def create_indicator(self, ce1sus_indicator, event_permissions, user):
indicator = Indicator()
indicator.id_ = 'ce1sus:Indicator-{0}'.format(ce1sus_indicator.uuid)
indicator.title = ce1sus_indicator.title
indicator.description = ce1sus_indicator.description
indicator.short_description = ce1sus_indicator.short_description
if ce1sus_indicator.confidence:
indicator.confidence = ce1sus_indicator.confidence.title()
else:
indicator.confidence = 'Low'
# TODO: handling
# TODO: markings
for type_ in ce1sus_indicator.types:
indicator.add_indicator_type(type_.name)
if ce1sus_indicator.operator:
indicator.observable_composition_operator = ce1sus_indicator.operator
# Todo Add confidence
# indicator_attachment.confidence = "Low"
creator = self.create_stix_identity(ce1sus_indicator)
time = self.cybox_mapper.get_time(
produced_time=ce1sus_indicator.created_at)
info_source = InformationSource(identity=creator, time=time)
indicator.producer = info_source
observables = ce1sus_indicator.get_observables_for_permissions(
event_permissions, user)
for obs in observables:
cybox_obs = self.create_observable(obs, event_permissions, user)
indicator.add_observable(cybox_obs)
valid_time = ValidTime(start_time=ce1sus_indicator.created_at,
end_time=ce1sus_indicator.created_at)
indicator.add_valid_time_position(valid_time)
return indicator
def main():
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
# Create the indicator for just the subject
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
email_subject_object.header.subject.condition = "StartsWith"
email_subject_indicator = Indicator()
email_subject_indicator.title = "Malicious E-mail Subject Line"
email_subject_indicator.add_indicator_type("Malicious E-mail")
email_subject_indicator.observable = email_subject_object
email_subject_indicator.confidence = "Low"
# Create the indicator for just the attachment
file_attachment_object = EmailMessage()
file_attachment_object.attachments = Attachments()
attached_file_object = File()
attached_file_object.file_name = "Final Report"
attached_file_object.file_name.condition = "StartsWith"
attached_file_object.file_extension = "doc.exe"
attached_file_object.file_extension.condition = "Equals"
file_attachment_object.add_related(attached_file_object, "Contains", inline=True)
file_attachment_object.attachments.append(file_attachment_object.parent.id_)
indicator_attachment = Indicator()
indicator_attachment.title = "Malicious E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "Low"
# Create the combined indicator w/ both subject an attachment
full_email_object = EmailMessage()
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(file_attachment_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.subject = "[IMPORTANT] Please Review Before"
full_email_object.header.subject.condition = "StartsWith"
combined_indicator = Indicator(title="Malicious E-mail")
combined_indicator.add_indicator_type("Malicious E-mail")
combined_indicator.confidence = Confidence(value="High")
combined_indicator.observable = full_email_object
email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.indicators = [combined_indicator, email_subject_indicator, indicator_attachment]
print stix_package.to_xml()
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
def generate_indicators(self, count):
'''Generate a list of STIX Indicators'''
indicators = []
for i in range(0, count):
indicator = Indicator(title='Multiple indicator types')
indicator.set_producer_identity(Identity(name='Secret Source'))
indicator.set_produced_time(datetime.today())
indicator.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration']))
indicator.add_short_description('Short description...')
indicator.add_description('Long description...')
indicator.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown']))
kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
indicator.kill_chain_phases = KillChainPhasesReference(
[KillChainPhaseReference(name=kill_chain_phase.name)])
ips = self.gen_ips(randint(0, 5))
for ip in ips:
indicator.add_observable(ip)
# user_agents = self.gen_user_agents(randint(0, 5))
# for ua in user_agents:
# indicator.add_observable(ua)
# fqnds = self.gen_fqdns(randint(0, 5))
# for f in fqnds:
# indicator.add_observable(f)
# urls = self.gen_urls(randint(0, 5))
# for u in urls:
# indicator.add_observable(u)
indicators.append(indicator)
return indicators
def main(hash_value, title, description, confidence_value):
# Create a CyboX File Object
f = File()
# This automatically detects that it's an MD5 hash based on the length
f.add_hash(hash_value)
# Create an Indicator with the File Hash Object created above.
indicator = Indicator()
indicator.title = title
indicator.description = (description)
indicator.confidence = confidence_value
indicator.set_producer_identity("Information Security")
indicator.set_produced_time(utils.dates.now())
# Add The File Object to the Indicator. This will promote the CybOX Object
# to a CybOX Observable internally.
indicator.add_object(f)
# Create a STIX Package
stix_package = STIXPackage()
# Create the STIX Header and add a description.
stix_header = STIXHeader()
stix_header.description = description
stix_package.stix_header = stix_header
# Add our Indicator object. The add() method will inspect the input and
# append it to the `stix_package.indicators` collection.
stix_package.add(indicator)
# Print the XML!
with open('FileHash_indicator.xml', 'w') as the_file:
the_file.write(stix_package.to_xml().decode('utf-8'))
def main():
file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
stix_header = STIXHeader(
title="File Hash Reputation Service Results",
package_intents=["Indicators - Malware Artifacts"])
stix_package = STIXPackage(stix_header=stix_header)
indicator = Indicator(
title=
"File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)
indicator.add_indicator_type("File Hash Watchlist")
file_object = File()
file_object.add_hash(Hash(file_hash))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
indicator.add_observable(file_object)
indicator.add_indicated_ttp(TTP(title="Malicious file"))
indicator.confidence = Confidence(value=VocabString('75'))
indicator.confidence.value.vocab_name = "Percentage"
indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def generateIndicator(attribute):
indicator = Indicator()
indicator.id_="example:indicator-" + attribute["uuid"]
setTLP(indicator, attribute["distribution"])
indicator.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description)
return indicator
def _add_stix_indicators(self, final_indicator_objects, ttp_id):
"""Create and add STIX Indicators for a list of Object History entries.
Link each Indicator to their Indicated TTP.
Note:
Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class
member.
Args:
final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
the final, pruned list of Objects to be used in the STIX Indicators.
ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP.
"""
object_values_list = []
actions_list = []
final_object_list = []
# Deduplicate the Objects and combine their Actions
for entry in final_indicator_objects:
object = entry.object
# Test if we've already created an Indicator for this Object
obj_values = BundleDeduplicator.get_object_values(object)
if obj_values not in object_values_list:
object_values_list.append(obj_values)
final_object_list.append(object)
actions_list.append(entry.get_action_names())
else:
object_index = object_values_list.index(obj_values)
existing_actions = actions_list[object_index]
existing_actions += entry.get_action_names()
# Create the STIX Indicators
for object in final_object_list:
object_index = final_object_list.index(object)
indicator = Indicator()
indicator.title = "Malware Artifact Extracted from MAEC Document"
indicator.add_indicator_type("Malware Artifacts")
indicator.add_observable(object.properties)
# Add the Action-derived description to the Indicator
description = "Corresponding Action(s): "
for action_name in actions_list[object_index]:
description += (action_name + ", ")
indicator.description = description[:-2]
# Set the proper Confidence on the Indicator
confidence = Confidence()
confidence.value = "Low"
confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
indicator.confidence = confidence
# Link the Indicator to its Indicated TTP
ttp = TTP(idref=ttp_id)
indicator.add_indicated_ttp(ttp)
# Add the Indicator to the STIX Package
self.stix_package.add_indicator(indicator)
def _add_stix_indicators(self, final_indicator_objects, ttp_id):
"""Create and add STIX Indicators for a list of Object History entries.
Link each Indicator to their Indicated TTP.
Note:
Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class
member.
Args:
final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
the final, pruned list of Objects to be used in the STIX Indicators.
ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP.
"""
object_values_list = []
actions_list = []
final_object_list = []
# Deduplicate the Objects and combine their Actions
for entry in final_indicator_objects:
object = entry.object
# Test if we've already created an Indicator for this Object
obj_values = BundleDeduplicator.get_object_values(object)
if obj_values not in object_values_list:
object_values_list.append(obj_values)
final_object_list.append(object)
actions_list.append(entry.get_action_names())
else:
object_index = object_values_list.index(obj_values)
existing_actions = actions_list[object_index]
existing_actions += entry.get_action_names()
# Create the STIX Indicators
for object in final_object_list:
object_index = final_object_list.index(object)
indicator = Indicator()
indicator.title = "Malware Artifact Extracted from MAEC Document"
indicator.add_indicator_type("Malware Artifacts")
indicator.add_observable(object.properties)
# Add the Action-derived description to the Indicator
description = "Corresponding Action(s): "
for action_name in actions_list[object_index]:
description += (action_name + ", ")
indicator.description = description[:-2]
# Set the proper Confidence on the Indicator
confidence = Confidence()
confidence.value = "Low"
confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
indicator.confidence = confidence
# Link the Indicator to its Indicated TTP
ttp = TTP(idref=ttp_id)
indicator.add_indicated_ttp(ttp)
# Add the Indicator to the STIX Package
self.stix_package.add_indicator(indicator)
def generateIndicator(attribute):
indicator = Indicator(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
indicator.id_= namespace[1] + ":indicator-" + attribute["uuid"]
if attribute["comment"] != "":
indicator.description = attribute["comment"]
setTLP(indicator, attribute["distribution"])
indicator.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
return indicator
def generateIndicator(attribute):
indicator = Indicator()
indicator.id_ = "example:indicator-" + attribute["uuid"]
setTLP(indicator, attribute["distribution"])
indicator.title = "MISP Attribute #" + attribute[
"id"] + " uuid: " + attribute["uuid"]
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute["to_ids"], None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value,
description=confidence_description)
return indicator
def generate_indicator(self, attribute, tags, org):
indicator = Indicator(timestamp=attribute.timestamp)
indicator.id_ = "{}:indicator-{}".format(namespace[1], attribute.uuid)
self.set_prod(indicator, org)
if attribute.comment:
indicator.description = attribute.comment
self.set_tlp(indicator, attribute.distribution, self.merge_tags(tags, attribute))
indicator.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id)
indicator.description = indicator.title
confidence_description = "Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none"
confidence_value = confidence_mapping.get(attribute.to_ids, None)
if confidence_value is None:
return indicator
indicator.confidence = Confidence(value=confidence_value, description=confidence_description, timestamp=attribute.timestamp)
return indicator
def gen_stix_indicator_sample(
config,
target=None,
datatype=None,
title="random test data",
description="random test data",
package_intents="Indicators - Watchlist",
tlp_color="WHITE",
observables_list=None,
):
"""generate sample stix data comprised of indicator_count
indicators of type datatype"""
# setup the xmlns...
xmlns_url = config["edge"]["sites"][target]["stix"]["xmlns_url"]
xmlns_name = config["edge"]["sites"][target]["stix"]["xmlns_name"]
set_stix_id_namespace({xmlns_url: xmlns_name})
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
# construct a stix package...
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = title
stix_header.description = description
stix_header.package_intents = package_intents
marking = MarkingSpecification()
marking.controlled_structure = "../../../../descendant-or-self::node()"
tlp_marking = TLPMarkingStructure()
tlp_marking.color = tlp_color
marking.marking_structures.append(tlp_marking)
stix_package.stix_header = stix_header
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking)
indicator_ = Indicator()
indicator_.title = str(uuid.uuid4()) + "_sample_indicator"
indicator_.confidence = "Unknown"
indicator_.add_indicator_type("Malware Artifacts")
observable_composition_ = ObservableComposition()
observable_composition_.operator = indicator_.observable_composition_operator
for observable_id in observables_list:
observable_ = Observable()
observable_.idref = observable_id
observable_composition_.add(observable_)
indicator_.observable = Observable()
indicator_.observable.observable_composition = observable_composition_
stix_package.add_indicator(indicator_)
return stix_package
def to_stix_relationship(obj):
from stix.indicator import Indicator
ind_rel = []
for relationship in obj.relationships:
#if not relationship.private: #testing
ind = Indicator()
ind.title = "MARTI Relation"
ind.timestamp = relationship.relationship_date
ind.confidence = relationship.rel_confidence.title()
ind.id_ = relationship.url_key
ind.add_indicator_type(get_indicator_type(relationship.rel_type))
ind.description = relationship.rel_reason
ind.short_description = relationship.relationship
ind_rel.append(ind)
return ind_rel
def buildIndicator(input_dict):
indicator = Indicator()
indicator.description = input_dict["description"]
if input_dict["confidence"]:
indicator.confidence = input_dict["confidence"]
if input_dict["impact"]:
indicator.likely_impact = input_dict["impact"]
if input_dict["producer"]:
indicator.producer = InformationSource()
indicator.producer.identity = Identity(input_dict["producer"])
indicator.title = input_dict["title"]
indicator.add_valid_time_position(valid_time.ValidTime(input_dict["starttime"], input_dict["endtime"]))
if input_dict["type"]:
indicator.add_indicator_type(input_dict["type"])
return indicator
def gen_stix_indicator_sample(config,
target=None,
datatype=None,
title='random test data',
description='random test data',
package_intents='Indicators - Watchlist',
tlp_color='WHITE',
observables_list=None):
'''generate sample stix data comprised of indicator_count
indicators of type datatype'''
# setup the xmlns...
xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
set_stix_id_namespace({xmlns_url: xmlns_name})
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
# construct a stix package...
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = title
stix_header.description = description
stix_header.package_intents = package_intents
marking = MarkingSpecification()
marking.controlled_structure = '../../../../descendant-or-self::node()'
tlp_marking = TLPMarkingStructure()
tlp_marking.color = tlp_color
marking.marking_structures.append(tlp_marking)
stix_package.stix_header = stix_header
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking)
indicator_ = Indicator()
indicator_.title = str(uuid.uuid4()) + '_sample_indicator'
indicator_.confidence = 'Unknown'
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for observable_id in observables_list:
observable_ = Observable()
observable_.idref = observable_id
observable_composition_.add(observable_)
indicator_.observable = Observable()
indicator_.observable.observable_composition = observable_composition_
stix_package.add_indicator(indicator_)
return (stix_package)
def gen_stix_indicator_sample(config, target=None, datatype=None,
title='random test data',
description='random test data',
package_intents='Indicators - Watchlist',
tlp_color='WHITE', observables_list=None):
'''generate sample stix data comprised of indicator_count
indicators of type datatype'''
# setup the xmlns...
xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name']
set_stix_id_namespace({xmlns_url: xmlns_name})
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
# construct a stix package...
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = title
stix_header.description = description
stix_header.package_intents = package_intents
marking = MarkingSpecification()
marking.controlled_structure = '../../../../descendant-or-self::node()'
tlp_marking = TLPMarkingStructure()
tlp_marking.color = tlp_color
marking.marking_structures.append(tlp_marking)
stix_package.stix_header = stix_header
stix_package.stix_header.handling = Marking()
stix_package.stix_header.handling.add_marking(marking)
indicator_ = Indicator()
indicator_.title = str(uuid.uuid4()) + '_sample_indicator'
indicator_.confidence = 'Unknown'
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for observable_id in observables_list:
observable_ = Observable()
observable_.idref = observable_id
observable_composition_.add(observable_)
indicator_.observable = Observable()
indicator_.observable.observable_composition = observable_composition_
stix_package.add_indicator(indicator_)
return(stix_package)
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = [
"http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"
]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "CVE-2014-0160"
vuln.add_reference("http://heartbleed.com/")
et = ExploitTarget(title="Heartbleed")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="Generic Heartbleed Exploits")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature for Heartbleed")
indicator.confidence = Confidence("High")
tm = SnortTestMechanism()
tm.rules = [
"""alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001130; rev:9;)""",
"""alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 21001131; rev:5;)"""
]
tm.efficacy = "Low"
tm.producer = InformationSource(identity=Identity(name="FOX IT"))
tm.producer.references = ["http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/"]
indicator.test_mechanisms = TestMechanisms([tm])
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
stix_header = STIXHeader(title="File Hash Reputation Service Results", package_intents=["Indicators - Malware Artifacts"])
stix_package = STIXPackage(stix_header=stix_header)
indicator = Indicator(title="File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
indicator.add_indicator_type("File Hash Watchlist")
file_object = File()
file_object.add_hash(Hash(file_hash))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
indicator.add_observable(file_object)
indicator.add_indicated_ttp(TTP(title="Malicious file"))
indicator.confidence = Confidence(value=VocabString('75'))
indicator.confidence.value.vocab_name = "Percentage"
indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def to_stix(obj, items_to_convert=[], loaded=False, bin_fmt="raw"):
"""
Converts a CRITs object to a STIX document.
The resulting document includes standardized representations
of all related objects noted within items_to_convert.
:param items_to_convert: The list of items to convert to STIX/CybOX
:type items_to_convert: Either a list of CRITs objects OR
a list of {'_type': CRITS_TYPE, '_id': CRITS_ID} dicts
:param loaded: Set to True if you've passed a list of CRITs objects as
the value for items_to_convert, else leave False.
:type loaded: bool
:param bin_fmt: Specifies the format for Sample data encoding.
Options: None (don't include binary data in STIX output),
"raw" (include binary data as is),
"base64" (base64 encode binary data)
:returns: A dict indicating which items mapped to STIX indicators, ['stix_indicators']
which items mapped to STIX observables, ['stix_observables']
which items are included in the resulting STIX doc, ['final_objects']
and the STIX doc itself ['stix_obj'].
"""
from cybox.common import Time, ToolInformationList, ToolInformation
from stix.common import StructuredText, InformationSource
from stix.core import STIXPackage, STIXHeader
from stix.common.identity import Identity
# These lists are used to determine which CRITs objects
# go in which part of the STIX document.
ind_list = ['Indicator']
obs_list = [
'Certificate', 'Domain', 'Email', 'IP', 'PCAP', 'RawData', 'Sample'
]
actor_list = ['Actor']
# Store message
stix_msg = {
'stix_incidents': [],
'stix_indicators': [],
'stix_observables': [],
'stix_actors': [],
'final_objects': []
}
if not loaded: # if we have a list of object metadata, load it before processing
items_to_convert = [
class_from_id(item['_type'], item['_id'])
for item in items_to_convert
]
# add self to the list of items to STIXify
if obj not in items_to_convert:
items_to_convert.append(obj)
# add any email attachments
attachments = []
for obj in items_to_convert:
if obj._meta['crits_type'] == 'Email':
for rel in obj.relationships:
if rel.relationship == RelationshipTypes.CONTAINS:
atch = class_from_id('Sample', rel.object_id)
if atch not in items_to_convert:
attachments.append(atch)
items_to_convert.extend(attachments)
# grab ObjectId of items
refObjs = {key.id: 0 for key in items_to_convert}
relationships = {}
stix = []
from stix.indicator import Indicator as S_Ind
for obj in items_to_convert:
obj_type = obj._meta['crits_type']
if obj_type == class_from_type('Event')._meta['crits_type']:
stx, release = to_stix_incident(obj)
stix_msg['stix_incidents'].append(stx)
elif obj_type in ind_list: # convert to STIX indicators
stx, releas = to_stix_indicator(obj)
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in obs_list: # convert to CybOX observable
if obj_type == class_from_type('Sample')._meta['crits_type']:
stx, releas = to_cybox_observable(obj, bin_fmt=bin_fmt)
else:
stx, releas = to_cybox_observable(obj)
# wrap in stix Indicator
ind = S_Ind()
for ob in stx:
ind.add_observable(ob)
ind.title = "CRITs %s Top-Level Object" % obj_type
ind.description = ("This is simply a CRITs %s top-level "
"object, not actually an Indicator. "
"The Observable is wrapped in an Indicator"
" to facilitate documentation of the "
"relationship." % obj_type)
ind.confidence = 'None'
stx = ind
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in actor_list: # convert to STIX actor
stx, releas = to_stix_actor(obj)
stix_msg['stix_actors'].append(stx)
# get relationships from CRITs objects
for rel in obj.relationships:
if rel.object_id in refObjs:
relationships.setdefault(stx.id_, {})
relationships[stx.id_][rel.object_id] = (
rel.relationship, rel.rel_confidence.capitalize(),
rel.rel_type)
stix_msg['final_objects'].append(obj)
stix.append(stx)
# set relationships on STIX objects
for stix_obj in stix:
for rel in relationships.get(stix_obj.id_, {}):
if isinstance(refObjs.get(rel), S_Ind): # if is STIX Indicator
stix_obj.related_indicators.append(refObjs[rel])
rel_meta = relationships.get(stix_obj.id_)[rel]
stix_obj.related_indicators[-1].relationship = rel_meta[0]
stix_obj.related_indicators[-1].confidence = rel_meta[1]
# Add any Email Attachments to CybOX EmailMessage Objects
if isinstance(stix_obj, S_Ind):
if 'EmailMessage' in stix_obj.observable.object_.id_:
if rel_meta[0] == 'Contains' and rel_meta[
2] == 'Sample':
email = stix_obj.observable.object_.properties
email.attachments.append(refObjs[rel].idref)
tool_list = ToolInformationList()
tool = ToolInformation("CRITs", "MITRE")
tool.version = settings.CRITS_VERSION
tool_list.append(tool)
i_s = InformationSource(time=Time(produced_time=datetime.now()),
identity=Identity(name=settings.COMPANY_NAME),
tools=tool_list)
if obj._meta['crits_type'] == "Event":
stix_desc = obj.description()
stix_int = obj.event_type()
stix_title = obj.title()
else:
stix_desc = "STIX from %s" % settings.COMPANY_NAME
stix_int = "Collective Threat Intelligence"
stix_title = "Threat Intelligence Sharing"
header = STIXHeader(information_source=i_s,
description=StructuredText(value=stix_desc),
package_intents=[stix_int],
title=stix_title)
stix_msg['stix_obj'] = STIXPackage(incidents=stix_msg['stix_incidents'],
indicators=stix_msg['stix_indicators'],
threat_actors=stix_msg['stix_actors'],
stix_header=header,
id_=uuid.uuid4())
return stix_msg
attached_file_object.file_name = xfilename
attached_file_object.file_name.condition = "Equals"
file_attachment_object.add_related(attached_file_object,
"Contains",
inline=True)
file_attachment_object.attachments.append(
attached_file_object.parent.id_)
attachdescription = "Phishing email attachment\nFrom: %s\nSubj: %s\n Filename: %s\nSize: %s\nMD5: %s\nSHA1: %s\nSHA256: %s\nSSDEEP: %s\nAnalyst Notes: %s\n"\
%(xfrom,xsubject,xfilename,xfilesize,xmd5,xsha1,xsha256,xssdeep,acomment)
indicator_attachment = Indicator(description=attachdescription)
indicator_attachment.title = "Phishing E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "High"
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(attached_file_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.date = xdate
full_email_object.header.date.condition = "Equals"
full_email_object.header.From = xfrom
full_email_object.header.sender = xsender
full_email_object.header.sender.condition = "Equals"
full_email_object.header.reply_to = xreplyto
full_email_object.header.reply_to.condition = "Equals"
full_email_object.header.subject = xsubject
full_email_object.header.subject.condition = "Equals"
full_email_object.header.x_originating_ip = xoriginatingip
def transform(self, event):
self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")
incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(ToolInformation.from_dict({
'name': "Conpot",
'vendor': "Conpot Team",
'version': conpot.__version__,
'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.')
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol': 'tcp'})
source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
network_connection = NetworkConnection.from_dict(
{'source_socket_address': source_address.to_dict(),
'destination_socket_address': dest_address.to_dict(),
'layer3_protocol': u"IPv4",
'layer4_protocol': u"TCP",
'layer7_protocol': event['data_type'],
'source_tcp_state': u"ESTABLISHED",
'destination_tcp_state': u"ESTABLISHED",
}
)
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def build(self):
"""Define the STIX report."""
self.stix_header.title = self.pulse["name"]
self.stix_header.description = self.pulse["description"]
self.stix_header.package_intents = "Indicators"
self.stix_header.information_source = InformationSource()
self.stix_header.information_source.time = Time()
self.stix_header.information_source.time.received_time = self.pulse[
"modified"]
self.stix_header.information_source.time.produced_time = self.stix_package.timestamp
self.stix_header.information_source.identity = Identity()
self.stix_header.information_source.identity.name = IDENTITY_NAME
# self.stix_package.stix_header = self.stix_header
# self.stix_package.stix_header.handling = self._marking()
# self.report = Report()
# self.report.header = Header()
# self.report.header.title = self.pulse["name"]
# self.report.header.descriptions = self.pulse["description"]
# self.report.header.intents = "Indicators"
# self.report.header.short_description = "%spulse/%s" % (
# PULSE_SERVER_BASE, str(self.pulse["id"]))
# self.report.header.information_source = InformationSource()
# self.report.header.information_source.time = Time()
# self.report.header.information_source.time.received_time = self.pulse[
# "modified"]
# self.report.header.information_source.time.produced_time = self.report.timestamp
# self.report.header.information_source.identity = Identity()
# self.report.header.information_source.identity.name = IDENTITY_NAME
hashes = False
addresses = False
emails = False
domains = False
urls = False
mutex = False
hash_indicator = Indicator()
hash_indicator.set_producer_identity(IDENTITY_NAME)
hash_indicator.set_produced_time(hash_indicator.timestamp)
hash_indicator.set_received_time(self.pulse["modified"])
hash_indicator.title = "[OTX] [Files] " + self.pulse["name"]
hash_indicator.add_indicator_type("File Hash Watchlist")
hash_indicator.confidence = "Low"
address_indicator = Indicator()
address_indicator.set_producer_identity(IDENTITY_NAME)
address_indicator.set_produced_time(address_indicator.timestamp)
address_indicator.set_received_time(self.pulse["modified"])
address_indicator.title = "[OTX] [IP] " + self.pulse["name"]
address_indicator.add_indicator_type("IP Watchlist")
address_indicator.confidence = "Low"
domain_indicator = Indicator()
domain_indicator.set_producer_identity(IDENTITY_NAME)
domain_indicator.set_produced_time(domain_indicator.timestamp)
domain_indicator.set_received_time(self.pulse["modified"])
domain_indicator.title = "[OTX] [Domain] " + self.pulse["name"]
domain_indicator.add_indicator_type("Domain Watchlist")
domain_indicator.confidence = "Low"
url_indicator = Indicator()
url_indicator.set_producer_identity(IDENTITY_NAME)
url_indicator.set_produced_time(url_indicator.timestamp)
url_indicator.set_received_time(self.pulse["modified"])
url_indicator.title = "[OTX] [URL] " + self.pulse["name"]
url_indicator.add_indicator_type("URL Watchlist")
url_indicator.confidence = "Low"
email_indicator = Indicator()
email_indicator.set_producer_identity(IDENTITY_NAME)
email_indicator.set_produced_time(email_indicator.timestamp)
email_indicator.set_received_time(self.pulse["modified"])
email_indicator.title = "[OTX] [Email] " + self.pulse["name"]
email_indicator.add_indicator_type("Malicious E-mail")
email_indicator.confidence = "Low"
mutex_indicator = Indicator()
mutex_indicator.set_producer_identity(IDENTITY_NAME)
mutex_indicator.set_produced_time(mutex_indicator.timestamp)
mutex_indicator.set_received_time(self.pulse["modified"])
mutex_indicator.title = "[OTX] [Mutex] " + self.pulse["name"]
mutex_indicator.add_indicator_type("Malware Artifacts")
mutex_indicator.confidence = "Low"
for p_indicator in self.pulse["indicators"]:
if p_indicator["type"] in self.hash_translation:
file_object = File()
file_object.add_hash(Hash(p_indicator["indicator"]))
file_object.hashes[0].simple_hash_value.condition = "Equals"
file_object.hashes[0].type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + \
str(file_object.hashes[0].type_) + \
" - " + p_indicator["indicator"]
hash_indicator.add_observable(file_obs)
try:
hash_indicator.description = p_indicator["description"]
except KeyError:
hash_indicator.description = ""
hashes = True
elif p_indicator["type"] in self.address_translation:
ip = Address()
ip.address_value = p_indicator["indicator"]
ip.category = self.address_translation[p_indicator["type"]]
ip.address_value.condition = "Equals"
ip_obs = Observable(ip)
ip_obs.title = "Address: " + str(ip.address_value)
address_indicator.add_observable(ip_obs)
try:
address_indicator.description = p_indicator["description"]
except KeyError:
address_indicator.description = ""
addresses = True
elif p_indicator["type"] in self.name_translation:
domain = DomainName()
domain.value = p_indicator["indicator"]
domain.type_ = "FQDN"
domain.value.condition = "Equals"
domain_obs = Observable(domain)
domain_obs.title = "Domain: " + str(domain.value)
domain_indicator.add_observable(domain_obs)
try:
domain_indicator.description = p_indicator["description"]
except KeyError:
domain_indicator.description = ""
domains = True
elif p_indicator["type"] == "URL":
url = URI()
url.value = p_indicator["indicator"]
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
url_obs = Observable(url)
url_obs.title = "URI: " + str(url.value)
url_indicator.add_observable(url_obs)
try:
url_indicator.description = p_indicator["description"]
except KeyError:
url_indicator.description = ""
urls = True
elif p_indicator["type"] == "email":
email = Address()
email.address_value = p_indicator["indicator"]
email.category = "e-mail"
email.address_value.condition = "Equals"
email_obs = Observable(email)
email_obs.title = "Address: " + str(email.address_value)
email_indicator.add_observable(email_obs)
try:
email_indicator.description = p_indicator["indicator"]
except KeyError:
email_indicator.description = ""
emails = True
elif p_indicator["type"] == "Mutex":
mutex = Mutex()
mutex.name = p_indicator["indicator"]
mutex.named = True
mutex_obs = Observable(mutex)
mutex_obs.title = "Mutex: " + str(mutex.name)
mutex_indicator.add_observable(mutex_obs)
try:
mutex_indicator.description = p_indicator["indicator"]
except KeyError:
mutex_indicator.description = ""
mutex = True
else:
continue
if hashes:
self.stix_package.add_indicator(hash_indicator)
if addresses:
self.stix_package.add_indicator(address_indicator)
if domains:
self.stix_package.add_indicator(domain_indicator)
if urls:
self.stix_package.add_indicator(url_indicator)
if emails:
self.stix_package.add_indicator(email_indicator)
if mutex:
self.stix_package.add_indicator(mutex_indicator)
def json2indicator(config, src, dest, endpoint, json_, crits_id):
'''transform crits indicators into stix indicators with embedded
cybox observable composition'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'indicators':
endpoint_trans = {'Email': 'emails', 'IP': 'ips',
'Sample': 'samples', 'Domain': 'domains',
'Indicator': 'indicators', 'Event': 'events'}
if json_.get('type', None) not in ['Reference', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type='indicator type ' + json_.get('type', 'None'),
id_=crits_id))
return(None)
indicator_ = Indicator()
indicator_.id = xmlns_name + ':indicator-' + crits_id
indicator_.id_ = indicator_.id
indicator_.title = json_['value']
indicator_.confidence = json_['confidence']['rating'].capitalize()
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for r in json_['relationships']:
if r.get('relationship', None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type='indicator relationship type '
+ r.get('relationship', 'None'), id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
observable_ = Observable()
observable_.idref = xmlns_name + ':observable-' + r['value']
observable_composition_.add(observable_)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(Indicator(idref=xmlns_name + ':indicator-' + r['value']))
indicator_.related_indicators.append(related_indicator)
# stix indicators don't support related_incident :-(
# elif r['type'] == 'Event':
# related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
# indicator_.related_incidents.append(related_incident)
indicator_.observable = Observable()
indicator_.observable.observable_composition = \
observable_composition_
return(indicator_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return(None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits', src_obj='indicator', id_=crits_id,
dest_type='stix', dest_obj='indicator'))
config['logger'].exception(e)
return(None)
def genStixDoc(
outputDir_,
targetFileSha1_,
targetFileSha256_,
targetFileSha512_,
targetFileSsdeep_,
targetFileMd5_,
targetFileSize_,
targetFileName_,
ipv4Addresses_,
hostNames_):
"""
Generate Stix document from the input values. The doc structure is the file
object along with the related network items: addresses, domain names. Output
is written to files, which are then wrapped with taxii and uploaded using a
separate script.
"""
parsedTargetFileName = reFileName(targetFileName_)[1]
parsedTargetFilePrefix = reFileName(targetFileName_)[0]
stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"})
NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix")
cybox.utils.set_id_namespace(NS)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
stix_package.stix_header = stix_header
# Create the ttp
malware_instance = MalwareInstance()
malware_instance.add_name(parsedTargetFileName)
malware_instance.description = targetFileSha1_
ttp = TTP(title='TTP: ' + parsedTargetFileName)
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware_instance)
stix_package.add_ttp(ttp)
# Create the indicator for the ipv4 addresses
ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4)
ipv4Object.condition = 'Equals'
ipv4Indicator = Indicator()
ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses'
ipv4Indicator.add_indicator_type('IP Watchlist')
ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
ipv4Indicator.observable = ipv4Object
ipv4Indicator.confidence = 'Low'
# Create the indicator for the domain names
domainNameObject = DomainName()
domainNameObject.value = hostNames_
domainNameObject.condition = 'Equals'
domainNameIndicator = Indicator()
domainNameIndicator.title = parsedTargetFileName + ': domain names'
domainNameIndicator.add_indicator_type('Domain Watchlist')
domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
domainNameIndicator.observable = domainNameObject
domainNameIndicator.confidence = 'Low'
# Create the indicator for the file
fileObject = File()
fileObject.file_name = parsedTargetFileName
fileObject.file_name.condition = 'Equals'
fileObject.size_in_bytes = targetFileSize_
fileObject.size_in_bytes.condition = 'Equals'
fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True))
fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True))
fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True))
fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True))
fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True))
fileIndicator = Indicator()
fileIndicator.title = parsedTargetFileName + ': hashes'
fileIndicator.description = parsedTargetFilePrefix
fileIndicator.add_indicator_type('File Hash Watchlist')
fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware"))
fileIndicator.observable = fileObject
fileIndicator.confidence = 'Low'
stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator]
stagedStixDoc = stix_package.to_xml()
stagedStixDoc = fixAddressObject(stagedStixDoc)
stagedStixDoc = fixDomainObject(stagedStixDoc)
today = datetime.datetime.now()
now = today.strftime('%Y-%m-%d_%H%M%S')
if not os.path.exists(outputDir_):
os.makedirs(outputDir_)
with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile:
myfile.write(stagedStixDoc)
_l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml')
return
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
def _dostix(hashes):
'''This function creates a STIX packages containing hashes.'''
print("[+] Creating STIX Package")
title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
_custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = title
stix_package.stix_header.handling = _marking()
try:
indicator = Indicator()
indicator.set_producer_identity(SETTINGS['stix']['producer'])
indicator.set_produced_time(indicator.timestamp)
indicator.set_received_time(indicator.timestamp)
indicator.add_kill_chain_phase(PHASE_DELIVERY)
indicator.confidence = "Low"
indicator.title = title
indicator.add_indicator_type("File Hash Watchlist")
indicator.description = SETTINGS['stix']['ind_desc']
try:
indicator.add_indicated_ttp(
TTP(idref=SETTINGS['indicated_ttp'],
timestamp=indicator.timestamp))
indicator.suggested_coas.append(
CourseOfAction(
idref=SETTINGS['suggested_coa'],
timestamp=indicator.timestamp))
except KeyError:
pass
for info in hashes:
try:
file_name = info['filename']
file_object = File()
file_object.file_name = file_name
file_object.file_name.condition = "Equals"
file_object.file_extension = "." + file_name.split('.')[-1]
file_object.file_extension.condition = "Equals"
file_object.size_in_bytes = info['filesize']
file_object.size_in_bytes.condition = "Equals"
file_object.file_format = info['fileformat']
file_object.file_format.condition = "Equals"
file_object.add_hash(Hash(info['md5']))
file_object.add_hash(Hash(info['sha1']))
file_object.add_hash(Hash(info['sha256']))
file_object.add_hash(Hash(info['sha512']))
file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
for hashobj in file_object.hashes:
hashobj.simple_hash_value.condition = "Equals"
hashobj.type_.condition = "Equals"
file_obs = Observable(file_object)
file_obs.title = "File: " + file_name
indicator.add_observable(file_obs)
except TypeError:
pass
stix_package.add_indicator(indicator)
return stix_package
except KeyError:
pass
def main():
# define constants
TI_REQUEST_URL = "https://api.intelgraph.idefense.com/rest/threatindicator/v0"
# iDefense API Key
# To avoid hard-coding creds, I'm using environment variables
if os.environ.get('IDEF_TOKEN') is None:
print(
"error: please store your iDefense IntelGraph API key in the IDEF_TOKEN environment"
)
sys.exit(1)
API_KEY = os.environ.get('IDEF_TOKEN')
API_SECRET = ''
# TODO: use command-line parameter
timestr = datetime.datetime.utcnow() - datetime.timedelta(days=1)
LAST_IMPORT = timestr.strftime("%Y-%m-%dT%H:%M:%S") + ".000Z"
HEADERS = {
"Content-Type": "application/json",
"auth-token": API_KEY,
"X-Api-Key-Proof": API_SECRET
}
print(HEADERS)
page = 1
more_data = True
count = 0
# Set namespace
NAMESPACE = Namespace("https://intelgraph.idefense.com", "idefense")
set_id_namespace(NAMESPACE)
# Create STIX Package
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "iDefense Threat Indicators Feed"
stix_package.stix_header = stix_header
ttps = {}
malware = {}
try:
while more_data:
request_payload = {
"start_date": LAST_IMPORT,
"page_size": 200,
"page": page
}
r = requests.post(TI_REQUEST_URL,
headers=HEADERS,
data=json.dumps(request_payload))
print(r)
response = []
if r.status_code == requests.codes.ok:
try:
# Read in response as json
response = r.json()
except (ValueError, KeyError):
print("Response couldn't be decoded :(")
more_data = False
continue
more_data = response.get('more', 'False')
print("Page %d ==> %s (%s)" %
(page, response['more'], response['total_size']))
page += 1
# Iterate the response
for indicatorD in response['results']:
count += 1
# Indicator value such as the value of the IP/Domain/URL
indicator = indicatorD.get('key')
print(indicator, indicatorD.get('type'))
if indicatorD.get('last_seen_as') is None:
last_seen_as = 'UNKNOWN'
else:
last_seen_as = ''.join(indicatorD.get('last_seen_as'))
# Identify TTP
if last_seen_as not in ttps:
ttps[last_seen_as] = TTP(title=last_seen_as)
stix_package.add_ttp(ttps[last_seen_as])
# Identify malware source
if 'files' in indicatorD:
for hashD in indicatorD['files']:
md5 = hashD.get('key')
# Malware Family classification of the hash if available
if hashD.get('malware_family') is None:
malware_family = "Unknown"
else:
malware_family = ''.join(
hashD.get('malware_family'))
if md5 not in malware:
malware[md5] = add_malware(
md5, malware_family, hashD.get('uuid'))
if indicatorD.get('type') == "url":
# Create indicator
indicator = Indicator(
id_="indicator-{0}".format(indicatorD.get('uuid')),
title=''.join(indicatorD.get('malware_family')),
timestamp=indicatorD.get('last_seen'))
indicator.add_indicator_type("URL Watchlist")
# Populate URL
url = URI()
url.value = indicatorD.get('key')
url.type_ = URI.TYPE_URL
url.value.condition = "Equals"
indicator.add_observable(url)
elif indicatorD.get('type') == "domain":
# Populate domain name
indicator = Indicator(
id_="indicator-{0}".format(indicatorD.get('uuid')),
title=''.join(indicatorD.get('malware_family')),
timestamp=indicatorD.get('last_seen'))
indicator.add_indicator_type("Domain Watchlist")
domain = DomainName()
domain.value = indicatorD.get('key')
domain.value.condition = "Equals"
indicator.add_observable(domain)
elif indicatorD.get('type') == "ip":
# Create indicator
indicator = Indicator(
id_="indicator-{0}".format(indicatorD.get('uuid')),
title=indicatorD.get('malware_family'),
timestamp=indicatorD.get('last_seen'))
indicator.add_indicator_type("IP Watchlist")
# Populate IP address
addr = Address(address_value=indicatorD.get('key'),
category=Address.CAT_IPV4)
addr.condition = "Equals"
indicator.add_observable(addr)
# Link TTP
indicator.add_indicated_ttp(
TTP(idref=ttps[last_seen_as].id_))
# Indicate confidence score
indicator.confidence = Confidence(
value=VocabString(indicatorD.get('confidence')))
# Add related indicator to malware
indicator.add_related_indicator(malware[md5])
# Add to package
stix_package.add_indicator(indicator)
else:
print("API request couldn't be fulfilled due status code: %d" %
r.status_code)
more_data = False
except requests.exceptions.ConnectionError as e:
print("Check your network connection\n %s" % str(e))
except requests.exceptions.HTTPError as e:
print("Bad HTTP response\n %s" % str(e))
except Exception as e:
print("Uncaught exception\n %s" % str(e))
# Output to XML
with open('stix-1.2.1.xml', 'wb') as f:
f.write(stix_package.to_xml())
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title = "Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
def csv2stix(outFormat,inFile):
#=============
# Build package metadata
#=============
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader()
stix_package.stix_header.title = "TG3390"
stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
stix_package.stix_header.handling = handling
#=============
# Build package structure
#=============
ta_tg3390 = ThreatActor(title="TG3390")
ta_tg3390.identity = Identity(name="TG3390")
attack_pattern = AttackPattern()
attack_pattern.description = ("Infrastructure Building")
ttp_infrastructure = TTP(title="Infrastructure Building")
ttp_infrastructure.behavior = Behavior()
ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
ttp_infrastructure.add_intended_effect("Unauthorized Access")
infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
infra_domainInd.add_indicator_type("Domain Watchlist")
infra_domainInd.confidence = "High"
infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd.add_indicator_type("IP Watchlist")
infra_IPInd.confidence = "High"
infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
infra_IPInd_M.add_indicator_type("IP Watchlist")
infra_IPInd_M.confidence = "Medium"
infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))
httpBrowserObj = MalwareInstance()
httpBrowserObj.add_name("HTTP Browser")
ttp_httpB = TTP(title="HTTP Browser")
ttp_httpB.behavior = Behavior()
ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
ttp_httpB.add_intended_effect("Theft - Intellectual Property")
httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
httpB_hashInd.add_indicator_type("File Hash Watchlist")
httpB_hashInd.confidence = "High"
httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))
httpBrowserDropperObj = MalwareInstance()
httpBrowserDropperObj.add_name("HTTP Browser Dropper")
ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
ttp_httpBDpr.behavior = Behavior()
ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
httpBDpr_hashInd.confidence = "High"
httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))
plugXObj = MalwareInstance()
plugXObj.add_name("PlugX Dropper")
ttp_plugX = TTP(title="PlugX Dropper")
ttp_plugX.behavior = Behavior()
ttp_plugX.behavior.add_malware_instance(plugXObj)
ttp_plugX.add_intended_effect("Theft - Intellectual Property")
plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
plugX_hashInd.add_indicator_type("File Hash Watchlist")
plugX_hashInd.confidence = "High"
plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))
#=============
# Process content in to structure
#=============
ip_rules = []
ip_rules_M = []
domain_rules = []
with open(inFile, 'rb') as f:
reader = csv.reader(f)
for row in reader:
obs = row[0]
obsType = row[1]
description = row[2]
confidence = row[3]
#print obs,obsType,description,confidence
if description == 'TG-3390 infrastructure':
if obsType == 'Domain name':
domain_obj = DomainName()
domain_obj.value = obs
#domain_obj.title = description
infra_domainInd.add_object(domain_obj)
domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
domain_rules.append(domain_rule)
elif obsType == 'IP address':
ipv4_obj = Address()
ipv4_obj.category = "ipv4-addr"
ipv4_obj.address_value = obs
ipv4_obj.title = description
ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
if confidence == "High":
infra_IPInd.add_object(ipv4_obj)
ip_rules.append(obs)
else:
infra_IPInd_M.add_object(ipv4_obj)
ip_rules_M.append(obs)
else:
print "TTP Infra: obsType is wrong"
elif description == 'HttpBrowser RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpBDpr_hashInd.add_observable(file_obj)
elif description == 'HttpBrowser RAT':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
httpB_hashInd.add_observable(file_obj)
elif description == 'PlugX RAT dropper':
file_obj = File()
file_obj.add_hash(Hash(obs))
file_obj.title = description
plugX_hashInd.add_observable(file_obj)
else:
print "TTP not found"
#print ip_rules
ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])
ip_tm = SnortTestMechanism()
ip_tm.rules = [ip_rule]
ip_tm.efficacy = "High"
ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd.test_mechanisms = [ip_tm]
ip_M_tm = SnortTestMechanism()
ip_M_tm.rules = [ip_rule_M]
ip_M_tm.efficacy = "Medium"
ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_IPInd_M.test_mechanisms = [ip_M_tm]
domain_tm = SnortTestMechanism()
domain_tm.rules = domain_rules
domain_tm.efficacy = "High"
domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
infra_domainInd.test_mechanisms = [domain_tm]
#=============
# Add the composed content to the structure
#=============
stix_package.add_indicator(infra_domainInd)
stix_package.add_indicator(infra_IPInd)
stix_package.add_indicator(infra_IPInd_M)
stix_package.add_indicator(httpBDpr_hashInd)
stix_package.add_indicator(httpB_hashInd)
stix_package.add_indicator(plugX_hashInd)
stix_package.add_ttp(ttp_infrastructure)
stix_package.add_ttp(ttp_httpB)
stix_package.add_ttp(ttp_httpBDpr)
stix_package.add_ttp(ttp_plugX)
"""
if outFormat =='dict':
print stix_package.to_dict()
if outFormat =='json':
parsed = stix_package.to_json()
jsonpkg = json.loads(parsed)
pprint.pprint(jsonpkg)
if outFormat =='stix':
print stix_package.to_xml()
"""
#if verbose:
#print stix_package.to_xml()
#pprint(stix_package.to_json())
return stix_package
def genStixDoc(
outputDir_,
targetFileSha1_,
targetFileSha256_,
targetFileSha512_,
targetFileSsdeep_,
targetFileMd5_,
targetFileSize_,
targetFileName_,
ipv4Addresses_,
hostNames_):
"""
Generate Stix document from the input values. The doc structure is the file
object along with the related network items: addresses, domain names. Output
is written to files, which are then wrapped with taxii and uploaded using a
separate script.
"""
parsedTargetFileName = reFileName(targetFileName_)[1]
parsedTargetFilePrefix = reFileName(targetFileName_)[0]
stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"})
NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix")
cybox.utils.set_id_namespace(NS)
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
stix_package.stix_header = stix_header
# Create the ttp
malware_instance = MalwareInstance()
malware_instance.add_name(parsedTargetFileName)
malware_instance.description = targetFileSha1_
ttp = TTP(title='TTP: ' + parsedTargetFileName)
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware_instance)
stix_package.add_ttp(ttp)
# Create the indicator for the ipv4 addresses
ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4)
ipv4Object.condition = 'Equals'
ipv4Indicator = Indicator()
ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses'
ipv4Indicator.add_indicator_type('IP Watchlist')
ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
ipv4Indicator.observable = ipv4Object
ipv4Indicator.confidence = 'Low'
# Create the indicator for the domain names
domainNameObject = DomainName()
domainNameObject.value = hostNames_
domainNameObject.condition = 'Equals'
domainNameIndicator = Indicator()
domainNameIndicator.title = parsedTargetFileName + ': domain names'
domainNameIndicator.add_indicator_type('Domain Watchlist')
domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
domainNameIndicator.observable = domainNameObject
domainNameIndicator.confidence = 'Low'
# Create the indicator for the file
fileObject = File()
fileObject.file_name = parsedTargetFileName
fileObject.file_name.condition = 'Equals'
fileObject.size_in_bytes = targetFileSize_
fileObject.size_in_bytes.condition = 'Equals'
fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True))
fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True))
fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True))
fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True))
fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True))
fileIndicator = Indicator()
fileIndicator.title = parsedTargetFileName + ': hashes'
fileIndicator.description = parsedTargetFilePrefix
fileIndicator.add_indicator_type('File Hash Watchlist')
fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware"))
fileIndicator.observable = fileObject
fileIndicator.confidence = 'Low'
stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator]
stagedStixDoc = stix_package.to_xml()
stagedStixDoc = fixAddressObject(stagedStixDoc)
stagedStixDoc = fixDomainObject(stagedStixDoc)
today = datetime.datetime.now()
now = today.strftime('%Y-%m-%d_%H%M%S')
if not os.path.exists(outputDir_):
os.makedirs(outputDir_)
with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile:
myfile.write(stagedStixDoc)
_l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml')
return
def index2stix(local_index, orig_stix):
#=============
# Build package metadata
#=============
new_stix = STIXPackage()
new_stix.stix_header = STIXHeader()
new_stix.stix_header.title = "TG3390 - Enrichment"
new_stix.stix_header.description = "Enrichment stix file to the Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = "WHITE"
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
new_stix.stix_header.handling = handling
enrich_IPs = Indicator(title="Suspected TG3390 IP Addresses obtained through automated enrichment")
enrich_IPs.add_indicator_type("IP Watchlist")
enrich_IPs.confidence = "Low"
related_IPs = Indicator(title="Related indicator wrapper for source of enrichment")
related_IPs.add_indicator_type("IP Watchlist")
related_IPs.confidence = "Medium"
enrich_Domains = Indicator(title="Suspected TG3390 Domains obtained through automated enrichment")
enrich_Domains.add_indicator_type("Domain Watchlist")
enrich_Domains.confidence = "Low"
related_Domains = Indicator(title="Related indicator wrapper for source of enrichment")
related_Domains.add_indicator_type("Domain Watchlist")
related_Domains.confidence = "Medium"
# START with the ones that already have ids:
#if verbose:
#print_chain(local_index)
new_ref_created = True
while new_ref_created:
new_ref_created = False
for ind_type in local_index:
for obs in local_index[ind_type]:
id_tobe_referenced = local_index[ind_type][obs][0]
#print id_tobe_referenced[:10]
if id_tobe_referenced[:10] != '{{no_ref}}':
ref_obs = Observable()
ref_obs.id_ = id_tobe_referenced.replace("{{no_ref}}","")
ref_obs.description = 'Source of enrichment for: '
create_ref_obs = False
for entry in local_index[ind_type][obs]:
if type(entry) is list:
if len(entry)>0:
for item in entry:
ref, child_ind_type = get_ref_from_obs(item, local_index)
#print item
if ref == '{{no_ref}}' or ref == '':
create_ref_obs = True
new_ref_created = True
#print 'Create new, complete, observable for ' + item
#print child_ind_type
#Create the new observable for item and add as object to appropriate Indicator
if child_ind_type == 'DomainName':
append_ind = enrich_Domains
related_ind = related_Domains
new_obj = DomainName()
new_obj.value = item
#enrich_Domains.add_object(domain_obj)
elif child_ind_type == 'Address':
append_ind = enrich_IPs
related_ind = related_IPs
new_obj = Address()
new_obj.category = "ipv4-addr"
new_obj.address_value = item
#enrich_IPs.add_object(ipv4_obj)
else:
print 'Unsupported indicator type: ' + child_ind_type
new_obs = Observable(new_obj)
new_obs_ref = new_obs.id_
append_ind.add_observable(new_obs)
ref = new_obs_ref
#local_index[item][0] = ref
set_obs_ref(item, new_obs_ref, local_index)
#print 'Adding ref to: ' + ref_obs.id_ + ' of ' + ref
ref_obs.description = str(ref_obs.description) + ref.replace("{{no_ref}}","") + ', '
if create_ref_obs:
#Add the new ref obs to Related Indicators
related_ind.add_observable(ref_obs)
#print related_ind.to_xml()
create_ref_obs = False
related_ind1 = RelatedIndicator(related_IPs, relationship='Source of enrichment for IPs')
related_ind2 = RelatedIndicator(related_Domains, relationship='Source of enrichment for Domains')
enrich_IPs.related_indicators.append(related_ind1)
enrich_Domains.related_indicators.append(related_ind2)
new_stix.add_indicator(enrich_IPs)
new_stix.add_indicator(enrich_Domains)
#new_stix_json = json.loads(new_stix.to_json())
#new_stix_xml = new_stix.to_xml()
#if verbose:
#print new_stix.to_xml()
return new_stix
def genObject_Indicator(data):
from stix.indicator import Indicator
try:
sTitle = "phishTank.com id:" + data[
'phish_id'] + " with malicious URL:" + data['url']
sTitle = sTitle[:70] + "..."
except:
sTitle = "phishTank.com id:" + data[
'phish_id'] + " with malicious URL:--[URL Not Displayed - Due to encoding issue]--"
# try:
# sDscrpt = "This URL:[" + escape(unicode(srcDict[item]['url'])) + "] was identified by phishtank.com as part of a phishing email"
# except:
# sDscrpt = "This URL:--[URL Not Displayed - Due to encoding issue]-- was identified by phishtank.com as part of a phishing email"
sDscrpt = "This URL:[" + escape(
data['url']
) + "] was identified by phishtank.com as part of a phishing email"
if data['target'] and not data['target'] == 'Other':
sDscrpt += " which appears to be targeting " + data['target']
else:
sDscrpt += "."
if data['online'] == 'yes':
sDscrpt += " This URL appears to still be online as of " + data[
'verification_time']
elif data['online'] == 'no':
sDscrpt += " This URL appears to offline as of " + data[
'verification_time']
sDscrpt += ". More detailed infomation can be found at " + data[
'phish_detail_url']
objIndicator = Indicator()
objIndicator.idref = None
objIndicator.title = sTitle
objIndicator.description = "<![CDATA[" + sDscrpt + "]]>"
objIndicator.short_description = "<![CDATA[" + sTitle + "]]>"
if data['verified'] == 'yes':
objIndicator.confidence = 'High'
else:
objIndicator.confidence = 'Low'
objIndicator.test_mechanisms = None
objIndicator.alternative_id = None
objIndicator.composite_indicator_expression = None
objIndicator.valid_time_positions = None
objIndicator.related_indicators = None
# objIndicator.suggested_coas = SuggestedCOAs()
# objIndicator.kill_chain_phases = KillChainPhasesReference()
# objIndicator.likely_impact = None
### Used/Defined Outside this funtion
# objIndicator.indicator_types = ["URL Watchlist"]
# objIndicator.observable_composition_operator = "OR"
# objIndicator.producer = None
# objIndicator.observables = obsList
# objIndicator.handling = objMarking
# objIndicator.sightings = None
# objIndicator.set_received_time
return (objIndicator)
def json2indicator(config, src, dest, endpoint, json_, crits_id):
'''transform crits indicators into stix indicators with embedded
cybox observable composition'''
try:
set_id_method(IDGenerator.METHOD_UUID)
xmlns_url = config['edge']['sites'][dest]['stix']['xmlns_url']
xmlns_name = config['edge']['sites'][dest]['stix']['xmlns_name']
set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name))
if endpoint == 'indicators':
endpoint_trans = {
'Email': 'emails',
'IP': 'ips',
'Sample': 'samples',
'Domain': 'domains',
'Indicator': 'indicators',
'Event': 'events'
}
if json_.get('type', None) not in ['Reference', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits',
obj_type='indicator type ' + json_.get('type', 'None'),
id_=crits_id))
return (None)
indicator_ = Indicator()
indicator_.id = xmlns_name + ':indicator-' + crits_id
indicator_.id_ = indicator_.id
indicator_.title = json_['value']
indicator_.confidence = json_['confidence']['rating'].capitalize()
indicator_.add_indicator_type('Malware Artifacts')
observable_composition_ = ObservableComposition()
observable_composition_.operator = \
indicator_.observable_composition_operator
for r in json_['relationships']:
if r.get('relationship',
None) not in ['Contains', 'Related_To']:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits',
obj_type='indicator relationship type ' +
r.get('relationship', 'None'),
id_=crits_id))
continue
if r['type'] in ['Sample', 'Email', 'IP', 'Sample', 'Domain']:
observable_ = Observable()
observable_.idref = xmlns_name + ':observable-' + r['value']
observable_composition_.add(observable_)
elif r['type'] == 'Indicator':
related_indicator = RelatedIndicator(
Indicator(idref=xmlns_name + ':indicator-' +
r['value']))
indicator_.related_indicators.append(related_indicator)
# stix indicators don't support related_incident :-(
# elif r['type'] == 'Event':
# related_incident = RelatedIncident(Incident(idref=xmlns_name + ':incident-' + r['value']))
# indicator_.related_incidents.append(related_incident)
indicator_.observable = Observable()
indicator_.observable.observable_composition = \
observable_composition_
return (indicator_)
else:
config['logger'].error(
log.log_messages['unsupported_object_error'].format(
type_='crits', obj_type=endpoint, id_=crits_id))
return (None)
except:
e = sys.exc_info()[0]
config['logger'].error(log.log_messages['obj_convert_error'].format(
src_type='crits',
src_obj='indicator',
id_=crits_id,
dest_type='stix',
dest_obj='indicator'))
config['logger'].exception(e)
return (None)
def to_stix(obj, items_to_convert=[], loaded=False, bin_fmt="raw"):
"""
Converts a CRITs object to a STIX document.
The resulting document includes standardized representations
of all related objects noted within items_to_convert.
:param items_to_convert: The list of items to convert to STIX/CybOX
:type items_to_convert: Either a list of CRITs objects OR
a list of {'_type': CRITS_TYPE, '_id': CRITS_ID} dicts
:param loaded: Set to True if you've passed a list of CRITs objects as
the value for items_to_convert, else leave False.
:type loaded: bool
:param bin_fmt: Specifies the format for Sample data encoding.
Options: None (don't include binary data in STIX output),
"raw" (include binary data as is),
"base64" (base64 encode binary data)
:returns: A dict indicating which items mapped to STIX indicators, ['stix_indicators']
which items mapped to STIX observables, ['stix_observables']
which items are included in the resulting STIX doc, ['final_objects']
and the STIX doc itself ['stix_obj'].
"""
from cybox.common import Time, ToolInformationList, ToolInformation
from stix.common import StructuredText, InformationSource
from stix.core import STIXPackage, STIXHeader
from stix.common.identity import Identity
# These lists are used to determine which CRITs objects
# go in which part of the STIX document.
ind_list = ['Indicator']
obs_list = ['Certificate',
'Domain',
'Email',
'IP',
'PCAP',
'RawData',
'Sample']
actor_list = ['Actor']
# Store message
stix_msg = {
'stix_incidents': [],
'stix_indicators': [],
'stix_observables': [],
'stix_actors': [],
'final_objects': []
}
if not loaded: # if we have a list of object metadata, load it before processing
items_to_convert = [class_from_id(item['_type'], item['_id'])
for item in items_to_convert]
# add self to the list of items to STIXify
if obj not in items_to_convert:
items_to_convert.append(obj)
# add any email attachments
attachments = []
for obj in items_to_convert:
if obj._meta['crits_type'] == 'Email':
for rel in obj.relationships:
if rel.relationship == RelationshipTypes.CONTAINS:
atch = class_from_id('Sample', rel.object_id)
if atch not in items_to_convert:
attachments.append(atch)
items_to_convert.extend(attachments)
# grab ObjectId of items
refObjs = {key.id: 0 for key in items_to_convert}
relationships = {}
stix = []
from stix.indicator import Indicator as S_Ind
for obj in items_to_convert:
obj_type = obj._meta['crits_type']
if obj_type == class_from_type('Event')._meta['crits_type']:
stx, release = to_stix_incident(obj)
stix_msg['stix_incidents'].append(stx)
elif obj_type in ind_list: # convert to STIX indicators
stx, releas = to_stix_indicator(obj)
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in obs_list: # convert to CybOX observable
if obj_type == class_from_type('Sample')._meta['crits_type']:
stx, releas = to_cybox_observable(obj, bin_fmt=bin_fmt)
else:
stx, releas = to_cybox_observable(obj)
# wrap in stix Indicator
ind = S_Ind()
for ob in stx:
ind.add_observable(ob)
ind.title = "CRITs %s Top-Level Object" % obj_type
ind.description = ("This is simply a CRITs %s top-level "
"object, not actually an Indicator. "
"The Observable is wrapped in an Indicator"
" to facilitate documentation of the "
"relationship." % obj_type)
ind.confidence = 'None'
stx = ind
stix_msg['stix_indicators'].append(stx)
refObjs[obj.id] = S_Ind(idref=stx.id_)
elif obj_type in actor_list: # convert to STIX actor
stx, releas = to_stix_actor(obj)
stix_msg['stix_actors'].append(stx)
# get relationships from CRITs objects
for rel in obj.relationships:
if rel.object_id in refObjs:
relationships.setdefault(stx.id_, {})
relationships[stx.id_][rel.object_id] = (rel.relationship,
rel.rel_confidence.capitalize(),
rel.rel_type)
stix_msg['final_objects'].append(obj)
stix.append(stx)
# set relationships on STIX objects
for stix_obj in stix:
for rel in relationships.get(stix_obj.id_, {}):
if isinstance(refObjs.get(rel), S_Ind): # if is STIX Indicator
stix_obj.related_indicators.append(refObjs[rel])
rel_meta = relationships.get(stix_obj.id_)[rel]
stix_obj.related_indicators[-1].relationship = rel_meta[0]
stix_obj.related_indicators[-1].confidence = rel_meta[1]
# Add any Email Attachments to CybOX EmailMessage Objects
if isinstance(stix_obj, S_Ind):
if 'EmailMessage' in stix_obj.observable.object_.id_:
if rel_meta[0] == 'Contains' and rel_meta[2] == 'Sample':
email = stix_obj.observable.object_.properties
email.attachments.append(refObjs[rel].idref)
tool_list = ToolInformationList()
tool = ToolInformation("CRITs", "MITRE")
tool.version = settings.CRITS_VERSION
tool_list.append(tool)
i_s = InformationSource(
time=Time(produced_time= datetime.now()),
identity=Identity(name=settings.COMPANY_NAME),
tools=tool_list)
if obj._meta['crits_type'] == "Event":
stix_desc = obj.description()
stix_int = obj.event_type()
stix_title = obj.title()
else:
stix_desc = "STIX from %s" % settings.COMPANY_NAME
stix_int = "Collective Threat Intelligence"
stix_title = "Threat Intelligence Sharing"
header = STIXHeader(information_source=i_s,
description=StructuredText(value=stix_desc),
package_intents=[stix_int],
title=stix_title)
stix_msg['stix_obj'] = STIXPackage(incidents=stix_msg['stix_incidents'],
indicators=stix_msg['stix_indicators'],
threat_actors=stix_msg['stix_actors'],
stix_header=header,
id_=uuid.uuid4())
return stix_msg
def toStixXml(self, confidence, efficacy):
"""
This method converts a list of FASGuard generated Snort rules into a STIX
compliant XML string ready for output. It first converts the object
into a hash of the right format and then converts it into XML using
STIXPackage.from_dict and to_xml on the resulting object.
Arguments:
confidence - High, Medium or Low. High means low false alarm rate.
efficacy - High, Medium or Low. High means a low missed detection rate.
Returns:
Reference to string containing STIX/CybOX XML file.
"""
logger = logging.getLogger('simple_example')
self.logger = logger
self.logger.debug('In asg.fasguardStixRule')
stix_package = STIXPackage()
# Build the Exploit Target
vuln = Vulnerability()
vuln.cve_id = "Unknown"
et = ExploitTarget(title="From FASGuard")
et.add_vulnerability(vuln)
stix_package.add_exploit_target(et)
# Build the TTP
ttp = TTP(title="FASGuard Produced Signatures")
ttp.exploit_targets.append(ExploitTarget(idref=et.id_))
stix_package.add_ttp(ttp)
# Build the indicator
indicator = Indicator(title="Snort Signature from FASGuard")
indicator.confidence = Confidence(confidence)
tm = SnortTestMechanism()
tm.rules = self.ruleList
tm.efficacy = efficacy
tm.producer = InformationSource(identity=Identity(name="FASGuard"))
tm.producer.references = ["http://fasguard.github.io/"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
return stix_package.to_xml()
# stixDict = {'campaigns': [{}],
# 'courses_of_action': [{}],
# 'exploit_targets': [{}],
# 'id': 'INSERT_PACKAGE_ID_HERE'}
# stixDict['indicators'] = [{'indicator':
# {'title':
# 'Automatically Generated FASGuard Signatures',
# 'test_mechanisms':
# {'test_mechanism':
# {'efficacy':'Low',
# 'producer':
# {'Identity':'FASGuard'},
# 'rule':'xyz'}}}}
# ]
stix_package = STIXPackage.from_dict(stixDict)
stix_xml = stix_package.to_xml()
return stix_xml
def main():
stix_package = STIXPackage()
ttp = TTP(title="Phishing")
stix_package.add_ttp(ttp)
# Create the indicator for just the subject
email_subject_object = EmailMessage()
email_subject_object.header = EmailHeader()
email_subject_object.header.subject = "[IMPORTANT] Please Review Before"
email_subject_object.header.subject.condition = "StartsWith"
email_subject_indicator = Indicator()
email_subject_indicator.title = "Malicious E-mail Subject Line"
email_subject_indicator.add_indicator_type("Malicious E-mail")
email_subject_indicator.observable = email_subject_object
email_subject_indicator.confidence = "Low"
# Create the indicator for just the attachment
file_attachment_object = EmailMessage()
file_attachment_object.attachments = Attachments()
attached_file_object = File()
attached_file_object.file_name = "Final Report"
attached_file_object.file_name.condition = "StartsWith"
attached_file_object.file_extension = "doc.exe"
attached_file_object.file_extension.condition = "Equals"
file_attachment_object.add_related(attached_file_object,
"Contains",
inline=True)
file_attachment_object.attachments.append(attached_file_object.parent.id_)
indicator_attachment = Indicator()
indicator_attachment.title = "Malicious E-mail Attachment"
indicator_attachment.add_indicator_type("Malicious E-mail")
indicator_attachment.observable = file_attachment_object
indicator_attachment.confidence = "Low"
# Create the combined indicator w/ both subject an attachment
full_email_object = EmailMessage()
full_email_object.attachments = Attachments()
# Add the previously referenced file as another reference rather than define it again:
full_email_object.attachments.append(attached_file_object.parent.id_)
full_email_object.header = EmailHeader()
full_email_object.header.subject = "[IMPORTANT] Please Review Before"
full_email_object.header.subject.condition = "StartsWith"
combined_indicator = Indicator(title="Malicious E-mail")
combined_indicator.add_indicator_type("Malicious E-mail")
combined_indicator.confidence = Confidence(value="High")
combined_indicator.observable = full_email_object
email_subject_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
indicator_attachment.add_indicated_ttp(TTP(idref=ttp.id_))
combined_indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(combined_indicator)
stix_package.add_indicator(email_subject_indicator)
stix_package.add_indicator(indicator_attachment)
print(stix_package.to_xml(encoding=None))
def transform(self, event):
stix_package = STIXPackage()
self._add_header(stix_package, "Unauthorized traffic to honeypot",
"Describes one or more honeypot incidents")
incident = Incident(
id_="%s:%s-%s" %
(CONPOT_NAMESPACE, 'incident', event['session_id']))
initial_time = StixTime()
initial_time.initial_compromise = event['timestamp'].isoformat()
incident.time = initial_time
incident.title = "Conpot Event"
incident.short_description = "Traffic to Conpot ICS honeypot"
incident.add_category(
VocabString(value='Scans/Probes/Attempted Access'))
tool_list = ToolInformationList()
tool_list.append(
ToolInformation.from_dict({
'name':
"Conpot",
'vendor':
"Conpot Team",
'version':
conpot.__version__,
'description':
textwrap.dedent(
'Conpot is a low interactive server side Industrial Control Systems '
'honeypot designed to be easy to deploy, modify and extend.'
)
}))
incident.reporter = InformationSource(tools=tool_list)
incident.add_discovery_method("Monitoring Service")
incident.confidence = "High"
# Victim Targeting by Sector
ciq_identity = CIQIdentity3_0Instance()
#identity_spec = STIXCIQIdentity3_0()
#identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
#ciq_identity.specification = identity_spec
ttp = TTP(
title=
"Victim Targeting: Electricity Sector and Industrial Control System Sector"
)
ttp.victim_targeting = VictimTargeting()
ttp.victim_targeting.identity = ciq_identity
incident.leveraged_ttps.append(ttp)
indicator = Indicator(title="Conpot Event")
indicator.description = "Conpot network event"
indicator.confidence = "High"
source_port = Port.from_dict({
'port_value': event['remote'][1],
'layer4_protocol': 'tcp'
})
dest_port = Port.from_dict({
'port_value':
self.protocol_to_port_mapping[event['data_type']],
'layer4_protocol':
'tcp'
})
source_ip = Address.from_dict({
'address_value': event['remote'][0],
'category': Address.CAT_IPV4
})
dest_ip = Address.from_dict({
'address_value': event['public_ip'],
'category': Address.CAT_IPV4
})
source_address = SocketAddress.from_dict({
'ip_address':
source_ip.to_dict(),
'port':
source_port.to_dict()
})
dest_address = SocketAddress.from_dict({
'ip_address': dest_ip.to_dict(),
'port': dest_port.to_dict()
})
network_connection = NetworkConnection.from_dict({
'source_socket_address':
source_address.to_dict(),
'destination_socket_address':
dest_address.to_dict(),
'layer3_protocol':
"IPv4",
'layer4_protocol':
"TCP",
'layer7_protocol':
event['data_type'],
'source_tcp_state':
"ESTABLISHED",
'destination_tcp_state':
"ESTABLISHED",
})
indicator.add_observable(Observable(network_connection))
artifact = Artifact()
artifact.data = json.dumps(event['data'])
artifact.packaging.append(ZlibCompression())
artifact.packaging.append(Base64Encoding())
indicator.add_observable(Observable(artifact))
incident.related_indicators.append(indicator)
stix_package.add_incident(incident)
stix_package_xml = stix_package.to_xml()
return stix_package_xml
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
