def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print(pkg.to_xml(encoding=None))
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print pkg.to_xml()
def create_victim_target(source, target_ref, target_obj_ref_1x): global _VICTIM_TARGET_TTPS target, identity1x_tuple = handle_identity(target_ref, target_obj_ref_1x) ttp = TTP() ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = target _VICTIM_TARGET_TTPS.append(ttp) source.observed_ttps.append(ttp) identity1x_tuple[1] = True
def create_victim_target_for_threat_actor(source, target_ref, target_obj_ref_1x): global _VICTIM_TARGET_TTPS target, identity1x_tuple = choose_full_object_or_idref( target_ref, target_obj_ref_1x) ttp = TTP() ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = target _VICTIM_TARGET_TTPS.append(ttp) source.observed_ttps.append(ttp) identity1x_tuple[1] = True
def main(): ciq_identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity stix_package = STIXPackage() stix_package.add_ttp(ttp) print(stix_package.to_xml(encoding=None))
def main(): ciq_identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.organisation_info = OrganisationInfo( industry_type="Electricity, Industrial Control Systems") ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity stix_package = STIXPackage() stix_package.add_ttp(ttp) print stix_package.to_xml()
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append( Incident( idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append( Incident( idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append( Incident( idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print(pkg.to_xml(encoding=None))
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" c = Campaign() c.attribution.append(actor) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def buildTtp(input_dict): ttp = TTP() ttp.title = input_dict['title'] ttp.description = input_dict['description'] if input_dict['intendedEffect']: ttp.add_intended_effect(input_dict['intendedEffect']) if input_dict['behavior']: ttp.behavior = Behavior(input_dict['behavior']) if input_dict['resources']: ttp.resources = input_dict['resources'] if input_dict['victimTargeting']: #TODO look into adding more victim fields vic = VictimTargeting() vic.add_targeted_information(input_dict['victimTargeting']) ttp.victim_targeting = vic #target = ExploitTargets(). #target.append(input_dict['exploitTargets']) #ttp.exploit_targets = target if input_dict['informationSource']: ttp.information_source = InformationSource(input_dict['informationSource']) if input_dict['killChain']: ttp.kill_chain_phases = input_dict['killChain'] return ttp
def transform(self, event): stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident( id_="%s:%s-%s" % (CONPOT_NAMESPACE, 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category( VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append( ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent( 'Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.' ) })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP( title= "Victim Targeting: Electricity Sector and Industrial Control System Sector" ) ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({ 'port_value': event['remote'][1], 'layer4_protocol': 'tcp' }) dest_port = Port.from_dict({ 'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp' }) source_ip = Address.from_dict({ 'address_value': event['remote'][0], 'category': Address.CAT_IPV4 }) dest_ip = Address.from_dict({ 'address_value': event['public_ip'], 'category': Address.CAT_IPV4 }) source_address = SocketAddress.from_dict({ 'ip_address': source_ip.to_dict(), 'port': source_port.to_dict() }) dest_address = SocketAddress.from_dict({ 'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict() }) network_connection = NetworkConnection.from_dict({ 'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': "IPv4", 'layer4_protocol': "TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': "ESTABLISHED", 'destination_tcp_state': "ESTABLISHED", }) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def transform(self, event): self._set_namespace(self.config['contact_domain'], self.config['contact_name']) stix_package = STIXPackage() self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents") incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id'])) initial_time = StixTime() initial_time.initial_compromise = event['timestamp'].isoformat() incident.time = initial_time incident.title = "Conpot Event" incident.short_description = "Traffic to Conpot ICS honeypot" incident.add_category(VocabString(value='Scans/Probes/Attempted Access')) tool_list = ToolInformationList() tool_list.append(ToolInformation.from_dict({ 'name': "Conpot", 'vendor': "Conpot Team", 'version': conpot.__version__, 'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems ' 'honeypot designed to be easy to deploy, modify and extend.') })) incident.reporter = InformationSource(tools=tool_list) incident.add_discovery_method("Monitoring Service") incident.confidence = "High" # Victim Targeting by Sector ciq_identity = CIQIdentity3_0Instance() #identity_spec = STIXCIQIdentity3_0() #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems") #ciq_identity.specification = identity_spec ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector") ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.identity = ciq_identity incident.leveraged_ttps.append(ttp) indicator = Indicator(title="Conpot Event") indicator.description = "Conpot network event" indicator.confidence = "High" source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'}) dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']], 'layer4_protocol': 'tcp'}) source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4}) dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4}) source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()}) dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()}) network_connection = NetworkConnection.from_dict( {'source_socket_address': source_address.to_dict(), 'destination_socket_address': dest_address.to_dict(), 'layer3_protocol': u"IPv4", 'layer4_protocol': u"TCP", 'layer7_protocol': event['data_type'], 'source_tcp_state': u"ESTABLISHED", 'destination_tcp_state': u"ESTABLISHED", } ) indicator.add_observable(Observable(network_connection)) artifact = Artifact() artifact.data = json.dumps(event['data']) artifact.packaging.append(ZlibCompression()) artifact.packaging.append(Base64Encoding()) indicator.add_observable(Observable(artifact)) incident.related_indicators.append(indicator) stix_package.add_incident(incident) stix_package_xml = stix_package.to_xml() return stix_package_xml
def adptrTransform_Dict2Obj(srcData, data=None): sNAMEFUNC = 'adptrTransform_Dict2Obj' sndMSG('Called...', 'INFO', sNAMEFUNC) if not srcData: return (None) #srcData can not be empty from stix.core import STIXPackage from stix.common import InformationSource, Identity from stix.data_marking import Marking from stix.ttp import TTP ### Build Package objMarkingSpecification = genObject_MarkingSpecification(data) objMarkingSpecification.controlled_structure = "//node()" objHdr = genData_STIXHeader(data) objHdr.handling = Marking(objMarkingSpecification) objHdr.information_source = InformationSource(identity=Identity( name=srcData.pkgLink)) objTTP = genObject_TTP(data) objTTP.information_source = InformationSource(identity=Identity( name=srcData.pkgLink)) objPkg = STIXPackage() objPkg.stix_header = objHdr objPkg.add_ttp(objTTP) for sKey in data['data']: obsList = [] ### Build Observables obsURI = genObject_URI(data['data'][sKey]['src']) try: obsURI.id_ = data['data'][sKey]['meta']['uri'] except: data['data'][sKey]['meta'].update({'uri': obsURI.id_}) ### Srt: Stupid test to make sure URL be output via STIX.to_xml() try: testPkg = STIXPackage() testPkg.add_observable(obsURI) testPkg.to_xml() except: sNAMEFUNC = 'adptrTransform_Dict2Obj' sndMSG('Error Parsing URL for this key: [' + sKey + ']', 'INFO', sNAMEFUNC) testPkg = None continue ### End: Stupid test objPkg.add_observable(obsURI) obsList.append(genRefObs(obsURI)) ### Build Indicators objInd = genObject_Indicator(data['data'][sKey]['src']) try: obsURI.id_ = data['data'][sKey]['meta']['ind'] except: data['data'][sKey]['meta'].update({'ind': objInd.id_}) objInd.producer = InformationSource(identity=Identity( name=srcData.pkgLink)) objInd.observables = obsList objInd.indicator_types = ["URL Watchlist"] objInd.observable_composition_operator = "OR" objInd.set_received_time(data['data'][sKey]['meta']['dateDL']) try: objInd.set_produced_time( data['data'][sKey]['src']['verification_time']) except: pass if not data['data'][sKey]['src']['target'] == 'Other': from stix.ttp import TTP objVictimTargeting = genData_VictimTargeting( data['data'][sKey]['src']) if obsURI: objVictimTargeting.targeted_technical_details = genRefObs( obsURI) objTTP_vic = TTP() objTTP_vic.title = "Targeting: " + data['data'][sKey]['src'][ 'target'] objTTP_vic.victim_targeting = objVictimTargeting objInd.add_indicated_ttp(objTTP_vic) objInd.add_indicated_ttp(TTP(idref=objTTP.id_)) objPkg.add_indicator(objInd) #updateDB_local(data,srcData) return (objPkg)
ElectronicAddressIdentifier(value='*****@*****.**', type_='Email')) party_name = PartyName() party_name.add_person_name('Bob Ricca') party_name.add_person_name('Robert Ricca') party_name.add_organisation_name('ThreatQuotient') identity_spec.party_name = party_name organization = OrganisationInfo(industry_type='Cybersecurity') identity_spec.organisation_info = organization identity.specification = identity_spec victim_targeting.identity = identity domain2 = DomainName() domain2.value = 'www.bobricca.com' observable2 = Observable(domain2) victim_targeting.targeted_technical_details = Observables( Observable(idref=observable2.id_)) ttp2.victim_targeting = victim_targeting ttp2.related_ttps.append(related_ttp) # Related TTP (Exploit; by id) ttp3 = TTP(title='Remote Exploit of Server Software') exploit = Exploit(title='Exploit Apache') exploit.description = 'Exploit Description' exploit.short_description = 'Short Description' ttp3.behavior = Behavior() ttp3.behavior.add_exploit(exploit) vt3 = VictimTargeting() vt3.identity = Identity(name='Steve Franchak') ttp3.victim_targeting = vt3 # TTP 3 - Related Exploit Target