def test_add_lmco_phase(self): phase = lmco.PHASE_DELIVERY refs = KillChainPhasesReference() refs.append(phase) self.assertTrue(isinstance(refs[0], KillChainPhaseReference)) self.assertTrue(refs[0].phase_id, lmco.PHASE_DELIVERY.phase_id)
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): super(Indicator, self).__init__(id_=id_, idref=idref, timestamp=timestamp, title=title, description=description, short_description=short_description) self.observable = None self.indicator_types = IndicatorTypes() self.test_mechanisms = TestMechanisms() self.alternative_id = None self.suggested_coas = SuggestedCOAs() self.sightings = Sightings() self.composite_indicator_expression = None self.kill_chain_phases = KillChainPhasesReference() self.related_indicators = RelatedIndicators() self.related_campaigns = RelatedCampaignRefs() self.observable_composition_operator = "OR" self.related_packages = RelatedPackageRefs()
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): super(Indicator, self).__init__(id_=id_, idref=idref, timestamp=timestamp, title=title, description=description, short_description=short_description) self.producer = None self.observables = None self.indicator_types = IndicatorTypes() self.confidence = None self.indicated_ttps = _IndicatedTTPs() self.test_mechanisms = TestMechanisms() self.alternative_id = None self.suggested_coas = SuggestedCOAs() self.sightings = Sightings() self.composite_indicator_expression = None self.handling = None self.kill_chain_phases = KillChainPhasesReference() self.valid_time_positions = _ValidTimePositions() self.related_indicators = None self.related_campaigns = RelatedCampaignRefs() self.observable_composition_operator = "OR" self.likely_impact = None self.negate = None self.related_packages = RelatedPackageRefs()
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): self.id_ = id_ or stix.utils.create_id("indicator") self.idref = idref self.version = self._version self.producer = None self.observables = None self.title = title self.description = description self.short_description = short_description self.indicator_types = None self.confidence = None self.indicated_ttps = None self.test_mechanisms = None self.alternative_id = None self.suggested_coas = SuggestedCOAs() self.sightings = Sightings() self.composite_indicator_expression = None self.handling = None self.kill_chain_phases = KillChainPhasesReference() self.valid_time_positions = None self.related_indicators = None self.observable_composition_operator = "AND" self.likely_impact = None if timestamp: self.timestamp = timestamp else: self.timestamp = datetime.now(tzutc()) if not idref else None
def generate_indicators(self, count): '''Generate a list of STIX Indicators''' indicators = [] for i in range(0, count): indicator = Indicator(title='Multiple indicator types') indicator.set_producer_identity(Identity(name='Secret Source')) indicator.set_produced_time(datetime.today()) indicator.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration'])) indicator.add_short_description('Short description...') indicator.add_description('Long description...') indicator.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown'])) kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES) indicator.kill_chain_phases = KillChainPhasesReference( [KillChainPhaseReference(name=kill_chain_phase.name)]) ips = self.gen_ips(randint(0, 5)) for ip in ips: indicator.add_observable(ip) # user_agents = self.gen_user_agents(randint(0, 5)) # for ua in user_agents: # indicator.add_observable(ua) # fqnds = self.gen_fqdns(randint(0, 5)) # for f in fqnds: # indicator.add_observable(f) # urls = self.gen_urls(randint(0, 5)) # for u in urls: # indicator.add_observable(u) indicators.append(indicator) return indicators
def add_kill_chain_phase_reference_data_from_frame(api_object, frame): indicator = api_object.obj indicator_builder_data = frame[0].f_locals['indicator_data'] kill_chain_phase_id = indicator_builder_data.get('kill_chain_phase') if kill_chain_phase_id: kill_chain_phase = KillChainPhaseReference( kill_chain_id=KILL_CHAIN_ID, phase_id=kill_chain_phase_id) indicator._object.kill_chain_phases = KillChainPhasesReference( [kill_chain_phase]) return api_object
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): super(TTP, self).__init__(id_=id_, idref=idref, timestamp=timestamp, title=title, description=description, short_description=short_description) self.related_packages = RelatedPackageRefs() self.exploit_targets = ExploitTargets() self.related_ttps = RelatedTTPs() self.kill_chain_phases = KillChainPhasesReference()
def main(): stix_pkg = STIXPackage() # create LM-style kill chain # REF: http://stix.mitre.org/language/version{{site.current_version}}/stix_v{{site.current_version}}_lmco_killchain.xml recon = KillChainPhase(phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a", name="Reconnaissance", ordinality="1") weapon = KillChainPhase(phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16", name="Weaponization", ordinality="2") deliver = KillChainPhase(phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d", name="Delivery", ordinality="3") exploit = KillChainPhase(phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0", name="Exploitation", ordinality="4") install = KillChainPhase(phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", name="Installation", ordinality="5") control = KillChainPhase(phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2", name="Command and Control", ordinality="6") action = KillChainPhase(phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6", name="Actions on Objectives", ordinality="7") lmchain = KillChain(id_="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", name="LM Cyber Kill Chain") lmchain.definer = "LMCO" lmchain.kill_chain_phases = [recon, weapon, deliver, exploit, install, control, action] stix_pkg.ttps.kill_chains.append(lmchain) infect = KillChainPhase(name="Infect Machine") exfil = KillChainPhase(name="Exfiltrate Data") mychain = KillChain(name="Organization-specific Kill Chain") mychain.definer = "Myself" mychain.kill_chain_phases = [infect, exfil] stix_pkg.ttps.add_ttp(TTP()) stix_pkg.ttps.kill_chains.append(mychain) indicator = Indicator() indicator.kill_chain_phases = KillChainPhasesReference([ KillChainPhaseReference(phase_id=exfil.phase_id, kill_chain_id=mychain.id_), KillChainPhaseReference(phase_id=action.phase_id, kill_chain_id=lmchain.id_) ]) stix_pkg.add_indicator(indicator) print(stix_pkg.to_xml(encoding=None))
def process_kill_chain_phases(phases, obj1x): for phase in phases: if phase["kill_chain_name"] in _KILL_CHAINS: kill_chain_phases = _KILL_CHAINS[ phase["kill_chain_name"]]["phases"] if not phase["phase_name"] in kill_chain_phases: kill_chain_phases.update({ phase["phase_name"]: KillChainPhase(phase_id=create_id1x("TTP"), name=phase["phase_name"], ordinality=None) }) _KILL_CHAINS[phase["kill_chain_name"]][ "kill_chain"].add_kill_chain_phase( kill_chain_phases[phase["phase_name"]]) kcp = kill_chain_phases[phase["phase_name"]] if not obj1x.kill_chain_phases: obj1x.kill_chain_phases = KillChainPhasesReference() else: kc = KillChain(id_=create_id1x("TTP"), name=phase["kill_chain_name"]) _KILL_CHAINS[phase["kill_chain_name"]] = {"kill_chain": kc} kcp = KillChainPhase(name=phase["phase_name"], phase_id=create_id1x("TTP")) kc.add_kill_chain_phase(kcp) _KILL_CHAINS[phase["kill_chain_name"]]["phases"] = { phase["phase_name"]: kcp } obj1x.add_kill_chain_phase( KillChainPhaseReference( phase_id=kcp.phase_id, name=kcp.name, ordinality=None, kill_chain_id=_KILL_CHAINS[ phase["kill_chain_name"]]["kill_chain"].id_, kill_chain_name=_KILL_CHAINS[ phase["kill_chain_name"]]["kill_chain"].name))
def test_add_no_id_phase(self): refs = KillChainPhasesReference() phase = KillChainPhase() self.assertRaises(ValueError, refs.append, phase)
def kill_chain_phases(self, value): self._kill_chain_phases = KillChainPhasesReference(value)
ttp.add_intended_effect(IntendedEffect('Account Takeover')) # TTP - Attack Pattern attack_pattern = AttackPattern() attack_pattern.capec_id = 'CAPEC-98' attack_pattern.description = 'Phishing' attack_pattern.short_description = 'Phishing' ttp.behavior = Behavior() ttp.behavior.add_attack_pattern(attack_pattern) # TTP - Kill Chain Phase phase = KillChainPhase( name='Infect Machine', phase_id='example:TTP-7a0fb8e4-a778-4c79-9c7e-8747675da5f1') kc_phases = KillChainPhasesReference() kc_phases.append(KillChainPhaseReference(name=phase.name)) ttp.kill_chain_phases = kc_phases # TTP - Resource (Tool, Infrastructure, Personas) resource = Resource() tool = ToolInformation(title='malware.exe') tool.type_ = AttackerToolType('Malware') tool.description = 'Tool Description' tool.short_description = 'Tool Short Description' infrastructure = Infrastructure(title='Leveraged Domains') infrastructure.types = AttackerInfrastructureType('Domain Registration') infrastructure.description = 'Infrastructure Description' infrastructure.short_description = 'Infrastructure Short Description' domain = DomainName()