def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def main():
from stix.campaign import Campaign
from stix.common.related import RelatedTTP
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information(
"Information Assets - Customer PII")
ttp.victim_targeting.add_targeted_information(
"Information Assets - Financial Data")
ttp_ref = TTP()
ttp_ref.idref = ttp.id_
related_ttp = RelatedTTP(ttp_ref)
related_ttp.relationship = "Targets"
c = Campaign()
c.title = "Operation Alpha"
c.related_ttps.append(related_ttp)
pkg = STIXPackage()
pkg.add_campaign(c)
pkg.add_ttp(ttp)
print(pkg.to_xml(encoding=None))
def main():
from stix.campaign import Campaign
from stix.common.related import RelatedTTP
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII")
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
ttp_ref = TTP()
ttp_ref.idref = ttp.id_
related_ttp = RelatedTTP(ttp_ref)
related_ttp.relationship = "Targets"
c = Campaign()
c.title = "Operation Alpha"
c.related_ttps.append(related_ttp)
pkg = STIXPackage()
pkg.add_campaign(c)
pkg.add_ttp(ttp)
print pkg.to_xml()
def create_victim_target(source, target_ref, target_obj_ref_1x):
global _VICTIM_TARGET_TTPS
target, identity1x_tuple = handle_identity(target_ref, target_obj_ref_1x)
ttp = TTP()
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = target
_VICTIM_TARGET_TTPS.append(ttp)
source.observed_ttps.append(ttp)
identity1x_tuple[1] = True
def create_victim_target_for_threat_actor(source, target_ref,
target_obj_ref_1x):
global _VICTIM_TARGET_TTPS
target, identity1x_tuple = choose_full_object_or_idref(
target_ref, target_obj_ref_1x)
ttp = TTP()
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = target
_VICTIM_TARGET_TTPS.append(ttp)
source.observed_ttps.append(ttp)
identity1x_tuple[1] = True
def main():
ciq_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
print(stix_package.to_xml(encoding=None))
def main():
ciq_identity = CIQIdentity3_0Instance()
identity_spec = STIXCIQIdentity3_0()
identity_spec.organisation_info = OrganisationInfo(
industry_type="Electricity, Industrial Control Systems")
ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.incident import Incident
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information(
"Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
attrib = Attribution()
attrib.append(actor)
c = Campaign()
c.attribution = []
c.attribution.append(attrib)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
c.related_incidents.append(
Incident(
idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
c.related_incidents.append(
Incident(
idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
c.related_incidents.append(
Incident(
idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))
pkg = STIXPackage()
pkg.add_campaign(c)
print(pkg.to_xml(encoding=None))
def main():
from stix.campaign import Campaign, Attribution
from stix.threat_actor import ThreatActor
from stix.core import STIXPackage
from stix.ttp import TTP, VictimTargeting
ttp = TTP()
ttp.title = "Victim Targeting: Customer PII and Financial Data"
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")
actor = ThreatActor()
actor.title = "People behind the intrusion"
c = Campaign()
c.attribution.append(actor)
c.title = "Compromise of ATM Machines"
c.related_ttps.append(ttp)
pkg = STIXPackage()
pkg.add_campaign(c)
print pkg.to_xml()
def buildTtp(input_dict):
ttp = TTP()
ttp.title = input_dict['title']
ttp.description = input_dict['description']
if input_dict['intendedEffect']:
ttp.add_intended_effect(input_dict['intendedEffect'])
if input_dict['behavior']:
ttp.behavior = Behavior(input_dict['behavior'])
if input_dict['resources']:
ttp.resources = input_dict['resources']
if input_dict['victimTargeting']:
#TODO look into adding more victim fields
vic = VictimTargeting()
vic.add_targeted_information(input_dict['victimTargeting'])
ttp.victim_targeting = vic
#target = ExploitTargets().
#target.append(input_dict['exploitTargets'])
#ttp.exploit_targets = target
if input_dict['informationSource']:
ttp.information_source = InformationSource(input_dict['informationSource'])
if input_dict['killChain']:
ttp.kill_chain_phases = input_dict['killChain']
return ttp
def transform(self, event):
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot",
"Describes one or more honeypot incidents")
incident = Incident(
id_="%s:%s-%s" %
(CONPOT_NAMESPACE, 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(
VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(
ToolInformation.from_dict({
'name':
"Conpot",
'vendor':
"Conpot Team",
'version':
conpot.__version__,
'description':
textwrap.dedent(
'Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.'
)
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({
'port_value': event['remote'][1],
'layer4_protocol': 'tcp'
})
dest_port = Port.from_dict({
'port_value':
self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol':
'tcp'
})
source_ip = Address.from_dict({
'address_value': event['remote'][0],
'category': Address.CAT_IPV4
})
dest_ip = Address.from_dict({
'address_value': event['public_ip'],
'category': Address.CAT_IPV4
})
source_address = SocketAddress.from_dict({
'ip_address':
source_ip.to_dict(),
'port':
source_port.to_dict()
})
dest_address = SocketAddress.from_dict({
'ip_address': dest_ip.to_dict(),
'port': dest_port.to_dict()
})
network_connection = NetworkConnection.from_dict({
'source_socket_address':
source_address.to_dict(),
'destination_socket_address':
dest_address.to_dict(),
'layer3_protocol':
"IPv4",
'layer4_protocol':
"TCP",
'layer7_protocol':
event['data_type'],
'source_tcp_state':
"ESTABLISHED",
'destination_tcp_state':
"ESTABLISHED",
})
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def transform(self, event):
self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")
incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(ToolInformation.from_dict({
'name': "Conpot",
'vendor': "Conpot Team",
'version': conpot.__version__,
'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.')
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol': 'tcp'})
source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
network_connection = NetworkConnection.from_dict(
{'source_socket_address': source_address.to_dict(),
'destination_socket_address': dest_address.to_dict(),
'layer3_protocol': u"IPv4",
'layer4_protocol': u"TCP",
'layer7_protocol': event['data_type'],
'source_tcp_state': u"ESTABLISHED",
'destination_tcp_state': u"ESTABLISHED",
}
)
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def adptrTransform_Dict2Obj(srcData, data=None):
sNAMEFUNC = 'adptrTransform_Dict2Obj'
sndMSG('Called...', 'INFO', sNAMEFUNC)
if not srcData: return (None) #srcData can not be empty
from stix.core import STIXPackage
from stix.common import InformationSource, Identity
from stix.data_marking import Marking
from stix.ttp import TTP
### Build Package
objMarkingSpecification = genObject_MarkingSpecification(data)
objMarkingSpecification.controlled_structure = "//node()"
objHdr = genData_STIXHeader(data)
objHdr.handling = Marking(objMarkingSpecification)
objHdr.information_source = InformationSource(identity=Identity(
name=srcData.pkgLink))
objTTP = genObject_TTP(data)
objTTP.information_source = InformationSource(identity=Identity(
name=srcData.pkgLink))
objPkg = STIXPackage()
objPkg.stix_header = objHdr
objPkg.add_ttp(objTTP)
for sKey in data['data']:
obsList = []
### Build Observables
obsURI = genObject_URI(data['data'][sKey]['src'])
try:
obsURI.id_ = data['data'][sKey]['meta']['uri']
except:
data['data'][sKey]['meta'].update({'uri': obsURI.id_})
### Srt: Stupid test to make sure URL be output via STIX.to_xml()
try:
testPkg = STIXPackage()
testPkg.add_observable(obsURI)
testPkg.to_xml()
except:
sNAMEFUNC = 'adptrTransform_Dict2Obj'
sndMSG('Error Parsing URL for this key: [' + sKey + ']', 'INFO',
sNAMEFUNC)
testPkg = None
continue
### End: Stupid test
objPkg.add_observable(obsURI)
obsList.append(genRefObs(obsURI))
### Build Indicators
objInd = genObject_Indicator(data['data'][sKey]['src'])
try:
obsURI.id_ = data['data'][sKey]['meta']['ind']
except:
data['data'][sKey]['meta'].update({'ind': objInd.id_})
objInd.producer = InformationSource(identity=Identity(
name=srcData.pkgLink))
objInd.observables = obsList
objInd.indicator_types = ["URL Watchlist"]
objInd.observable_composition_operator = "OR"
objInd.set_received_time(data['data'][sKey]['meta']['dateDL'])
try:
objInd.set_produced_time(
data['data'][sKey]['src']['verification_time'])
except:
pass
if not data['data'][sKey]['src']['target'] == 'Other':
from stix.ttp import TTP
objVictimTargeting = genData_VictimTargeting(
data['data'][sKey]['src'])
if obsURI:
objVictimTargeting.targeted_technical_details = genRefObs(
obsURI)
objTTP_vic = TTP()
objTTP_vic.title = "Targeting: " + data['data'][sKey]['src'][
'target']
objTTP_vic.victim_targeting = objVictimTargeting
objInd.add_indicated_ttp(objTTP_vic)
objInd.add_indicated_ttp(TTP(idref=objTTP.id_))
objPkg.add_indicator(objInd)
#updateDB_local(data,srcData)
return (objPkg)
ElectronicAddressIdentifier(value='*****@*****.**', type_='Email'))
party_name = PartyName()
party_name.add_person_name('Bob Ricca')
party_name.add_person_name('Robert Ricca')
party_name.add_organisation_name('ThreatQuotient')
identity_spec.party_name = party_name
organization = OrganisationInfo(industry_type='Cybersecurity')
identity_spec.organisation_info = organization
identity.specification = identity_spec
victim_targeting.identity = identity
domain2 = DomainName()
domain2.value = 'www.bobricca.com'
observable2 = Observable(domain2)
victim_targeting.targeted_technical_details = Observables(
Observable(idref=observable2.id_))
ttp2.victim_targeting = victim_targeting
ttp2.related_ttps.append(related_ttp)
# Related TTP (Exploit; by id)
ttp3 = TTP(title='Remote Exploit of Server Software')
exploit = Exploit(title='Exploit Apache')
exploit.description = 'Exploit Description'
exploit.short_description = 'Short Description'
ttp3.behavior = Behavior()
ttp3.behavior.add_exploit(exploit)
vt3 = VictimTargeting()
vt3.identity = Identity(name='Steve Franchak')
ttp3.victim_targeting = vt3
# TTP 3 - Related Exploit Target
