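def main():
    """Build and print a wrapper STIX package relating two TLP-marked packages.

    The "Adversary Alpha" campaign report is marked TLP:AMBER and the
    DrownedRat indicator package TLP:RED.  An outer package carries the
    information source and references both through ``related_packages``.
    The resulting XML is written to stdout.
    """
    # Package 1: campaign characterization, marked TLP:AMBER.
    alpha_package = STIXPackage()
    alpha_package.stix_header = STIXHeader()
    alpha_package.stix_header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_package.stix_header.package_intents = "Campaign Characterization"
    alpha_package.stix_header.handling = Marking()

    alpha_marking = MarkingSpecification()
    # XPath relative to the Handling element: the marking covers the whole package.
    alpha_marking.controlled_structure = "../../../../node()"
    alpha_tlp_marking = TLPMarkingStructure()
    alpha_tlp_marking.color = "AMBER"
    alpha_marking.marking_structures.append(alpha_tlp_marking)
    alpha_package.stix_header.handling.add_marking(alpha_marking)

    # Package 2: malware indicators, marked TLP:RED.
    rat_package = STIXPackage()
    rat_package.stix_header = STIXHeader()
    rat_package.stix_header.title = "Indicators for Malware DrownedRat"
    rat_package.stix_header.package_intents = "Indicators - Malware Artifacts"
    rat_package.stix_header.handling = Marking()

    rat_marking = MarkingSpecification()
    rat_marking.controlled_structure = "../../../../node()"
    rat_tlp_marking = TLPMarkingStructure()
    rat_tlp_marking.color = "RED"
    # The RED structure belongs to the DrownedRat package's own marking
    # specification.  It was previously appended to alpha_marking, which left
    # the RED package with an empty marking and double-marked the AMBER one.
    rat_marking.marking_structures.append(rat_tlp_marking)
    rat_package.stix_header.handling.add_marking(rat_marking)

    # Outer package: carries provenance and references both packages.
    stix_package = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    stix_package.stix_header = STIXHeader(information_source=info_src)
    stix_package.related_packages.append(alpha_package)
    stix_package.related_packages.append(rat_package)

    print(stix_package.to_xml())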
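def set_received_time(self, received_time):
    """Set the received time for this :class:`Indicator`.

    This is the same as calling
    ``indicator.producer.time.received_time = received_time``.  When the
    indicator has no ``producer`` yet, an ``InformationSource`` is created;
    when that producer has no ``time``, a ``Time`` is created, so the call
    never fails on a freshly constructed indicator.

    Args:
        received_time: An instance of ``str``, ``datetime.datetime``, or
            ``cybox.common.DateTimeWithPrecision``.

    Note:
        If `received_time` is a ``str`` or ``datetime.datetime`` instance an
        attempt will be made to convert it into an instance of
        ``cybox.common.DateTimeWithPrecision``.
    """
    if not self.producer:
        self.producer = InformationSource()
    if not self.producer.time:
        self.producer.time = Time()
    self.producer.time.received_time = received_time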
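def from_dict(cls, dict_repr, return_obj=None):
    """Build an Incident from its dictionary representation.

    Args:
        dict_repr: The ``dict`` produced by ``to_dict()``.  A falsy value
            yields ``None``.
        return_obj: Optional pre-built instance to populate; a fresh
            ``cls()`` is created when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `dict_repr` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    get = dict_repr.get

    return_obj.id_ = get('id')
    return_obj.idref = get('idref')
    return_obj.timestamp = get('timestamp')
    # Missing version falls back to the class default.
    return_obj.version = get('version', cls._version)
    return_obj.title = get('title')
    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.time = Time.from_dict(get('time'))
    return_obj.victims = [Identity.from_dict(x) for x in get('victims', [])]
    return_obj.categories = [IncidentCategory.from_dict(x) for x in get('categories', [])]
    return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
    return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    return_obj.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
    return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
    return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in get('affected_assets', [])]
    # Previously assigned to the misspelt attribute ``discovery_methdos``,
    # so the parsed discovery methods were silently dropped.
    return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in get('discovery_methods', [])]
    return_obj.reporter = InformationSource.from_dict(get('reporter'))
    return_obj.responders = [InformationSource.from_dict(x) for x in get('responders', [])]
    return_obj.coordinators = [InformationSource.from_dict(x) for x in get('coordinators', [])]
    return_obj.external_ids = [ExternalID.from_dict(x) for x in get('external_ids', [])]
    return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
    return_obj.information_source = InformationSource.from_dict(get('information_source'))
    return_obj.security_compromise = SecurityCompromise.from_dict(get('security_compromise'))
    return_obj.confidence = Confidence.from_dict(get('confidence'))
    return_obj.coa_taken = [COATaken.from_dict(x) for x in get('coa_taken', [])]

    return return_obj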
def main():
    """Print a STIX package holding two Reports that reference a shared Campaign and TTP.

    The Campaign and TTP objects live at the package level; each Report
    points at them by ``idref`` rather than embedding them.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = _build_report(
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
        "Campaign Characterization",
        descriptions="Adversary Alpha has a campaign against the ICS sector!",
    )
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = _build_report(
        "Indicators for Malware DrownedRat",
        "Indicators - Malware Artifacts",
    )
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())


def _build_report(title, intents, descriptions=None):
    """Return a Report whose header carries `title`, optional `descriptions` and `intents`."""
    report = Report()
    report.header = Header()
    report.header.title = title
    if descriptions is not None:
        report.header.descriptions = descriptions
    report.header.intents = intents
    return report
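def main():
    """Print a STIX package holding two Reports that reference a shared Campaign and TTP.

    The Campaign and TTP objects live at the package level; each Report
    points at them by ``idref`` rather than embedding them.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    # Reference the campaign through its public ``id_`` attribute, as the rest
    # of this file does, instead of reaching into the private ``_id`` field.
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())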
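def main():
    """Build an "IP Watchlist" STIX indicator package from the data returned by ``loaddata()``.

    The loaded mapping is read through the keys ``NSXURL``, ``NS``,
    ``Identity``, ``TLP_COLOR``, ``Title``, ``Description`` and ``IOC``;
    ``IOC`` maps an IPv4 address to a list of file hashes seen being
    downloaded from it.  Every value taken from the mapping goes through
    ``sanitizer`` before it is placed in the document.  The resulting XML is
    printed to stdout.
    """
    mydata = loaddata()

    # Your namespace: new ids will be prefixed by the configured alias.
    # NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
    # set_id_namespace(NAMESPACE)
    NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
    set_id_namespace(NAMESPACE)

    wrapper = STIXPackage()

    info_src = InformationSource()
    info_src.identity = Identity(name=sanitizer(mydata["Identity"]))

    # TLP marking applied to every node and attribute of the package.
    marking_specification = MarkingSpecification()
    marking_specification.controlled_structure = "//node() | //@*"
    tlp = TLPMarkingStructure()
    tlp.color = sanitizer(mydata["TLP_COLOR"])
    marking_specification.marking_structures.append(tlp)
    handling = Marking()
    handling.add_marking(marking_specification)

    # Local wall-clock time (same value fromtimestamp(time.time()) gave),
    # used as the header's short description.
    timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    MyTITLE = sanitizer(mydata["Title"])
    SHORT = timestamp
    DESCRIPTION = sanitizer(mydata["Description"])

    wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE, description=DESCRIPTION, short_description=SHORT)
    wrapper.stix_header.handling = handling

    indiDom = Indicator()
    indiDom.title = MyTITLE
    indiDom.add_indicator_type("IP Watchlist")

    for ip_value, hashes in mydata["IOC"].items():
        myip = Address(address_value=sanitizer(ip_value), category=Address.CAT_IPV4)
        myip.condition = "Equals"
        obsu = Observable(myip)
        # Each hash becomes a File related to the address.  The previous loop
        # used ``mydata["IOC"][key]`` itself as the loop target, so the list
        # of hashes was overwritten with its last element on every pass.
        for hash_value in hashes:
            ioc = File()
            ioc.add_hash(sanitizer(hash_value))
            myip.add_related(ioc, "Downloaded")
        indiDom.add_observable(obsu)

    wrapper.add_indicator(indiDom)
    print(wrapper.to_xml())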
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its binding object.

    ``id_``, ``idref`` and ``timestamp`` are always copied.  The remaining
    fields are read only when `obj` is an instance of ``cls._binding_class``,
    i.e. a full type rather than a bare reference.  Repeating elements are
    converted only when the binding carries any; the trailing properties are
    passed to their ``from_obj`` converters unconditionally (presumably those
    converters accept whatever the binding holds when the element is absent
    — confirm against them).

    Args:
        obj: Binding object exposing its elements as attributes
            (``obj.Title``, ``obj.Victim``, ...).  A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp

    # Everything below exists only on the full type.
    if isinstance(obj, cls._binding_class):
        return_obj.version = obj.version
        return_obj.title = obj.Title
        return_obj.description = StructuredText.from_obj(obj.Description)
        return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
        return_obj.time = Time.from_obj(obj.Time)

        # Repeating elements: converted only when the binding carries any.
        if obj.Victim:
            return_obj.victims = [Identity.from_obj(x) for x in obj.Victim]
        if obj.Categories:
            return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category]
        if obj.Intended_Effect:
            return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
        if obj.Affected_Assets:
            return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset]
        if obj.Discovery_Method:
            return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method]
        if obj.Reporter:
            return_obj.reporter = InformationSource.from_obj(obj.Reporter)
        if obj.Responder:
            return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder]
        if obj.Coordinator:
            return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator]
        if obj.External_ID:
            return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID]
        if obj.Impact_Assessment:
            return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
        if obj.Information_Source:
            return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
        if obj.Security_Compromise:
            return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)

        # Unguarded: COA_Taken is iterated directly, the rest go straight to
        # their converters.
        return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken]
        return_obj.confidence = Confidence.from_obj(obj.Confidence)
        return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        return_obj.status = VocabString.from_obj(obj.Status)
        return_obj.handling = Marking.from_obj(obj.Handling)
        return_obj.history = History.from_obj(obj.History)

    return return_obj
def add_analyst_item(analyst_item, incident):
    """Attach a CIQ identity as the reporter of `incident`.

    The reporter is always set; its party name gets `analyst_item` as a
    name line only when `analyst_item` is non-empty.
    """
    reporter = InformationSource()
    reporter_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    reporter_identity.specification = identity_spec

    if analyst_item:
        party = PartyName()
        party.add_name_line(analyst_item)
        identity_spec.party_name = party

    reporter.identity = reporter_identity
    incident.reporter = reporter
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its binding object (getter-style binding).

    ``id_``, ``idref`` and ``timestamp`` are always copied.  The remaining
    fields are read only when `obj` is an instance of ``cls._binding_class``,
    i.e. a full type rather than a bare reference.  A missing version falls
    back to ``cls._version``.  Repeating elements are converted only when the
    binding returns any; the trailing properties go to their ``from_obj``
    converters unconditionally (presumably those converters accept whatever
    the getter returns when the element is absent — confirm against them).

    Args:
        obj: Binding object exposing its elements through ``get_*`` methods.
            A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()

    # Everything below exists only on the full type.
    if isinstance(obj, cls._binding_class):
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.time = Time.from_obj(obj.get_Time())

        # Repeating elements: converted only when the binding carries any.
        if obj.get_Victim():
            return_obj.victims = [Identity.from_obj(x) for x in obj.get_Victim()]
        if obj.get_Categories():
            return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.get_Categories().get_Category()]
        if obj.get_Intended_Effect():
            return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
        if obj.get_Affected_Assets():
            return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.get_Affected_Assets().get_Affected_Asset()]
        if obj.get_Discovery_Method():
            return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.get_Discovery_Method()]
        if obj.get_Reporter():
            return_obj.reporter = InformationSource.from_obj(obj.get_Reporter())
        if obj.get_Responder():
            return_obj.responders = [InformationSource.from_obj(x) for x in obj.get_Responder()]
        if obj.get_Coordinator():
            return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.get_Coordinator()]
        if obj.get_External_ID():
            return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.get_External_ID()]
        if obj.get_Impact_Assessment():
            return_obj.impact_assessment = ImpactAssessment.from_obj(obj.get_Impact_Assessment())
        if obj.get_Information_Source():
            return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        if obj.get_Security_Compromise():
            return_obj.security_compromise = SecurityCompromise.from_obj(obj.get_Security_Compromise())

        # Unguarded: COA_Taken is iterated directly, the rest go straight to
        # their converters.
        return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.get_COA_Taken()]
        return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
        return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
        return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
        return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
        return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
        return_obj.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
        return_obj.status = VocabString.from_obj(obj.get_Status())
        return_obj.handling = Marking.from_obj(obj.get_Handling())
        return_obj.history = History.from_obj(obj.get_History())

    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Indicator from its dictionary representation.

    The shared fields are filled by the base class ``from_dict``; this
    override then reads the Indicator-specific keys.

    Args:
        dict_repr: The ``dict`` produced by ``to_dict()``.  A falsy value
            yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `dict_repr` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    super(Indicator, cls).from_dict(dict_repr, return_obj=return_obj)

    def field(key, convert=None):
        # Look up `key` and, when a converter is given, run the value through it.
        value = dict_repr.get(key)
        return value if convert is None else convert(value)

    return_obj.negate = field('negate')
    return_obj.alternative_id = field('alternative_id')
    return_obj.indicated_ttps = field('indicated_ttps', _IndicatedTTPs.from_dict)
    return_obj.test_mechanisms = field('test_mechanisms', TestMechanisms.from_list)
    return_obj.suggested_coas = field('suggested_coas', SuggestedCOAs.from_dict)
    return_obj.sightings = field('sightings', Sightings.from_dict)
    return_obj.composite_indicator_expression = field('composite_indicator_expression', CompositeIndicatorExpression.from_dict)
    return_obj.kill_chain_phases = field('kill_chain_phases', KillChainPhasesReference.from_dict)
    return_obj.related_indicators = field('related_indicators', RelatedIndicators.from_dict)
    return_obj.likely_impact = field('likely_impact', Statement.from_dict)
    return_obj.indicator_types = field('indicator_types', IndicatorTypes.from_list)
    return_obj.confidence = field('confidence', Confidence.from_dict)
    return_obj.valid_time_positions = field('valid_time_positions', _ValidTimePositions.from_dict)
    return_obj.observable = field('observable', Observable.from_dict)
    return_obj.producer = field('producer', InformationSource.from_dict)
    return_obj.related_campaigns = field('related_campaigns', RelatedCampaignRefs.from_dict)
    return_obj.related_packages = field('related_packages', RelatedPackageRefs.from_dict)

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate a CourseOfAction from its binding object.

    ``id_``, ``idref`` and ``timestamp`` are always copied; the
    CourseOfActionType properties are read only when `obj` is an instance of
    ``cls._binding_class`` (a bare reference carries none of them).  Every
    property is passed to its ``from_obj`` converter unconditionally.

    Args:
        obj: Binding object exposing its elements as attributes.  A falsy
            value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp

    if isinstance(obj, cls._binding_class):
        # CourseOfActionType properties
        return_obj.version = obj.version
        return_obj.title = obj.Title
        return_obj.stage = VocabString.from_obj(obj.Stage)
        return_obj.type_ = VocabString.from_obj(obj.Type)
        return_obj.description = StructuredText.from_obj(obj.Description)
        return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
        return_obj.objective = Objective.from_obj(obj.Objective)
        return_obj.parameter_observables = Observables.from_obj(obj.Parameter_Observables)
        return_obj.impact = Statement.from_obj(obj.Impact)
        return_obj.cost = Statement.from_obj(obj.Cost)
        return_obj.efficacy = Statement.from_obj(obj.Efficacy)
        return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
        return_obj.handling = Marking.from_obj(obj.Handling)
        return_obj.related_coas = RelatedCOAs.from_obj(obj.Related_COAs)
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return return_obj
def main():
    """Print a bare STIX package whose header records the producing tool.

    The package is written twice: serialised as XML, then as the dictionary
    form of the same object.
    """
    # Note: This is an instance of cybox.common.ToolInformation and NOT
    # stix.common.ToolInformation.  The tool and vendor names are given as
    # initialisation parameters.
    tool = ToolInformation(tool_name="python-stix", tool_vendor="The MITRE Corporation")

    # The "tools" section of the Information Source is a
    # cybox.common.ToolInformationList holding our single tool.
    source = InformationSource()
    source.tools = ToolInformationList(tool)

    header = STIXHeader()
    header.information_source = source
    header.description = "Example"

    package = STIXPackage()
    package.stix_header = header

    print(package.to_xml())
    pprint(package.to_dict())
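def from_obj(cls, obj, return_obj=None):
    """Populate a ThreatActor from its binding object (getter-style binding).

    ``id_``, ``idref`` and ``timestamp`` are always copied; the
    ThreatActorType properties are read only when `obj` is an instance of
    ``cls._binding_class`` (a bare reference carries none of them).  A
    missing version falls back to ``cls._version``.  The repeating Statement
    elements are iterated directly; the remaining properties go to their
    ``from_obj`` converters unconditionally.

    Args:
        obj: Binding object exposing its elements through ``get_*`` methods.
            A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        # ThreatActorType properties.  ``or`` matches the fallback used by the
        # other from_obj() implementations in this file and reads the getter
        # once instead of twice.
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.identity = Identity.from_obj(obj.get_Identity())
        return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
        return_obj.motivations = [Statement.from_obj(x) for x in obj.get_Motivation()]
        return_obj.sophistications = [Statement.from_obj(x) for x in obj.get_Sophistication()]
        return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
        return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.get_Planning_And_Operational_Support()]
        return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
        return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
        return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
        return_obj.handling = Marking.from_obj(obj.get_Handling())
        return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
        return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return return_obj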
def main():
    """Wrap a YARA rule in a STIX Indicator test mechanism and print the package."""
    rule = """
    rule silent_banker : banker
    {
        meta:
            description = "This is just an example"
            thread_level = 3
            in_the_wild = true
        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        condition:
            $a or $b or $c
    }
    """

    package = STIXPackage()
    indicator = Indicator(title="silent_banker", description="This is just an example")

    # The mechanism records who produced the rule and where it came from.
    producer = InformationSource(identity=Identity(name="Yara"))
    producer.references = ["http://plusvic.github.io/yara/"]

    mechanism = YaraTestMechanism()
    mechanism.rule = rule
    mechanism.producer = producer
    indicator.test_mechanisms = TestMechanisms([mechanism])

    package.add_indicator(indicator)
    print(package.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
    """Populate an ExploitTarget from its binding object (getter-style binding).

    ``id_``, ``idref`` and ``timestamp`` are always copied; the full-type
    properties are read only when `obj` is an instance of
    ``cls._binding_class`` (a bare reference carries none of them).  A
    missing version falls back to ``cls._version``.  The repeating
    Vulnerability/Weakness/Configuration elements are iterated directly; the
    other properties go to their ``from_obj`` converters unconditionally.

    Args:
        obj: Binding object exposing its elements through ``get_*`` methods.
            A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()  # not yet implemented

    if isinstance(obj, cls._binding_class):
        # Properties of the full binding type (the "TTPType" label this
        # comment used to carry looks like a copy-paste leftover).
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        return_obj.handling = Marking.from_obj(obj.get_Handling())
        return_obj.potential_coas = PotentialCOAs.from_obj(obj.get_Potential_COAs())
        return_obj.related_exploit_targets = RelatedExploitTargets.from_obj(obj.get_Related_Exploit_Targets())
        return_obj.vulnerabilities = [Vulnerability.from_obj(x) for x in obj.get_Vulnerability()]
        return_obj.weaknesses = [Weakness.from_obj(x) for x in obj.get_Weakness()]
        return_obj.configuration = [Configuration.from_obj(x) for x in obj.get_Configuration()]
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate a TTP from its binding object (getter-style binding).

    ``id_``, ``idref`` and ``timestamp`` are always copied; the TTPType
    properties are read only when `obj` is an instance of
    ``cls._binding_class`` (a bare reference carries none of them).  A
    missing version falls back to ``cls._version``.  Intended_Effect is
    converted only when the binding returns any; the other properties go to
    their ``from_obj`` converters unconditionally.

    Args:
        obj: Binding object exposing its elements through ``get_*`` methods.
            A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        # TTPType properties
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.behavior = Behavior.from_obj(obj.get_Behavior())
        return_obj.related_ttps = RelatedTTPs.from_obj(obj.get_Related_TTPs())
        return_obj.exploit_targets = ExploitTargets.from_obj(obj.get_Exploit_Targets())
        return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        return_obj.resources = Resource.from_obj(obj.get_Resources())
        return_obj.victim_targeting = VictimTargeting.from_obj(obj.get_Victim_Targeting())

        # Repeating element: converted only when the binding carries any.
        if obj.get_Intended_Effect():
            return_obj.intended_effects = [
                Statement.from_obj(x) for x in obj.get_Intended_Effect()
            ]

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Copy the fields shared by every top-level STIX entity from `obj` into `return_obj`.

    Unlike the subclass converters, both arguments are mandatory here.

    Args:
        obj: Binding object.  Only ``id``, ``idref`` and ``timestamp`` are
            required on it; the other fields are optional because a
            reference (as opposed to a full type definition) lacks them.
        return_obj: The instance to populate.

    Returns:
        `return_obj`.

    Raises:
        ValueError: If `return_obj` or `obj` is missing.
    """
    from stix.common import StructuredTextList, InformationSource
    from stix.data_marking import Marking

    if not return_obj:
        raise ValueError("Must provide a return_obj argument")
    if not obj:
        raise ValueError("Must provide an obj argument")

    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp

    def optional(name):
        # Absent on a bare reference, so default to None instead of failing.
        return getattr(obj, name, None)

    return_obj.version = optional('version')
    return_obj.title = optional('Title')
    return_obj.descriptions = StructuredTextList.from_obj(optional('Description'))
    return_obj.short_descriptions = StructuredTextList.from_obj(optional('Short_Description'))
    return_obj.information_source = InformationSource.from_obj(optional('Information_Source'))
    return_obj.handling = Marking.from_obj(optional('Handling'))

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its binding object.

    The fields shared by every entity are delegated to the base class
    ``from_obj``.  The Incident-specific properties are read only when `obj`
    is an instance of ``cls._binding_class`` (a bare reference carries none
    of them); each is passed to its ``from_obj`` converter unconditionally.

    Args:
        obj: Binding object exposing its elements as attributes.  A falsy
            value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    super(Incident, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        return_obj.time = Time.from_obj(obj.Time)
        return_obj.victims = _Victims.from_obj(obj.Victim)
        return_obj.categories = IncidentCategories.from_obj(obj.Categories)
        return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
        return_obj.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets)
        return_obj.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method)
        return_obj.coa_taken = _COAsTaken.from_obj(obj.COA_Taken)
        return_obj.coa_requested = _COAsRequested.from_obj(obj.COA_Requested)
        return_obj.confidence = Confidence.from_obj(obj.Confidence)
        return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        return_obj.status = VocabString.from_obj(obj.Status)
        return_obj.history = History.from_obj(obj.History)
        return_obj.responders = _InformationSources.from_obj(obj.Responder)
        return_obj.coordinators = _InformationSources.from_obj(obj.Coordinator)
        return_obj.external_ids = _ExternalIDs.from_obj(obj.External_ID)
        return_obj.reporter = InformationSource.from_obj(obj.Reporter)
        return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
        # Security_Compromise is a controlled-vocabulary string here.
        return_obj.security_compromise = VocabString.from_obj(obj.Security_Compromise)
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an Indicator from its binding object.

    The fields shared by every entity are delegated to the base class
    ``from_obj``.  The Indicator-specific properties are read only when `obj`
    is an instance of ``cls._binding_class`` (a bare reference carries none
    of them); each is passed to its ``from_obj`` converter unconditionally,
    except ``negate`` and ``alternative_id`` which are copied as-is.

    Args:
        obj: Binding object exposing its elements as attributes.  A falsy
            value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    super(Indicator, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        return_obj.negate = obj.negate
        return_obj.producer = InformationSource.from_obj(obj.Producer)
        return_obj.confidence = Confidence.from_obj(obj.Confidence)
        return_obj.sightings = Sightings.from_obj(obj.Sightings)
        return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.Composite_Indicator_Expression)
        return_obj.kill_chain_phases = KillChainPhasesReference.from_obj(obj.Kill_Chain_Phases)
        return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        return_obj.likely_impact = Statement.from_obj(obj.Likely_Impact)
        # The binding's "Type" element maps to indicator_types.
        return_obj.indicator_types = IndicatorTypes.from_obj(obj.Type)
        return_obj.test_mechanisms = TestMechanisms.from_obj(obj.Test_Mechanisms)
        return_obj.suggested_coas = SuggestedCOAs.from_obj(obj.Suggested_COAs)
        return_obj.alternative_id = obj.Alternative_ID
        return_obj.indicated_ttps = _IndicatedTTPs.from_obj(obj.Indicated_TTP)
        return_obj.valid_time_positions = _ValidTimePositions.from_obj(obj.Valid_Time_Position)
        return_obj.observable = Observable.from_obj(obj.Observable)
        return_obj.related_campaigns = RelatedCampaignRefs.from_obj(obj.Related_Campaigns)
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)

    return return_obj
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Indicator from its dictionary representation.

    ``id`` and ``title`` are copied as-is.  ``observable``, ``producer``,
    ``description`` and ``indicator_type`` are converted only when present
    and non-empty; the observable is attached through ``add_observable``.

    Args:
        dict_repr: The ``dict`` produced by ``to_dict()``.  A falsy value
            yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `dict_repr` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    return_obj.id_ = dict_repr.get('id')
    return_obj.title = dict_repr.get('title')

    observable = dict_repr.get('observable')
    if observable:
        return_obj.add_observable(Observable.from_dict(observable))

    producer = dict_repr.get('producer')
    if producer:
        return_obj.producer = InformationSource.from_dict(producer)

    description = dict_repr.get('description')
    if description:
        return_obj.description = StructuredText.from_dict(description)

    indicator_type = dict_repr.get('indicator_type')
    if indicator_type:
        return_obj.indicator_type = IndicatorType.from_dict(indicator_type)

    return return_obj
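def from_obj(cls, obj, return_obj=None):
    """Populate an ExploitTarget from its binding object (getter-style binding).

    ``id_``, ``idref`` and ``timestamp`` are always copied; the full-type
    properties are read only when `obj` is an instance of
    ``cls._binding_class`` (a bare reference carries none of them).  A
    missing version falls back to ``cls._version``.  The repeating
    Vulnerability/Weakness/Configuration elements are iterated directly; the
    other properties go to their ``from_obj`` converters unconditionally.

    Args:
        obj: Binding object exposing its elements through ``get_*`` methods.
            A falsy value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    # Present on every binding, including references.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()  # not yet implemented

    if isinstance(obj, cls._binding_class):
        # Properties of the full binding type.
        return_obj.version = obj.get_version() or cls._version
        return_obj.title = obj.get_Title()
        return_obj.description = StructuredText.from_obj(obj.get_Description())
        return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
        return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
        return_obj.handling = Marking.from_obj(obj.get_Handling())
        return_obj.potential_coas = PotentialCOAs.from_obj(obj.get_Potential_COAs())
        return_obj.related_exploit_targets = RelatedExploitTargets.from_obj(obj.get_Related_Exploit_Targets())
        return_obj.vulnerabilities = [Vulnerability.from_obj(x) for x in obj.get_Vulnerability()]
        # The other ExploitTarget.from_obj() in this file, and the property
        # it pairs with, are named ``weaknesses``; assigning to the singular
        # ``weakness`` stored the parsed list on an attribute nothing reads.
        return_obj.weaknesses = [Weakness.from_obj(x) for x in obj.get_Weakness()]
        return_obj.configuration = [Configuration.from_obj(x) for x in obj.get_Configuration()]
        return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())

    return return_obj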
def from_dict(cls, dict_repr, return_obj=None):
    """Build an Incident from its dictionary representation.

    The shared fields are filled by the base class ``from_dict``; this
    override then converts each Incident-specific key.

    Args:
        dict_repr: The ``dict`` produced by ``to_dict()``.  A falsy value
            yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `dict_repr` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    super(Incident, cls).from_dict(dict_repr, return_obj=return_obj)

    def field(key, convert):
        # Look up `key` (None when absent) and run it through `convert`.
        return convert(dict_repr.get(key))

    return_obj.time = field('time', Time.from_dict)
    return_obj.victims = field('victims', _Victims.from_dict)
    return_obj.categories = field('categories', IncidentCategories.from_dict)
    return_obj.attributed_threat_actors = field('attributed_threat_actors', AttributedThreatActors.from_dict)
    return_obj.related_indicators = field('related_indicators', RelatedIndicators.from_dict)
    return_obj.related_observables = field('related_observables', RelatedObservables.from_dict)
    return_obj.related_incidents = field('related_incidents', RelatedIncidents.from_dict)
    # intended_effects is serialised as a plain list, hence from_list.
    return_obj.intended_effects = field('intended_effects', _IntendedEffects.from_list)
    return_obj.leveraged_ttps = field('leveraged_ttps', LeveragedTTPs.from_dict)
    return_obj.affected_assets = field('affected_assets', AffectedAssets.from_dict)
    return_obj.discovery_methods = field('discovery_methods', DiscoveryMethods.from_dict)
    return_obj.reporter = field('reporter', InformationSource.from_dict)
    return_obj.responders = field('responders', _InformationSources.from_dict)
    return_obj.coordinators = field('coordinators', _InformationSources.from_dict)
    return_obj.external_ids = field('external_ids', _ExternalIDs.from_dict)
    return_obj.impact_assessment = field('impact_assessment', ImpactAssessment.from_dict)
    return_obj.security_compromise = field('security_compromise', VocabString.from_dict)
    return_obj.confidence = field('confidence', Confidence.from_dict)
    return_obj.coa_taken = field('coa_taken', _COAsTaken.from_dict)
    return_obj.coa_requested = field('coa_requested', _COAsRequested.from_dict)
    return_obj.status = field('status', VocabString.from_dict)
    return_obj.history = field('history', History.from_dict)
    return_obj.related_packages = field('related_packages', RelatedPackageRefs.from_dict)

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Populate an Incident from its binding object.

    The fields shared by every entity are delegated to the base class
    ``from_obj``.  The Incident-specific properties are read only when `obj`
    is an instance of ``cls._binding_class`` (a bare reference carries none
    of them); each is passed to its ``from_obj`` converter unconditionally.

    Args:
        obj: Binding object exposing its elements as attributes.  A falsy
            value yields ``None``.
        return_obj: Optional instance to populate; ``cls()`` when omitted.

    Returns:
        The populated ``return_obj``, or ``None`` when `obj` is empty.
    """
    if not obj:
        return None
    if not return_obj:
        return_obj = cls()

    super(Incident, cls).from_obj(obj, return_obj=return_obj)

    if isinstance(obj, cls._binding_class):
        return_obj.time = Time.from_obj(obj.Time)
        return_obj.victims = _Victims.from_obj(obj.Victim)
        return_obj.categories = IncidentCategories.from_obj(obj.Categories)
        return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
        return_obj.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets)
        return_obj.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method)
        return_obj.coa_taken = _COAsTaken.from_obj(obj.COA_Taken)
        return_obj.confidence = Confidence.from_obj(obj.Confidence)
        return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
        return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
        return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
        return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
        return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
        return_obj.status = VocabString.from_obj(obj.Status)
        # Handling is converted here as well as in the base class — presumably
        # the base call does not cover it in this version; verify before removing.
        return_obj.handling = Marking.from_obj(obj.Handling)
        return_obj.history = History.from_obj(obj.History)
        return_obj.responders = _InformationSources.from_obj(obj.Responder)
        return_obj.coordinators = _InformationSources.from_obj(obj.Coordinator)
        return_obj.external_ids = _ExternalIDs.from_obj(obj.External_ID)
        return_obj.reporter = InformationSource.from_obj(obj.Reporter)
        return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
        # Security_Compromise is a controlled-vocabulary string here.
        return_obj.security_compromise = VocabString.from_obj(obj.Security_Compromise)

    return return_obj
def create_indicator(self, ce1sus_indicator, event_permissions, user):
    """Translate a ce1sus indicator into a STIX Indicator.

    Only the observables the caller is allowed to see (per
    `event_permissions` and `user`) are attached.  Confidence defaults to
    ``'Low'`` when the source carries none, and a single valid-time position
    spanning the source's creation instant is recorded.

    Returns:
        The populated :class:`Indicator`.
    """
    indicator = Indicator()
    indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
    indicator.title = ce1sus_indicator.title
    indicator.description = ce1sus_indicator.description
    indicator.short_description = ce1sus_indicator.short_description

    source_confidence = ce1sus_indicator.confidence
    indicator.confidence = source_confidence.title() if source_confidence else 'Low'

    # TODO: handling
    # TODO: markings
    for indicator_type in ce1sus_indicator.types:
        indicator.add_indicator_type(indicator_type.name)

    if ce1sus_indicator.operator:
        indicator.observable_composition_operator = ce1sus_indicator.operator

    # TODO: add confidence to the producer information source
    producer_identity = self.create_stix_identity(ce1sus_indicator)
    produced_time = self.cybox_mapper.get_time(produced_time=ce1sus_indicator.created_at)
    indicator.producer = InformationSource(identity=producer_identity, time=produced_time)

    visible_observables = ce1sus_indicator.get_observables_for_permissions(event_permissions, user)
    for observable in visible_observables:
        indicator.add_observable(self.create_observable(observable, event_permissions, user))

    created_at = ce1sus_indicator.created_at
    indicator.add_valid_time_position(ValidTime(start_time=created_at, end_time=created_at))

    return indicator
def from_dict(cls, dict_repr, return_obj=None):
    """Build an ``Incident`` from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    incident = return_obj or cls()

    # Fields shared with the base class are filled in first.
    super(Incident, cls).from_dict(dict_repr, return_obj=incident)

    # Each key maps to an attribute of the same name. All decoders are
    # from_dict except intended_effects, which is decoded from a list.
    # Order matches the original assignments.
    decoders = (
        ('time', Time.from_dict),
        ('victims', _Victims.from_dict),
        ('categories', IncidentCategories.from_dict),
        ('attributed_threat_actors', AttributedThreatActors.from_dict),
        ('related_indicators', RelatedIndicators.from_dict),
        ('related_observables', RelatedObservables.from_dict),
        ('related_incidents', RelatedIncidents.from_dict),
        ('intended_effects', _IntendedEffects.from_list),
        ('leveraged_ttps', LeveragedTTPs.from_dict),
        ('affected_assets', AffectedAssets.from_dict),
        ('discovery_methods', DiscoveryMethods.from_dict),
        ('reporter', InformationSource.from_dict),
        ('responders', _InformationSources.from_dict),
        ('coordinators', _InformationSources.from_dict),
        ('external_ids', _ExternalIDs.from_dict),
        ('impact_assessment', ImpactAssessment.from_dict),
        ('security_compromise', VocabString.from_dict),
        ('confidence', Confidence.from_dict),
        ('coa_taken', _COAsTaken.from_dict),
        ('status', VocabString.from_dict),
        ('handling', Marking.from_dict),
        ('history', History.from_dict),
    )
    for key, decode in decoders:
        setattr(incident, key, decode(dict_repr.get(key)))
    return incident
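def stix_xml(bldata):
    """Render RiskIQ blacklist entries as a STIX package and return its XML.

    Args:
        bldata: Iterable of mappings; each entry's ``'url'`` value becomes one
            ``URI`` observable on a single "URL Watchlist" indicator.

    Returns:
        The serialized package as returned by ``STIXPackage.to_xml()``.
    """
    stix_header = STIXHeader()
    stix_header.description = "RiskIQ Blacklist Data - STIX Format"

    # Generated ids are namespaced to RiskIQ. set_id_namespace is a
    # process-wide setting, so it is applied before any id is generated.
    namespace = {"http://www.riskiq.com": "RiskIQ"}
    set_id_namespace(namespace)

    # Produced time is "now". NOTE(review): datetime.now() is naive local
    # time -- confirm whether consumers expect UTC.
    stix_header.information_source = InformationSource()
    stix_header.information_source.time = Time()
    stix_header.information_source.time.produced_time = datetime.now()

    # Build the package once (the original constructed a second STIXPackage
    # and discarded the first).
    stix_package = STIXPackage()
    stix_package.stix_header = stix_header
    stix_header.package_intents.append(PackageIntent.TERM_INDICATORS)

    indicator = Indicator()
    indicator.title = "List of Malicious URLs detected by RiskIQ - Malware, Phishing, and Spam"
    indicator.add_indicator_type("URL Watchlist")

    for datum in bldata:
        url = URI()
        url.value = datum['url']
        url.type_ = URI.TYPE_URL
        url.condition = "Equals"
        indicator.add_observable(url)

    stix_package.add_indicator(indicator)
    return stix_package.to_xml()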
def from_obj(cls, obj, return_obj=None):
    """Build an exploit target from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    target = return_obj if return_obj else cls()

    # These three are set before the binding-type check.
    target.id_ = obj.id
    target.idref = obj.idref
    target.timestamp = obj.timestamp  # not yet implemented

    if not isinstance(obj, cls._binding_class):
        return target

    def each(items, converter):
        """Convert every element of a repeated binding field."""
        return [converter.from_obj(x) for x in items]

    target.version = obj.version
    target.title = obj.Title
    target.description = StructuredText.from_obj(obj.Description)
    target.short_description = StructuredText.from_obj(obj.Short_Description)
    target.information_source = InformationSource.from_obj(obj.Information_Source)
    target.handling = Marking.from_obj(obj.Handling)
    target.potential_coas = PotentialCOAs.from_obj(obj.Potential_COAs)
    target.related_exploit_targets = RelatedExploitTargets.from_obj(obj.Related_Exploit_Targets)
    target.vulnerabilities = each(obj.Vulnerability, Vulnerability)
    target.weaknesses = each(obj.Weakness, Weakness)
    target.configuration = each(obj.Configuration, Configuration)
    target.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
    return target
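def main():
    """Build a STIX package with an OpenIOC test mechanism and print its XML."""
    # NOTE(review): the .ioc file is parsed with whatever ``etree`` is
    # imported here; if that is lxml, use a parser with entity resolution
    # disabled when the file can come from an untrusted source -- confirm.
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']

    # One TTP only (the original built a throwaway TTP() and then replaced it).
    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")

    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    tm.producer = InformationSource(identity=Identity(name="Yara"))
    produced = Time()
    produced.produced_time = "0001-01-01T00:00:00"
    tm.producer.time = produced
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]

    indicator.test_mechanisms = [tm]
    # The indicator points at the TTP by idref rather than embedding it.
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    # Function-call form works on both Python 2 and 3 for a single argument.
    print(stix_package.to_xml())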
def from_dict(cls, dict_repr, return_obj=None):
    """Build a TTP from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    ttp = return_obj or cls()
    get = dict_repr.get

    def decode(decoder, key):
        """Decode one nested value with the given class's from_dict."""
        return decoder.from_dict(get(key))

    ttp.id_ = get('id')
    ttp.idref = get('idref')
    ttp.timestamp = get('timestamp')
    ttp.version = get('version')
    ttp.title = get('title')
    ttp.description = decode(StructuredText, 'description')
    ttp.short_description = decode(StructuredText, 'short_description')
    ttp.behavior = decode(Behavior, 'behavior')
    ttp.related_ttps = decode(RelatedTTPs, 'related_ttps')
    ttp.exploit_targets = decode(ExploitTargets, 'exploit_targets')
    ttp.information_source = decode(InformationSource, 'information_source')
    # A missing list decodes to an empty list, not None.
    ttp.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
    ttp.resources = decode(Resource, 'resources')
    ttp.victim_targeting = decode(VictimTargeting, 'victim_targeting')
    ttp.handling = decode(Marking, 'handling')
    return ttp
def from_obj(cls, obj, return_obj=None):
    """Build a TTP from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    ttp = return_obj or cls()

    ttp.id_ = obj.id
    ttp.idref = obj.idref
    ttp.timestamp = obj.timestamp

    if not isinstance(obj, cls._binding_class):
        return ttp

    # TTPType properties
    ttp.version = obj.version
    ttp.title = obj.Title

    # (attribute, converter class, binding field) -- original order kept.
    nested = (
        ('description', StructuredText, 'Description'),
        ('short_description', StructuredText, 'Short_Description'),
        ('behavior', Behavior, 'Behavior'),
        ('related_ttps', RelatedTTPs, 'Related_TTPs'),
        ('exploit_targets', ExploitTargets, 'Exploit_Targets'),
        ('information_source', InformationSource, 'Information_Source'),
        ('resources', Resource, 'Resources'),
        ('victim_targeting', VictimTargeting, 'Victim_Targeting'),
        ('handling', Marking, 'Handling'),
    )
    for attr, converter, field in nested:
        setattr(ttp, attr, converter.from_obj(getattr(obj, field)))

    # Intended_Effect is repeated; only assigned when non-empty.
    if obj.Intended_Effect:
        ttp.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
    return ttp
def from_obj(cls, obj, return_obj=None):
    """Build a TTP from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    result = cls() if not return_obj else return_obj
    result.id_, result.idref, result.timestamp = obj.id, obj.idref, obj.timestamp

    if isinstance(obj, cls._binding_class):
        def conv(converter, value):
            """Apply ``converter.from_obj`` to one binding field value."""
            return converter.from_obj(value)

        # TTPType properties
        result.version = obj.version
        result.title = obj.Title
        result.description = conv(StructuredText, obj.Description)
        result.short_description = conv(StructuredText, obj.Short_Description)
        result.behavior = conv(Behavior, obj.Behavior)
        result.related_ttps = conv(RelatedTTPs, obj.Related_TTPs)
        result.exploit_targets = conv(ExploitTargets, obj.Exploit_Targets)
        result.information_source = conv(InformationSource, obj.Information_Source)
        result.resources = conv(Resource, obj.Resources)
        result.victim_targeting = conv(VictimTargeting, obj.Victim_Targeting)
        result.handling = conv(Marking, obj.Handling)
        # Repeated element: assigned only when at least one is present.
        if obj.Intended_Effect:
            result.intended_effects = list(map(Statement.from_obj, obj.Intended_Effect))
    return result
def from_dict(cls, dict_repr, return_obj=None):
    """Build a course of action from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    coa = return_obj or cls()
    get = dict_repr.get

    # Scalars copied straight from the mapping.
    coa.id_ = get('id')
    coa.idref = get('idref')
    coa.timestamp = get('timestamp')
    coa.version = get('version', cls._version)  # class default when absent
    coa.title = get('title')

    # (attribute, decoder class, dict key) -- original order kept. Note the
    # 'type' key lands on ``type_``.
    nested = (
        ('stage', VocabString, 'stage'),
        ('type_', VocabString, 'type'),
        ('description', StructuredText, 'description'),
        ('short_description', StructuredText, 'short_description'),
        ('objective', Objective, 'objective'),
        ('parameter_observables', Observables, 'parameter_observables'),
        ('impact', Statement, 'impact'),
        ('cost', Statement, 'cost'),
        ('efficacy', Statement, 'efficacy'),
        ('information_source', InformationSource, 'information_source'),
        ('handling', Marking, 'handling'),
        ('related_coas', RelatedCOAs, 'related_coas'),
        ('related_packages', RelatedPackageRefs, 'related_packages'),
    )
    for attr, decoder, key in nested:
        setattr(coa, attr, decoder.from_dict(get(key)))
    return coa
def from_dict(cls, dict_repr, return_obj=None):
    """Build a threat actor from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    actor = return_obj or cls()
    get = dict_repr.get

    def statements(key):
        """Decode a list of Statement dicts; a missing key gives []."""
        return [Statement.from_dict(x) for x in get(key, [])]

    actor.id_ = get('id')
    actor.idref = get('idref')
    actor.timestamp = get('timestamp')
    actor.version = get('version')
    actor.title = get('title')
    actor.description = StructuredText.from_dict(get('description'))
    actor.short_description = StructuredText.from_dict(get('short_description'))
    actor.identity = Identity.from_dict(get('identity'))
    actor.types = statements('types')
    actor.motivations = statements('motivations')
    actor.sophistications = statements('sophistications')
    actor.intended_effects = statements('intended_effects')
    actor.planning_and_operational_supports = statements('planning_and_operational_supports')
    actor.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
    actor.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
    actor.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
    actor.handling = Marking.from_dict(get('handling'))
    actor.confidence = Confidence.from_dict(get('confidence'))
    actor.information_source = InformationSource.from_dict(get('information_source'))
    actor.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
    return actor
def from_obj(cls, obj, return_obj=None):
    """Build a TTP from its binding object (getter-style binding API).

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    ttp = return_obj or cls()
    ttp.id_ = obj.get_id()
    ttp.idref = obj.get_idref()
    ttp.timestamp = obj.get_timestamp()  # not yet implemented

    if isinstance(obj, cls._binding_class):
        def build(converter, getter):
            """Convert the value returned by a binding getter."""
            return converter.from_obj(getter())

        # TTPType properties
        ttp.version = obj.get_version() or cls._version  # class default if unset
        ttp.title = obj.get_Title()
        ttp.description = build(StructuredText, obj.get_Description)
        ttp.short_description = build(StructuredText, obj.get_Short_Description)
        ttp.behavior = build(Behavior, obj.get_Behavior)
        ttp.related_ttps = build(RelatedTTPs, obj.get_Related_TTPs)
        ttp.information_source = build(InformationSource, obj.get_Information_Source)
        ttp.resources = build(Resource, obj.get_Resources)
        ttp.victim_targeting = build(VictimTargeting, obj.get_Victim_Targeting)
        # Repeated element: assigned only when at least one is present.
        if obj.get_Intended_Effect():
            ttp.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
    return ttp
def from_dict(cls, dict_repr, return_obj=None):
    """Build an indicator from its dictionary representation.

    Args:
        dict_repr: Mapping with optional 'id', 'title', 'observable',
            'producer', 'description' and 'indicator_type' keys; a falsy
            value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    indicator = return_obj or cls()
    indicator.id_ = dict_repr.get('id')
    indicator.title = dict_repr.get('title')

    observable = dict_repr.get('observable')
    producer = dict_repr.get('producer')
    description = dict_repr.get('description')
    indicator_type = dict_repr.get('indicator_type')

    # Nested parts are optional; decode only those that are present.
    if observable:
        indicator.add_observable(Observable.from_dict(observable))
    if producer:
        indicator.producer = InformationSource.from_dict(producer)
    if description:
        indicator.description = StructuredText.from_dict(description)
    if indicator_type:
        indicator.indicator_type = IndicatorType.from_dict(indicator_type)
    return indicator
def from_dict(cls, dict_repr, return_obj=None):
    """Build a course of action from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    coa = return_obj or cls()

    def decode(decoder, key):
        """Decode one nested value with the given class's from_dict."""
        return decoder.from_dict(dict_repr.get(key))

    coa.id_ = dict_repr.get('id')
    coa.idref = dict_repr.get('idref')
    coa.timestamp = dict_repr.get('timestamp')
    coa.version = dict_repr.get('version')
    coa.title = dict_repr.get('title')
    coa.stage = decode(VocabString, 'stage')
    coa.type_ = decode(VocabString, 'type')  # dict key 'type' -> attribute type_
    coa.description = decode(StructuredText, 'description')
    coa.short_description = decode(StructuredText, 'short_description')
    coa.objective = decode(Objective, 'objective')
    coa.parameter_observables = decode(Observables, 'parameter_observables')
    coa.impact = decode(Statement, 'impact')
    coa.cost = decode(Statement, 'cost')
    coa.efficacy = decode(Statement, 'efficacy')
    coa.information_source = decode(InformationSource, 'information_source')
    coa.handling = decode(Marking, 'handling')
    coa.related_coas = decode(RelatedCOAs, 'related_coas')
    coa.related_packages = decode(RelatedPackageRefs, 'related_packages')
    return coa
def from_obj(cls, obj, return_obj=None):
    """Build a course of action from its binding object (getter-style API).

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    coa = return_obj or cls()
    coa.id_ = obj.get_id()
    coa.idref = obj.get_idref()
    coa.timestamp = obj.get_timestamp()

    if not isinstance(obj, cls._binding_class):
        return coa

    # CourseOfActionType properties
    coa.version = obj.get_version() or cls._version  # class default if unset
    coa.title = obj.get_Title()

    # (attribute, converter class, binding getter name) -- original order kept.
    nested = (
        ('stage', VocabString, 'get_Stage'),
        ('type_', VocabString, 'get_Type'),
        ('description', StructuredText, 'get_Description'),
        ('short_description', StructuredText, 'get_Short_Description'),
        ('objective', Objective, 'get_Objective'),
        ('parameter_observables', Observables, 'get_Parameter_Observables'),
        ('impact', Statement, 'get_Impact'),
        ('cost', Statement, 'get_Cost'),
        ('efficacy', Statement, 'get_Efficacy'),
        ('information_source', InformationSource, 'get_Information_Source'),
        ('handling', Marking, 'get_Handling'),
        ('related_coas', RelatedCOAs, 'get_Related_COAs'),
        ('related_packages', RelatedPackageRefs, 'get_Related_Packages'),
    )
    for attr, converter, getter in nested:
        setattr(coa, attr, converter.from_obj(getattr(obj, getter)()))
    return coa
def from_obj(cls, obj, return_obj=None):
    """Build a course of action from its binding object (getter-style API).

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    coa = return_obj or cls()
    coa.id_ = obj.get_id()
    coa.idref = obj.get_idref()
    coa.timestamp = obj.get_timestamp()

    if isinstance(obj, cls._binding_class):
        def convert(converter, getter):
            """Run ``converter.from_obj`` on the value a binding getter returns."""
            return converter.from_obj(getter())

        # CourseOfActionType properties
        coa.version = obj.get_version() or cls._version  # class default if unset
        coa.title = obj.get_Title()
        coa.stage = convert(VocabString, obj.get_Stage)
        coa.type_ = convert(VocabString, obj.get_Type)
        coa.description = convert(StructuredText, obj.get_Description)
        coa.short_description = convert(StructuredText, obj.get_Short_Description)
        coa.objective = convert(Objective, obj.get_Objective)
        coa.parameter_observables = convert(Observables, obj.get_Parameter_Observables)
        coa.impact = convert(Statement, obj.get_Impact)
        coa.cost = convert(Statement, obj.get_Cost)
        coa.efficacy = convert(Statement, obj.get_Efficacy)
        coa.information_source = convert(InformationSource, obj.get_Information_Source)
        coa.handling = convert(Marking, obj.get_Handling)
        coa.related_coas = convert(RelatedCOAs, obj.get_Related_COAs)
        coa.related_packages = convert(RelatedPackageRefs, obj.get_Related_Packages)
    return coa
def from_obj(cls, obj, return_obj=None):
    """Build a threat actor from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    actor = return_obj or cls()
    actor.id_, actor.idref, actor.timestamp = obj.id, obj.idref, obj.timestamp

    if not isinstance(obj, cls._binding_class):
        return actor

    def statements(elements):
        """Convert a repeated Statement element into a list."""
        return [Statement.from_obj(x) for x in elements]

    # ThreatActorType properties
    actor.version = obj.version
    actor.title = obj.Title
    actor.description = StructuredText.from_obj(obj.Description)
    actor.short_description = StructuredText.from_obj(obj.Short_Description)
    actor.identity = Identity.from_obj(obj.Identity)
    actor.types = statements(obj.Type)
    actor.motivations = statements(obj.Motivation)
    actor.sophistications = statements(obj.Sophistication)
    actor.intended_effects = statements(obj.Intended_Effect)
    actor.planning_and_operational_supports = statements(obj.Planning_And_Operational_Support)
    actor.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
    actor.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
    actor.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
    actor.handling = Marking.from_obj(obj.Handling)
    actor.confidence = Confidence.from_obj(obj.Confidence)
    actor.information_source = InformationSource.from_obj(obj.Information_Source)
    actor.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
    return actor
def set_producer_identity(self, identity):
    """Set the producer of this indicator.

    Args:
        identity: Either an ``Identity`` instance, which replaces
            ``producer.identity`` wholesale, or a name that is stored in
            ``producer.identity.name`` (creating the producer and identity
            objects when they are missing).
    """
    if not self.producer:
        self.producer = InformationSource()
    if isinstance(identity, Identity):
        self.producer.identity = identity
        return
    # Anything else is treated as the producer's name string.
    if not self.producer.identity:
        self.producer.identity = Identity()
    self.producer.identity.name = identity
def _add_header(self, stix_package, title, desc):
    """Replace ``stix_package.stix_header`` with a titled, timestamped header.

    Args:
        stix_package: Package whose ``stix_header`` is set.
        title: Header title.
        desc: Header description.
    """
    header = STIXHeader()
    header.title = title
    header.description = desc

    source = InformationSource()
    source.time = CyboxTime()
    # NOTE(review): datetime.now() is naive local time, so the ISO string
    # carries no UTC offset -- confirm consumers do not assume UTC.
    source.time.produced_time = datetime.now().isoformat()
    header.information_source = source

    stix_package.stix_header = header
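def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response.

    Args:
        var: CVE identifier handed to ``CVESearch.id``. NOTE(review): it is
            forwarded verbatim; callers taking it from user input should
            check that it is shaped like a CVE id first.

    Returns:
        The package XML string. When run as a script the XML is also handed
        to ``_postconstruct`` for writing out.

    Raises:
        SystemExit: when the lookup returns no data (kept so existing CLI
            callers still see the error message and exit status).
    """
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if not data:
        sys.exit("[-] Error retrieving details for " + var)

    # Prefer stix.utils.set_id_namespace; fall back to the mixbox API when
    # it is not importable (that variant expects a Namespace object).
    try:
        from stix.utils import set_id_namespace
        namespace = {NS: NS_PREFIX}
        set_id_namespace(namespace)
    except ImportError:
        from mixbox.idgen import set_id_namespace
        from mixbox.namespaces import Namespace
        namespace = Namespace(NS, NS_PREFIX, "")
        set_id_namespace(namespace)

    # Build the package once (the original instantiated it twice and
    # discarded the first).
    pkg = STIXPackage()
    pkg.stix_header = STIXHeader()
    pkg.stix_header.handling = _marking()

    # Define the exploit target
    expt = ExploitTarget()
    expt.title = data['id']
    expt.description = data['summary']
    expt.information_source = InformationSource(identity=Identity(
        name="National Vulnerability Database"))

    # Add the vulnerability object to the package object
    expt.add_vulnerability(_vulnbuild(data))

    # Add the COA object to the ET object
    for coa in COAS:
        expt.potential_coas.append(
            CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))

    # Do some TTP stuff with CAPEC objects. A missing 'capec' key simply
    # means no TTPs; a KeyError raised inside _buildttp now propagates
    # instead of silently truncating the TTP list as the old blanket
    # ``except KeyError: pass`` did.
    if TTPON is True:
        for i in data.get('capec', []):
            pkg.add_ttp(_buildttp(i, expt))

    expt.add_weakness(_weakbuild(data))

    # Add the exploit target to the package object
    pkg.add_exploit_target(expt)
    xml = pkg.to_xml()
    title = pkg.id_.split(':', 1)[-1]

    # If the function is not imported then output the xml to a file.
    if __name__ == '__main__':
        _postconstruct(xml, title)
    return xml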
def set_producer_identity(self, identity):
    """Sets the name of the producer of this indicator.

    This is the same as calling
    ``indicator.producer.identity.name = identity``.

    If the ``producer`` property is ``None``, it will be initialized to an
    instance of :class:`stix.common.information_source.InformationSource`.
    If the ``identity`` property of the ``producer`` instance is ``None``,
    it will be initialized to an instance of
    :class:`stix.common.identity.Identity`.

    Note:
        If the `identity` parameter is not an instance of
        :class:`stix.common.identity.Identity` an attempt will be made to
        convert it to one (via ``str``).

    Args:
        identity: An instance of ``str`` or
            ``stix.common.identity.Identity``. A falsy value clears the
            producer's identity name instead.
    """
    if not identity:
        # Clearing: only touch the name when the producer/identity chain exists.
        try:
            self.producer.identity.name = None
        except AttributeError:
            pass
        return

    if not self.producer:
        self.producer = InformationSource()

    if isinstance(identity, Identity):
        self.producer.identity = identity
        return

    if not self.producer.identity:
        self.producer.identity = Identity()
    self.producer.identity.name = str(identity)
def buildSTIX(ident, confid, restconfid, effect, resteffect, typeIncident, resttype, asset, restasset, hashPkg):
    """Assemble a STIXPackage containing one Incident built from the arguments.

    IMPLEMENTATION WORKAROUND - the ``rest*`` values are carried in free-text
    fields:
        restconfid --> header.description
        resteffect --> breach.description
        resttype   --> reporter.description
        restasset  --> reporter.identity.name

    Args:
        ident: Incident id.
        confid: Confidence value.
        effect: Effect recorded in the impact assessment.
        typeIncident: Written to the binding class's ``xml_type``.
        asset: ``type_`` of the single affected asset.
        hashPkg: Passed through to ``Incident.add_victim``.

    Returns:
        The STIXPackage with the incident attached.
    """
    def on_day(text):
        """Parse a YYYY-MM-DD date string."""
        return datetime.strptime(text, "%Y-%m-%d")

    # setup stix document
    package = STIXPackage()
    header = STIXHeader()
    header.description = restconfid  # "Example description"
    package.stix_header = header

    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect  # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value = confid
    print("confidence set to %s" % (str(breach.confidence.value)))

    # NOTE(review): xml_type is set on the binding *class*, so this affects
    # every Incident serialized in this process, not only ``breach``.
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s" % (str(breach._binding_class.xml_type)))

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype  # "The person who reported it"
    breach.reporter.time = Time()
    breach.reporter.time.produced_time = on_day("2014-03-11")  # when they submitted it
    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset

    # set incident-specific timestamps (fixed sample dates)
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = on_day("2012-01-30")
    breach.time.incident_discovery = on_day("2012-05-10")
    breach.time.restoration_achieved = on_day("2012-08-10")
    breach.time.incident_reported = on_day("2012-12-10")

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com"
    affected_asset.type_ = asset
    breach.affected_assets = affected_asset

    # add the victim
    breach.add_victim(hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact

    package.add_incident(breach)
    return package
def from_obj(cls, obj, return_obj=None):
    """Build a STIX header from its binding object (getter-style API).

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    header = return_obj or cls()
    header.package_intent = obj.get_PackageIntent()
    header.description = StructuredText.from_obj(obj.get_Description())
    header.information_source = InformationSource.from_obj(obj.get_InformationSource())
    return header
def add_information_source_items(reference_item, source_id_item, schema_version_item, incident):
    """Populate ``incident.information_source`` from VERIS-derived fields.

    Args:
        reference_item: ';'-separated references (each stripped), or falsy.
        source_id_item: Identity name of the source; when present a
            "veris2stix" tool entry is also recorded.
        schema_version_item: VERIS schema version; when present a
            "VERIS schema" tool entry is recorded.
        incident: Incident whose ``information_source`` is replaced.
    """
    def described_tool(name, vendor, version):
        """Build one ToolInformation entry."""
        tool = ToolInformation()
        tool.name = name
        tool.vendor = vendor
        tool.version = version
        return tool

    source = InformationSource()
    for ref in (reference_item.split(';') if reference_item else ()):
        source.add_reference(ref.strip())

    # The tools list exists only when at least one tool entry will be added.
    if source_id_item or schema_version_item:
        source.tools = ToolInformationList()
    if source_id_item:
        source.identity = Identity()
        source.identity.name = source_id_item
        source.tools.append(described_tool("veris2stix", "MITRE", __version__))
    if schema_version_item:
        source.tools.append(described_tool("VERIS schema", "Verizon", schema_version_item))

    incident.information_source = source
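def from_dict(cls, dict_repr, return_obj=None):
    """Build an ``Incident`` from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()
    get = dict_repr.get

    return_obj.id_ = get('id')
    return_obj.idref = get('idref')
    return_obj.timestamp = get('timestamp')
    return_obj.version = get('version', cls._version)  # class default when absent
    return_obj.title = get('title')
    return_obj.description = StructuredText.from_dict(get('description'))
    return_obj.short_description = StructuredText.from_dict(get('short_description'))
    return_obj.time = Time.from_dict(get('time'))
    return_obj.victims = [Identity.from_dict(x) for x in get('victims', [])]
    return_obj.categories = [IncidentCategory.from_dict(x) for x in get('categories', [])]
    return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors'))
    return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators'))
    return_obj.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents'))
    return_obj.intended_effects = [Statement.from_dict(x) for x in get('intended_effects', [])]
    return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps'))
    return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in get('affected_assets', [])]
    # Fixed: this was assigned to a misspelled ``discovery_methdos`` attribute,
    # so the decoded list never reached ``discovery_methods``.
    return_obj.discovery_methods = [DiscoveryMethod.from_dict(x) for x in get('discovery_methods', [])]
    return_obj.reporter = InformationSource.from_dict(get('reporter'))
    return_obj.responders = [InformationSource.from_dict(x) for x in get('responders', [])]
    return_obj.coordinators = [InformationSource.from_dict(x) for x in get('coordinators', [])]
    return_obj.external_ids = [ExternalID.from_dict(x) for x in get('external_ids', [])]
    return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment'))
    return_obj.information_source = InformationSource.from_dict(get('information_source'))
    return_obj.security_compromise = SecurityCompromise.from_dict(get('security_compromise'))
    return_obj.confidence = Confidence.from_dict(get('confidence'))
    return_obj.coa_taken = [COATaken.from_dict(x) for x in get('coa_taken', [])]
    return_obj.status = VocabString.from_dict(get('status'))
    # Fixed: the input is a dict, so handling must be decoded with from_dict
    # (the original called Marking.from_obj, which expects a binding object).
    return_obj.handling = Marking.from_dict(get('handling'))
    return_obj.history = History.from_dict(get('history'))
    return return_obj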
def from_dict(cls, d, return_obj=None):
    """Build a sighting from its dictionary representation.

    Args:
        d: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate; created when ``None``.

    Returns:
        The populated instance, or ``None`` when ``d`` is falsy.
    """
    if not d:
        return None
    sighting = cls() if return_obj is None else return_obj
    get = d.get

    sighting.timestamp = get('timestamp')
    sighting.timestamp_precision = get('timestamp_precision')
    sighting.source = InformationSource.from_dict(get('source'))
    sighting.reference = get('reference')
    sighting.confidence = Confidence.from_dict(get('confidence'))
    sighting.description = StructuredText.from_dict(get('description'))
    sighting.related_observables = RelatedObservables.from_dict(get('related_observables'))
    return sighting
def _observable_to_indicator_stix(observable):
    """Translate a CybOX Observable into a STIX Indicator.

    Args:
        observable: Observable object that will be translated

    Returns:
        Indicator object with STIX utility and CybOX tags
    """
    # The producer records the converting tool and its version.
    converter = ToolInformation(tool_name='OpenIOC to STIX Utility')
    converter.version = version.__version__
    producer = InformationSource()
    producer.tools = ToolInformationList(converter)

    wrapped = Indicator(title="CybOX-represented Indicator Created from OpenIOC File")
    wrapped.producer = producer
    wrapped.add_observable(observable)
    return wrapped
def from_obj(cls, obj, return_obj=None):
    """Build a marking specification from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    spec = return_obj or cls()
    spec.id_, spec.idref, spec.version = obj.id, obj.idref, obj.version
    # Controlled_Structure is the XPath selecting what the markings apply to.
    spec.controlled_structure = obj.Controlled_Structure
    spec.marking_structures = _MarkingStructures.from_obj(obj.Marking_Structure)
    spec.information_source = InformationSource.from_obj(obj.Information_Source)
    return spec
def from_dict(cls, dict_repr, return_obj=None):
    """Build a threat actor from its dictionary representation.

    Args:
        dict_repr: Mapping keyed by attribute name; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``dict_repr`` is falsy.
    """
    if not dict_repr:
        return None
    actor = return_obj or cls()
    get = dict_repr.get

    # Plain scalars.
    for key in ('id', 'idref', 'timestamp', 'version', 'title'):
        setattr(actor, 'id_' if key == 'id' else key, get(key))

    actor.description = StructuredText.from_dict(get('description'))
    actor.short_description = StructuredText.from_dict(get('short_description'))
    actor.identity = Identity.from_dict(get('identity'))

    # Repeated Statement lists; a missing key decodes to [].
    for key in ('types', 'motivations', 'sophistications', 'intended_effects',
                'planning_and_operational_supports'):
        setattr(actor, key, [Statement.from_dict(x) for x in get(key, [])])

    # Remaining nested structures, in the original order.
    nested = (
        ('observed_ttps', ObservedTTPs),
        ('associated_campaigns', AssociatedCampaigns),
        ('associated_actors', AssociatedActors),
        ('handling', Marking),
        ('confidence', Confidence),
        ('information_source', InformationSource),
        ('related_packages', RelatedPackageRefs),
    )
    for key, decoder in nested:
        setattr(actor, key, decoder.from_dict(get(key)))
    return actor
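def from_obj(cls, obj, return_obj=None):
    """Build a sighting from its binding object (getter-style API).

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate; created when ``None``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    if return_obj is None:
        return_obj = cls()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.timestamp_precision = obj.get_timestamp_precision()
    return_obj.source = InformationSource.from_obj(obj.get_Source())
    # Fixed: the value was stored on a misspelled ``refernce`` attribute, so
    # ``reference`` (the name from_dict uses) was never set from XML.
    return_obj.reference = obj.get_Reference()
    return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
    return_obj.description = StructuredText.from_obj(obj.get_Description())
    return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
    return return_obj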
def from_obj(cls, obj, return_obj=None):
    """Build a report header from its binding object.

    Args:
        obj: Binding object to convert; a falsy value yields ``None``.
        return_obj: Optional instance to populate instead of a fresh ``cls()``.

    Returns:
        The populated instance, or ``None`` when ``obj`` is falsy.
    """
    if not obj:
        return None
    header = return_obj or cls()
    header.title = obj.Title

    # (attribute, converter class, binding field) -- original order kept.
    nested = (
        ('descriptions', StructuredTextList, 'Description'),
        ('short_descriptions', StructuredTextList, 'Short_Description'),
        ('handling', Marking, 'Handling'),
        ('information_source', InformationSource, 'Information_Source'),
        ('intents', _ReportIntents, 'Intent'),
    )
    for attr, converter, field in nested:
        setattr(header, attr, converter.from_obj(getattr(obj, field)))
    return header