def test_ttp(self): t = TTP() t.title = UNICODE_STR t.description = UNICODE_STR t.short_description = UNICODE_STR t2 = round_trip(t) self._test_equal(t, t2)
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print pkg.to_xml()
def main(): from stix.campaign import Campaign from stix.common.related import RelatedTTP from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Customer PII") ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") ttp_ref = TTP() ttp_ref.idref = ttp.id_ related_ttp = RelatedTTP(ttp_ref) related_ttp.relationship = "Targets" c = Campaign() c.title = "Operation Alpha" c.related_ttps.append(related_ttp) pkg = STIXPackage() pkg.add_campaign(c) pkg.add_ttp(ttp) print(pkg.to_xml(encoding=None))
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def resolveAttributes(incident, ttps, attributes): for attribute in attributes: if attribute["type"] in not_implemented_attributes: addJournalEntry( incident, "!Not implemented attribute category/type combination caught! attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"], ) elif attribute["type"] in non_indicator_attributes: # types that will definitely not become indicators handleNonIndicatorAttribute(incident, ttps, attribute) else: # types that may become indicators handleIndicatorAttribute(incident, ttps, attribute) if incident.related_indicators and not ttps: ttp = TTP(timestamp=incident.timestamp) ttp.id_ = incident.id_.replace("incident", "ttp") ttp.title = "Unknown" ttps.append(ttp) for rindicator in incident.related_indicators: for ttp in ttps: ittp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) rindicator.item.add_indicated_ttp(ittp) return [incident, ttps]
def generateTTP(incident, attribute, ttps, eventTags): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"])) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.id_= namespace[1] + ":et-" + attribute["uuid"] if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.": et.title = attribute["comment"] else: et.title = "Vulnerability " + attribute["value"] et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] ttps.append(ttp) rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp) relatedTTP = RelatedTTP(rttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def cvebuild(var): """Search for a CVE ID and return a STIX formatted response.""" cve = CVESearch() data = json.loads(cve.id(var)) if data: try: from stix.utils import set_id_namespace namespace = {NS: NS_PREFIX} set_id_namespace(namespace) except ImportError: from stix.utils import idgen from mixbox.namespaces import Namespace namespace = Namespace(NS, NS_PREFIX, "") idgen.set_id_namespace(namespace) pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg = STIXPackage() pkg.stix_header = STIXHeader() pkg.stix_header.handling = marking() # Define the exploit target expt = ExploitTarget() expt.title = data['id'] expt.description = data['summary'] # Add the vulnerability object to the package object expt.add_vulnerability(vulnbuild(data)) # Do some TTP stuff with CAPEC objects try: for i in data['capec']: ttp = TTP() ttp.title = "CAPEC-" + str(i['id']) ttp.description = i['summary'] ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) pkg.add_ttp(ttp) except KeyError: pass # Do some weakness stuff if data['cwe'] != 'Unknown': weak = Weakness() weak.cwe_id = data['cwe'] expt.add_weakness(weak) # Add the exploit target to the package object pkg.add_exploit_target(expt) xml = pkg.to_xml() # If the function is not imported then output the xml to a file. if __name__ == '__main__': title = pkg.id_.split(':', 1)[-1] with open(title + ".xml", "w") as text_file: text_file.write(xml) return xml
def main(): # get args parser = argparse.ArgumentParser( description="Parse an input JSON file and output STIX XML ", formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("infile",help="input file") parser.add_argument("--outfile","-o", help="output file") args = parser.parse_args() # We assume the input file is a flat JSON file # format 'bot_name':[list,of,ips] content = json.load(open(args.infile)) # Set up STIX document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "C2 Server IP Addresses" stix_header.add_package_intent (PackageIntent.TERM_INDICATORS_WATCHLIST) stix_package.stix_header = stix_header # Create Indicator and TTP for each item in JSON document for item in content: # Create TTP for C2 server ttp = TTP() ttp.title = item stix_package.add_ttp(ttp) # Create Indicator for C2 IP addresses indicator = Indicator() indicator.title = "IP addresses for known C2 channel" indicator.description = "Bot connecting to control server" # Add IPs for C2 node addr = Address(address_value=content[item], category=Address.CAT_IPV4) addr.address_value.condition= "Equals" indicator.add_object(addr) # Relate Indicator and TTP indicator.add_indicated_ttp(TTP(idref=ttp.id_)) # Add Indicator to STIX PAckage stix_package.add_indicator(indicator) # Output to given file # The context manager is just to make the output look nicer by ignoring # warnings from to_xml() with warnings.catch_warnings(): warnings.simplefilter("ignore") stix_out = stix_package.to_xml() if args.outfile: fd = open(args.outfile,'w') fd.write(stix_out) else: print stix_out
def _buildttp(i, expt): """Do some TTP stuff.""" ttp = TTP() ttp.title = str(i['name']) # The summary key is a list. In 1.2 this is represented # properly using description ordinality. ttp.description = i['summary'] attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-" + str(i['id']) ttp.behavior = Behavior() ttp.behavior.add_attack_pattern(attack_pattern) ttp.exploit_targets.append(ExploitTarget(idref=expt.id_)) return ttp
def _buildttp(data): ttp = TTP() ttp.title = data['name'] ttp.description = data['description'] attack_pattern = AttackPattern() attack_pattern.capec_id = "CAPEC-" + str(data['id']) attack_pattern.title = data['name'] attack_pattern.description = data['description'] ttp.behavior = Behavior() ttp.behavior.add_attack_pattern(attack_pattern) ttp.information_source = InformationSource() ttp.information_source.identity = Identity() ttp.information_source.identity.name = "The MITRE Corporation" ttp.information_source.references = data['references'] return ttp
def generateTTP(incident, attribute): ttp = TTP() ttp.id_="example:ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"] if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget() et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def generateTTP(incident, attribute): ttp = TTP() ttp.id_ = "example:ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[ "uuid"] if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget() et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def generateTTP(incident, attribute): ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"] setTLP(ttp, attribute["distribution"]) ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")" if attribute["type"] == "vulnerability": vulnerability = Vulnerability() vulnerability.cve_id = attribute["value"] et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"]))) et.add_vulnerability(vulnerability) ttp.exploit_targets.append(et) else: malware = MalwareInstance() malware.add_name(attribute["value"]) ttp.behavior = Behavior() ttp.behavior.add_malware_instance(malware) if attribute["comment"] != "": ttp.description = attribute["comment"] relatedTTP = RelatedTTP(ttp, relationship=attribute["category"]) incident.leveraged_ttps.append(relatedTTP)
def resolveAttributes(incident, ttps, attributes): for attribute in attributes: if (attribute["type"] in not_implemented_attributes): addJournalEntry(incident, "!Not implemented attribute category/type combination caught! attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"]) elif (attribute["type"] in non_indicator_attributes): #types that will definitely not become indicators handleNonIndicatorAttribute(incident, ttps, attribute) else: #types that may become indicators handleIndicatorAttribute(incident, ttps, attribute) if incident.related_indicators and not ttps: ttp = TTP(timestamp=incident.timestamp) ttp.id_= incident.id_.replace("incident","ttp") ttp.title = "Unknown" ttps.append(ttp) for rindicator in incident.related_indicators: for ttp in ttps: ittp=TTP(idref=ttp.id_, timestamp=ttp.timestamp) rindicator.item.add_indicated_ttp(ittp) return [incident, ttps]
def genObject_TTP(data): from stix.utils import create_id as StixID from stix.ttp import TTP from stix.common.vocabs import IntendedEffect objTTP = TTP() objTTP.idref = None objTTP.title = "Email Emmbedded URL" objTTP.description = "Target Users via Email by adding a malicious URL" objTTP.short_description = "Target Users via Email by adding a malicious URL" objTTP.behavior = genData_Behavior(data) objTTP.related_ttps = None ### _ALLOWED_VALUES = ('Advantage', 'Advantage - Economic', 'Advantage - Military', 'Advantage - Political', 'Theft', 'Theft - Intellectual Property', 'Theft - Credential Theft', 'Theft - Identity Theft', 'Theft - Theft of Proprietary Information', 'Account Takeover', 'Brand Damage', 'Competitive Advantage', 'Degradation of Service', 'Denial and Deception', 'Destruction', 'Disruption', 'Embarrassment', 'Exposure', 'Extortion', 'Fraud', 'Harassment', 'ICS Control', 'Traffic Diversion', 'Unauthorized Access') objTTP.intended_effects = data['source']['stix.ttp.TTP.intended_effects'] # objTTP.resources = None # objTTP.victim_targeting = None # objTTP.information_source = None # objTTP.exploit_targets = None # objTTP.handling = None return (objTTP)
def add_action_item(action_item, pkg): if action_item.get('environmental'): warn("'environmental' item in 'action' item does not map to any STIX concept") error_item = action_item.get('error') if error_item: warn("'error' item in 'action' item not handled, yet") hacking_item = action_item.get('hacking') if hacking_item: hacking_ttp = TTP() add_hacking(hacking_item, hacking_ttp) pkg.add_ttp(hacking_ttp) malware_item = action_item.get('malware') if malware_item: malware_ttp = TTP() add_malware(malware_item, malware_ttp) pkg.add_ttp(malware_ttp) misuse_item = action_item.get('misuse') if misuse_item: warn("'misuse' item in 'action' item not handled, yet") #warn("'misuse' item in 'action' item maps to TTP") #misusattack_patternTP = TTP() #add_misuse_item(misuse_item, misuseTTP) #pkg.add_ttp(misuseTTP) physical_item = action_item.get('physical') if physical_item: add_physical(physical_item, pkg) social_item = action_item.get('social') if social_item: social_ttp = TTP() add_social(social_item, social_ttp) pkg.add_ttp(social_ttp) unknown_item = action_item.get('unknown') if unknown_item: unknown_ttp = TTP() unknown_ttp.title = "Unknown" notes_item = unknown_item.get("notes") if notes_item: unknown_ttp.title += " - " + escape(notes_item) pkg.add_ttp(unknown_ttp)
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.incident import Incident from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information( "Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" attrib = Attribution() attrib.append(actor) c = Campaign() c.attribution = [] c.attribution.append(attrib) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) c.related_incidents.append( Incident( idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e")) c.related_incidents.append( Incident( idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a")) c.related_incidents.append( Incident( idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621")) pkg = STIXPackage() pkg.add_campaign(c) print(pkg.to_xml(encoding=None))
def main(): from stix.campaign import Campaign, Attribution from stix.threat_actor import ThreatActor from stix.core import STIXPackage from stix.ttp import TTP, VictimTargeting ttp = TTP() ttp.title = "Victim Targeting: Customer PII and Financial Data" ttp.victim_targeting = VictimTargeting() ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data") actor = ThreatActor() actor.title = "People behind the intrusion" c = Campaign() c.attribution.append(actor) c.title = "Compromise of ATM Machines" c.related_ttps.append(ttp) pkg = STIXPackage() pkg.add_campaign(c) print pkg.to_xml()
def buildTtp(input_dict): ttp = TTP() ttp.title = input_dict['title'] ttp.description = input_dict['description'] if input_dict['intendedEffect']: ttp.add_intended_effect(input_dict['intendedEffect']) if input_dict['behavior']: ttp.behavior = Behavior(input_dict['behavior']) if input_dict['resources']: ttp.resources = input_dict['resources'] if input_dict['victimTargeting']: #TODO look into adding more victim fields vic = VictimTargeting() vic.add_targeted_information(input_dict['victimTargeting']) ttp.victim_targeting = vic #target = ExploitTargets(). #target.append(input_dict['exploitTargets']) #ttp.exploit_targets = target if input_dict['informationSource']: ttp.information_source = InformationSource(input_dict['informationSource']) if input_dict['killChain']: ttp.kill_chain_phases = input_dict['killChain'] return ttp
def create_ttp(self, tags, attribute): ttp = TTP(timestamp=attribute.timestamp) ttp.id_ = "{}:ttp-{}".format(namespace[1], attribute.uuid) self.set_tlp(ttp, attribute.distribution, self.merge_tags(tags, attribute)) ttp.title = "{}: {} (MISP Attribute #{})".format(attribute.category, attribute.value, attribute.id) return ttp
def main(): # "hardcoded" values ns = "urn:example.com:marks_malware_metadata_mart" ns_alias = "m4" # Set the STIX ID Namespace stix_namespace = {ns: ns_alias} stix_sin(stix_namespace) # Set the CybOX ID Namespace cybox_namespace = Namespace(ns, ns_alias) cybox_sin(cybox_namespace) ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686' ttp_timestamp = '2014-09-30T15:56:27.000000+00:00' # Fake database values md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4' observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29' confidence = 'High' confidence_timestamp = '2014-09-29T14:32:00.000000' indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b' indicator_timestamp = '2014-09-29T14:32:00.000000' # Code to create the STIX Package sp = STIXPackage() sp.stix_header = STIXHeader() sp.stix_header.title = "File Hash Reputation for %s" % md5_hash sp.stix_header.add_package_intent("Indicators - Malware Artifacts") sp.stix_header.information_source = InformationSource() sp.stix_header.information_source.identity = Identity() sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart" file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True) file_hash.type_.condition = "Equals" file_obj = File() file_obj.id_ = (ns_alias + ':' + object_id) file_obj.add_hash(file_hash) indicator = Indicator(title="File Hash Reputation", id_=(ns_alias + ':' + indicator_id), timestamp=indicator_timestamp) indicator.indicator_type = "File Hash Reputation" indicator.add_observable(file_obj) indicator.observables[0].id_ = ns_alias + ':' + observable_id ttp = TTP() ttp.id_ = ns_alias + ':' + ttp_id ttp.timestamp = ttp_timestamp ttp.title = "Malicious File" indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp)) indicator.indicated_ttps[0].confidence = confidence indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp sp.add_indicator(indicator) sp.add_ttp(ttp) stix_xml = sp.to_xml() poll_response = tm11.PollResponse(message_id=generate_message_id(), in_response_to="1234", collection_name='file_hash_reputation') cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml) poll_response.content_blocks.append(cb) print poll_response.to_xml(pretty_print=True)
def adptrTransform_Dict2Obj(srcData, data=None): sNAMEFUNC = 'adptrTransform_Dict2Obj' sndMSG('Called...', 'INFO', sNAMEFUNC) if not srcData: return (None) #srcData can not be empty from stix.core import STIXPackage from stix.common import InformationSource, Identity from stix.data_marking import Marking from stix.ttp import TTP ### Build Package objMarkingSpecification = genObject_MarkingSpecification(data) objMarkingSpecification.controlled_structure = "//node()" objHdr = genData_STIXHeader(data) objHdr.handling = Marking(objMarkingSpecification) objHdr.information_source = InformationSource(identity=Identity( name=srcData.pkgLink)) objTTP = genObject_TTP(data) objTTP.information_source = InformationSource(identity=Identity( name=srcData.pkgLink)) objPkg = STIXPackage() objPkg.stix_header = objHdr objPkg.add_ttp(objTTP) for sKey in data['data']: obsList = [] ### Build Observables obsURI = genObject_URI(data['data'][sKey]['src']) try: obsURI.id_ = data['data'][sKey]['meta']['uri'] except: data['data'][sKey]['meta'].update({'uri': obsURI.id_}) ### Srt: Stupid test to make sure URL be output via STIX.to_xml() try: testPkg = STIXPackage() testPkg.add_observable(obsURI) testPkg.to_xml() except: sNAMEFUNC = 'adptrTransform_Dict2Obj' sndMSG('Error Parsing URL for this key: [' + sKey + ']', 'INFO', sNAMEFUNC) testPkg = None continue ### End: Stupid test objPkg.add_observable(obsURI) obsList.append(genRefObs(obsURI)) ### Build Indicators objInd = genObject_Indicator(data['data'][sKey]['src']) try: obsURI.id_ = data['data'][sKey]['meta']['ind'] except: data['data'][sKey]['meta'].update({'ind': objInd.id_}) objInd.producer = InformationSource(identity=Identity( name=srcData.pkgLink)) objInd.observables = obsList objInd.indicator_types = ["URL Watchlist"] objInd.observable_composition_operator = "OR" objInd.set_received_time(data['data'][sKey]['meta']['dateDL']) try: objInd.set_produced_time( data['data'][sKey]['src']['verification_time']) except: pass if not data['data'][sKey]['src']['target'] == 'Other': from stix.ttp import TTP objVictimTargeting = genData_VictimTargeting( data['data'][sKey]['src']) if obsURI: objVictimTargeting.targeted_technical_details = genRefObs( obsURI) objTTP_vic = TTP() objTTP_vic.title = "Targeting: " + data['data'][sKey]['src'][ 'target'] objTTP_vic.victim_targeting = objVictimTargeting objInd.add_indicated_ttp(objTTP_vic) objInd.add_indicated_ttp(TTP(idref=objTTP.id_)) objPkg.add_indicator(objInd) #updateDB_local(data,srcData) return (objPkg)
def main(): # get args parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout" , formatter_class=argparse.ArgumentDefaultsHelpFormatter ) parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv") args = parser.parse_args() # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = "Bot Server IP addresses" stix_header.description = "IP addresses connecting to bot control servers at a given port" stix_header.add_package_intent ("Indicators - Watchlist") # add marking mark = Marking() markspec = MarkingSpecification() markstruct = SimpleMarkingStructure() markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService" markspec.marking_structures.append(markstruct) mark.add_marking(markspec) stix_header.handling = mark # include author info stix_header.information_source = InformationSource() stix_header.information_source.time = Time() stix_header.information_source.time.produced_time =datetime.now(tzutc()) stix_header.information_source.tools = ToolInformationList() stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser") stix_header.information_source.identity = Identity() stix_header.information_source.identity.name = "MITRE STIX Team" stix_header.information_source.add_role(VocabString("Format Transformer")) src = InformationSource() src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP" srcident = Identity() srcident.name = "shadowserver.org" src.identity = srcident src.add_role(VocabString("Originating Publisher")) stix_header.information_source.add_contributing_source(src) stix_package.stix_header = stix_header # add TTP for overall indicators bot_ttp = TTP() bot_ttp.title = 'Botnet C2' bot_ttp.resources = Resource() bot_ttp.resources.infrastructure = Infrastructure() bot_ttp.resources.infrastructure.title = 'Botnet C2' stix_package.add_ttp(bot_ttp) # read input data fd = open (args.infile, "rb") infile = csv.DictReader(fd) for row in infile: # split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims domain = row['Domain'].split() country = row['Country'].split() region = row['Region'].split('|') state = row['State'].split('|') asn = row['ASN'].split() asname = row['AS Name'].split() asdesc = row['AS Description'].split('|') index = 0 for ip in row['IP Address'].split(): indicator = Indicator() indicator.title = "IP indicator for " + row['Channel'] indicator.description = "Bot connecting to control server" # point to overall TTP indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_)) # add our IP and port sock = SocketAddress() sock.ip_address = ip # add sighting sight = Sighting() sight.timestamp = "" obs = Observable(item=sock.ip_address) obsref = Observable(idref=obs.id_) sight.related_observables.append(obsref) indicator.sightings.append(sight) stix_package.add_observable(obs) # add pattern for indicator sock_pattern = SocketAddress() sock_pattern.ip_address = ip port = Port() port.port_value = row['Port'] sock_pattern.port = port sock_pattern.ip_address.condition= "Equals" sock_pattern.port.port_value.condition= "Equals" indicator.add_object(sock_pattern) stix_package.add_indicator(indicator) # add domain domain_obj = DomainName() domain_obj.value = domain[index] domain_obj.add_related(sock.ip_address,"Resolved_To", inline=False) stix_package.add_observable(domain_obj) # add whois obs whois_obj = WhoisEntry() registrar = WhoisRegistrar() registrar.name = asname[index] registrar.address = state[index] + region[index] + country[index] whois_obj.registrar_info = registrar whois_obj.add_related(sock.ip_address,"Characterizes", inline=False) stix_package.add_observable(whois_obj) # add ASN obj asn_obj = AutonomousSystem() asn_obj.name = asname[index] asn_obj.number = asn[index] asn_obj.handle = "AS" + str(asn[index]) asn_obj.add_related(sock.ip_address,"Contains", inline=False) stix_package.add_observable(asn_obj) # iterate index = index + 1 print stix_package.to_xml()