def test_campaign(self):
    """Round-trip a Campaign whose free-text fields hold non-ASCII content.

    Each of title, description and short_description is set to UNICODE_STR,
    the object is pushed through round_trip() and the result is compared with
    the original via the class's _test_equal helper.
    """
    original = Campaign()
    for field_name in ("title", "description", "short_description"):
        setattr(original, field_name, UNICODE_STR)
    restored = round_trip(original)
    self._test_equal(original, restored)
def main():
    """Print a package whose Campaign "Targets" a victim-targeting TTP.

    The full TTP goes into the package once; the campaign links to it through
    a RelatedTTP that wraps an idref-only TTP stub, so the same object is not
    serialized a second time inside the campaign.
    """
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    for asset in ("Information Assets - Customer PII",
                  "Information Assets - Financial Data"):
        ttp.victim_targeting.add_targeted_information(asset)

    # Reference stub: only the idref is set.
    ttp_stub = TTP()
    ttp_stub.idref = ttp.id_
    link = RelatedTTP(ttp_stub)
    link.relationship = "Targets"

    campaign = Campaign()
    campaign.title = "Operation Alpha"
    campaign.related_ttps.append(link)

    pkg = STIXPackage()
    pkg.add_campaign(campaign)
    pkg.add_ttp(ttp)
    # encoding=None yields text (not bytes) so print() shows the XML itself.
    print(pkg.to_xml(encoding=None))
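def main():
    """Reference two Campaigns from an Indicator and print the package as XML.

    Demonstrates both forms Indicator.add_related_campaign accepts: an
    explicit CampaignRef built from a campaign's id_, and a full Campaign
    object, which the library promotes to a CampaignRef carrying only the
    idref. Campaign, CampaignRef, Indicator and STIXPackage are expected to
    be imported at module level.
    """
    # Build Campaign instances
    camp1 = Campaign(title='Campaign 1')
    camp2 = Campaign(title='Campaign 2')

    # CampaignRef whose idref is the id_ of camp2.
    campaign_ref = CampaignRef(idref=camp2.id_)

    i = Indicator()
    # Explicit reference to camp2.
    i.add_related_campaign(campaign_ref)
    # Full Campaign object; promoted to a CampaignRef internally (idref only).
    i.add_related_campaign(camp1)

    # Both campaigns are added in full so the idrefs resolve within the package.
    package = STIXPackage()
    package.add_indicator(i)
    package.add_campaign(camp1)
    package.add_campaign(camp2)

    # The original used the Python 2 print statement, which does not parse on
    # Python 3; print() with one argument behaves the same on both.
    # On Python 3, to_xml() may return bytes; pass encoding=None for text if so.
    print(package.to_xml())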
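def main():
    """Print a package whose Campaign "Targets" a victim-targeting TTP.

    The full TTP is added to the package; the campaign links to it through a
    RelatedTTP wrapping an idref-only TTP stub.
    """
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    # Instantiate VictimTargeting explicitly, as the sibling versions of this
    # example do: a fresh TTP() does not appear to populate victim_targeting,
    # so calling add_targeted_information on it directly would fail on None.
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    # Reference stub: only the idref is set.
    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)
    # Python 2 print statement replaced with print(); encoding=None returns
    # text rather than bytes on Python 3 (matches the sibling example).
    print(pkg.to_xml(encoding=None))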
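def main():
    """Print a package with an attributed Campaign that references three incidents.

    The campaign embeds the TTP in full, wraps the ThreatActor in an
    Attribution, and links the incidents by idref only; the incident objects
    themselves are not part of this package and must be resolvable elsewhere.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)
    for incident_id in (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    ):
        c.related_incidents.append(Incident(idref=incident_id))

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # Python 2 print statement replaced with print(); encoding=None returns
    # text rather than bytes on Python 3 (matches the sibling example).
    print(pkg.to_xml(encoding=None))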
def main():
    """Wrap two Reports and the objects they reference in one package and print it.

    Each report carries only an idref stub for its subject (a Campaign or a
    TTP); the full objects are added to the wrapper package alongside the
    reports. The package header names the sharing program as its
    information source. All classes used are expected at module level.
    """
    def build_report(title, intents, descriptions=None):
        # Report with a header; descriptions is only set when supplied.
        report = Report()
        report.header = Header()
        report.header.title = title
        if descriptions is not None:
            report.header.descriptions = descriptions
        report.header.intents = intents
        return report

    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = build_report(
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
        "Campaign Characterization",
        "Adversary Alpha has a campaign against the ICS sector!",
    )
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = build_report(
        "Indicators for Malware DrownedRat",
        "Indicators - Malware Artifacts",
    )
    rat_report.add_ttp(TTP(idref=ttp.id_))

    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")

    wrapper = STIXPackage()
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)
    print(wrapper.to_xml())
def test_add_campaign(self):
    """A Campaign appended to RelatedCampaignRefs is counted as one entry."""
    from stix.campaign import Campaign

    refs = RelatedCampaignRefs()
    refs.append(Campaign())
    self.assertEqual(1, len(refs))
def from_obj(cls, obj, return_obj=None):
    """Build a package from its generated XML-binding object.

    Args:
        obj: binding object produced by the XML parser (attribute-style
            access: ``obj.Campaigns.Campaign`` etc.).
        return_obj: optional instance to populate; a fresh ``cls()`` is
            created when it is falsy.

    Returns:
        ``return_obj`` populated from ``obj``. Element collections present
        on the binding are converted item by item; absent or empty ones
        leave the instance's defaults untouched. No validation of id/idref
        values happens here.
    """
    if not return_obj:
        return_obj = cls()

    # Scalars and sub-objects that are always converted.
    return_obj.id_ = obj.id
    return_obj.idref = obj.idref
    return_obj.timestamp = obj.timestamp
    return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
    return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)
    if obj.version:
        return_obj.version = obj.version

    # (target attribute, binding container, binding element, element class)
    list_fields = (
        ("campaigns", "Campaigns", "Campaign", Campaign),
        ("courses_of_action", "Courses_Of_Action", "Course_Of_Action", CourseOfAction),
        ("exploit_targets", "Exploit_Targets", "Exploit_Target", ExploitTarget),
        ("indicators", "Indicators", "Indicator", Indicator),
        ("incidents", "Incidents", "Incident", Incident),
        ("threat_actors", "Threat_Actors", "Threat_Actor", ThreatActor),
    )
    for attr, container, element, element_cls in list_fields:
        bound = getattr(obj, container)
        if bound:
            converted = [element_cls.from_obj(x) for x in getattr(bound, element)]
            setattr(return_obj, attr, converted)

    # Wrapper objects converted as a whole.
    if obj.Observables:
        return_obj.observables = Observables.from_obj(obj.Observables)
    if obj.TTPs:
        return_obj.ttps = TTPs.from_obj(obj.TTPs)

    return return_obj
def from_obj(cls, obj, return_obj=None):
    """Build a package from its generated XML-binding object (getter API).

    Args:
        obj: binding object exposing ``get_*`` accessors.
        return_obj: optional instance to populate; a fresh ``cls()`` is
            created when it is falsy.

    Returns:
        ``return_obj`` populated from ``obj``. Element collections present
        on the binding are converted item by item; absent or empty ones
        leave the instance's defaults untouched. No validation of id/idref
        values happens here.
    """
    if not return_obj:
        return_obj = cls()

    # Scalars and sub-objects that are always converted.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
    return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())
    if obj.get_version():
        return_obj.version = obj.get_version()

    # (target attribute, binding container, binding element, element class)
    list_fields = (
        ("campaigns", "Campaigns", "Campaign", Campaign),
        ("courses_of_action", "Courses_Of_Action", "Course_Of_Action", CourseOfAction),
        ("exploit_targets", "Exploit_Targets", "Exploit_Target", ExploitTarget),
        ("indicators", "Indicators", "Indicator", Indicator),
        ("incidents", "Incidents", "Incident", Incident),
        ("threat_actors", "Threat_Actors", "Threat_Actor", ThreatActor),
    )
    for attr, container, element, element_cls in list_fields:
        bound = getattr(obj, "get_" + container)()
        if bound:
            items = getattr(bound, "get_" + element)()
            setattr(return_obj, attr, [element_cls.from_obj(x) for x in items])

    # Wrapper objects converted as a whole.
    if obj.get_Observables():
        return_obj.observables = Observables.from_obj(obj.get_Observables())
    if obj.get_TTPs():
        return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

    return return_obj
def campaign_details(stix_id):
    """Render the detail page for a single campaign.

    ``stix_id`` is presumably taken from the request route, i.e. it is
    caller-controlled; it is echoed to stdout and passed unchanged to the
    stixExtractIntf lookups, so any format validation has to happen in the
    route or in that interface, not here. Output goes through the template
    engine's escaping.
    """
    print(" get campaign detail for stix_id {0}".format(stix_id))
    details = stixExtractIntf.get_campaign_detail(stix_id)
    context = dict(
        stix_id=stix_id,
        camp_dict=details,
        camp_doc=Campaign.from_dict(details),
        threat_actors=stixExtractIntf.get_campaign_threat_actors(stix_id),
        ttps=stixExtractIntf.get_campaign_ttps(stix_id),
    )
    return render_template("campaign_detail.html", **context)
def convert_campaign(c20):
    """Slide a STIX 2.0 campaign dict into a STIX 1.x Campaign.

    Properties with no 1.x equivalent (``labels``, ``first_seen``,
    ``last_seen``) are folded into the description through
    add_missing_property_to_description so they are not dropped silently.
    Object markings are re-applied to the 1.x object and its descendants;
    granular markings are only reported via error(), which means any
    handling restriction they carried does not make it into the output.
    The new object is registered with record_id_object_mapping.
    """
    c1x = Campaign(id_=convert_id20(c20["id"]),
                   timestamp=text_type(c20["modified"]))

    if "name" in c20:
        c1x.title = c20["name"]
    if "description" in c20:
        c1x.add_description(c20["description"])
    for label in c20.get("labels", []):
        add_missing_property_to_description(c1x, "label", label)

    names = Names()
    for alias in c20.get("aliases", []):
        names.name.append(VocabString(alias))
    if names:
        c1x.names = names

    for prop in ("first_seen", "last_seen"):
        if prop in c20:
            add_missing_property_to_description(c1x, prop, text_type(c20[prop]))

    if "objective" in c20:
        c1x.intended_effects = [Statement(description=c20["objective"])]

    for marking_id in c20.get("object_marking_refs", []):
        spec = create_marking_specification(marking_id)
        if spec:
            CONTAINER.add_marking(c1x, spec, descendants=True)

    if "granular_markings" in c20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, c20["id"])

    record_id_object_mapping(c20["id"], c1x)
    return c1x
def get_all_stix_campaigns():
    """Return every campaign from extract.get_campaigns_simple() as a Campaign object.

    Each raw document is converted with Campaign.from_dict; no filtering or
    validation is applied here.
    """
    return [Campaign.from_dict(doc) for doc in extract.get_campaigns_simple()]
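def buildCampaign(input_dict):
    """Build a Campaign from a flat input dictionary.

    Args:
        input_dict: mapping with the required keys ``title`` and
            ``description`` and the optional keys ``intendedEffect``,
            ``names``, ``status``, ``confidence`` and ``informationSource``.
            Optional keys are read with ``dict.get`` so an absent key is
            treated like an empty value instead of raising KeyError; falsy
            values are skipped, as before. The dictionary is presumably
            caller-supplied, and no validation of the values is done here.

    Returns:
        The populated Campaign.

    Raises:
        KeyError: if ``title`` or ``description`` is missing.
    """
    campaign = Campaign()
    campaign.title = input_dict['title']
    campaign.description = input_dict['description']

    intended_effect = input_dict.get('intendedEffect')
    if intended_effect:
        campaign.add_intended_effect(intended_effect)

    names = input_dict.get('names')
    if names:
        campaign.names = Names(names)

    status = input_dict.get('status')
    if status:
        campaign.status = status

    confidence = input_dict.get('confidence')
    if confidence:
        campaign.confidence = Confidence(confidence)

    information_source = input_dict.get('informationSource')
    if information_source:
        campaign.information_source = InformationSource(information_source)

    return campaign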
def convert_report(r20):
    """Slide a STIX 2.0 report dict into a STIX 1.x Report.

    The header takes the name, description and labels (mapped to intents
    through REPORT_LABELS_MAP); ``published`` has no 1.x slot and is folded
    into the header description. Every entry of ``object_refs`` becomes an
    idref-only stub of the matching 1.x type; the object type is derived
    from the id string by get_type_from_id. Types without a 1.x home
    (identity, relationship, intrusion-set, unknown) are only warned about.
    Object markings are re-applied with descendants; granular markings are
    reported via error() and not carried over.
    """
    r1x = Report(id_=convert_id20(r20["id"]),
                 timestamp=text_type(r20["modified"]))
    r1x.header = Header()
    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])
    for intent in convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP):
        r1x.header.add_intent(intent)
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published", r20["published"])

    # STIX 2.0 object type -> (Report adder, 1.x stub class)
    adders = {
        "attack-pattern": (r1x.add_ttp, TTP),
        "campaign": (r1x.add_campaign, Campaign),
        "course-of-action": (r1x.add_course_of_action, CourseOfAction),
        "indicator": (r1x.add_indicator, Indicator),
        "observed-data": (r1x.add_observable, Observable),
        "malware": (r1x.add_ttp, TTP),
        "threat-actor": (r1x.add_threat_actor, ThreatActor),
        "tool": (r1x.add_ttp, TTP),
        "vulnerability": (r1x.add_exploit_target, ExploitTarget),
    }
    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type in adders:
            add, stub_cls = adders[ref_type]
            add(stub_cls(idref=ref1x))
        elif ref_type in ("identity", "relationship"):
            warn("%s in %s is not explicitly a member of a STIX 1.x report",
                 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x",
                 612, ref, r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])

    for marking_id in r20.get("object_marking_refs", []):
        spec = create_marking_specification(marking_id)
        if spec:
            CONTAINER.add_marking(r1x, spec, descendants=True)

    if "granular_markings" in r20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, r20["id"])

    return r1x
def main():
    """Print a package with an attributed Campaign that references three incidents.

    The campaign embeds the TTP in full, wraps the ThreatActor in an
    Attribution, and links the incidents by idref only; the incident objects
    themselves are not part of this package and must be resolvable elsewhere.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attribution = Attribution()
    attribution.append(actor)

    campaign = Campaign()
    campaign.attribution = []
    campaign.attribution.append(attribution)
    campaign.title = "Compromise of ATM Machines"
    campaign.related_ttps.append(ttp)
    incident_ids = (
        "example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e",
        "example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a",
        "example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621",
    )
    for incident_id in incident_ids:
        campaign.related_incidents.append(Incident(idref=incident_id))

    pkg = STIXPackage()
    pkg.add_campaign(campaign)
    # encoding=None yields text (not bytes) so print() shows the XML itself.
    print(pkg.to_xml(encoding=None))
def from_obj(cls, obj, return_obj=None):
    """Build a package from its generated XML-binding object (getter API).

    Args:
        obj: binding object exposing ``get_*`` accessors.
        return_obj: optional instance to populate; a fresh ``cls()`` is
            created when it is falsy.

    Returns:
        ``return_obj`` populated from ``obj``. Element collections present
        on the binding are converted item by item; absent or empty ones
        leave the instance's defaults untouched. No validation of id/idref
        values happens here.
    """
    if not return_obj:
        return_obj = cls()

    # Scalars and sub-objects that are always converted.
    return_obj.id_ = obj.get_id()
    return_obj.idref = obj.get_idref()
    return_obj.timestamp = obj.get_timestamp()
    return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
    return_obj.related_packages = RelatedPackages.from_obj(
        obj.get_Related_Packages())
    if obj.get_version():
        return_obj.version = obj.get_version()

    # (target attribute, binding container, binding element, element class)
    list_fields = (
        ("campaigns", "Campaigns", "Campaign", Campaign),
        ("courses_of_action", "Courses_Of_Action", "Course_Of_Action", CourseOfAction),
        ("exploit_targets", "Exploit_Targets", "Exploit_Target", ExploitTarget),
        ("indicators", "Indicators", "Indicator", Indicator),
        ("incidents", "Incidents", "Incident", Incident),
        ("threat_actors", "Threat_Actors", "Threat_Actor", ThreatActor),
    )
    for attr, container, element, element_cls in list_fields:
        bound = getattr(obj, "get_" + container)()
        if bound:
            items = getattr(bound, "get_" + element)()
            setattr(return_obj, attr, [element_cls.from_obj(x) for x in items])

    # Wrapper objects converted as a whole.
    if obj.get_Observables():
        return_obj.observables = Observables.from_obj(obj.get_Observables())
    if obj.get_TTPs():
        return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

    return return_obj
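def main():
    """Print a package with a Campaign attributed to a ThreatActor.

    The TTP is embedded in the campaign in full. The actor is appended to
    ``c.attribution`` directly; the sibling examples in this corpus wrap it
    in an Attribution() first, and which form the installed python-stix
    accepts is not visible here -- verify against the library version in use.
    """
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"

    c = Campaign()
    c.attribution.append(actor)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    # Python 2 print statement replaced with print(); encoding=None returns
    # text rather than bytes on Python 3 (matches the sibling examples).
    print(pkg.to_xml(encoding=None))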
def from_dict(cls, dict_repr, return_obj=None):
    """Build a package from its dictionary (JSON-style) representation.

    Args:
        dict_repr: mapping keyed by the package's field names.
        return_obj: optional instance to populate; a fresh ``cls()`` is
            created when it is falsy.

    Returns:
        ``return_obj`` populated from ``dict_repr``. Scalar keys are read
        with ``dict.get`` (missing -> None; ``version`` falls back to
        ``cls._version``); list-valued keys default to an empty list. The
        wrapper fields are converted from whatever ``get`` returns, None
        included. No validation of id/idref values happens here.
    """
    if not return_obj:
        return_obj = cls()

    return_obj.id_ = dict_repr.get('id', None)
    return_obj.idref = dict_repr.get('idref', None)
    return_obj.timestamp = dict_repr.get('timestamp')
    return_obj.version = dict_repr.get('version', cls._version)
    return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))

    # Element-wise collections: the dict key doubles as the target attribute.
    for key, element_cls in (
        ('campaigns', Campaign),
        ('courses_of_action', CourseOfAction),
        ('exploit_targets', ExploitTarget),
        ('indicators', Indicator),
        ('incidents', Incident),
        ('threat_actors', ThreatActor),
    ):
        items = [element_cls.from_dict(x) for x in dict_repr.get(key, [])]
        setattr(return_obj, key, items)

    # Wrapper objects converted as a whole.
    return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
    return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
    return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))

    return return_obj
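def main():
    """Print a package holding a C2 IP-watchlist Indicator linked to a Campaign.

    The indicator is added to the package in full; the campaign then points
    back at it with a RelatedIndicator wrapping an idref-only Indicator so the
    observable is not serialized twice. STIXPackage, Indicator, Address,
    Campaign and RelatedIndicator are expected to be imported at module level.
    """
    package = STIXPackage()

    indicator = Indicator(title="IP Address for known C2 Channel")
    indicator.add_indicator_type("IP Watchlist")
    address = Address(category="ipv4-addr")
    # Placeholder value: 10.0.0.0 is private (RFC 1918) address space, so this
    # pattern will never match real C2 traffic; replace it in anything but a demo.
    address.address_value = "10.0.0.0"
    address.address_value.condition = "Equals"
    indicator.observable = address
    package.add_indicator(indicator)

    campaign = Campaign(title="Operation Omega")
    package.add_campaign(campaign)

    # Link by idref rather than embedding the indicator a second time.
    campaign.related_indicators.append(
        RelatedIndicator(item=Indicator(idref=indicator.id_)))

    # The original used the Python 2 print statement, which does not parse on
    # Python 3; print() with one argument behaves the same on both.
    # On Python 3, to_xml() may return bytes; pass encoding=None for text if so.
    print(package.to_xml())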
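def main():
    """Build three example packages showing indicator composition and print each as XML.

    Package 1: an AND composite ("Campaign Characteristics") of a file-hash
    indicator and a C2 network-connection indicator, plus a Campaign and a
    ThreatActor that reference the same two TTPs by idref.
    Package 2: an OR composite over three single-IP watchlist indicators.
    Package 3: an OR composite of the two low-confidence indicators from
    package 1, re-described so that together they express high confidence
    in the C2 TTP (the same Indicator objects are reused and mutated).

    NOTE: ID values will differ on every run because the library regenerates
    them. All STIX/CybOX classes used here are expected at module level.
    """
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()
    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    # TTP for the C2 infrastructure
    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    # Network indicator: a connection whose destination is the C2 IP
    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)
    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # File-hash indicator with an embedded Observable
    file_ind = Indicator()
    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")
    file_obs = File()
    # An MD5 digest is exactly 32 hex characters; the original example value
    # had 34 and could never match a real MD5, so it is corrected here.
    file_obs.add_hash("0123456789abcdef0123456789abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # Container indicator that will hold the composite expression
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Campaign related to both TTPs by idref
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Threat actor observed using the malware TTP
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # AND composite: both the hash and the connection must be observed
    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"
    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)
    pkg1.add_indicator(ind)
    # Python 2 print statements replaced with print(); on Python 3 to_xml()
    # may return bytes, in which case pass encoding=None for text.
    print(pkg1.to_xml())

    # USE CASE: Indicator with partial matching
    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # OR composite: one sub-indicator per IP address
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"
    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)
        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
        watchlistind.composite_indicator_expression.append(new_ind)
    pkg2.add_indicator(watchlistind)
    print(pkg2.to_xml())

    # USE CASE: Indicator with compound detection
    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."

    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"
    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    # Reuse the two indicators from package 1, re-described with low confidence.
    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"

    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)
    pkg3.add_indicator(watchlistind2)
    print(pkg3.to_xml())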
def create_campaign(title=None, description=None):
    """Return a Campaign carrying ``title`` and one description entry.

    Both arguments default to None and are passed to the Campaign as given;
    how the library treats a None description in add_description is not
    visible here.
    """
    result = Campaign()
    result.title = title
    result.add_description(description)
    return result
def test_campaign_idref_deprecation(self):
    """Adding an idref-only Campaign through STIXPackage.add must not raise.

    The body has no explicit assertion; the test passes as long as the
    add() call completes.
    """
    pkg = core.STIXPackage()
    idref_only = Campaign(idref='test-idref-dep')
    pkg.add(idref_only)
from stix.campaign import Activity, Attribution, Campaign, Names
from stix.campaign import AssociatedCampaigns as CAssociatedCampaigns
from stix.common.vocabs import IntendedEffect, CampaignStatus, HighMediumLow
from stix.core import STIXPackage
from stix.incident import Incident, Time
from stix.threat_actor import ThreatActor
from stix.threat_actor import AssociatedCampaigns as TAssociatedCampaigns
from stix.ttp import TTP
from stix.common.related import RelatedTTP, RelatedIncident, RelatedIndicator, RelatedCampaign
from stix.indicator import Indicator, RelatedCampaignRef
from cybox.objects.address_object import Address
from faker import Faker
from stix.common import CampaignRef

# Example script that assembles a Campaign step by step. Only the "basics"
# and "attributes" sections are visible in this excerpt; the trailing comment
# shows the script continues with related TTPs, which is why most of the
# imports above (Incident, ThreatActor, Faker, ...) are unused here.

# Basics
campaign = Campaign(title='Compromise Machines')
campaign.description = 'Vestibulum id ligula porta felis euismod semper. Cras mattis consectetur purus sit amet fermentum.'
campaign.short_description = 'Mattis Ipsum Ultricies Quam Malesuada'

# Attributes
# Aliases are set as a list on Names.name rather than appended one by one.
names = Names()
names.name = ['Operation Sparky', 'Operation Dingo']
campaign.names = names
activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
# Controlled-vocabulary values are wrapped in their vocab classes.
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')

# Related TTP (basic; by id)
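def main():
    """Build three example packages showing indicator composition and print each as XML.

    Package 1: an AND composite ("Campaign Characteristics") of a file-hash
    indicator and a C2 network-connection indicator, plus a Campaign and a
    ThreatActor that reference the same two TTPs by idref.
    Package 2: an OR composite over three single-IP watchlist indicators.
    Package 3: an OR composite of the two low-confidence indicators from
    package 1, re-described so that together they express high confidence
    in the C2 TTP (the same Indicator objects are reused and mutated).

    NOTE: ID values will differ on every run because the library regenerates
    them. All STIX/CybOX classes used here are expected at module level.
    """
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()
    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    # TTP for the C2 infrastructure
    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    # Network indicator: a connection whose destination is the C2 IP
    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)
    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # File-hash indicator with an embedded Observable
    file_ind = Indicator()
    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")
    file_obs = File()
    # An MD5 digest is exactly 32 hex characters; the original example value
    # had 34 and could never match a real MD5, so it is corrected here.
    file_obs.add_hash("0123456789abcdef0123456789abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # Container indicator that will hold the composite expression
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Campaign related to both TTPs by idref
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Threat actor observed using the malware TTP
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # AND composite: both the hash and the connection must be observed
    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"
    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)
    pkg1.add_indicator(ind)
    # Python 2 print statements replaced with print(); on Python 3 to_xml()
    # may return bytes, in which case pass encoding=None for text.
    print(pkg1.to_xml())

    # USE CASE: Indicator with partial matching
    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # OR composite: one sub-indicator per IP address
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"
    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)
        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
        watchlistind.composite_indicator_expression.append(new_ind)
    pkg2.add_indicator(watchlistind)
    print(pkg2.to_xml())

    # USE CASE: Indicator with compound detection
    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."

    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"
    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    # Reuse the two indicators from package 1, re-described with low confidence.
    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"

    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)
    pkg3.add_indicator(watchlistind2)
    print(pkg3.to_xml())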
def add_campaign_item(campaign_id_item, pkg):
    """Append a name-only Campaign for ``campaign_id_item`` to ``pkg``.

    The campaign gets a single Names entry wrapping the item as a
    VocabString; no title, id handling or validation happens here.
    """
    new_campaign = Campaign()
    new_campaign.names = Names()
    new_campaign.names.append(VocabString(campaign_id_item))
    pkg.add_campaign(new_campaign)