def main(): stix_package = STIXPackage() ta = ThreatActor() ta.title = "Disco Team Threat Actor Group" ta.identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() identity_spec.party_name = PartyName() identity_spec.party_name.add_organisation_name(OrganisationName("Disco Tean", type_="CommonUse")) identity_spec.party_name.add_organisation_name(OrganisationName("Equipo del Discoteca", type_="UnofficialName")) identity_spec.add_language("Spanish") address = Address() address.country = Country() address.country.add_name_element("United States") address.administrative_area = AdministrativeArea() address.administrative_area.add_name_element("California") identity_spec.add_address(address) identity_spec.add_electronic_address_identifier("*****@*****.**") ta.identity.specification = identity_spec stix_package.add_threat_actor(ta) print stix_package.to_xml()
def test_ta(self): t = ThreatActor() t.title = UNICODE_STR t.description = UNICODE_STR t.short_description = UNICODE_STR t2 = round_trip(t) self._test_equal(t, t2)
def main(): stix_package = STIXPackage() ttp_phishing = TTP(title="Phishing") attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-98" attack_pattern.description = ("Phishing") ttp_phishing.behavior = Behavior() ttp_phishing.behavior.add_attack_pattern(attack_pattern) ttp_pivy = TTP(title="Poison Ivy Variant d1c6") malware_instance = MalwareInstance() malware_instance.add_name("Poison Ivy Variant d1c6") malware_instance.add_type("Remote Access Trojan") ttp_pivy.behavior = Behavior() ttp_pivy.behavior.add_malware_instance(malware_instance) ta_bravo = ThreatActor(title="Adversary Bravo") ta_bravo.identity = Identity(name="Adversary Bravo") related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern") ta_bravo.observed_ttps.append(related_ttp_phishing) related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware") ta_bravo.observed_ttps.append(related_ttp_pivy) stix_package.add_ttp(ttp_phishing) stix_package.add_ttp(ttp_pivy) stix_package.add_threat_actor(ta_bravo) print(stix_package.to_xml(encoding=None))
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def generateThreatActor(attribute): ta = ThreatActor(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"] ta.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["comment"] != "": ta.description = attribute["value"] + " (" + attribute["comment"] + ")" else: ta.description = attribute["value"] return ta
def generateThreatActor(attribute): ta = ThreatActor() ta.id_= namespace[1] + ":threatactor-" + attribute["uuid"] ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"] if attribute["comment"] != "": ta.description = attribute["value"] + " (" + attribute["comment"] + ")" else: ta.description = attribute["value"] return ta
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages) if obj.version: return_obj.version = obj.version if obj.Campaigns: return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign] if obj.Courses_Of_Action: return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action] if obj.Exploit_Targets: return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target] if obj.Indicators: return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator] if obj.Observables: return_obj.observables = Observables.from_obj(obj.Observables) if obj.Incidents: return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident] if obj.Threat_Actors: return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor] if obj.TTPs: return_obj.ttps = TTPs.from_obj(obj.TTPs) return return_obj
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header()) return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages()) if obj.get_version(): return_obj.version = obj.get_version() if obj.get_Campaigns(): return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()] if obj.get_Courses_Of_Action(): return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()] if obj.get_Exploit_Targets(): return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()] if obj.get_Indicators(): return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()] if obj.get_Observables(): return_obj.observables = Observables.from_obj(obj.get_Observables()) if obj.get_Incidents(): return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()] if obj.get_Threat_Actors(): return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()] if obj.get_TTPs(): return_obj.ttps = TTPs.from_obj(obj.get_TTPs()) return return_obj
def add_external_or_partner_actor_ttem(item, pkg): ta = ThreatActor() ta.identity = CIQIdentity3_0Instance() identity_spec = STIXCIQIdentity3_0() country_item = item.get('country') if not country_item: error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item") else: for c in country_item: address = Address() address.country = Country() address.country.add_name_element(c) identity_spec.add_address(address) ta.identity.specification = identity_spec motive_item = item.get('motive') if not motive_item: error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item") else: for m in motive_item: motivation = Statement() motivation.value = map_motive_item_to_motivation(m) ta.add_motivation(motivation) variety_item = item.get('variety') if not variety_item: error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item") else: for v in variety_item: ta_type = Statement() ta_type.value = map_actor_variety_item_to_threat_actor_type(v) ta.add_type(ta_type) notes_item = item.get('notes') if notes_item: ta.description = "Notes: " + escape(notes_item) pkg.add_threat_actor(ta)
def add_actor_item(actor_item, pkg): ta = ThreatActor() external_item = actor_item.get('external') if external_item: add_external_or_partner_actor_ttem(external_item, pkg) internal_item = actor_item.get('internal') if internal_item: add_internal_actor_item(internal_item, pkg) # this is a partner of the victim... partner_item = actor_item.get('partner') if partner_item: add_external_or_partner_actor_ttem(partner_item, pkg) unknown_item = actor_item.get('unknown') if unknown_item: notes_item = unknown_item.get('notes') if notes_item: ta = ThreatActor() ta.description = "Notes:" + escape(notes_item) pkg.add_threat_actor(ta)
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" c = Campaign() c.attribution.append(actor) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def generateThreatActor(attribute): ta = ThreatActor( timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ta.id_ = namespace[1] + ":threatactor-" + attribute["uuid"] ta.title = attribute["category"] + ": " + attribute[ "value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["comment"] != "": ta.description = attribute["value"] + " (" + attribute["comment"] + ")" else: ta.description = attribute["value"] return ta
def from_obj(cls, obj, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header) return_obj.related_packages = RelatedPackages.from_obj( obj.Related_Packages) if obj.version: return_obj.version = obj.version if obj.Campaigns: return_obj.campaigns = [ Campaign.from_obj(x) for x in obj.Campaigns.Campaign ] if obj.Courses_Of_Action: return_obj.courses_of_action = [ CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action ] if obj.Exploit_Targets: return_obj.exploit_targets = [ ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target ] if obj.Indicators: return_obj.indicators = [ Indicator.from_obj(x) for x in obj.Indicators.Indicator ] if obj.Observables: return_obj.observables = Observables.from_obj(obj.Observables) if obj.Incidents: return_obj.incidents = [ Incident.from_obj(x) for x in obj.Incidents.Incident ] if obj.Threat_Actors: return_obj.threat_actors = [ ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor ] if obj.TTPs: return_obj.ttps = TTPs.from_obj(obj.TTPs) return return_obj
def convert_report(r20): r1x = Report(id_=convert_id20(r20["id"]), timestamp=text_type(r20["modified"])) r1x.header = Header() if "name" in r20: r1x.header.title = r20["name"] if "description" in r20: r1x.header.add_description(r20["description"]) intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP) for i in intents: r1x.header.add_intent(i) if "published" in r20: add_missing_property_to_description(r1x.header, "published", r20["published"]) for ref in r20["object_refs"]: ref_type = get_type_from_id(ref) if ref_type == "attack-pattern": r1x.add_ttp(TTP(idref=ref)) elif ref_type == "campaign": r1x.add_campaign(Campaign(idref=ref)) elif ref_type == 'course-of-action': r1x.add_course_of_action(CourseOfAction(idref=ref)) elif ref_type == "indicator": r1x.add_indicator(Indicator(idref=ref)) elif ref_type == "observed-data": r1x.add_observable(Observable(idref=ref)) elif ref_type == "malware": r1x.add_ttp(TTP(idref=ref)) elif ref_type == "threat-actor": r1x.add_threat_actor(ThreatActor(idref=ref)) elif ref_type == "vulnerability": r1x.add_exploit_target(ExploitTarget(idref=ref)) if "object_marking_refs" in r20: for m_id in r20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(r1x, ms, descendants=True) if "granular_markings" in r20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, r20["id"]) return r1x
def from_dict(cls, dict_repr, return_obj=None): if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id', None) return_obj.idref = dict_repr.get('idref', None) return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version', cls._version) return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None)) return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])] return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])] return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])] return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])] return_obj.observables = Observables.from_dict(dict_repr.get('observables')) return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])] return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])] return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps')) return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages')) return return_obj
def add_internal_actor_item(internal_item, pkg): ta = ThreatActor() motive_item = internal_item.get('motive') if not motive_item: error("Required 'motive' item is missing in 'actor/internal' item") else: for item in motive_item: motivation = Statement() motivation.value = map_motive_item_to_motivation(item) ta.add_motivation(motivation) # job_change added in 1.3 variety_item = internal_item.get('variety') if not variety_item: error("Required 'variety' item is missing in 'actor/internal' item") else: for v in variety_item: ta_type = Statement() ta_type.value = ThreatActorType(ThreatActorType.TERM_INSIDER_THREAT) ta_type.description = v ta.add_type(ta_type) notes_item = internal_item.get('notes') if notes_item: ta.description = "Notes: " + escape(notes_item) pkg.add_threat_actor(ta)
def to_stix_actor(obj): """ Create a STIX Actor. """ ta = ThreatActor() ta.title = obj.name ta.description = obj.description for tt in obj.threat_types: ta.add_type(tt) for m in obj.motivations: ta.add_motivation(m) for ie in obj.intended_effects: ta.add_intended_effect(ie) for s in obj.sophistications: ta.add_sophistication(s) #for i in self.identifiers: return (ta, obj.releasability)
observable = Observable(domain) infrastructure.observable_characterization = Observables( Observable(idref=observable.id_)) personas = Personas() personas.append(Identity(name='Stephen Golub')) resource = Resource(tools=Tools(tool), infrastructure=infrastructure, personas=personas) ttp.resources = resource related_ttp = RelatedTTP(TTP(idref=ttp.id_)) # TTP - Related Threat Actor (basic; by id) ta = ThreatActor(title='Adversary Bravo') ta.observed_ttps.append(related_ttp) # TTP - Related TTP2 (Malware; by id) ttp2 = TTP(title='Poison Ivy Variant') malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6') malware_instance.description = 'Attack Pattern Description' malware_instance.short_description = 'Attack Pattern Short Description' malware_instance.add_type(MalwareType('Remote Access Trojan')) maec = MAECInstance() maec.add_name('Poison Ivy Variant v4392-acc') maec.add_type(MalwareType('Exploit Kits')) ttp2.behavior = Behavior() ttp2.behavior.add_malware_instance(malware_instance)
t = Time() t.incident_opened = '2018-09-11' incident.time = t related_incident = RelatedIncident(Incident(idref=incident.id_)) campaign.related_incidents.append(related_incident) # Related Indicator (by id) fake = Faker() indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) campaign.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = Attribution() attrib_ta.append(ThreatActor(idref=ta.id_)) campaign.attribution.append(attrib_ta) # Related Campaign (basic; by id) campaign2 = Campaign(title='Another Campaign') cassoc_campaign = CAssociatedCampaigns() cassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign2.id_))) campaign.associated_campaigns = cassoc_campaign # Related Other Objects to Campaign (by id) campaign3 = Campaign(title='Another Another Campaign') tassoc_campaign = TAssociatedCampaigns() tassoc_campaign.append(RelatedCampaign(Campaign(idref=campaign3.id_))) ta.associated_campaigns = tassoc_campaign
def csv2stix(outFormat,inFile): #============= # Build package metadata #============= stix_package = STIXPackage() stix_package.stix_header = STIXHeader() stix_package.stix_header.title = "TG3390" stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/" marking_specification = MarkingSpecification() marking_specification.controlled_structure = "../../../../descendant-or-self::node()" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) stix_package.stix_header.handling = handling #============= # Build package structure #============= ta_tg3390 = ThreatActor(title="TG3390") ta_tg3390.identity = Identity(name="TG3390") attack_pattern = AttackPattern() attack_pattern.description = ("Infrastructure Building") ttp_infrastructure = TTP(title="Infrastructure Building") ttp_infrastructure.behavior = Behavior() ttp_infrastructure.behavior.add_attack_pattern(attack_pattern) ttp_infrastructure.add_intended_effect("Unauthorized Access") infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure") infra_domainInd.add_indicator_type("Domain Watchlist") infra_domainInd.confidence = "High" infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_)) infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure") infra_IPInd.add_indicator_type("IP Watchlist") infra_IPInd.confidence = "High" infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_)) infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure") infra_IPInd_M.add_indicator_type("IP Watchlist") infra_IPInd_M.confidence = "Medium" infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_)) httpBrowserObj = MalwareInstance() httpBrowserObj.add_name("HTTP Browser") ttp_httpB = TTP(title="HTTP Browser") ttp_httpB.behavior = Behavior() ttp_httpB.behavior.add_malware_instance(httpBrowserObj) ttp_httpB.add_intended_effect("Theft - Intellectual Property") httpB_hashInd = Indicator(title="File hashes for HTTP Browser") httpB_hashInd.add_indicator_type("File Hash Watchlist") httpB_hashInd.confidence = "High" httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_)) httpBrowserDropperObj = MalwareInstance() httpBrowserDropperObj.add_name("HTTP Browser Dropper") ttp_httpBDpr = TTP(title="HTTP Browser Dropper") ttp_httpBDpr.behavior = Behavior() ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj) ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property") httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper") httpBDpr_hashInd.add_indicator_type("File Hash Watchlist") httpBDpr_hashInd.confidence = "High" httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_)) plugXObj = MalwareInstance() plugXObj.add_name("PlugX Dropper") ttp_plugX = TTP(title="PlugX Dropper") ttp_plugX.behavior = Behavior() ttp_plugX.behavior.add_malware_instance(plugXObj) ttp_plugX.add_intended_effect("Theft - Intellectual Property") plugX_hashInd = Indicator(title="File hashes for PlugX Dropper") plugX_hashInd.add_indicator_type("File Hash Watchlist") plugX_hashInd.confidence = "High" plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_)) #============= # Process content in to structure #============= ip_rules = [] ip_rules_M = [] domain_rules = [] with open(inFile, 'rb') as f: reader = csv.reader(f) for row in reader: obs = row[0] obsType = row[1] description = row[2] confidence = row[3] #print obs,obsType,description,confidence if description == 'TG-3390 infrastructure': if obsType == 'Domain name': domain_obj = DomainName() domain_obj.value = obs #domain_obj.title = description infra_domainInd.add_object(domain_obj) domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1]) domain_rules.append(domain_rule) elif obsType == 'IP address': ipv4_obj = Address() ipv4_obj.category = "ipv4-addr" ipv4_obj.address_value = obs ipv4_obj.title = description ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1] if confidence == "High": infra_IPInd.add_object(ipv4_obj) ip_rules.append(obs) else: infra_IPInd_M.add_object(ipv4_obj) ip_rules_M.append(obs) else: print "TTP Infra: obsType is wrong" elif description == 'HttpBrowser RAT dropper': file_obj = File() file_obj.add_hash(Hash(obs)) file_obj.title = description httpBDpr_hashInd.add_observable(file_obj) elif description == 'HttpBrowser RAT': file_obj = File() file_obj.add_hash(Hash(obs)) file_obj.title = description httpB_hashInd.add_observable(file_obj) elif description == 'PlugX RAT dropper': file_obj = File() file_obj.add_hash(Hash(obs)) file_obj.title = description plugX_hashInd.add_observable(file_obj) else: print "TTP not found" #print ip_rules ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]) ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1]) ip_tm = SnortTestMechanism() ip_tm.rules = [ip_rule] ip_tm.efficacy = "High" ip_tm.producer = InformationSource(identity=Identity(name="Auto")) infra_IPInd.test_mechanisms = [ip_tm] ip_M_tm = SnortTestMechanism() ip_M_tm.rules = [ip_rule_M] ip_M_tm.efficacy = "Medium" ip_M_tm.producer = InformationSource(identity=Identity(name="Auto")) infra_IPInd_M.test_mechanisms = [ip_M_tm] domain_tm = SnortTestMechanism() domain_tm.rules = domain_rules domain_tm.efficacy = "High" domain_tm.producer = InformationSource(identity=Identity(name="Auto")) infra_domainInd.test_mechanisms = [domain_tm] #============= # Add the composed content to the structure #============= stix_package.add_indicator(infra_domainInd) stix_package.add_indicator(infra_IPInd) stix_package.add_indicator(infra_IPInd_M) stix_package.add_indicator(httpBDpr_hashInd) stix_package.add_indicator(httpB_hashInd) stix_package.add_indicator(plugX_hashInd) stix_package.add_ttp(ttp_infrastructure) stix_package.add_ttp(ttp_httpB) stix_package.add_ttp(ttp_httpBDpr) stix_package.add_ttp(ttp_plugX) """ if outFormat =='dict': print stix_package.to_dict() if outFormat =='json': parsed = stix_package.to_json() jsonpkg = json.loads(parsed) pprint.pprint(jsonpkg) if outFormat =='stix': print stix_package.to_xml() """ #if verbose: #print stix_package.to_xml() #pprint(stix_package.to_json()) return stix_package
def buildThreatActor(input_dict): threatActor = ThreatActor() threatActor.title = input_dict["title"] threatActor.description = input_dict["description"] if input_dict["identity"]: threatActor.identity = Identity(input_dict["identity"]) if input_dict["type"]: threatActor.add_type(input_dict["type"]) if input_dict["motivation"]: threatActor.add_motivation(input_dict["motivation"]) if input_dict["sophistication"]: threatActor.add_sophistication(input_dict["sophistication"]) if input_dict["intendedEffect"]: threatActor.add_intended_effect(input_dict["intendedEffect"]) if input_dict["support"]: threatActor.add_planning_and_operational_support(input_dict["support"]) if input_dict["confidence"]: threatActor.confidence = Confidence(input_dict["confidence"]) if input_dict["informationSource"]: threatActor.information_source = InformationSource(input_dict["informationSource"]) return threatActor
def convert_threat_actor(ta20): ta1x = ThreatActor(id_=convert_id20(ta20["id"]), timestamp=text_type(ta20["modified"])) ta1x.title = ta20["name"] types = convert_open_vocabs_to_controlled_vocabs(ta20["labels"], THREAT_ACTOR_LABEL_MAP) for t in types: ta1x.add_type(t) if "description" in ta20: ta1x.add_description(ta20["description"]) if "aliases" in ta20: add_missing_list_property_to_description(ta1x, "aliases", ta20["aliases"]) if "roles" in ta20: add_missing_list_property_to_description(ta1x, "roles", ta20["roles"]) if "goals" in ta20: for g in ta20["goals"]: ta1x.add_intended_effect(g) if "sophistication" in ta20: sophistications = convert_open_vocabs_to_controlled_vocabs( [ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP) for s in sophistications: ta1x.add_sophistication(s) if "resource_level" in ta20: add_missing_list_property_to_description(ta1x, "resource_level", ta20["resource_level"]) all_motivations = [] if "primary_motivation" in ta20: all_motivations = [ta20["primary_motivation"]] if "secondary_motivation" in ta20: all_motivations.extend(ta20["secondary_motivation"]) if "personal_motivation" in ta20: all_motivations.extend(ta20["personal_motivation"]) motivations = convert_open_vocabs_to_controlled_vocabs( all_motivations, ATTACK_MOTIVATION_MAP) for m in motivations: ta1x.add_motivation(m) if "object_marking_refs" in ta20: for m_id in ta20["object_marking_refs"]: ms = create_marking_specification(m_id) if ms: CONTAINER.add_marking(ta1x, ms, descendants=True) if "granular_markings" in ta20: error( "Granular Markings present in '%s' are not supported by stix2slider", 604, ta20["id"]) record_id_object_mapping(ta20["id"], ta1x) return ta1x
def to_stix_actor(self): """ Create a STIX Actor. """ from stix.threat_actor import ThreatActor ta = ThreatActor() ta.title = self.name ta.description = self.description for tt in self.threat_types: ta.add_type(tt) for m in self.motivations: ta.add_motivation(m) for ie in self.intended_effects: ta.add_intended_effect(ie) for s in self.sophistications: ta.add_sophistication(s) #for i in self.identifiers: return (ta, self.releasability)
# Related Observable (by id) addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) observable = Observable(addr1) related_observable = RelatedObservable(Observable(idref=observable.id_)) incident.related_observables.append(related_observable) # Related Indicator (by id) indicator = Indicator() addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4) indicator.add_observable(addr2) related_indicator = RelatedIndicator(Indicator(idref=indicator.id_)) incident.related_indicators.append(related_indicator) # Related Threat Actor (by id) ta = ThreatActor(title='Albino Rhino') attrib_ta = AttributedThreatActors() related_ta = RelatedThreatActor(ThreatActor(idref=ta.id_)) attrib_ta.append(related_ta) incident.attributed_threat_actors = attrib_ta # Related Incident (basic; by id) incident2 = Incident(title='Malware outbreak') incident2.time = '2018-06-12T11:00:05.470947+00:00' related_incident = RelatedIncident(Incident(idref=incident2.id_)) incident.add_related_incidents(related_incident) # Related TTP (basic; by id) ttp = TTP(title='Phishing') beh = Behavior() attack_pattern = AttackPattern()
def main(): # NOTE: ID values will differ due to being regenerated on each script execution pkg1 = STIXPackage() pkg1.title = "Example of Indicator Composition for an aggregate indicator composition" # USE CASE: Indicator with aggregate pattern # Add TTP for malware usage malware_ttp = TTP() malware_ttp.behavior = Behavior() malware = MalwareInstance() malware.title = "foobar malware" malware.add_type("Remote Access Trojan") malware_ttp.behavior.add_malware_instance(malware) c2_ttp = TTP() c2_ttp.resources = Resource() c2_ttp.resources.infrastructure = Infrastructure() c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2")) pkg1.add_ttp(c2_ttp) pkg1.add_ttp(malware_ttp) nw_ind = Indicator() nw_ind.description = "Indicator for a particular C2 infstructure IP address." # add network network connection to this indicator obs = NetworkConnection() sock = SocketAddress() sock.ip_address = "46.123.99.25" sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" obs.destination_socket_address = sock nw_ind.add_observable(obs) nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # create File Hash indicator w/ embedded Observable file_ind = Indicator() file_ind.description = "Indicator for the hash of the foobar malware." file_ind.add_indicator_type("File Hash Watchlist") file_obs = File() file_obs.add_hash("01234567890abcdef01234567890abcdef") file_obs.hashes[0].type_ = "MD5" file_obs.hashes[0].type_.condition = "Equals" file_ind.add_observable(file_obs) # create references file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_)) # create container indicator ind = Indicator() ind.add_indicator_type(VocabString("Campaign Characteristics")) ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign." # Add campaign with related camp = Campaign() camp.title = "holy grail" pkg1.add_campaign(camp) camp.related_ttps.append(TTP(idref=c2_ttp.id_)) camp.related_ttps.append(TTP(idref=malware_ttp.id_)) # Add threat actor ta = ThreatActor() ta.identity = Identity() ta.identity.name = "boobear" ta.observed_ttps.append(TTP(idref=malware_ttp.id_)) pkg1.add_threat_actor(ta) # Create composite expression ind.composite_indicator_expression = CompositeIndicatorExpression() ind.composite_indicator_expression.operator = "AND" ind.composite_indicator_expression.append(file_ind) ind.composite_indicator_expression.append(nw_ind) pkg1.add_indicator(ind) print pkg1.to_xml() # USE CASE: Indicator with partial matching pkg2 = STIXPackage() pkg2.title = "Example of Indicator Composition for a one of many indicator composition" # create container indicator watchlistind = Indicator() watchlistind.add_indicator_type("IP Watchlist") watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed." watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # Create composite expression watchlistind.composite_indicator_expression = CompositeIndicatorExpression( ) watchlistind.composite_indicator_expression.operator = "OR" ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25'] for ip in ips: new_ind = Indicator() new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed" # add network network connection to this indicator obs = Address() obs.address_value = ip obs.address_value.condition = "Equals" new_ind.add_observable(obs) new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind.composite_indicator_expression.append(new_ind) pkg2.add_indicator(watchlistind) print pkg2.to_xml() # USE CASE: Indicator with compound detection pkg3 = STIXPackage() pkg3.title = "Example of Indicator Composition for compound detection" # create container indicator watchlistind2 = Indicator() watchlistind2.add_indicator_type("IP Watchlist") watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence." # Create composite expression watchlistind2.composite_indicator_expression = CompositeIndicatorExpression( ) watchlistind2.composite_indicator_expression.operator = "OR" watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind2.confidence = "High" nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant." nw_ind.confidence = "Low" nw_ind.indicator_types = ["C2"] file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant." file_ind.confidence = "Low" watchlistind2.composite_indicator_expression.append(nw_ind) watchlistind2.composite_indicator_expression.append(file_ind) pkg3.add_indicator(watchlistind2) print pkg3.to_xml()
def main(): # NOTE: ID values will differ due to being regenerated on each script execution pkg1 = STIXPackage() pkg1.title = "Example of Indicator Composition for an aggregate indicator composition" # USE CASE: Indicator with aggregate pattern # Add TTP for malware usage malware_ttp = TTP() malware_ttp.behavior = Behavior() malware = MalwareInstance() malware.title = "foobar malware" malware.add_type("Remote Access Trojan") malware_ttp.behavior.add_malware_instance(malware) c2_ttp = TTP() c2_ttp.resources = Resource() c2_ttp.resources.infrastructure = Infrastructure() c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2")) pkg1.add_ttp(c2_ttp) pkg1.add_ttp(malware_ttp) nw_ind = Indicator() nw_ind.description = "Indicator for a particular C2 infstructure IP address." # add network network connection to this indicator obs = NetworkConnection() sock = SocketAddress() sock.ip_address = "46.123.99.25" sock.ip_address.category = "ipv4-addr" sock.ip_address.condition = "Equals" obs.destination_socket_address = sock nw_ind.add_observable(obs) nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # create File Hash indicator w/ embedded Observable file_ind = Indicator() file_ind.description = "Indicator for the hash of the foobar malware." file_ind.add_indicator_type("File Hash Watchlist") file_obs = File() file_obs.add_hash("01234567890abcdef01234567890abcdef") file_obs.hashes[0].type_ = "MD5" file_obs.hashes[0].type_.condition = "Equals" file_ind.add_observable(file_obs) # create references file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_)) # create container indicator ind = Indicator() ind.add_indicator_type(VocabString("Campaign Characteristics")) ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign." # Add campaign with related camp = Campaign() camp.title = "holy grail" pkg1.add_campaign(camp) camp.related_ttps.append(TTP(idref=c2_ttp.id_)) camp.related_ttps.append(TTP(idref=malware_ttp.id_)) # Add threat actor ta = ThreatActor() ta.identity = Identity() ta.identity.name = "boobear" ta.observed_ttps.append(TTP(idref=malware_ttp.id_)) pkg1.add_threat_actor(ta) # Create composite expression ind.composite_indicator_expression = CompositeIndicatorExpression() ind.composite_indicator_expression.operator = "AND" ind.composite_indicator_expression.append(file_ind) ind.composite_indicator_expression.append(nw_ind) pkg1.add_indicator(ind) print pkg1.to_xml() # USE CASE: Indicator with partial matching pkg2 = STIXPackage() pkg2.title = "Example of Indicator Composition for a one of many indicator composition" # create container indicator watchlistind = Indicator() watchlistind.add_indicator_type("IP Watchlist") watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed." watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) # Create composite expression watchlistind.composite_indicator_expression = CompositeIndicatorExpression() watchlistind.composite_indicator_expression.operator = "OR" ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25'] for ip in ips: new_ind = Indicator() new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed" # add network network connection to this indicator obs = Address() obs.address_value = ip obs.address_value.condition = "Equals" new_ind.add_observable(obs) new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind.composite_indicator_expression.append(new_ind) pkg2.add_indicator(watchlistind) print pkg2.to_xml() # USE CASE: Indicator with compound detection pkg3 = STIXPackage() pkg3.title = "Example of Indicator Composition for compound detection" # create container indicator watchlistind2 = Indicator() watchlistind2.add_indicator_type("IP Watchlist") watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence." # Create composite expression watchlistind2.composite_indicator_expression = CompositeIndicatorExpression() watchlistind2.composite_indicator_expression.operator = "OR" watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_)) watchlistind2.confidence = "High" nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant." nw_ind.confidence = "Low" nw_ind.indicator_types = ["C2"] file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant." file_ind.confidence = "Low" watchlistind2.composite_indicator_expression.append(nw_ind) watchlistind2.composite_indicator_expression.append(file_ind) pkg3.add_indicator(watchlistind2) print pkg3.to_xml()
def test_ta_idref_deprecation(self): package = core.STIXPackage() package.add(ThreatActor(idref='test-idref-dep'))
def generateThreatActor(attribute): ta = ThreatActor() ta.id_="example:threatactor-" + attribute["uuid"] ta.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"] ta.description = attribute["value"] return ta