure)
	stix_package.add_ttp(ttp_httpB)
	stix_package.add_ttp(ttp_httpBDpr)
	stix_package.add_ttp(ttp_plugX)
					
				
	"""
	if outFormat =='dict':
		print stix_package.to_dict()
	if outFormat =='json':
		parsed = stix_package.to_json()
		jsonpkg = json.loads(parsed)
		pprint.pprint(jsonpkg)
	if outFormat =='stix':
		print stix_package.to_xml()
	"""
	#if verbose:
		#print stix_package.to_xml()
	#pprint(stix_package.to_json())
	return stix_package
Exemple #32
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        #Parsing Producer
        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
        if len(srcObj.Domain) > 0:
            objIndicator.producer = infoSrc

        if data[sKey]['attrib']['lstDateVF']:
            objIndicator.set_produced_time(
                data[sKey]['attrib']['lstDateVF'][0])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Generate Indicator Title based on availbe data
        lstContainng = []
        lstIs = []
        sTitle = 'This domain ' + data[sKey]['attrib'][
            'domain'] + ' has been identified as malicious'
        if len(data[sKey]['attrib']['ref']):
            sTitle += ' by ' + data[sKey]['attrib']['ref']

        if len(data[sKey]['attrib']['type']) > 0:
            sTitle += ', via this vector [' + data[sKey]['attrib'][
                'type'] + '].'
        else:
            sTitle += '.'
        objIndicator.title = sTitle

        ### Generate Indicator Description based on availbe data
        sDscrpt = 'Lehigh.edu site has added this domain ' + data[sKey][
            'attrib']['domain']
        sDscrpt += ' to recommend block list.'
        sDscrpt += ' This site has been identified as malicious'
        sDscrpt += ' by ' + data[sKey]['attrib']['ref']
        sDscrpt += ' and was still attive on the following dates ' + str(
            data[sKey]['attrib']['lstDateVF']) + "."
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_type("Remote Access Trojan")

        ttpTitle = data[sKey]['attrib']['type']
        objTTP = TTP(title=ttpTitle)
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        for sAddr in data[sKey]['attrib']['ipAddrList']:
            if len(sAddr) > 0:
                objAddr = Address()
                objAddr.is_destination = True
                objAddr.address_value = sAddr
                #objAddr.address_value.operator = 'Equals'
                objAddr.address_value.condition = 'Equals'

                if isIPv4(sAddr):
                    objAddr.category = 'ipv4-addr'
                elif isIPv6(sAddr):
                    objAddr.category = 'ipv6-addr'
                else:
                    continue

                obsAddr = Observable(objAddr)
                objAddr = None
                obsAddr.sighting_count = 1
                obsAddr.title = 'IP: ' + sAddr
                sDscrpt = 'IPv4' + ': ' + sAddr + " | "
                sDscrpt += "isDestination: True | "
                obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
                listOBS.append(obsAddr)
                obsAddr = None

        ### Parsing Port Number
        sPort = data[sKey]['attrib']['ipPort']
        if len(sPort) > 0:
            objPort = Port()
            objPort.port_value = int(sPort)
            objPort.port_value.condition = 'Equals'
            sProtocol = data[sKey]['attrib']['ipProt']
            if len(sProtocol) > 0:
                objPort.layer4_protocol = sProtocol.upper()

            obsPort = Observable(objPort)
            objPort = None
            obsPort.sighting_count = 1
            obsPort.title = 'Port: ' + sPort
            sDscrpt = 'PortNumber' + ': ' + sPort + " | "
            sDscrpt += "Protocol: " + sProtocol.upper() + " | "
            obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsPort)

        ### Add Generated observable to Indicator
        objIndicator.add_indicator_type("IP Watchlist")
        objIndicator.observable_composition_operator = 'OR'
        objIndicator.observables = listOBS

        from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
        from stix.common import InformationSource, Identity
        testMech = SnortTestMechanism()
        testMech.rules = [data[sKey]['attrib']['rule']]
        testMech.efficacy = "Unknown"

        infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
        infoSrc.add_contributing_source("http://www.shadowserver.org")
        infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
        infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
        infoSrc.add_contributing_source("https://zeustracker.abuse.ch")

        testMech.producer = infoSrc

        lstRef = data[sKey]['attrib']['reference'].split('|')
        testMech.producer.references = lstRef

        objIndicator.test_mechanisms = [testMech]

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        #objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Title / Description Generator
        objIndicator.set_received_time(data[sKey]['dateDL'])

        sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
        sTitle += data[sKey]['attrib']['msg'] + " | "
        sTitle += "rev:" + data[sKey]['attrib']['rev']
        objIndicator.title = sTitle

        sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
            'rule']
        objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        nameList = data[sKey]['attrib']['flowbits']
        if len(nameList) > 0:
            nameList = nameList.split("|")
            for sName in nameList:
                sName = sName.split(",")[1]
                objMalware.add_name(sName)

        #objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = data[sKey]['attrib']['msg']

        ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
            'attrib']['msg']
        objTTP = TTP(title=ttpTitle)
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
Exemple #34
0
def genStixDoc(
        outputDir_,
        targetFileSha1_,
        targetFileSha256_,
        targetFileSha512_,
        targetFileSsdeep_,
        targetFileMd5_,
        targetFileSize_,
        targetFileName_,
        ipv4Addresses_,
        hostNames_):
    """
    Generate Stix document from the input values. The doc structure is the file
    object along with the related network items: addresses, domain names. Output
    is written to files, which are then wrapped with taxii and uploaded using a 
    separate script.
    """
    parsedTargetFileName = reFileName(targetFileName_)[1]
    parsedTargetFilePrefix = reFileName(targetFileName_)[0]
    stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"})
    NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix")
    cybox.utils.set_id_namespace(NS)
    stix_package = STIXPackage()

    stix_header = STIXHeader()
    stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_package.stix_header = stix_header

    # Create the ttp
    malware_instance = MalwareInstance()
    malware_instance.add_name(parsedTargetFileName)
    malware_instance.description = targetFileSha1_
    ttp = TTP(title='TTP: ' + parsedTargetFileName)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    stix_package.add_ttp(ttp)
    
    # Create the indicator for the ipv4 addresses
    ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4)
    ipv4Object.condition = 'Equals'
    ipv4Indicator = Indicator()
    ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses'
    ipv4Indicator.add_indicator_type('IP Watchlist')
    ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    ipv4Indicator.observable = ipv4Object
    ipv4Indicator.confidence = 'Low'
    
    # Create the indicator for the domain names
    domainNameObject = DomainName()
    domainNameObject.value = hostNames_
    domainNameObject.condition = 'Equals'
    domainNameIndicator = Indicator()
    domainNameIndicator.title = parsedTargetFileName + ': domain names'
    domainNameIndicator.add_indicator_type('Domain Watchlist')
    domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    domainNameIndicator.observable = domainNameObject
    domainNameIndicator.confidence = 'Low'

    # Create the indicator for the file
    fileObject = File()
    fileObject.file_name = parsedTargetFileName
    fileObject.file_name.condition = 'Equals'
    fileObject.size_in_bytes = targetFileSize_
    fileObject.size_in_bytes.condition = 'Equals'
    fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True))
    fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True))
    fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True))
    fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True))
    fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True))
    fileIndicator = Indicator()
    fileIndicator.title = parsedTargetFileName + ': hashes'
    fileIndicator.description = parsedTargetFilePrefix
    fileIndicator.add_indicator_type('File Hash Watchlist')
    fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware"))
    fileIndicator.observable = fileObject
    fileIndicator.confidence = 'Low'
    
    stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator]

    stagedStixDoc = stix_package.to_xml()
    stagedStixDoc = fixAddressObject(stagedStixDoc)
    stagedStixDoc = fixDomainObject(stagedStixDoc)
    today = datetime.datetime.now()
    now = today.strftime('%Y-%m-%d_%H%M%S')
    if not os.path.exists(outputDir_):
        os.makedirs(outputDir_)
    with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile:
        myfile.write(stagedStixDoc)
    _l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml')
    return
def main():
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()

    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)

    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()

    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")

    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)

    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression

    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"

    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)

    pkg1.add_indicator(ind)

    print pkg1.to_xml()

#  USE CASE: Indicator with partial matching

    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."

    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        # add network network connection to this indicator
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)

        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

        watchlistind.composite_indicator_expression.append(new_ind)

    pkg2.add_indicator(watchlistind)

    print pkg2.to_xml()

    #  USE CASE: Indicator with compound detection

    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
    # Create composite expression
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"

    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"
    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)

    pkg3.add_indicator(watchlistind2)

    print pkg3.to_xml()
def main():
    stix_package = STIXPackage()

    malware_instance = MalwareInstance()
    malware_instance.add_name("plugin1.exe")
    #not really remote access but am not sure what else to put
    malware_instance.add_type("Remote Access Trojan")

    ttp = TTP(title="Install+plugin1.exe")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    #observable 1 Install+plugin1.exe
    file_object = File()
    file_object.file_name = "Install+plugin1.exe"
    file_object.add_hash(
        Hash("164ecfc36893ee368a3c4cb2fd500b58262f1b87de1e68df74390db0b5445915"
             ))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    #observable 2 plugin1.exe
    #http://cybox.readthedocs.io/en/stable/examples.html#creating-observables
    file_plugin1 = File()
    file_plugin1.file_name = "plugin1.exe"
    file_plugin1.file_path = "C:\\Users\\Default\\AppData\\Local\\temp\plugin1"
    file_plugin1.add_hash(
        Hash("ae768b62f5fef4dd604e1b736bdbc3ed30417ef4f67bff74bb57f779d794d6df"
             ))
    file_plugin1.hashes[0].simple_hash_value.condition = "Equals"

    #observable 3 registry key
    #http://cybox.readthedocs.io/en/stable/api/coverage.html
    registry_object = WinRegistryKey()
    registry_object.name = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Ultron Updater"

    #observable 4 network traffic
    #http://stixproject.github.io/documentation/idioms/malware-hash/
    #I couldn't figure out how to correctly indicate the source, dest or protocol
    addr = Address(address_value="192.168.52.219", category=Address.CAT_IPV4)

    #indicator 1 Install+plugin1.exe
    indicator = Indicator(title="File hash for Install+plugin.exe")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    #indicator 2 plugin1.exe
    indicator2 = Indicator(title="File hash for plugin1.exe")
    indicator2.add_indicator_type("File Hash Watchlist")
    indicator2.add_observable(file_plugin1)
    indicator2.add_indicated_ttp(TTP(idref=ttp.id_))

    #indicator3 registry key
    indicator3 = Indicator(title="Registry entry for Install+plugin.exe")
    indicator3.add_indicator_type("Malware Artifacts")
    indicator3.add_observable(registry_object)
    indicator3.add_indicated_ttp(TTP(idref=ttp.id_))

    #indicator4 network traffic
    indicator4 = Indicator(title="Network Traffic for plugine1.exe")
    indicator.add_indicator_type("IP Watchlist")
    indicator4.add_observable(Observable(addr))
    indicator4.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_indicator(indicator2)
    stix_package.add_indicator(indicator3)
    stix_package.add_indicator(indicator4)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
def main():
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()

    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)

    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()

    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")

    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)

    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression

    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"

    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)

    pkg1.add_indicator(ind)

    print pkg1.to_xml()

    #  USE CASE: Indicator with partial matching

    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."

    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression(
    )
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        # add network network connection to this indicator
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)

        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

        watchlistind.composite_indicator_expression.append(new_ind)

    pkg2.add_indicator(watchlistind)

    print pkg2.to_xml()

    #  USE CASE: Indicator with compound detection

    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
    # Create composite expression
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression(
    )
    watchlistind2.composite_indicator_expression.operator = "OR"

    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"
    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)

    pkg3.add_indicator(watchlistind2)

    print pkg3.to_xml()
Exemple #38
0
incident.attributed_threat_actors = attrib_ta

# Related Incident (basic; by id)
incident2 = Incident(title='Malware outbreak')
incident2.time = '2018-06-12T11:00:05.470947+00:00'
related_incident = RelatedIncident(Incident(idref=incident2.id_))
incident.add_related_incidents(related_incident)

# Related TTP (basic; by id)
ttp = TTP(title='Phishing')
beh = Behavior()
attack_pattern = AttackPattern()
attack_pattern.capec_id = 'CAPEC-98'
attack_pattern.description = 'Phishing'
beh.add_attack_pattern(attack_pattern)
ttp.behavior = beh
leveraged_ttps = LeveragedTTPs()
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
leveraged_ttps.append(related_ttp)
incident.leveraged_ttps = leveraged_ttps

# Related CoA (basic; by id)
coa = CourseOfAction(title='Block traffic')
related_coa = CourseOfAction(idref=coa.id_)
incident.add_coa_requested(related_coa)
incident.add_coa_taken(related_coa)

# Generate STIX Package
stix_package = STIXPackage()
stix_package.add_observable(observable)
stix_package.add_indicator(indicator)
Exemple #39
0
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
    stixObj = None

    ### Input Check
    if srcObj == None or data == None:
        #TODO: Needs error msg: Missing srcData Object
        return (False)

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()
    objIndicator = Indicator()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if len(sAddr) > 0:
            objAddr = Address()
            objAddr.is_destination = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = objAddr.CAT_IPV4
            elif isIPv6(sAddr):
                objAddr.category = objAddr.CAT_IPV6
            else:
                continue

            obsAddr = Observable(objAddr)
            objAddr = None
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isDestination: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            obsAddr = None
            objIndicator.add_indicator_type("IP Watchlist")

        ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if len(sDomain) > 0:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'

            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            objDomain = None
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            obsDomain = None
            objIndicator.add_indicator_type("Domain Watchlist")

        #Parser URI
        sURI = data[sKey]['attrib']['title']
        if len(sURI) > 0:
            objURI = URI()
            objURI.value = sURI
            objURI.value.condition = 'Equals'
            objURI.type_ = URI.TYPE_URL
            obsURI = Observable(objURI)
            objURI = None
            obsURI.sighting_count = 1
            obsURI.title = 'URI: ' + sURI
            sDscrpt = 'URI: ' + sURI + " | "
            sDscrpt += "Type: URL | "
            obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsURI)
            obsURI = None
            objIndicator.add_indicator_type("URL Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(sProducer) > 0:
            objIndicator.set_producer_identity(sProducer)

        objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Generate Indicator Title based on availbe data
        sTitle = 'C2C Site: ' + sURI
        objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if len(sAddr) > 0:
            sAddLine = "This IP address " + sAddr
        if len(sDomain) > 0:
            sAddLine = "This domain " + sDomain
        if len(sAddr) > 0 and len(sDomain) > 0:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt += sAddLine

        sDscrpt = sDscrpt + " has been identified as a command and control site for " + data[
            sKey]['attrib']['dscrpt'] + ' malware'

        if len(srcObj.Domain) > 0:
            sDscrpt = sDscrpt + " by " + srcObj.Domain
        else:
            sDscrpt = sDscrpt + "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
            sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
            pass

        #Parse TTP
        sType = data[sKey]['attrib']['dscrpt']
        if len(sType) > 0:
            objMalware = MalwareInstance()

            objMalware.add_name(sType)
            objMalware.add_type("Remote Access Trojan")
            objMalware.short_description = ""
            objMalware.description = ""

            objTTP = TTP(title=sType)
            objTTP.behavior = Behavior()
            objTTP.behavior.add_malware_instance(objMalware)
            objIndicator.add_indicated_ttp(objTTP)

        stix_package.add_indicator(objIndicator)
        objIndicator = None

    ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = sProducer + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header
    stix_header = None

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return (stix_package)
def adptr_dict2STIX(srcObj, data):
    sTxt = "Called... "
    sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')

    ### Input Check
    if srcObj is None or data is None:
        # TODO: Needs error msg: Missing srcData Object
        return False

    ### Generate NameSpace id tags
    STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
    OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
    stix_set_id_namespace(STIX_NAMESPACE)
    obs_set_id_namespace(OBS_NAMESPACE)

    ### Building STIX Wrapper
    stix_package = STIXPackage()

    ### Bulid Object Data
    for sKey in data:
        objIndicator = Indicator()
        listOBS = []

        ### Parsing IP Address
        sAddr = data[sKey]['attrib']['ipAddr']
        if sAddr:
            objAddr = Address()
            objAddr.is_source = True
            objAddr.address_value = sAddr
            objAddr.address_value.condition = 'Equals'
            if isIPv4(sAddr):
                objAddr.category = 'ipv4-addr'
            elif isIPv6(sAddr):
                objAddr.category = 'ipv6-addr'
            else:
                continue

            obsAddr = Observable(objAddr)
            obsAddr.sighting_count = 1
            obsAddr.title = 'IP: ' + sAddr
            sDscrpt = 'IPv4' + ': ' + sAddr + " | "
            sDscrpt += "isSource: True | "
            obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsAddr)
            objIndicator.add_indicator_type("IP Watchlist")

            ### Parsing Domain
        sDomain = data[sKey]['attrib']['domain']
        if sDomain:
            objDomain = DomainName()
            objDomain.value = sDomain
            objDomain.value.condition = 'Equals'
            if isFQDN(sDomain):
                objDomain.type = 'FQDN'
            elif isTLD(sDomain):
                objDomain.type = 'TLD'
            else:
                continue

            obsDomain = Observable(objDomain)
            obsDomain.sighting_count = 1
            obsDomain.title = 'Domain: ' + sDomain
            sDscrpt = 'Domain: ' + sDomain + " | "
            sDscrpt += "isFQDN: True | "
            obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
            listOBS.append(obsDomain)
            objIndicator.add_indicator_type("Domain Watchlist")

        # Parser File Hash
        # sHash = data[sKey]['attrib']['hash'];
        # if len(sHash) > 0:
        # objFile = File()
        # sFileName = data[sKey]['attrib']['fileName']
        # if len(sFileName) > 0:
        # objFile.file_name   = sFileName
        # objFile.file_format = sFileName.split('.')[1]

        # objFile.add_hash(Hash(sHash, exact=True))
        # obsFile = Observable(objFile)
        # objFile = None;
        # obsFile.sighting_count = 1
        # obsFile.title = 'File: ' + sFileName
        #     sDscrpt = 'FileName: ' + sFileName + " | "
        #     sDscrpt += "FileHash: " + sHash + " | "
        #     obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
        #     listOBS.append(obsFile)
        #     obsFile = None;
        #     objIndicator.add_indicator_type("File Hash Watchlist")

        ### Add Generated observable to Indicator
        objIndicator.observables = listOBS
        objIndicator.observable_composition_operator = 'OR'

        #Parsing Producer
        sProducer = srcObj.Domain
        if len(srcObj.Domain) > 0:
            objIndicator.set_producer_identity(srcObj.Domain)

        if data[sKey]['attrib']['dateVF']:
            objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
        objIndicator.set_received_time(data[sKey]['dateDL'])

        ### Old Title / Description Generator
        #objIndicator.title = data[sKey]['attrib']['title'];
        #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";

        ### Generate Indicator Title based on availbe data
        sTitle = 'Feodo Tracker: '
        if sAddr:
            sAddLine = "This IP address has been identified as malicious"
        if sDomain:
            sAddLine = "This domain has been identified as malicious"
        if len(sAddLine) > 0:
            sTitle += " | " + sAddLine
        if len(srcObj.Domain) > 0:
            sTitle += " by " + srcObj.Domain
        else:
            sTitle += "."
        if len(sTitle) > 0:
            objIndicator.title = sTitle

        #Generate Indicator Description based on availbe data
        sDscrpt = ""
        if sAddr:
            sAddLine = "This IP address " + sAddr
        if sDomain:
            sAddLine = "This domain " + sDomain
        if sAddr and sDomain:
            sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
        if len(sAddLine) > 0:
            sDscrpt += sAddLine

        sDscrpt += " has been identified as malicious"
        if len(srcObj.Domain) > 0:
            sDscrpt += " by " + srcObj.Domain
        else:
            sDscrpt += "."
        sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \
                  data[sKey]['attrib']['link'] + "]."

        if len(sDscrpt) > 0:
            objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"

        #Parse TTP
        objMalware = MalwareInstance()
        objMalware.add_name("Cridex")
        objMalware.add_name("Bugat")
        objMalware.add_name("Dridex")
        objMalware.add_type("Remote Access Trojan")
        objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials"

        sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n"
        sDscrpt += "\n"
        sDscrpt += "  Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n"
        sDscrpt += "  Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n"
        sDscrpt += "  Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n"
        sDscrpt += "  Version D: Successor of Cridex. This version is also known as Dridex\n"
        objMalware.description = "<![CDATA[" + sDscrpt + "]]>"

        objTTP = TTP(title="Feodo")
        objTTP.behavior = Behavior()
        objTTP.behavior.add_malware_instance(objMalware)
        objIndicator.add_indicated_ttp(objTTP)
        #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
        #stix_package.add_ttp(objTTP)

        stix_package.add_indicator(objIndicator)

        ### STIX Package Meta Data
    stix_header = STIXHeader()
    stix_header.title = srcObj.pkgTitle
    stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"

    ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
    marking_specification = MarkingSpecification()

    classLevel = SimpleMarkingStructure()
    classLevel.statement = "Unclassified (Public)"
    marking_specification.marking_structures.append(classLevel)

    objTOU = TermsOfUseMarkingStructure()
    sTOU = open('tou.txt').read()
    objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
    marking_specification.marking_structures.append(objTOU)

    tlp = TLPMarkingStructure()
    tlp.color = "WHITE"
    marking_specification.marking_structures.append(tlp)
    marking_specification.controlled_structure = "//node()"

    handling = Marking()
    handling.add_marking(marking_specification)
    stix_header.handling = handling

    stix_package.stix_header = stix_header

    ### Generate STIX XML File
    locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
    sndFile(stix_package.to_xml(), locSTIXFile)

    return stix_package