def setTLP(target, distribution, tags, sort=False):
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
attrColors = fetchColors(tags.get('attributes')) if ('attributes'
in tags) else []
if attrColors:
color = setColor(attrColors)
else:
eventColors = fetchColors(tags.get('event')) if ('event'
in tags) else []
if eventColors:
color = setColor(eventColors)
else:
color = TLP_mapping.get(distribution, None)
#for tag in tags:
# if tag["name"].startswith("tlp:") and tag["name"].count(':') == 1:
# new_colour = tag["name"][4:].upper()
# if colour and sort:
# if TLP_order[colour] < TLP_order[new_colour]:
# colour = new_colour
# else:
# colour = new_colour
if color is None:
return target
tlp.color = color
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
target.handling = handling
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("IP Watchlist")
for key in mydata["IOC"].keys():
myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
myip.condition = "Equals"
obsu = Observable(myip)
#if mydata[key].size:
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
myip.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def setTLP(target, distribution):
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
colour = TLP_mapping.get(distribution, None)
if colour is None:
return target
tlp.color = colour
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
target.handling = handling
def setTLP(target, distribution):
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
colour = TLP_mapping.get(distribution, None)
if colour is None:
return target
tlp.color = colour
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
target.handling = handling
def _marking(self):
"""Define the TLP marking and the inheritance."""
marking_specification = MarkingSpecification()
tlp = TLPMarkingStructure()
tlp.color = self.pulse["TLP"].upper()
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "../../../../descendant-or-self::node() | ../../../../descendant-or-self::node()/@*"
simple = SimpleMarkingStructure()
simple.statement = "Automated ingest from AlienVault OTX."
marking_specification.marking_structures.append(simple)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def _marking():
"""Define the TLP marking and the inheritance."""
marking_specification = MarkingSpecification()
tlp = TLPMarkingStructure()
tlp.color = SETTINGS['stix']['tlp']
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = SETTINGS['stix'][
'controlled_structure']
simple = SimpleMarkingStructure()
simple.statement = SETTINGS['stix']['statement']
marking_specification.marking_structures.append(simple)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def marking():
"""Define the TLP marking and the inheritence."""
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant"\
"-or-self::node() | ../../../../descendant-or-self::node()/@*"
simple = SimpleMarkingStructure()
simple.statement = HNDL_ST
marking_specification.marking_structures.append(simple)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def _marking():
"""Define the TLP marking and the inheritance."""
marking_specification = MarkingSpecification()
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "../../../../descendant"\
"-or-self::node() | ../../../../descendant-or-self::node()/@*"
simple = SimpleMarkingStructure()
simple.statement = HNDL_ST
marking_specification.marking_structures.append(simple)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def _marking():
"""Define the TLP marking and the inheritance."""
marking_specification = MarkingSpecification()
tlp = TLPMarkingStructure()
tlp.color = SETTINGS['stix']['tlp']
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = SETTINGS[
'stix']['controlled_structure']
simple = SimpleMarkingStructure()
simple.statement = SETTINGS['stix']['statement']
marking_specification.marking_structures.append(simple)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def to_stix_tlp(obj):
from stix.data_marking import Marking, MarkingSpecification
from stix.extensions.marking.tlp import TLPMarkingStructure
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = obj.tlp
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
return handling
def convert(self, stix_id_prefix='', published_only=True, **kw_arg):
self.parse(**kw_arg)
stix_packages = []
for event in self.events:
if published_only:
if not event.published:
continue
# id generator
package_id = self.get_misp_pacakge_id(stix_id_prefix, event)
stix_package = STIXPackage(timestamp=event.dt, id_=package_id)
stix_header = STIXHeader()
# set identity information
identity = Identity(name=self.identity_name)
information_source = InformationSource(identity=identity)
stix_header.information_source = information_source
tlp = None
for tag in event.tags:
if tag.tlp is not None:
tlp = tag.tlp
break
if tlp is not None:
# TLP for Generic format
tlp_marking_structure = TLPMarkingStructure()
tlp_marking_structure.color = tlp
marking_specification = MarkingSpecification()
marking_specification.marking_structures = tlp_marking_structure
marking_specification.controlled_structure = '../../../../descendant-or-self::node() | ../../../../descendant-or-self::node()/@*'
marking = Marking()
marking.add_marking(marking_specification)
stix_header.handling = marking
stix_header.title = event.info
stix_header.description = event.info
stix_header.short_description = event.info
for attribute in event.attributes:
stix_package.add_indicator(attribute.convert())
stix_package.stix_header = stix_header
stix_packages.append(stix_package)
return stix_packages
def setTLP(target, distribution, tags, sort=False):
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
colour = TLP_mapping.get(distribution, None)
for tag in tags:
if tag["name"].startswith("tlp:") and tag["name"].count(':') == 1:
new_colour = tag["name"][4:].upper()
if colour and sort:
if TLP_order[colour] < TLP_order[new_colour]:
colour = new_colour
else:
colour = new_colour
if colour is None:
return target
tlp.color = colour
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
target.handling = handling
def set_tlp(self, target, distribution, tags):
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
attr_colors = self.fetch_colors(tags.get('attributes')) if 'attributes' in tags else []
if attr_colors:
color = self.set_color(attr_colors)
else:
event_colors = self.fetch_colors(tags.get('event')) if 'event' in tags else []
if event_colors:
color = self.set_color(event_colors)
else:
color = TLP_mapping.get(str(distribution), None)
if color is None:
return target
tlp.color = color
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
target.handling = handling
return target
def __map_stix_header(self, event):
self.init()
stix_header = STIXHeader(title=event.title)
stix_header.description = event.description
stix_header.short_description = event.title
identifiy = self.create_stix_identity(event)
time = self.cybox_mapper.get_time(produced_time=event.created_at,
received_time=event.modified_on)
info_source = InformationSource(identity=identifiy, time=time)
stix_header.information_source = info_source
# Add TLP
marking = Marking()
marking_spec = MarkingSpecification()
marking.add_marking(marking_spec)
tlp_marking_struct = TLPMarkingStructure()
tlp_marking_struct.color = event.tlp.upper()
tlp_marking_struct.marking_model_ref = 'http://govcert.lu/en/docs/POL_202_V2.2_rfc2350.pdf'
marking_spec.marking_structures = list()
marking_spec.marking_structures.append(tlp_marking_struct)
stix_header.handling = marking
return stix_header
def csv2stix(outFormat,inFile):
#=============
# Build package metadata
#=============
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = "TG3390"
stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
stix_package.stix_header.handling = handling
#=============
# Build package structure
#=============
ta_tg3390 = ThreatActor(title="TG3390")
ta_tg3390.identity = Identity(name="TG3390")
attack_pattern = AttackPattern()
attack_pattern.description = ("Infrastructure Building")
ttp_infrastructure = TTP(title="Infrastructure Building")
ttp_infrastructure.behavior = Behavior()
ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
ttp_infrastructure.add_intended_effect("Unauthorized Access")
infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
infra_domainInd.add_indicator_type("Domain Watchlist")
infra_domainInd.confidence = "High"
infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd.add_indicator_type("IP Watchlist")
infra_IPInd.confidence = "High"
infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd_M.add_indicator_type("IP Watchlist")
infra_IPInd_M.confidence = "Medium"
infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
httpBrowserObj = MalwareInstance()
httpBrowserObj.add_name("HTTP Browser")
ttp_httpB = TTP(title="HTTP Browser")
ttp_httpB.behavior = Behavior()
ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
ttp_httpB.add_intended_effect("Theft - Intellectual Property")
httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
httpB_hashInd.add_indicator_type("File Hash Watchlist")
httpB_hashInd.confidence = "High"
httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))
httpBrowserDropperObj = MalwareInstance()
httpBrowserDropperObj.add_name("HTTP Browser Dropper")
ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
ttp_httpBDpr.behavior = Behavior()
ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
httpBDpr_hashInd.confidence = "High"
httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))
plugXObj = MalwareInstance()
plugXObj.add_name("PlugX Dropper")
ttp_plugX = TTP(title="PlugX Dropper")
ttp_plugX.behavior = Behavior()
ttp_plugX.behavior.add_malware_instance(plugXObj)
ttp_plugX.add_intended_effect("Theft - Intellectual Property")
plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
plugX_hashInd.add_indicator_type("File Hash Watchlist")
plugX_hashInd.confidence = "High"
plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))
#=============
# Process content in to structure
#=============
ip_rules = []
ip_rules_M = []
domain_rules = []
with open(inFile, 'rb') as f:
reader = csv.reader(f)
for row in reader:
obs = row[0]
obsType = row[1]
description = row[2]
confidence = row[3]
#print obs,obsType,description,confidence
if description == 'TG-3390 infrastructure':
if obsType == 'Domain name':
domain_obj = DomainName()
domain_obj.value = obs
#domain_obj.title = description
infra_domainInd.add_object(domain_obj)
domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
domain_rules.append(domain_rule)
elif obsType == 'IP address':
ipv4_obj = Address()
ipv4_obj.category = "ipv4-addr"
ipv4_obj.address_value = obs
ipv4_obj.title = description
ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
if confidence == "High":
infra_IPInd.add_object(ipv4_obj)
ip_rules.append(obs)
else:
infra_IPInd_M.add_object(ipv4_obj)
ip_rules_M.append(obs)
else:
print "TTP Infra: obsType is wrong"
elif description == 'HttpBrowser RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpBDpr_hashInd.add_observable(file_obj)
elif description == 'HttpBrowser RAT':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpB_hashInd.add_observable(file_obj)
elif description == 'PlugX RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
plugX_hashInd.add_observable(file_obj)
else:
print "TTP not found"
#print ip_rules
ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])
ip_tm = SnortTestMechanism()
ip_tm.rules = [ip_rule]
ip_tm.efficacy = "High"
ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd.test_mechanisms = [ip_tm]
ip_M_tm = SnortTestMechanism()
ip_M_tm.rules = [ip_rule_M]
ip_M_tm.efficacy = "Medium"
ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd_M.test_mechanisms = [ip_M_tm]
domain_tm = SnortTestMechanism()
domain_tm.rules = domain_rules
domain_tm.efficacy = "High"
domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_domainInd.test_mechanisms = [domain_tm]
#=============
# Add the composed content to the structure
#=============
stix_package.add_indicator(infra_domainInd)
stix_package.add_indicator(infra_IPInd)
stix_package.add_indicator(infra_IPInd_M)
stix_package.add_indicator(httpBDpr_hashInd)
stix_package.add_indicator(httpB_hashInd)
stix_package.add_indicator(plugX_hashInd)
stix_package.add_ttp(ttp_infrastructure)
stix_package.add_ttp(ttp_httpB)
stix_package.add_ttp(ttp_httpBDpr)
stix_package.add_ttp(ttp_plugX)
"""
if outFormat =='dict':
print stix_package.to_dict()
if outFormat =='json':
parsed = stix_package.to_json()
jsonpkg = json.loads(parsed)
pprint.pprint(jsonpkg)
if outFormat =='stix':
print stix_package.to_xml()
"""
#if verbose:
#print stix_package.to_xml()
#pprint(stix_package.to_json())
return stix_package
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
oObsSrcData = genObsSrcData(srcObj, data[sKey])
### Parsing IP Address
sAddr = data[sKey]['attrib']['ip']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.type = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.type = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'IP: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-addr' + ': ' + sAddr + " | "
sDscpt += "is_destination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Network Address
sAddr = data[sKey]['attrib']['inetnum']
if sAddr:
objAddr = Address()
objAddr.is_destination = True
sAddrNet = sAddr.split("-")
objAddr.address_value = sAddrNet[0].strip(
) + "##comma##" + sAddrNet[1].strip()
objAddr.address_value.condition = 'InclusiveBetween'
objAddr.category = 'ipv4-net'
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
oObsSrcData.sighting_count = 1
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'NETWORK_range: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
if data[sKey]['attrib']['netname']:
sDscpt += 'netName' + ': ' + data[sKey]['attrib'][
'netname'] + " | "
obsAddr.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Email Address
sEMAIL = data[sKey]['attrib']['email']
if sEMAIL:
objEmail = EmailAddress()
#objEmail.is_source = True
objEmail.address_value = sEMAIL
objEmail.address_value.condition = 'Equals'
objEmail.category = 'e-mail'
obsEmail = Observable(objEmail)
objEmail = None
obsEmail.sighting_count = 1
oObsSrcData.sighting_count = 1
if len(data[sKey]['attrib']['source']) > 0:
oObsSrcData.name = data[sKey]['attrib']['source']
obsEmail.observable_source.append(oObsSrcData)
sTitle = 'REGISTRAR_email: ' + sEMAIL
obsEmail.title = sTitle
sDscrpt = 'REGISTRAR_email: ' + sEMAIL
if data[sKey]['attrib']['descr']:
sDscrpt += " | REGISTRAR_name: " + data[sKey]['attrib'][
'descr'] + " | "
obsEmail.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsEmail)
obsEmail = None
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
objDomain.is_destination = True
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
oObsSrcData.sighting_count = 1
obsDomain.observable_source.append(oObsSrcData)
obsDomain.title = 'Domain: ' + sDomain
sDscpt = 'Domain: ' + sDomain + " | "
sDscpt += "isDestination: True | "
if data[sKey]['attrib']['first']:
sDscpt += "firstSeen: " + data[sKey]['attrib']['first'] + " | "
if data[sKey]['attrib']['last']:
sDscpt += "lastSeen: " + data[sKey]['attrib']['last'] + " | "
#if
obsDomain.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['url']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
oObsSrcData.sighting_count = 1
obsURI.observable_source.append(oObsSrcData)
obsURI.title = 'URI: ' + sURI
sDscpt = 'URI: ' + sURI + " | "
sDscpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
sDscrpt = None
sCntry_code = None
sCntry_name = None
sRgstra_email = None
sRgstra_name = None
# add Phishing Email Target
# add Phishing email Details phishtank_ID
if data[sKey]['attrib']['country']:
sCntry_code = data[sKey]['attrib']['country']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
if data[sKey]['attrib']['email'] > 0:
sRgstra_email = data[sKey]['attrib']['email']
if data[sKey]['attrib']['descr']:
sRgstra_name = data[sKey]['attrib']['descr']
sDscrpt = " clean-mx.de has identified this "
if isIPv4(data[sKey]['attrib']['domain']):
sDscrpt += "ip address " + data[sKey]['attrib']['domain'] + " "
else:
sDscrpt += "domain " + data[sKey]['attrib']['domain'] + " "
sDscrpt += "as malicious "
if data[sKey]['attrib']['target']:
sDscrpt += "and uses phishing email(s) targeting " + data[sKey][
'attrib']['target'] + " users with "
else:
sDscrpt += "and sent out "
sDscrpt += "email containg this url <-Do Not Connect-> {" + data[sKey][
'attrib']['url'] + "} <-Do Not Connect-> link. "
if data[sKey]['attrib']['phishtank']:
sDscrpt += "For more detail on the specific phisihing email use this phishtank ID [" + data[
sKey]['attrib']['phishtank'] + "]. "
if sCntry_code:
sDscrpt += " This url appears to originated in " + sCntry_code
if sCntry_name:
sDscrpt += " (" + sCntry_name + ")"
if sCntry_code and (sRgstra_email or sRgstra_name):
sDscrpt += " and is "
if sRgstra_email:
sDscrpt += "register to " + sRgstra_email
if sRgstra_email and sRgstra_name:
sDscrpt += " of " + sRgstra_name
elif sRgstra_name:
sDscrpt += "register to " + sRgstra_name
sDscrpt += "."
if sCntry_code or sRgstra_email or sRgstra_name:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
sTitle = 'Phishing ID:' + sKey + " "
if data[sKey]['attrib']["target"]:
sTitle += "Target: " + data[sKey]['attrib']["target"] + " "
if data[sKey]['attrib']["url"]:
sTitle += "URL: " + data[sKey]['attrib']["url"] + " "
objIndicator.title = sTitle
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['first'])
objIndicator.set_received_time(data[sKey]['dateDL'])
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
#sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
MyTITLE = "GandCrab"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "CERT-PA - Nuova campagna di Cyber-Estorsione basata su ransomware GandCrab - https://www.cert-pa.it/notizie/nuova-campagna-di-cyber-estorsione-basata-su-ransomware-gandcrab/"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "CERT-PA via Cyber Saiyan Community"
#
######################################################################
# Build STIX file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE.encode(encoding='UTF-8', errors='replace'), description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'), short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
# Read IoC file
file_ioc = "CS-ioc.txt"
ioc = loaddata(file_ioc)
print "Reading IoC file..."
for idx, ioc in enumerate(ioc):
notfound = 1
# sha256
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
print "SHA256: " + ioc
notfound = 0
#md5
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
print "MD5: " + ioc
notfound = 0
#sha1
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
print "SHA1: " + ioc
notfound = 0
#domains
if validators.domain(ioc) and notfound:
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
print "DOMAIN: " + ioc
notfound = 0
#url
if validators.url(ioc) and notfound:
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
print "URL: " + ioc
notfound = 0
#ip
if validators.ipv4(ioc) and notfound:
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
print "IP: " + ioc
notfound = 0
# add all indicators to STIX
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
# print STIX file to stdout
print "Writing STIX package: package.stix"
f = open ("package.stix", "w")
f.write (wrapper.to_xml())
f.close ()
print
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
### Add Generated observable to Indicator
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
if len(srcObj.Domain) > 0:
objIndicator.producer = infoSrc
if data[sKey]['attrib']['lstDateVF']:
objIndicator.set_produced_time(
data[sKey]['attrib']['lstDateVF'][0])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Generate Indicator Title based on availbe data
lstContainng = []
lstIs = []
sTitle = 'This domain ' + data[sKey]['attrib'][
'domain'] + ' has been identified as malicious'
if len(data[sKey]['attrib']['ref']):
sTitle += ' by ' + data[sKey]['attrib']['ref']
if len(data[sKey]['attrib']['type']) > 0:
sTitle += ', via this vector [' + data[sKey]['attrib'][
'type'] + '].'
else:
sTitle += '.'
objIndicator.title = sTitle
### Generate Indicator Description based on availbe data
sDscrpt = 'Lehigh.edu site has added this domain ' + data[sKey][
'attrib']['domain']
sDscrpt += ' to recommend block list.'
sDscrpt += ' This site has been identified as malicious'
sDscrpt += ' by ' + data[sKey]['attrib']['ref']
sDscrpt += ' and was still attive on the following dates ' + str(
data[sKey]['attrib']['lstDateVF']) + "."
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_type("Remote Access Trojan")
ttpTitle = data[sKey]['attrib']['type']
objTTP = TTP(title=ttpTitle)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def _get_stix_header_marking(self, feed, creator=None):
if creator is None:
user = feed.user
else:
user = creator
s = STIXPackage()
if user.region is not None:
country_name_code = user.region.country_code
admin_area_name_code = user.region.code
else:
country_name_code = user.country_code
admin_area_name_code = None
industry_type = ais.OTHER
organisation_name = ais.OTHER
ais_tlp = feed.tlp
# REDの場合はAISではエラーとなるのでNoneとする
if ais_tlp == 'RED':
ais_tlp = None
ais.add_ais_marking(s,
False,
'EVERYONE',
ais_tlp,
country_name_code=country_name_code,
country_name_code_type='ISO_3166-1_alpha-2',
admin_area_name_code=admin_area_name_code,
organisation_name=organisation_name,
industry_type=industry_type,
admin_area_name_code_type="ISO_3166-2",
)
ais_marking_specification = s.stix_header.handling.marking[0]
# Marking作成
marking = Marking()
marking.add_marking(ais_marking_specification)
# 汎用のTLPmarking_specification作成
marking_specification = self._get_tlp_marking_structure(feed)
marking.add_marking(marking_specification)
# Critical Infrastructure
marking_critical_infrastructure = self._make_marking_specification_statement(const.STIP_SNS_CI_KEY, user.ci)
marking.add_marking(marking_critical_infrastructure)
# スクリーン名
marking_screen_name = self._make_marking_specification_statement(const.STIP_SNS_SCREEN_NAME_KEY, user.get_screen_name())
marking.add_marking(marking_screen_name)
# username
marking_user_name = self._make_marking_specification_statement(const.STIP_SNS_USER_NAME_KEY, user.username)
marking.add_marking(marking_user_name)
# 会社名
marking_affiliation = self._make_marking_specification_statement(const.STIP_SNS_AFFILIATION_KEY, user.affiliation)
marking.add_marking(marking_affiliation)
# region code
if user.region is not None:
marking_region_code = self._make_marking_specification_statement(const.STIP_SNS_REGION_CODE_KEY, user.region.code)
marking.add_marking(marking_region_code)
# Sharing Range
if feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_ALL:
sharing_range = 'CIC Community'
elif feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_GROUP:
sharing_range = 'Group: %s' % (feed.sharing_group.en_name)
elif feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_PEOPLE:
sharing_range = 'People: '
feed.save()
for sharing_stip_user in feed.tmp_sharing_people:
sharing_range += sharing_stip_user.username
sharing_range += ','
# 最後の改行を取り除く
sharing_range = sharing_range[:-1]
marking_sharing_range = self._make_marking_specification_statement('Sharing Range', sharing_range)
marking.add_marking(marking_sharing_range)
# referred_url
if feed.referred_url is not None:
marking_referred_url = self._make_marking_specification_statement(const.STIP_SNS_REFERRED_URL_KEY, feed.referred_url)
marking.add_marking(marking_referred_url)
# stix2_package_id
if feed.stix2_package_id is not None and len(feed.stix2_package_id) != 0:
marking_stix2_package_id = self._make_marking_specification_statement(const.STIP_SNS_STIX2_PACKAGE_ID_KEY, feed.stix2_package_id)
marking.add_marking(marking_stix2_package_id)
return marking
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
oObsSrcData = genObsSrcData(srcObj, data[sKey])
### Parsing IP Address
sAddr = sKey
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'InclusiveBetween'
objAddr.category = 'ipv4-net'
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = int(data[sKey]['attrib']['Attacks'])
oObsSrcData.sighting_count = int(data[sKey]['attrib']['Attacks'])
obsAddr.observable_source.append(oObsSrcData)
sTitle = 'NETWORK_range: ' + sAddr
obsAddr.title = sTitle
sDscpt = 'ipv4-net' + ': ' + sAddr + " | "
sDscpt += "is_source: True | "
sDscpt += "Attack_Count: " + data[sKey]['attrib']['Attacks'] + " | "
sDscpt += "Attack_DateRange: " + data[sKey]['attrib'][
'dateRange'] + " | "
obsAddr.description = sDscpt
listOBS.append(obsAddr)
obsAddr = None
### Parsing Registrar Information
if data[sKey]['attrib']['email']:
objEmail = EmailAddress()
objEmail.address_value = data[sKey]['attrib']['email']
objEmail.address_value.condition = 'Equals'
objEmail.category = 'e-mail'
objWhoisReg = WhoisRegistrar()
if len(data[sKey]['attrib']['Name']) > 1:
objWhoisReg.name = data[sKey]['attrib']['Name']
objWhoisReg.email_address = objEmail
objEmail = None
objWhois = WhoisEntry()
objWhois.registrar_info = objWhoisReg
obsWhois = Observable(objWhois)
#print obsWhois.id_
objWhois = None
obsWhois.sighting_count = 1
sTitle = 'REGISTRAR_email: ' + data[sKey]['attrib']['email']
if len(data[sKey]['attrib']['Name']) > 0:
sTitle += " | REGISTRAR_name: " + data[sKey]['attrib'][
'Name'] + " | "
obsWhois.title = sTitle
obsWhois.description = sTitle
listOBS.append(obsWhois)
obsWhois = None
sDscrpt = None
sCntry_code = None
sCntry_name = None
sRgstra_email = None
sRgstra_name = None
if len(data[sKey]['attrib']['Country']) > 0:
sCntry_code = data[sKey]['attrib']['Country']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
if 'email' in data[sKey]['attrib']:
sRgstra_email = data[sKey]['attrib']['email']
if len(data[sKey]['attrib']['Name']) > 0:
sRgstra_name = data[sKey]['attrib']['Name']
sDscrpt = "This IP block appears to have "
if sCntry_code:
sDscrpt += "originated in " + sCntry_code
if sCntry_name:
sDscrpt += "(" + sCntry_name + ")"
if sCntry_code and (sRgstra_email or sRgstra_name):
sDscrpt += " and is "
if sRgstra_email:
sDscrpt += "register to " + sRgstra_email
if sRgstra_email and sRgstra_name:
sDscrpt += " of " + sRgstra_name
elif sRgstra_name:
sDscrpt += "register to " + sRgstra_name
sDscrpt += "."
if sCntry_code or sRgstra_email or sRgstra_name:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
objIndicator.title = sAddr.replace('##comma##',
' - ') + " | " + srcObj.pkgTitle
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
#sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + srcObj.srcTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def createstix(db, themail):
# Create the stix object
# Set the cybox namespace
NAMESPACE = {companyurl: companyname}
# new ids will be prefixed with your company name
set_id_namespace(NAMESPACE)
# Set the TLP color to Green
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "GREEN"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# stix assignments
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
stix_package.stix_header = STIXHeader()
stix_package.stix_header.handling = handling
# Get data from the email dictionary object
xid = themail['_id']
xdate = themail['date']
xoriginatingip = themail['x_originating_ip']
xmailer = themail['x_mailer']
xhelo = themail['helo']
xfrom = themail['from']
xsender = themail['sender']
xreplyto = themail['reply_to']
xsubject = themail['subject']
xbody = themail['raw_body']
# Routines to remove unwanted company identifiers from the emails
xsubject = scrubit(xsubject)
xbody = scrubit(xbody)
# Terms to search for in email addresses.
# replaces spoofed internal email addresses with [SPOOFED]
# change to match your company's domain name without the '.com/.net/etc'
searchterms = ['term1', 'term2']
for term in searchterms:
if term.upper() in xfrom.upper():
xfrom = '[SPOOFED]'
if term.upper() in xsender.upper():
xsender = '[SPOOFED]'
if term.upper() in xreplyto.upper():
xreplyto = '[SPOOFED]'
# Remove brackets from xoriginating IP
xoriginatingip = re.sub(r'\[|\]', '', xoriginatingip)
# get email comments
ecomment = getcomments(db, xid)
# Look for attachment and get info if true
if themail['relationships']:
# check if the first relationship is a sample because when an email object with attachment
# is uploaded to crits the first relationship is always the attachment
# which is uploaded seperately as a sample and related back to the original email
if themail['relationships'][0]['type'] in 'Sample':
myattachment = themail['relationships'][0]['value']
try:
myfile = db.sample.find_one({'_id': ObjectId(myattachment)})
hasattachment = True
except Exception, e:
logger.error(
"received error when querying samples collection for email with id %s",
xid,
exc_info=True)
hasattachment = False
else:
hasattachment = False
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = objAddr.CAT_IPV4
elif isIPv6(sAddr):
objAddr.category = objAddr.CAT_IPV6
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['title']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Generate Indicator Title based on availbe data
sTitle = 'C2C Site: ' + sURI
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt += sAddLine
sDscrpt = sDscrpt + " has been identified as a command and control site for " + data[
sKey]['attrib']['dscrpt'] + ' malware'
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
pass
#Parse TTP
sType = data[sKey]['attrib']['dscrpt']
if len(sType) > 0:
objMalware = MalwareInstance()
objMalware.add_name(sType)
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = ""
objMalware.description = ""
objTTP = TTP(title=sType)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def main():
mydata = loaddata()
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["filename"]) + ": " + sanitizer(
mydata["hashes"]["md5"])
ShortDescription = timestamp
DESCRIPTION = "STIX Report for: " + sanitizer(
mydata["filename"]) + " - " + sanitizer(mydata["hashes"]["md5"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=ShortDescription)
wrapper.stix_header.handling = handling
fileobj = File()
fileobj.file_name = sanitizer(mydata["filename"])
fileobj.file_format = sanitizer(mydata["file_type"])
fileobj.size_in_bytes = sanitizer(mydata["file_size"])
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["md5"])))
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha1"])))
fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha256"])))
observable = Observable(fileobj)
if "URL_file_hosting" in mydata:
for idx, mydata["URL_file_hosting"] in enumerate(
mydata["URL_file_hosting"]):
url = URI()
url.value = sanitizer(mydata["URL_file_hosting"])
url.type_ = URI.TYPE_URL
url.condition = "Equals"
fileobj.add_related(url, "Downloaded_From")
indicator = Indicator()
indicator.title = MyTITLE
indicator.add_indicator_type("File Hash Watchlist")
indicator.add_observable(observable)
wrapper.add_indicator(indicator)
print(wrapper.to_xml())
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
for sAddr in data[sKey]['attrib']['ipAddrList']:
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_destination = True
objAddr.address_value = sAddr
#objAddr.address_value.operator = 'Equals'
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isDestination: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
### Parsing Port Number
sPort = data[sKey]['attrib']['ipPort']
if len(sPort) > 0:
objPort = Port()
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
sProtocol = data[sKey]['attrib']['ipProt']
if len(sProtocol) > 0:
objPort.layer4_protocol = sProtocol.upper()
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + sPort
sDscrpt = 'PortNumber' + ': ' + sPort + " | "
sDscrpt += "Protocol: " + sProtocol.upper() + " | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.add_indicator_type("IP Watchlist")
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism
from stix.common import InformationSource, Identity
testMech = SnortTestMechanism()
testMech.rules = [data[sKey]['attrib']['rule']]
testMech.efficacy = "Unknown"
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
infoSrc.add_contributing_source("http://www.shadowserver.org")
infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch")
infoSrc.add_contributing_source("https://palevotracker.abuse.ch")
infoSrc.add_contributing_source("https://zeustracker.abuse.ch")
testMech.producer = infoSrc
lstRef = data[sKey]['attrib']['reference'].split('|')
testMech.producer.references = lstRef
objIndicator.test_mechanisms = [testMech]
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
#objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']);
objIndicator.set_received_time(data[sKey]['dateDL'])
### Title / Description Generator
objIndicator.set_received_time(data[sKey]['dateDL'])
sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | "
sTitle += data[sKey]['attrib']['msg'] + " | "
sTitle += "rev:" + data[sKey]['attrib']['rev']
objIndicator.title = sTitle
sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][
'rule']
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
nameList = data[sKey]['attrib']['flowbits']
if len(nameList) > 0:
nameList = nameList.split("|")
for sName in nameList:
sName = sName.split(",")[1]
objMalware.add_name(sName)
#objMalware.add_type("Remote Access Trojan")
objMalware.short_description = data[sKey]['attrib']['msg']
ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][
'attrib']['msg']
objTTP = TTP(title=ttpTitle)
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def main(argv):
######################################################################
# Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
TITLE = raw_input("Insert Title Ioc:")
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = raw_input("Insert Decription:")
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = raw_input("Insert User Identity:")
# File degli IoC
IOCFILE = raw_input("Add IoC Source File:")
# Prefisso STIX output files STIX 1.2 e STIX 2
OUTFILEPREFIX = "package"
# Short Description - UNUSED
#SHORT = "Emotet"
######################################################################
VERBOSE = 0
# UTF8 encode
TITLE = TITLE.encode('utf8')
DESCRIPTION = DESCRIPTION.encode('utf8')
IDENTITY = IDENTITY.encode('utf8')
print "\nStix File generation in progress...."
#print (TITLE) #"TITLE: " + TITLE
#print (DESCRIPTION) #"DESCRIPTION: " + DESCRIPTION
#print (IDENTITY) #"IDENTITY: " + IDENTITY
#print (IOCFILE) #"IOC FILE: " + IOCFILE
#print "---------------------"
########################
# Commond data
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
########################
# Build STIX 1.2 file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = TITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = TITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = TITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = TITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = TITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
########################
# Build STIX 2 file
pattern_sha256 = []
pattern_md5 = []
pattern_sha1 = []
pattern_domain = []
pattern_url = []
pattern_ip = []
pattern_email = []
# Marking
marking_def_white = stix2.MarkingDefinition(definition_type="tlp",
definition={"tlp": "WHITE"})
# campagna
# [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
campaign_MAIN = stix2.Campaign(created=timestamp,
modified=timestamp,
name=TITLE,
description=DESCRIPTION,
first_seen=timestamp,
objective="TBD")
########################
# Read IoC file
ioc = loaddata(IOCFILE)
if (VERBOSE): print "Reading IoC file " + IOCFILE + "..."
for idx, ioc in enumerate(ioc):
notfound = 1
# sha256
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
if (VERBOSE): print "SHA256: " + ioc
notfound = 0
# STIX 2
pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc +
"'] OR ")
#md5
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
if (VERBOSE): print "MD5: " + ioc
notfound = 0
# STIX 2
pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")
#sha1
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
m = p.match(ioc)
if m and notfound:
# STIX 1.2
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
if (VERBOSE): print "SHA1: " + ioc
notfound = 0
# STIX 2
pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")
#domains
if validators.domain(ioc) and notfound:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
if (VERBOSE): print "DOMAIN: " + ioc
notfound = 0
# STIX 2
pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")
#url
if validators.url(ioc) and notfound:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
if (VERBOSE): print "URL: " + ioc
notfound = 0
# STIX 2
pattern_url.append("[url:value = '" + ioc + "'] OR ")
#ip
if validators.ipv4(ioc) and notfound:
# STIX 1.2
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
if (VERBOSE): print "IP: " + ioc
notfound = 0
# STIX 2
pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")
#email
if validators.email(ioc) and notfound:
# STIX 1.2
email = EmailAddress()
email.address_value = ioc
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print "Email: " + ioc
notfound = 0
# STIX 2
pattern_email.append("[email-message:from_ref.value = '" + ioc +
"'] OR ")
########################
# add all indicators to STIX 1.2
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
########################
# prepare for STIX 2
bundle_objects = [campaign_MAIN, marking_def_white]
if len(pattern_sha256) != 0:
stix2_sha256 = "".join(pattern_sha256)
stix2_sha256 = stix2_sha256[:-4]
indicator_SHA256 = stix2.Indicator(
name=TITLE + " - SHA256",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha256,
object_marking_refs=[marking_def_white])
relationship_indicator_SHA256 = stix2.Relationship(
indicator_SHA256, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_SHA256)
bundle_objects.append(relationship_indicator_SHA256)
if len(pattern_md5) != 0:
stix2_md5 = "".join(pattern_md5)
stix2_md5 = stix2_md5[:-4]
indicator_MD5 = stix2.Indicator(
name=TITLE + " - MD5",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_md5,
object_marking_refs=[marking_def_white])
relationship_indicator_MD5 = stix2.Relationship(
indicator_MD5, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_MD5)
bundle_objects.append(relationship_indicator_MD5)
if len(pattern_sha1) != 0:
stix2_sha1 = "".join(pattern_sha1)
stix2_sha1 = stix2_sha1[:-4]
indicator_SHA1 = stix2.Indicator(
name=TITLE + " - SHA1",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha1,
object_marking_refs=[marking_def_white])
relationship_indicator_SHA1 = stix2.Relationship(
indicator_SHA1, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_SHA1)
bundle_objects.append(relationship_indicator_SHA1)
if len(pattern_domain) != 0:
stix2_domain = "".join(pattern_domain)
stix2_domain = stix2_domain[:-4]
indicator_DOMAINS = stix2.Indicator(
name=TITLE + " - DOMAINS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_domain,
object_marking_refs=[marking_def_white])
relationship_indicator_DOMAINS = stix2.Relationship(
indicator_DOMAINS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_DOMAINS)
bundle_objects.append(relationship_indicator_DOMAINS)
if len(pattern_url) != 0:
stix2_url = "".join(pattern_url)
stix2_url = stix2_url[:-4]
indicator_URLS = stix2.Indicator(
name=TITLE + " - URL",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_url,
object_marking_refs=[marking_def_white])
relationship_indicator_URLS = stix2.Relationship(
indicator_URLS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_URLS)
bundle_objects.append(relationship_indicator_URLS)
if len(pattern_ip) != 0:
stix2_ip = "".join(pattern_ip)
stix2_ip = stix2_ip[:-4]
indicator_IPS = stix2.Indicator(
name=TITLE + " - IPS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_ip,
object_marking_refs=[marking_def_white])
relationship_indicator_IPS = stix2.Relationship(
indicator_IPS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_IPS)
bundle_objects.append(relationship_indicator_IPS)
if len(pattern_email) != 0:
stix2_email = "".join(pattern_email)
stix2_email = stix2_email[:-4]
indicator_EMAILS = stix2.Indicator(
name=TITLE + " - EMAILS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_email,
object_marking_refs=[marking_def_white])
relationship_indicator_EMAILS = stix2.Relationship(
indicator_EMAILS, 'indicates', campaign_MAIN)
bundle_objects.append(indicator_EMAILS)
bundle_objects.append(relationship_indicator_EMAILS)
# creo il bunble STIX 2
bundle = stix2.Bundle(objects=bundle_objects)
########################
# save to STIX 1.2 file
print
print "Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix"
f = open(OUTFILEPREFIX + ".stix", "w")
f.write(wrapper.to_xml())
f.close()
########################
# save to STIX 2 file
print "Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2"
g = open(OUTFILEPREFIX + ".stix2", "w")
sys.stdout = g
print bundle
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if len(sAddr) > 0:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if len(sDomain) > 0:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
#Parser URI
sURI = data[sKey]['attrib']['URI']
if len(sURI) > 0:
objURI = URI()
objURI.value = sURI
objURI.value.condition = 'Equals'
objURI.type_ = URI.TYPE_URL
obsURI = Observable(objURI)
objURI = None
obsURI.sighting_count = 1
obsURI.title = 'URI: ' + sURI
sDscrpt = 'URI: ' + sURI + " | "
sDscrpt += "Type: URL | "
obsURI.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsURI)
obsURI = None
objIndicator.add_indicator_type("URL Watchlist")
#Parser File Hash
sHash = data[sKey]['attrib']['hash']
if len(sHash) > 0:
objFile = File()
sFileName = data[sKey]['attrib']['fileName']
if len(sFileName) > 0:
objFile.file_name = sFileName
objFile.file_format = sFileName.split('.')[1]
objFile.add_hash(Hash(sHash, exact=True))
obsFile = Observable(objFile)
objFile = None
obsFile.sighting_count = 1
obsFile.title = 'File: ' + sFileName
sDscrpt = 'FileName: ' + sFileName + " | "
sDscrpt += "FileHash: " + sHash + " | "
obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsFile)
obsFile = None
objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(sProducer) > 0:
objIndicator.set_producer_identity(sProducer)
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'ZeuS Tracker (' + data[sKey]['attrib'][
'status'] + ')| ' + data[sKey]['attrib']['title']
if len(sAddr) > 0:
sAddLine = "This IP address has been identified as malicious"
if len(sDomain) > 0:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle = sTitle + " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle = sTitle + " by " + srcObj.Domain
else:
sTitle = sTitle + "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if len(sAddr) > 0:
sAddLine = "This IP address " + sAddr
if len(sDomain) > 0:
sAddLine = "This domain " + sDomain
if len(sAddr) > 0 and len(sDomain) > 0:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt = sDscrpt + sAddLine
sDscrpt = sDscrpt + " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt = sDscrpt + " by " + srcObj.Domain
else:
sDscrpt = sDscrpt + "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[
sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("ZeuS")
objMalware.add_name("Zbot")
objMalware.add_name("Zeus")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware effects Microsoft Windows operating system"
objMalware.description = "Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. (2014(http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29))"
objTTP = TTP(title="ZeuS")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = sProducer + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return (stix_package)
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
MyTITLE = "Gootkit"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "D3Lab - Malspam Gootkit con dropper da 450+ MB - https://www.d3lab.net/malspam-gootkit-con-dropper-da-450-mb/"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "D3Lab via Cyber Saiyan Community"
#
######################################################################
# read IoC files
file_sha256 = "CS-sha256.txt"
sha256 = loaddata(file_sha256)
file_md5 = "CS-md5.txt"
md5 = loaddata(file_md5)
file_sha1 = "CS-sha1.txt"
sha1 = loaddata(file_sha1)
file_domains = "CS-domain.txt"
domains = loaddata(file_domains)
file_urls = "CS-url.txt"
urls = loaddata(file_urls)
file_ips = "CS-ipv4.txt"
ips = loaddata(file_ips)
file_emails = "CS-email.txt"
emails = loaddata(file_emails)
# Build STIX file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(
information_source=info_src,
title=MyTITLE.encode(encoding='UTF-8', errors='replace'),
description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'),
short_description=SHORT.encode(encoding='UTF-8', errors='replace'))
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
print "Reading IoC sha256 file..."
p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
for idx, sha256 in enumerate(sha256):
m = p.match(sha256)
if m:
filei = File()
filei.add_hash(Hash(sha256))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
else:
print " Malformed sha256: " + sha256
print
print "Reading IoC md5 file..."
p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
for idx, md5 in enumerate(md5):
m = p.match(md5)
if m:
filej = File()
filej.add_hash(Hash(md5))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
else:
print " Malformed md5: " + md5
print
print "Reading IoC sha1 file..."
p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
for idx, sha1 in enumerate(sha1):
m = p.match(sha1)
if m:
filek = File()
filek.add_hash(Hash(sha1))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
else:
print " Malformed sha1: " + sha1
print
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
print "Reading IoC domains file..."
for idu, domains in enumerate(domains):
if validators.domain(domains):
url = URI()
url.value = domains
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
else:
print " Malformed domain: " + domains
print
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
print "Reading IoC url file..."
for idu, urls in enumerate(urls):
if validators.url(urls):
url = URI()
url.value = urls
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
else:
print " Malformed url: " + urls
print
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
print "Reading IoC IP file..."
for idu, ips in enumerate(ips):
if validators.ipv4(ips):
ip = Address()
ip.address_value = ips
obsu = Observable(ip)
indiIP.add_observable(obsu)
else:
print " Malformed IP: " + ips
print
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
print "Reading IoC email file..."
for idu, emails in enumerate(emails):
if validators.email(emails):
email = EmailAddress()
email.address_value = emails
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
else:
print " Malformed email: " + emails
print
# add all indicators
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
# print STIX file to stdout
print "Writing STIX package: package.stix"
f = open("package.stix", "w")
f.write(wrapper.to_xml())
f.close()
print
def index2stix(local_index, orig_stix):
#=============
# Build package metadata
#=============
new_stix = STIXPackage()
new_stix.stix_header = STIXHeader()
new_stix.stix_header.title = "TG3390 - Enrichment"
new_stix.stix_header.description = "Enrichment stix file to the Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
new_stix.stix_header.handling = handling
enrich_IPs = Indicator(title="Suspected TG3390 IP Addresses obtained through automated enrichment")
enrich_IPs.add_indicator_type("IP Watchlist")
enrich_IPs.confidence = "Low"
related_IPs = Indicator(title="Related indicator wrapper for source of enrichment")
related_IPs.add_indicator_type("IP Watchlist")
related_IPs.confidence = "Medium"
enrich_Domains = Indicator(title="Suspected TG3390 Domains obtained through automated enrichment")
enrich_Domains.add_indicator_type("Domain Watchlist")
enrich_Domains.confidence = "Low"
related_Domains = Indicator(title="Related indicator wrapper for source of enrichment")
related_Domains.add_indicator_type("Domain Watchlist")
related_Domains.confidence = "Medium"
# START with the ones that already have ids:
#if verbose:
#print_chain(local_index)
new_ref_created = True
while new_ref_created:
new_ref_created = False
for ind_type in local_index:
for obs in local_index[ind_type]:
id_tobe_referenced = local_index[ind_type][obs][0]
#print id_tobe_referenced[:10]
if id_tobe_referenced[:10] != '{{no_ref}}':
ref_obs = Observable()
ref_obs.id_ = id_tobe_referenced.replace("{{no_ref}}","")
ref_obs.description = 'Source of enrichment for: '
create_ref_obs = False
for entry in local_index[ind_type][obs]:
if type(entry) is list:
if len(entry)>0:
for item in entry:
ref, child_ind_type = get_ref_from_obs(item, local_index)
#print item
if ref == '{{no_ref}}' or ref == '':
create_ref_obs = True
new_ref_created = True
#print 'Create new, complete, observable for ' + item
#print child_ind_type
#Create the new observable for item and add as object to appropriate Indicator
if child_ind_type == 'DomainName':
append_ind = enrich_Domains
related_ind = related_Domains
new_obj = DomainName()
new_obj.value = item
#enrich_Domains.add_object(domain_obj)
elif child_ind_type == 'Address':
append_ind = enrich_IPs
related_ind = related_IPs
new_obj = Address()
new_obj.category = "ipv4-addr"
new_obj.address_value = item
#enrich_IPs.add_object(ipv4_obj)
else:
print 'Unsupported indicator type: ' + child_ind_type
new_obs = Observable(new_obj)
new_obs_ref = new_obs.id_
append_ind.add_observable(new_obs)
ref = new_obs_ref
#local_index[item][0] = ref
set_obs_ref(item, new_obs_ref, local_index)
#print 'Adding ref to: ' + ref_obs.id_ + ' of ' + ref
ref_obs.description = str(ref_obs.description) + ref.replace("{{no_ref}}","") + ', '
if create_ref_obs:
#Add the new ref obs to Related Indicators
related_ind.add_observable(ref_obs)
#print related_ind.to_xml()
create_ref_obs = False
related_ind1 = RelatedIndicator(related_IPs, relationship='Source of enrichment for IPs')
related_ind2 = RelatedIndicator(related_Domains, relationship='Source of enrichment for Domains')
enrich_IPs.related_indicators.append(related_ind1)
enrich_Domains.related_indicators.append(related_ind2)
new_stix.add_indicator(enrich_IPs)
new_stix.add_indicator(enrich_Domains)
#new_stix_json = json.loads(new_stix.to_json())
#new_stix_xml = new_stix.to_xml()
#if verbose:
#print new_stix.to_xml()
return new_stix
def main(argv):
######################################################################
# Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY
# Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28)
TITLE = "Test"
# La description strutturiamola come segue
# <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)>
DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it"
# La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community
IDENTITY = "Cyber Saiyan Community"
# File degli IoC
IOCFILE = "CS-ioc.txt"
# Prefisso STIX output files STIX 1.2 e STIX 2
OUTFILEPREFIX = "package"
# Short Description - UNUSED
SHORT = "unused"
######################################################################
VERBOSE = 0
# Parse ARGV[]
try:
opts, args = getopt.getopt(argv, "ht:d:i:f:o:v")
except getopt.GetoptError:
print(
"CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
sys.exit(2)
for opt, arg in opts:
if opt == "-h":
print(
"CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]")
sys.exit()
elif opt == "-t":
TITLE = arg
elif opt == "-d":
DESCRIPTION = arg
elif opt == "-i":
IDENTITY = arg
elif opt == "-f":
IOCFILE = arg
elif opt == "-o":
OUTFILEPREFIX = arg
elif opt == "-v":
VERBOSE = 1
print("---------------------")
print("TITLE: " + TITLE)
print("DESCRIPTION: " + DESCRIPTION)
print("IDENTITY: " + IDENTITY)
print("IOC FILE: " + IOCFILE)
print("---------------------")
########################
# Commond data
timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")
########################
# Build STIX 1.2 file
info_src = InformationSource()
info_src.identity = Identity(name=IDENTITY)
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
wrapper = STIXPackage()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "white"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src,
title=TITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = TITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = TITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
# URL indicators
indiURL = Indicator()
indiURL.title = TITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
# IP indicators
indiIP = Indicator()
indiIP.title = TITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = TITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
########################
# Build STIX 2 file
pattern_sha256 = []
pattern_md5 = []
pattern_sha1 = []
pattern_domain = []
pattern_url = []
pattern_ip = []
pattern_email = []
# Marking
marking_def_white = stix2.TLP_WHITE
# campagna
# [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY)
campaign_MAIN = stix2.Campaign(
created=timestamp,
modified=timestamp,
name=TITLE,
description=DESCRIPTION,
first_seen=timestamp,
objective="TBD"
)
########################
# Read IoC file
loaddata(IOCFILE)
if (VERBOSE): print("Reading IoC file " + IOCFILE + "...")
ioccount = 0
# sha256
for ioc in listSHA256:
# STIX 1.2
filei = File()
filei.add_hash(Hash(ioc))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
if (VERBOSE): print("SHA256: " + ioc)
ioccount += 1
# STIX 2
pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ")
# md5
for ioc in listMD5:
# STIX 1.2
filej = File()
filej.add_hash(Hash(ioc))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
if (VERBOSE): print("MD5: " + ioc)
ioccount += 1
# STIX 2
pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ")
# sha1
for ioc in listSHA1:
# STIX 1.2
filek = File()
filek.add_hash(Hash(ioc))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
if (VERBOSE): print("SHA1: " + ioc)
ioccount += 1
# STIX 2
pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ")
# domains
for ioc in listDOMAIN:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
if (VERBOSE): print("DOMAIN: " + ioc)
ioccount += 1
# STIX 2
pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ")
# url
for ioc in listURL:
# STIX 1.2
url = URI()
url.value = ioc
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
if (VERBOSE): print("URL: " + ioc)
ioccount += 1
# STIX 2
pattern_url.append("[url:value = '" + ioc + "'] OR ")
# ip
for ioc in listIP:
# STIX 1.2
ip = Address()
ip.address_value = ioc
obsu = Observable(ip)
indiIP.add_observable(obsu)
if (VERBOSE): print("IP: " + ioc)
ioccount += 1
# STIX 2
pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ")
# email
for ioc in listEMAIL:
# STIX 1.2
email = EmailAddress()
email.address_value = ioc
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print("Email: " + ioc)
ioccount += 1
# STIX 2
pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ")
# subject
for ioc in listSUBJECT:
# STIX 1.2
emailsubject = EmailMessage()
emailsubject.subject = ioc
obsu = Observable(emailsubject)
indiEMAIL.add_observable(obsu)
if (VERBOSE): print("Subject: " + ioc)
ioccount += 1
# STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html)
# Replace all quotes in a subject string with escaped quotes
pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ")
########################
# add all indicators to STIX 1.2
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
########################
# prepare for STIX 2
bundle_objects = [campaign_MAIN, marking_def_white]
if len(pattern_sha256) != 0:
stix2_sha256 = "".join(pattern_sha256)
stix2_sha256 = stix2_sha256[:-4]
indicator_SHA256 = stix2.Indicator(
name=TITLE + " - SHA256",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha256,
object_marking_refs=[marking_def_white]
)
relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN)
bundle_objects.append(indicator_SHA256)
bundle_objects.append(relationship_indicator_SHA256)
if len(pattern_md5) != 0:
stix2_md5 = "".join(pattern_md5)
stix2_md5 = stix2_md5[:-4]
indicator_MD5 = stix2.Indicator(
name=TITLE + " - MD5",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_md5,
object_marking_refs=[marking_def_white]
)
relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN)
bundle_objects.append(indicator_MD5)
bundle_objects.append(relationship_indicator_MD5)
if len(pattern_sha1) != 0:
stix2_sha1 = "".join(pattern_sha1)
stix2_sha1 = stix2_sha1[:-4]
indicator_SHA1 = stix2.Indicator(
name=TITLE + " - SHA1",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_sha1,
object_marking_refs=[marking_def_white]
)
relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN)
bundle_objects.append(indicator_SHA1)
bundle_objects.append(relationship_indicator_SHA1)
if len(pattern_domain) != 0:
stix2_domain = "".join(pattern_domain)
stix2_domain = stix2_domain[:-4]
indicator_DOMAINS = stix2.Indicator(
name=TITLE + " - DOMAINS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_domain,
object_marking_refs=[marking_def_white]
)
relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_DOMAINS)
bundle_objects.append(relationship_indicator_DOMAINS)
if len(pattern_url) != 0:
stix2_url = "".join(pattern_url)
stix2_url = stix2_url[:-4]
indicator_URLS = stix2.Indicator(
name=TITLE + " - URL",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_url,
object_marking_refs=[marking_def_white]
)
relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_URLS)
bundle_objects.append(relationship_indicator_URLS)
if len(pattern_ip) != 0:
stix2_ip = "".join(pattern_ip)
stix2_ip = stix2_ip[:-4]
indicator_IPS = stix2.Indicator(
name=TITLE + " - IPS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_ip,
object_marking_refs=[marking_def_white]
)
relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_IPS)
bundle_objects.append(relationship_indicator_IPS)
if len(pattern_email) != 0:
stix2_email = "".join(pattern_email)
stix2_email = stix2_email[:-4]
indicator_EMAILS = stix2.Indicator(
name=TITLE + " - EMAILS",
created=timestamp,
modified=timestamp,
description=DESCRIPTION,
labels=["malicious-activity"],
pattern=stix2_email,
object_marking_refs=[marking_def_white]
)
relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN)
bundle_objects.append(indicator_EMAILS)
bundle_objects.append(relationship_indicator_EMAILS)
# creo il bunble STIX 2
bundlestix2 = stix2.Bundle(objects=bundle_objects)
if (ioccount > 0):
########################
# save to STIX 1.2 file
print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix")
f = open(OUTFILEPREFIX + ".stix", "wb")
f.write(wrapper.to_xml())
f.close()
########################
# save to STIX 2 file
print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2")
g = open(OUTFILEPREFIX + ".stix2", "w")
g.write(str(bundlestix2))
g.close()
else:
print("No IoC found")
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
### Input Check
if srcObj is None or data is None:
# TODO: Needs error msg: Missing srcData Object
return False
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['ipAddr']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['domain']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
objIndicator.add_indicator_type("Domain Watchlist")
# Parser File Hash
# sHash = data[sKey]['attrib']['hash'];
# if len(sHash) > 0:
# objFile = File()
# sFileName = data[sKey]['attrib']['fileName']
# if len(sFileName) > 0:
# objFile.file_name = sFileName
# objFile.file_format = sFileName.split('.')[1]
# objFile.add_hash(Hash(sHash, exact=True))
# obsFile = Observable(objFile)
# objFile = None;
# obsFile.sighting_count = 1
# obsFile.title = 'File: ' + sFileName
# sDscrpt = 'FileName: ' + sFileName + " | "
# sDscrpt += "FileHash: " + sHash + " | "
# obsFile.description = "<![CDATA[" + sDscrpt + "]]>"
# listOBS.append(obsFile)
# obsFile = None;
# objIndicator.add_indicator_type("File Hash Watchlist")
### Add Generated observable to Indicator
objIndicator.observables = listOBS
objIndicator.observable_composition_operator = 'OR'
#Parsing Producer
sProducer = srcObj.Domain
if len(srcObj.Domain) > 0:
objIndicator.set_producer_identity(srcObj.Domain)
if data[sKey]['attrib']['dateVF']:
objIndicator.set_produced_time(data[sKey]['attrib']['dateVF'])
objIndicator.set_received_time(data[sKey]['dateDL'])
### Old Title / Description Generator
#objIndicator.title = data[sKey]['attrib']['title'];
#objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>";
### Generate Indicator Title based on availbe data
sTitle = 'Feodo Tracker: '
if sAddr:
sAddLine = "This IP address has been identified as malicious"
if sDomain:
sAddLine = "This domain has been identified as malicious"
if len(sAddLine) > 0:
sTitle += " | " + sAddLine
if len(srcObj.Domain) > 0:
sTitle += " by " + srcObj.Domain
else:
sTitle += "."
if len(sTitle) > 0:
objIndicator.title = sTitle
#Generate Indicator Description based on availbe data
sDscrpt = ""
if sAddr:
sAddLine = "This IP address " + sAddr
if sDomain:
sAddLine = "This domain " + sDomain
if sAddr and sDomain:
sAddLine = "This domain " + sDomain + " (" + sAddr + ")"
if len(sAddLine) > 0:
sDscrpt += sAddLine
sDscrpt += " has been identified as malicious"
if len(srcObj.Domain) > 0:
sDscrpt += " by " + srcObj.Domain
else:
sDscrpt += "."
sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \
data[sKey]['attrib']['link'] + "]."
if len(sDscrpt) > 0:
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
objMalware = MalwareInstance()
objMalware.add_name("Cridex")
objMalware.add_name("Bugat")
objMalware.add_name("Dridex")
objMalware.add_type("Remote Access Trojan")
objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials"
sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n"
sDscrpt += "\n"
sDscrpt += " Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n"
sDscrpt += " Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n"
sDscrpt += " Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n"
sDscrpt += " Version D: Successor of Cridex. This version is also known as Dridex\n"
objMalware.description = "<![CDATA[" + sDscrpt + "]]>"
objTTP = TTP(title="Feodo")
objTTP.behavior = Behavior()
objTTP.behavior.add_malware_instance(objMalware)
objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
return stix_package
def stix(json):
"""
Created a stix file based on a json file that is being handed over
"""
# Create a new STIXPackage
stix_package = STIXPackage()
# Create a new STIXHeader
stix_header = STIXHeader()
# Add Information Source. This is where we will add the tool information.
stix_header.information_source = InformationSource()
# Create a ToolInformation object. Use the initialization parameters
# to set the tool and vendor names.
#
# Note: This is an instance of cybox.common.ToolInformation and NOT
# stix.common.ToolInformation.
tool = ToolInformation(
tool_name="viper2stix",
tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix"
)
#Adding your identity to the header
identity = Identity()
identity.name = Config.get('stix', 'producer_name')
stix_header.information_source.identity=identity
# Set the Information Source "tools" section to a
# cybox.common.ToolInformationList which contains our tool that we
# created above.
stix_header.information_source.tools = ToolInformationList(tool)
stix_header.title = Config.get('stix', 'title')
# Set the produced time to now
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = Config.get('stix', 'TLP')
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# Set the header description
stix_header.description = Config.get('stix', 'description')
# Set the STIXPackage header
stix_package.stix_header = stix_header
stix_package.stix_header.handling = handling
try:
pp = pprint.PrettyPrinter(indent=5)
pp.pprint(json['default'])
#for key, value in json['default'].iteritems():
# print key, value
for item in json['default']:
#logger.debug("item %s", item)
indicator = Indicator()
indicator.title = "File Hash"
indicator.description = (
"An indicator containing a File observable with an associated hash"
)
# Create a CyboX File Object
f = File()
sha_value = item['sha256']
if sha_value is not None:
sha256 = Hash()
sha256.simple_hash_value = sha_value
h = Hash(sha256, Hash.TYPE_SHA256)
f.add_hash(h)
sha1_value = item['sha1']
if sha_value is not None:
sha1 = Hash()
sha1.simple_hash_value = sha1_value
h = Hash(sha1, Hash.TYPE_SHA1)
f.add_hash(h)
sha512_value = item['sha512']
if sha_value is not None:
sha512 = Hash()
sha512.simple_hash_value = sha512_value
h = Hash(sha512, Hash.TYPE_SHA512)
f.add_hash(h)
f.add_hash(item['md5'])
#adding the md5 hash to the title as well
stix_header.title+=' '+item['md5']
#print(item['type'])
f.size_in_bytes=item['size']
f.file_format=item['type']
f.file_name = item['name']
indicator.description = "File hash served by a Viper instance"
indicator.add_object(f)
stix_package.add_indicator(indicator)
except Exception, e:
logger.error('Error: %s',format(e))
return False
def main():
######################################################################
# MODIFICARE LE VARIABILI SEGUENTI
MyTITLE = "APT28 / Fancy Bear"
DESCRIPTION = "Emanuele De Lucia - APT28 / Fancy Bear still targeting military institutions - https://www.emanueledelucia.net/apt28-targeting-military-institutions/"
sha256 = []
md5 = [
'43D7FFD611932CF51D7150B176ECFC29', '549726B8BFB1919A343AC764D48FDC81'
]
sha1 = []
domains = ['beatguitar.com']
urls = [
'https://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=',
'https://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ='
]
ips = ['185.99.133.72']
emails = []
######################################################################
# Costruzione STIX file
NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN")
set_id_namespace(NAMESPACE)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
SHORT = timestamp
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="CyberSaiyan Community")
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
# HASH indicators
indicatorHASH = Indicator()
indicatorHASH.title = MyTITLE + " - HASH"
indicatorHASH.add_indicator_type("File Hash Watchlist")
for idx, sha256 in enumerate(sha256):
filei = File()
filei.add_hash(Hash(sha256))
obsi = Observable(filei)
indicatorHASH.add_observable(obsi)
for idx, md5 in enumerate(md5):
filej = File()
filej.add_hash(Hash(md5))
obsj = Observable(filej)
indicatorHASH.add_observable(obsj)
for idx, sha1 in enumerate(sha1):
filek = File()
filek.add_hash(Hash(sha1))
obsk = Observable(filek)
indicatorHASH.add_observable(obsk)
# DOMAIN indicators
indiDOMAIN = Indicator()
indiDOMAIN.title = MyTITLE + " - DOMAIN"
indiDOMAIN.add_indicator_type("Domain Watchlist")
for idu, domains in enumerate(domains):
url = URI()
url.value = domains
url.type_ = URI.TYPE_DOMAIN
url.condition = "Equals"
obsu = Observable(url)
indiDOMAIN.add_observable(obsu)
# URL indicators
indiURL = Indicator()
indiURL.title = MyTITLE + " - URL"
indiURL.add_indicator_type("URL Watchlist")
for idu, urls in enumerate(urls):
url = URI()
url.value = urls
url.type_ = URI.TYPE_URL
url.condition = "Equals"
obsu = Observable(url)
indiURL.add_observable(obsu)
# IP indicators
indiIP = Indicator()
indiIP.title = MyTITLE + " - IP"
indiIP.add_indicator_type("IP Watchlist")
for idu, ips in enumerate(ips):
ip = Address()
ip.address_value = ips
obsu = Observable(ip)
indiIP.add_observable(obsu)
# EMAIL indicators
indiEMAIL = Indicator()
indiEMAIL.title = MyTITLE + " - EMAIL"
indiEMAIL.add_indicator_type("Malicious E-mail")
for idu, emails in enumerate(emails):
email = EmailAddress()
email.address_value = emails
obsu = Observable(email)
indiEMAIL.add_observable(obsu)
# add all indicators
wrapper.add_indicator(indicatorHASH)
wrapper.add_indicator(indiDOMAIN)
wrapper.add_indicator(indiURL)
wrapper.add_indicator(indiIP)
wrapper.add_indicator(indiEMAIL)
print(wrapper.to_xml())
def adptr_dict2STIX(srcObj, data):
sTxt = "Called... "
sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()')
stixObj = None
### Input Check
if srcObj == None or data == None:
#TODO: Needs error msg: Missing srcData Object
return (False)
### Generate NameSpace id tags
STIX_NAMESPACE = {"http://hailataxii.com": "opensource"}
OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource")
stix_set_id_namespace(STIX_NAMESPACE)
obs_set_id_namespace(OBS_NAMESPACE)
### Building STIX Wrapper
stix_package = STIXPackage()
objIndicator = Indicator()
### Bulid Object Data
for sKey in data:
objIndicator = Indicator()
# if 'indicator' in data[sKey]['meta']['IDs']:
# objIndicator.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'})
listOBS = []
### Parsing IP Address
sAddr = data[sKey]['attrib']['IP Address']
if sAddr:
objAddr = Address()
objAddr.is_source = True
objAddr.address_value = sAddr
objAddr.address_value.condition = 'Equals'
if isIPv4(sAddr):
objAddr.category = 'ipv4-addr'
elif isIPv6(sAddr):
objAddr.category = 'ipv6-addr'
else:
continue
obsAddr = Observable(objAddr)
# if 'address"' in data[sKey]['meta']['IDs']:
# obsAddr.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'})
objAddr = None
obsAddr.sighting_count = 1
obsAddr.title = 'IP: ' + sAddr
sDscrpt = 'IPv4' + ': ' + sAddr + " | "
sDscrpt += "isSource: True | "
obsAddr.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsAddr)
obsAddr = None
objIndicator.add_indicator_type("IP Watchlist")
### Parsing Domain
sDomain = data[sKey]['attrib']['Hostname']
if sDomain:
objDomain = DomainName()
objDomain.value = sDomain
objDomain.value.condition = 'Equals'
if isFQDN(sDomain):
objDomain.type = 'FQDN'
elif isTLD(sDomain):
objDomain.type = 'TLD'
else:
continue
obsDomain = Observable(objDomain)
# if 'domain' in data[sKey]['meta']['IDs']:
# obsDomain.id_ = data[sKey]['meta']['IDs'].key
# else:
# data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'})
objDomain = None
obsDomain.sighting_count = 1
obsDomain.title = 'Domain: ' + sDomain
sDscrpt = 'Domain: ' + sDomain + " | "
sDscrpt += "isFQDN: True | "
obsDomain.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsDomain)
obsDomain = None
objIndicator.add_indicator_type("Domain Watchlist")
### Parsing Port Number
sPortList = data[sKey]['attrib']['Ports']
for item in sPortList:
if sPortList[item]:
objPort = Port()
sPort = sPortList[item]
objPort.port_value = int(sPort)
objPort.port_value.condition = 'Equals'
objPort.layer4_protocol = 'TCP'
obsPort = Observable(objPort)
objPort = None
obsPort.sighting_count = 1
obsPort.title = 'Port: ' + str(sPort)
sDscrpt = 'PortNumber: ' + str(sPort) + " | "
sDscrpt += "Protocol: TCP | "
obsPort.description = "<![CDATA[" + sDscrpt + "]]>"
listOBS.append(obsPort)
### Add Generated observable to Indicator
objIndicator.observable_composition_operator = 'OR'
objIndicator.observables = listOBS
#Parsing Producer
infoSrc = InformationSource(identity=Identity(name=srcObj.Domain))
#infoSrc.add_contributing_source(data[sKey]['attrib']['ref'])
objIndicator.producer = infoSrc
# if data[sKey]['attrib']['lstDateVF']:
# objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]);
objIndicator.set_received_time(data[sKey]['meta']['dateDL'])
### Generate Indicator Title based on availbe data
lstContainng = []
lstIs = []
sTitle = ' This'
if data[sKey]['attrib']['Hostname']:
sTitle += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sTitle += ' ipAddress ' + sKey
sTitle += ' has been identified as a TOR network "Exit Point" router'
objIndicator.title = sTitle
### Generate Indicator Description based on availbe data
sDscrpt = ' torstatus.blutmagie.de has identified this'
if data[sKey]['attrib']['Hostname']:
sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname']
else:
sDscrpt += ' ipAddress ' + sKey
# sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"'
# if data[sKey]['attrib']['Ports']['ORPort']:
# sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort'])
# if data[sKey]['attrib']['Ports']['DirPort']:
# sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort'])
sDscrpt += ' as a TOR network "Exit Point" router'
if data[sKey]['attrib']['Country Code']:
sCntry_code = data[sKey]['attrib']['Country Code']
if sCntry_code in dictCC2CN:
sCntry_name = dictCC2CN[sCntry_code]
sDscrpt += ', which appears to be located in ' + sCntry_name
sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib'])
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
#Parse TTP
# objMalware = MalwareInstance()
# objMalware.add_type("Remote Access Trojan")
# ttpTitle = data[sKey]['attrib']['type']
# objTTP = TTP(title=ttpTitle)
# objTTP.behavior = Behavior()
# objTTP.behavior.add_malware_instance(objMalware)
# objIndicator.add_indicated_ttp(objTTP)
#objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_))
#stix_package.add_ttp(objTTP)
stix_package.add_indicator(objIndicator)
objIndicator = None
### STIX Package Meta Data
stix_header = STIXHeader()
stix_header.title = srcObj.pkgTitle
stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>"
### Understanding markings http://stixproject.github.io/idioms/features/data-markings/
marking_specification = MarkingSpecification()
classLevel = SimpleMarkingStructure()
classLevel.statement = "Unclassified (Public)"
marking_specification.marking_structures.append(classLevel)
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
marking_specification.controlled_structure = "//node()"
objTOU = TermsOfUseMarkingStructure()
sTOU = open('tou.txt').read()
objTOU.terms_of_use = srcObj.Domain + " | " + sTOU
marking_specification.marking_structures.append(objTOU)
handling = Marking()
handling.add_marking(marking_specification)
stix_header.handling = handling
stix_package.stix_header = stix_header
stix_header = None
### Generate STIX XML File
locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml'
sndFile(stix_package.to_xml(), locSTIXFile)
# locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json'
# sndFile_Dict2JSON(data,locDataFile);
# data = None
return (stix_package)
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv")
args = parser.parse_args()
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Bot Server IP addresses"
stix_header.description = "IP addresses connecting to bot control servers at a given port"
stix_header.add_package_intent ("Indicators - Watchlist")
# add marking
mark = Marking()
markspec = MarkingSpecification()
markstruct = SimpleMarkingStructure()
markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
markspec.marking_structures.append(markstruct)
mark.add_marking(markspec)
stix_header.handling = mark
# include author info
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time =datetime.now(tzutc())
stix_header.information_source.tools = ToolInformationList()
stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "MITRE STIX Team"
stix_header.information_source.add_role(VocabString("Format Transformer"))
src = InformationSource()
src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
srcident = Identity()
srcident.name = "shadowserver.org"
src.identity = srcident
src.add_role(VocabString("Originating Publisher"))
stix_header.information_source.add_contributing_source(src)
stix_package.stix_header = stix_header
# add TTP for overall indicators
bot_ttp = TTP()
bot_ttp.title = 'Botnet C2'
bot_ttp.resources = Resource()
bot_ttp.resources.infrastructure = Infrastructure()
bot_ttp.resources.infrastructure.title = 'Botnet C2'
stix_package.add_ttp(bot_ttp)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims
domain = row['Domain'].split()
country = row['Country'].split()
region = row['Region'].split('|')
state = row['State'].split('|')
asn = row['ASN'].split()
asname = row['AS Name'].split()
asdesc = row['AS Description'].split('|')
index = 0
for ip in row['IP Address'].split():
indicator = Indicator()
indicator.title = "IP indicator for " + row['Channel']
indicator.description = "Bot connecting to control server"
# point to overall TTP
indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))
# add our IP and port
sock = SocketAddress()
sock.ip_address = ip
# add sighting
sight = Sighting()
sight.timestamp = ""
obs = Observable(item=sock.ip_address)
obsref = Observable(idref=obs.id_)
sight.related_observables.append(obsref)
indicator.sightings.append(sight)
stix_package.add_observable(obs)
# add pattern for indicator
sock_pattern = SocketAddress()
sock_pattern.ip_address = ip
port = Port()
port.port_value = row['Port']
sock_pattern.port = port
sock_pattern.ip_address.condition= "Equals"
sock_pattern.port.port_value.condition= "Equals"
indicator.add_object(sock_pattern)
stix_package.add_indicator(indicator)
# add domain
domain_obj = DomainName()
domain_obj.value = domain[index]
domain_obj.add_related(sock.ip_address,"Resolved_To", inline=False)
stix_package.add_observable(domain_obj)
# add whois obs
whois_obj = WhoisEntry()
registrar = WhoisRegistrar()
registrar.name = asname[index]
registrar.address = state[index] + region[index] + country[index]
whois_obj.registrar_info = registrar
whois_obj.add_related(sock.ip_address,"Characterizes", inline=False)
stix_package.add_observable(whois_obj)
# add ASN obj
asn_obj = AutonomousSystem()
asn_obj.name = asname[index]
asn_obj.number = asn[index]
asn_obj.handle = "AS" + str(asn[index])
asn_obj.add_related(sock.ip_address,"Contains", inline=False)
stix_package.add_observable(asn_obj)
# iterate
index = index + 1
print stix_package.to_xml()
