def add_external_or_partner_actor_ttem(item, pkg):
    """Translate a VERIS ``actor/external`` or ``actor/partner`` item into a STIX ThreatActor.

    The actor's CIQ identity receives one Address per entry of ``item['country']``;
    every ``item['motive']`` entry becomes a Motivation statement and every
    ``item['variety']`` entry a threat-actor Type statement.  A missing
    ``country``, ``motive`` or ``variety`` list is reported through ``error``
    (if that returns, the corresponding part of the actor is simply left
    empty).  Any ``notes`` text is passed through ``escape`` and stored as the
    actor's description.

    Args:
        item: Mapping holding the VERIS actor item.
        pkg: STIXPackage the finished ThreatActor is added to.
    """
    actor = ThreatActor()
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    countries = item.get('country')
    if countries:
        for name in countries:
            addr = Address()
            addr.country = Country()
            addr.country.add_name_element(name)
            spec.add_address(addr)
    else:
        error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")
    actor.identity.specification = spec

    motives = item.get('motive')
    if motives:
        for entry in motives:
            stmt = Statement()
            stmt.value = map_motive_item_to_motivation(entry)
            actor.add_motivation(stmt)
    else:
        error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")

    varieties = item.get('variety')
    if varieties:
        for entry in varieties:
            stmt = Statement()
            stmt.value = map_actor_variety_item_to_threat_actor_type(entry)
            actor.add_type(stmt)
    else:
        error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")

    notes = item.get('notes')
    if notes:
        actor.description = "Notes: " + escape(notes)

    pkg.add_threat_actor(actor)
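def main():
    """Build a demo STIXPackage holding one ThreatActor with a CIQ identity and print it as XML.

    The identity carries two organisation names, one language, a
    US/California address and a single electronic address identifier.
    """
    stix_package = STIXPackage()

    ta = ThreatActor()
    ta.title = "Disco Team Threat Actor Group"
    ta.identity = CIQIdentity3_0Instance()

    identity_spec = STIXCIQIdentity3_0()
    identity_spec.party_name = PartyName()
    # Common-use name spelled "Disco Team", consistent with the actor title.
    identity_spec.party_name.add_organisation_name(
        OrganisationName("Disco Team", type_="CommonUse"))
    identity_spec.party_name.add_organisation_name(
        OrganisationName("Equipo del Discoteca", type_="UnofficialName"))
    identity_spec.add_language("Spanish")

    address = Address()
    address.country = Country()
    address.country.add_name_element("United States")
    address.administrative_area = AdministrativeArea()
    address.administrative_area.add_name_element("California")
    identity_spec.add_address(address)

    identity_spec.add_electronic_address_identifier("*****@*****.**")
    ta.identity.specification = identity_spec

    stix_package.add_threat_actor(ta)
    # print() with one argument is valid on both Python 2 and Python 3.
    print(stix_package.to_xml())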
def main():
    """Build a demo STIXPackage with one ThreatActor and print it as XML.

    The actor's CIQ identity holds two organisation names, the Spanish
    language, a US/California address and three electronic address
    identifiers (an e-mail address and two social-media handles).
    """
    package = STIXPackage()

    actor = ThreatActor()
    actor.title = "Disco Team Threat Actor Group"
    actor.identity = CIQIdentity3_0Instance()

    spec = STIXCIQIdentity3_0()
    names = PartyName()
    for text, kind in (("Disco Team", "CommonUse"),
                       ("Equipo del Discoteca", "UnofficialName")):
        names.add_organisation_name(OrganisationName(text, type_=kind))
    spec.party_name = names
    spec.add_language("Spanish")

    home = Address()
    home.country = Country()
    home.country.add_name_element("United States")
    home.administrative_area = AdministrativeArea()
    home.administrative_area.add_name_element("California")
    spec.add_address(home)

    for handle in ("*****@*****.**",
                   "facebook.com/thediscoteam",
                   "twitter.com/realdiscoteam"):
        spec.add_electronic_address_identifier(handle)

    actor.identity.specification = spec
    package.add_threat_actor(actor)
    # encoding=None yields a text string rather than encoded bytes.
    print(package.to_xml(encoding=None))
def resolveIdentityAttribute(incident, attribute, namespace):
    """Attach a MISP ``target-*`` attribute to ``incident`` as a CIQ victim identity.

    ``attribute['type']`` decides which CIQ field receives ``attribute['value']``:
    ``target-user`` -> person name, ``target-external`` -> free name line,
    ``target-org`` -> organisation name, ``target-location`` -> free-text
    address, ``target-email`` -> electronic address identifier.  Any other
    type yields an identity with an empty specification.  ``namespace`` is
    accepted but not used here.

    Returns:
        The same ``incident`` with the victim appended.
    """
    victim = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    attr_type = attribute["type"]
    value = attribute["value"]

    if attr_type == 'target-user':
        spec.party_name = PartyName(person_names=[value])
    elif attr_type == 'target-external':
        # Whether target-external is a person or an organisation is unknown,
        # so a NameLine is used as described at
        # http://docs.oasis-open.org/ciq/v3.0/prd03/specs/ciq-specs-v3-prd3.html#_Toc207716018
        spec.party_name = PartyName(name_lines=["External target: " + value])
    elif attr_type == 'target-org':
        spec.party_name = PartyName(organisation_names=[value])
    elif attr_type == 'target-location':
        spec.add_address(Address(FreeTextAddress(address_lines=[value])))
    elif attr_type == 'target-email':
        spec.add_electronic_address_identifier(
            ElectronicAddressIdentifier(value=value))

    victim.specification = spec
    # The MISP attribute uuid is reused as the identity id suffix; the
    # original author questioned whether this is a good idea.
    victim.id_ = "example:Identity-" + attribute["uuid"]
    victim.name = attr_type + ": " + value + " (MISP Attribute #" + attribute["id"] + ")"
    incident.add_victim(victim)
    return incident
def from_dict(cls, dict_repr, return_obj=None):
    """Build a CIQ identity specification from its dictionary representation.

    Args:
        dict_repr: Mapping holding the serialized fields; a falsy value
            yields ``None``.
        return_obj: Existing instance to populate.  A new ``cls()`` is
            created when it is falsy.

    Returns:
        The populated object, or ``None`` when ``dict_repr`` is empty.
    """
    if not dict_repr:
        return None
    if not return_obj:
        return_obj = cls()

    def many(key, klass):
        # Each list-valued field is decoded element by element; a missing
        # key is treated as an empty list.
        return [klass.from_dict(entry) for entry in dict_repr.get(key, [])]

    return_obj.party_name = PartyName.from_dict(dict_repr.get('party_name'))
    return_obj.languages = many('languages', Language)
    return_obj.addresses = many('addresses', Address)
    return_obj.electronic_address_identifiers = many(
        'electronic_address_identifiers', ElectronicAddressIdentifier)
    return_obj.free_text_lines = many('free_text_lines', FreeTextLine)
    return_obj.contact_numbers = many('contact_numbers', ContactNumber)
    return_obj.organisation_info = OrganisationInfo.from_dict(
        dict_repr.get('organisation_info'))
    return return_obj
def add_victim_item(victim_item, incident):
    """Translate a VERIS ``victim`` item into a CIQ identity and add it to ``incident`` as a victim.

    Roles come from the module-level ``targets_item``.  One Address is
    created per ``victim_item['country']`` entry, each carrying
    ``victim_item['state']`` as administrative area when present.
    ``employee_count``, ``industry`` and ``revenue`` only raise warnings
    (no OrganisationInfo details are written, see python-stix issue 108).
    ``victim_id`` is stored as a party-name NameLine.

    Args:
        victim_item: Mapping holding the VERIS victim item.
        incident: STIX Incident the identity is added to.
    """
    global targets_item

    victim = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()
    victim.specification = spec

    if targets_item:
        for role in targets_item:
            victim.add_role(role)

    countries = victim_item.get('country')
    if countries:
        for name in countries:
            addr = Address()
            addr.country = Country()
            addr.country.add_name_element(name)
            state = victim_item.get('state')
            if state:
                addr.administrative_area = AdministrativeArea()
                addr.administrative_area.add_name_element(state)
            spec.add_address(addr)
    else:
        error("Required 'country' item is missing in 'victim' item")

    # no organisationInfo details - https://github.com/STIXProject/python-stix/issues/108
    if victim_item.get("employee_count"):
        warn("'victim/employee_count' item not handled, yet")
    if victim_item.get("industry"):
        warn("'victim/industry' item not handled, yet")
    if victim_item.get("revenue"):
        warn("'victim/revenue' item not handled, yet")

    victim_id = victim_item.get('victim_id')
    if victim_id:
        party_name = PartyName()
        # The victim id might be inappropriate as a name, but it is the only
        # identifier the item offers.
        party_name.add_name_line(victim_id)
        spec.party_name = party_name

    incident.add_victim(victim)
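def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """
    This utility function aids in the creation of an AIS marking and appends
    it to the provided STIX package.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary.  Must be an actual bool.
        consent: A string with one of the following values: "EVERYONE",
            "NONE" or "USG".  When ``proprietary`` is True the supplied value
            is ignored and "EVERYONE" is used.
        color: A string that corresponds to TLP values: "WHITE", "GREEN" or
            "AMBER".
        **kwargs: Six required keyword arguments that are used to create a
            CIQ identity object. These are: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.

    Raises:
        ValueError: When keyword arguments are missing. User did not supply
            correct values for: proprietary, color and consent.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

        The marking's controlled structure is the XPath ``//node() | //@*``,
        i.e. it applies to every element and attribute of the document.

        The industry_type keyword argument accepts: a list of string based on
        defined sectors, a pipe-delimited string of sectors, or a single
        sector.

    .. _AIS: https://www.us-cert.gov/ais
    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    args = ('country_name_code', 'country_name_code_type', 'industry_type',
            'admin_area_name_code', 'admin_area_name_code_type',
            'organisation_name')

    # Validate the keyword arguments before building anything so that no
    # partially constructed objects exist when the error is raised.
    diff = set(args) - set(kwargs)
    if diff:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(diff)))

    # CIQ identity of the information source.
    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country = Country()
    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country.add_name_element(country_name)

    admin_area = AdministrativeArea()
    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(
        kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    # Identity checks (`is True` / `is False`) reject truthy non-bool values
    # instead of silently treating them as proprietary.
    if proprietary is True:
        proprietary_obj = IsProprietary()
        # For an IsProprietary marking the caller's consent is deliberately
        # overridden with EVERYONE.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()
    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # Whole-document scope: every node and every attribute.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present: a fresh Marking replaces the
    # existing handling, so the AIS marking is the only one left.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)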
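def add_ais_marking(stix_package, proprietary, consent, color, **kwargs):
    """Create an AIS marking and attach it to ``stix_package`` as its only handling marking.

    Args:
        stix_package: A stix.core.STIXPackage object.
        proprietary: True if marking uses IsProprietary, False for
            NotProprietary.  Must be an actual bool.
        consent: "EVERYONE", "NONE" or "USG".  For an IsProprietary marking
            the caller's value is overridden and "EVERYONE" is used.
        color: TLP color string: "WHITE", "GREEN" or "AMBER".
        **kwargs: Six required keyword arguments used to build the CIQ
            identity of the information source: country_name_code,
            country_name_code_type, admin_area_name_code,
            admin_area_name_code_type, organisation_name, industry_type.
            ``industry_type`` accepts a list of sector strings, a
            pipe-delimited string of sectors, or a single sector.

    Raises:
        ValueError: When keyword arguments are missing, or when proprietary,
            color or consent do not hold one of the accepted values.

    Note:
        The following line is required to register the AIS extension::

            >>> import stix.extensions.marking.ais

        Any Markings under STIX Header will be removed. Please follow the
        guidelines for `AIS`_.

    .. _AIS: https://www.us-cert.gov/ais
    """
    from stix.common import InformationSource
    from stix.extensions.identity.ciq_identity_3_0 import (
        CIQIdentity3_0Instance, STIXCIQIdentity3_0, PartyName, Address,
        Country, NameElement, OrganisationInfo, AdministrativeArea)
    from stix.core.stix_header import STIXHeader
    from stix.data_marking import MarkingSpecification, Marking

    required = ('country_name_code', 'country_name_code_type', 'industry_type',
                'admin_area_name_code', 'admin_area_name_code_type',
                'organisation_name')

    # Reject incomplete input before any object is constructed.
    missing = set(required).difference(kwargs)
    if missing:
        msg = 'All keyword arguments must be provided. Missing: {0}'
        raise ValueError(msg.format(tuple(missing)))

    # --- information-source identity -------------------------------------
    party_name = PartyName()
    party_name.add_organisation_name(kwargs['organisation_name'])

    country_name = NameElement()
    country_name.name_code = kwargs['country_name_code']
    country_name.name_code_type = kwargs['country_name_code_type']
    country = Country()
    country.add_name_element(country_name)

    admin_area_name = NameElement()
    admin_area_name.name_code = kwargs['admin_area_name_code']
    admin_area_name.name_code_type = kwargs['admin_area_name_code_type']
    admin_area = AdministrativeArea()
    admin_area.add_name_element(admin_area_name)

    address = Address()
    address.country = country
    address.administrative_area = admin_area

    org_info = OrganisationInfo()
    org_info.industry_type = _validate_and_create_industry_type(kwargs['industry_type'])

    id_spec = STIXCIQIdentity3_0()
    id_spec.party_name = party_name
    id_spec.add_address(address)
    id_spec.organisation_info = org_info

    identity = CIQIdentity3_0Instance()
    identity.specification = id_spec

    # --- marking structure -----------------------------------------------
    # `is True` / `is False` so that only real bools are accepted.
    if proprietary is True:
        proprietary_obj = IsProprietary()
        # The caller's consent is intentionally replaced for IsProprietary.
        consent = 'EVERYONE'
    elif proprietary is False:
        proprietary_obj = NotProprietary()
    else:
        raise ValueError('proprietary expected True or False.')

    proprietary_obj.ais_consent = AISConsentType(consent=consent)
    proprietary_obj.tlp_marking = TLPMarkingType(color=color)

    ais_marking = AISMarkingStructure()
    if isinstance(proprietary_obj, IsProprietary):
        ais_marking.is_proprietary = proprietary_obj
    else:
        ais_marking.not_proprietary = proprietary_obj

    marking_spec = MarkingSpecification()
    # XPath selecting every node and attribute: the marking covers the whole document.
    marking_spec.controlled_structure = '//node() | //@*'
    marking_spec.marking_structures.append(ais_marking)
    marking_spec.information_source = InformationSource()
    marking_spec.information_source.identity = identity

    if not stix_package.stix_header:
        stix_package.stix_header = STIXHeader()

    # Removes any other Markings if present: the header's handling is
    # replaced by a fresh Marking holding only the AIS specification.
    stix_package.stix_header.handling = Marking()
    stix_package.stix_header.handling.add_marking(marking_spec)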
# TTP2 - Behavior: two malware instances (``malware_instance`` and ``maec``,
# both defined earlier in the script, as is ``ttp2``) are attached to the
# second TTP.
ttp2.behavior = Behavior()
ttp2.behavior.add_malware_instance(malware_instance)
ttp2.behavior.add_malware_instance(maec)

# TTP2 - Victim Targeting
victim_targeting = VictimTargeting()
victim_targeting.add_targeted_system(SystemType('Enterprise Systems'))
victim_targeting.add_targeted_information(
    InformationType('Information Assets - User Credentials'))
# NOTE(review): victim_targeting is not attached to ttp2 within this excerpt;
# presumably ttp2.victim_targeting is assigned further down — confirm.

# CIQ identity of the targeted person.  All descriptive detail (addresses,
# languages, nationality, contact number, electronic addresses, names,
# organisation info) goes on the STIXCIQIdentity3_0 specification, not on
# the Identity instance itself.
identity = CIQIdentity3_0Instance()
# identity.name = 'Bob Ricca'
identity_spec = STIXCIQIdentity3_0()
identity_spec.add_address(Address(country='Germany'))
identity_spec.add_address(Address(country='United States'))
identity_spec.add_language('German')
identity_spec.add_language('English')
identity_spec.add_nationality('American')
identity_spec.add_contact_number('727-867-5309')
# A bare string identifier and a typed ElectronicAddressIdentifier are both
# accepted by add_electronic_address_identifier.
identity_spec.add_electronic_address_identifier('bricca')
identity_spec.add_electronic_address_identifier(
    ElectronicAddressIdentifier(value='*****@*****.**', type_='Email'))
party_name = PartyName()
party_name.add_person_name('Bob Ricca')
party_name.add_person_name('Robert Ricca')
party_name.add_organisation_name('ThreatQuotient')
identity_spec.party_name = party_name
organization = OrganisationInfo(industry_type='Cybersecurity')
identity_spec.organisation_info = organization
# NOTE(review): identity.specification = identity_spec does not appear in this
# excerpt — confirm it is set before the identity is used.