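def add_social(social_item, ttp):
    """Populate *ttp* from a VERIS ``action/social`` item.

    Reads ``target``, ``notes`` and ``variety`` from *social_item*.  ``notes``
    becomes the TTP description (escaped, because it is free text taken
    straight from the input document); every ``variety`` value that
    ``map_socal_item_to_capecid`` resolves to a CAPEC id becomes an
    AttackPattern on a new ``ttp.behavior``.  ``target`` is only stashed in
    the module-level ``targets_item`` for now.

    Args:
        social_item: dict for the VERIS ``action/social`` item.
        ttp: TTP to fill in; ``description`` and ``behavior`` may be set.
    """
    global targets_item
    # NOTE(review): kept at module level rather than applied here; presumably
    # consumed by a later step — confirm against the caller before changing.
    targets_item = social_item.get('target')
    if not targets_item:
        error("Required 'target' item is missing in 'action/socal' item")
    # TODO: target

    notes_item = social_item.get('notes')
    if notes_item:
        # untrusted free text from the input document: escape before it is
        # embedded in the description
        ttp.description = "Notes: " + escape(notes_item)

    variety_item = social_item.get("variety")
    if not variety_item:
        error("Required 'variety' item is missing in 'action/socal' item")
        return

    # Consult every variety, not only the first: the one value that has a
    # CAPEC mapping ("Phishing") may appear anywhere in the list.  A Behavior
    # is created only once, on the first mapped variety, so a single mapped
    # entry yields exactly what the first-only version produced.
    behavior = None
    for variety in variety_item:
        capec_id = map_socal_item_to_capecid(variety)
        if not capec_id:
            continue
        if behavior is None:
            behavior = Behavior()
            ttp.behavior = behavior
        attack_pattern = AttackPattern()
        attack_pattern.capec_id = capec_id
        behavior.add_attack_pattern(attack_pattern)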
def convert_attack_pattern(ap20):
    """Slide a STIX 2.0 Attack Pattern object down to a STIX 1.x TTP.

    ``name``, ``description``, ``labels`` and the CAPEC external reference
    become a 1.x AttackPattern wrapped in the TTP's Behavior; the TTP's id and
    timestamp come from the 2.0 ``id``/``modified``.  ``kill_chain_phases``
    and ``object_marking_refs`` are applied to the TTP (markings with
    descendants).  ``granular_markings`` are not supported: an error is
    reported and they are dropped, so any handling restriction they expressed
    is lost on the 1.x side.  The new TTP is registered in the id/object
    mapping before being returned.

    Args:
        ap20: dict of the STIX 2.0 Attack Pattern; ``id`` and ``modified``
            are required, every other property is optional.

    Returns:
        The populated STIX 1.x TTP.
    """
    pattern = AttackPattern()
    if "name" in ap20:
        pattern.title = ap20["name"]
    if "description" in ap20:
        pattern.add_description(ap20["description"])
    for label in ap20.get("labels", []):
        # 1.x has no labels property; they are folded into the description
        add_missing_property_to_description(pattern, "label", label)
    if "external_references" in ap20:
        pattern.capec_id = extract_external_id("capec", ap20["external_references"])

    ttp = TTP(id_=convert_id20(ap20["id"]), timestamp=text_type(ap20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(pattern)

    if "kill_chain_phases" in ap20:
        process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    for marking_id in ap20.get("object_marking_refs", []):
        marking_spec = create_marking_specification(marking_id)
        if marking_spec:
            CONTAINER.add_marking(ttp, marking_spec, descendants=True)
    if "granular_markings" in ap20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604,
            ap20["id"])

    record_id_object_mapping(ap20["id"], ttp)
    return ttp
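def add_hacking(hacking_item, ttp):
    """Populate *ttp* from a VERIS ``action/hacking`` item.

    Records any CVEs under ``cve`` via ``remember_cves``, replaces
    ``ttp.behavior`` with a fresh Behavior, and turns each ``variety`` entry
    into an AttackPattern using ``utilities.ATTACK_PATTERN_MAPPING``.  Mapping
    values are interpreted as: a ``(capec_id, title, ...)`` sequence, the
    literal strings ``"Other"`` / ``"Unknown"`` (a pattern with that title and
    no CAPEC id), or ``0`` (known variety with no mapping yet, warned about).
    A variety absent from the mapping is reported via ``error``.

    Args:
        hacking_item: dict for the VERIS ``action/hacking`` item.
        ttp: TTP to fill in; ``behavior`` is replaced.
    """
    remember_cves(hacking_item.get('cve'), ttp)
    ttp.behavior = Behavior()

    variety_item = hacking_item.get("variety")
    if not variety_item:
        # previously this fell through to `for item in None` and raised TypeError
        error("Required 'variety' item is missing in 'action/hacking' item")
        return
    # TODO: 'vector' and 'notes' are not carried over yet.

    for item in variety_item:
        capec_info = utilities.ATTACK_PATTERN_MAPPING.get(item)
        # Distinguish "not in the table" (None) from "in the table, mapped to
        # 0 = no CAPEC yet".  A plain truthiness test treats 0 like None, so
        # the "no mapping, yet" warning could never fire.
        if capec_info is None:
            error("'%s' in 'action/hacking' item not found in attack_pattern mapping", item)
            continue
        if capec_info == 0:
            warn("'%s' in 'action/hacking' item has no mapping, yet", item)
            continue
        attack_pattern = AttackPattern()
        if capec_info in ("Other", "Unknown"):
            attack_pattern.title = capec_info
        else:
            attack_pattern.capec_id = capec_info[0]
            attack_pattern.title = capec_info[1]
        ttp.behavior.add_attack_pattern(attack_pattern)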
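def genData_AttackPattern(data):
    """Build a bare STIX 1.x AttackPattern from a ``data['source']`` record.

    Only ``title`` is populated, from the
    ``'stix.ttp.attack_pattern.AttackPattern.title'`` field; ``capec_id``,
    ``description`` and ``short_description`` are explicitly set to ``None``.
    The unused ``stix.utils.create_id`` import the original carried has been
    dropped.

    Args:
        data: dict with a ``'source'`` mapping that holds the title field.

    Returns:
        The new ``stix.ttp.attack_pattern.AttackPattern``.

    Raises:
        KeyError: if ``data['source']`` or the title field is missing.
    """
    # kept as a function-local import, as in the original
    from stix.ttp.attack_pattern import AttackPattern

    pattern = AttackPattern()
    pattern.capec_id = None
    pattern.title = data['source']['stix.ttp.attack_pattern.AttackPattern.title']
    pattern.description = None
    pattern.short_description = None
    return pattern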