def test_malware_id_must_start_with_malware():
with pytest.raises(ValueError) as excinfo:
malware = stix2.Malware(id='my-prefix--', **MALWARE_KWARGS)
assert str(
excinfo.value
) == "Invalid value for Malware 'id': must start with 'malware--'."
def test_invalid_kwarg_to_malware():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.Malware(my_custom_property="foo", **MALWARE_KWARGS)
assert excinfo.value.cls == stix2.Malware
assert excinfo.value.properties == ['my_custom_property']
assert str(excinfo.value) == "Unexpected properties for Malware: (my_custom_property)."
def test_malware_id_must_start_with_malware():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Malware(id='my-prefix--', **MALWARE_KWARGS)
assert excinfo.value.cls == stix2.Malware
assert excinfo.value.prop_name == "id"
assert excinfo.value.reason == "must start with 'malware--'."
assert str(excinfo.value) == "Invalid value for Malware 'id': must start with 'malware--'."
def test_malware_type_must_be_malware():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.Malware(type='xxx', **MALWARE_KWARGS)
assert excinfo.value.cls == stix2.Malware
assert excinfo.value.prop_name == "type"
assert excinfo.value.reason == "must equal 'malware'."
assert str(excinfo.value) == "Invalid value for Malware 'type': must equal 'malware'."
def test_malware_required_field_name():
with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
stix2.Malware(labels=['ransomware'])
assert excinfo.value.cls == stix2.Malware
assert excinfo.value.fields == ["name"]
assert str(
excinfo.value) == "Missing required field(s) for Malware: (name)."
def create_stix(self, atd_report):
malware = stix2.Malware(
name="McAfee ATD Report",
labels=["atd-report"],
kill_chain_name="mitre-attack",
phase_name=tactic # TODO: get Tactic from ATD Report
)
def ds():
cam = stix2.Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
idy = stix2.Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
ind = stix2.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
mal = stix2.Malware(id=MALWARE_ID, **MALWARE_KWARGS)
rel1 = stix2.Relationship(ind, 'indicates', mal, id=RELATIONSHIP_IDS[0])
rel2 = stix2.Relationship(mal, 'targets', idy, id=RELATIONSHIP_IDS[1])
rel3 = stix2.Relationship(cam, 'uses', mal, id=RELATIONSHIP_IDS[2])
stix_objs = [cam, idy, ind, mal, rel1, rel2, rel3]
yield stix2.MemoryStore(stix_objs)
def test_remove_custom_stix_property():
mal = stix2.Malware(name="ColePowers",
labels=["rootkit"],
x_custom="armada",
allow_custom=True)
mal_nc = stix2.utils.remove_custom_stix(mal)
assert "x_custom" not in mal_nc
assert stix2.utils.parse_into_datetime(
mal["modified"],
precision="millisecond") < stix2.utils.parse_into_datetime(
mal_nc["modified"], precision="millisecond")
def test_malware_with_all_required_fields():
now = dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
malware = stix2.Malware(
type="malware",
id=MALWARE_ID,
created=now,
modified=now,
labels=["ransomware"],
name="Cryptolocker",
)
assert str(malware) == EXPECTED_MALWARE
def test_malware_required_property_name():
with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
stix2.Malware(labels=['ransomware'])
assert excinfo.value.cls == stix2.Malware
assert excinfo.value.properties == ["name"]
import stix2
indicator = stix2.Indicator(
id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
created="2014-06-29T13:49:37.079Z",
modified="2014-06-29T13:49:37.079Z",
name="Malicious site hosting downloader",
description=
"This organized threat actor group operates to create profit from all types of crime.",
labels=["malicious-activity"],
pattern="[url:value = 'http://x4z9arb.cn/4712/']",
valid_from="2014-06-29T13:49:37.079000Z")
foothold = stix2.KillChainPhase(
kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="establish-foothold")
malware = stix2.Malware(
id="malware--162d917e-766f-4611-b5d6-652791454fca",
created="2014-06-30T09:15:17.182Z",
modified="2014-06-30T09:15:17.182Z",
name="x4z9arb backdoor",
labels=["backdoor", "remote-access-trojan"],
description=
"This malware attempts to download remote files after establishing a foothold as a backdoor.",
kill_chain_phases=[foothold])
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])
def malware(uuid4, clock):
return stix2.Malware(**MALWARE_KWARGS)
def test_invalid_kwarg_to_malware():
with pytest.raises(TypeError) as excinfo:
malware = stix2.Malware(my_custom_property="foo", **MALWARE_KWARGS)
assert str(excinfo.value
) == "unexpected keyword arguments: ['my_custom_property']"
def test_malware_required_field_name():
with pytest.raises(ValueError) as excinfo:
malware = stix2.Malware(labels=['ransomware'])
assert str(
excinfo.value) == "Missing required field(s) for Malware: (name)."
def stix_bundle(rep):
objects = ()
for ref in rep.object_refs.all():
obj = myforms.get_obj_from_id(ref)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
report = stix2.Report(
id=rep.object_id.object_id,
labels=[str(l.value) for l in rep.labels.all()],
name=rep.name,
description=rep.description,
published=rep.published,
object_refs=[str(r.object_id) for r in rep.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (report, )
bundle = stix2.Bundle(*objects)
return bundle
def test_malware_type_must_be_malware():
with pytest.raises(ValueError) as excinfo:
malware = stix2.Malware(type='xxx', **MALWARE_KWARGS)
assert str(excinfo.value
) == "Invalid value for Malware 'type': must equal 'malware'."
def malware_maker(**kwargs):
malware = stix2.Malware(**kwargs)
flag = itemtofile(malware)
return flag, malware
def run(self):
self.helper.log_info("Fetching data CYBERCRIME-TRACKER.NET...")
tlp = self.helper.api.marking_definition.read(
filters=[
{"key": "definition", "values": "TLP:{}".format(self.connector_tlp)}
]
)
while True:
try:
# Get the current timestamp and check
timestamp = int(time.time())
current_state = self.helper.get_state()
if current_state is not None and "last_run" in current_state:
last_run = current_state["last_run"]
self.helper.log_info(
"Connector last run: {}".format(
datetime.datetime.utcfromtimestamp(last_run).strftime(
"%Y-%m-%d %H:%M:%S"
)
)
)
else:
last_run = None
self.helper.log_info("Connector has never run")
# Run if it is the first time or we are past the interval
if last_run is None or ((timestamp - last_run) > self.interval):
self.helper.log_info("Connector will run!")
now = datetime.datetime.utcfromtimestamp(timestamp)
friendly_name = "MITRE run @ " + now.strftime("%Y-%m-%d %H:%M:%S")
work_id = self.helper.api.work.initiate_work(
self.helper.connect_id, friendly_name
)
# Get Feed Content
feed = feedparser.parse(self.feed_url)
self.helper.log_info(
"Found: {} entries.".format(len(feed["entries"]))
)
self.feed_summary = {
"Source": feed["feed"]["title"],
"Date": self._time_to_datetime(
feed["feed"]["published_parsed"]
),
"Details": feed["feed"]["subtitle"],
"Link": feed["feed"]["link"],
}
# Create the bundle
bundle_objects = list()
organization = stix2.Identity(
id=OpenCTIStix2Utils.generate_random_stix_id("identity"),
name="CYBERCRIME-TRACKER.NET",
identity_class="organization",
description="Tracker collecting and sharing daily updates of C2 IPs/Urls. http://cybercrime-tracker.net",
)
bundle_objects.append(organization)
for entry in feed["entries"]:
parsed_entry = self.parse_feed_entry(entry)
external_reference = stix2.ExternalReference(
source_name="{}".format(self.feed_summary["Source"]),
url=parsed_entry["ext_link"],
)
indicator_pattern = self.gen_indicator_pattern(parsed_entry)
malware = stix2.Malware(
id=OpenCTIStix2Utils.generate_random_stix_id("malware"),
is_family=True,
name=parsed_entry["type"],
description="{} malware.".format(parsed_entry["type"]),
)
bundle_objects.append(malware)
indicator = None
if self.create_indicators:
indicator = stix2.Indicator(
id=OpenCTIStix2Utils.generate_random_stix_id(
"indicator"
),
name=parsed_entry["url"],
description="C2 URL for: {}".format(
parsed_entry["type"]
),
labels=["C2 Server"],
pattern_type="stix",
pattern=indicator_pattern,
valid_from=parsed_entry["date"],
created=parsed_entry["date"],
modified=parsed_entry["date"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
custom_properties={
"x_opencti_main_observable_type": "Url"
},
)
bundle_objects.append(indicator)
relation = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
source_ref=indicator.id,
target_ref=malware.id,
relationship_type="indicates",
start_time=self._time_to_datetime(
entry["published_parsed"]
),
stop_time=self._time_to_datetime(
entry["published_parsed"]
)
+ datetime.timedelta(0, 3),
description="URLs associated to: "
+ parsed_entry["type"],
confidence=self.confidence_level,
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
created=parsed_entry["date"],
modified=parsed_entry["date"],
external_references=[external_reference],
)
bundle_objects.append(relation)
if self.create_observables:
observable_url = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="Url.value",
labels=["C2 Server"],
value=parsed_entry["url"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_url)
observable_ip = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="IPv4-Addr.value",
labels=["C2 Server"],
value=parsed_entry["ip"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_ip)
observable_domain = None
if "domain" in parsed_entry.keys():
observable_domain = SimpleObservable(
id=OpenCTIStix2Utils.generate_random_stix_id(
"x-opencti-simple-observable"
),
key="Domain-Name.value",
labels=["C2 Server"],
value=parsed_entry["domain"],
created_by_ref=organization.id,
object_marking_refs=[tlp["standard_id"]],
external_references=[external_reference],
)
bundle_objects.append(observable_domain)
if indicator is not None:
relationship_1 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_url.id,
)
bundle_objects.append(relationship_1)
relationship_2 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_ip.id,
)
bundle_objects.append(relationship_2)
if observable_domain is not None:
relationship_3 = stix2.Relationship(
id=OpenCTIStix2Utils.generate_random_stix_id(
"relationship"
),
relationship_type="based-on",
created_by_ref=organization.id,
source_ref=indicator.id,
target_ref=observable_domain.id,
)
bundle_objects.append(relationship_3)
# create stix bundle
bundle = stix2.Bundle(objects=bundle_objects)
# send data
self.helper.send_stix2_bundle(
bundle=bundle.serialize(),
update=self.update_existing_data,
work_id=work_id,
)
# Store the current timestamp as a last run
message = (
"Connector successfully run, storing last_run as: {}".format(
str(timestamp)
)
)
self.helper.log_info(message)
self.helper.set_state({"last_run": timestamp})
self.helper.api.work.to_processed(work_id, message)
self.helper.log_info(
"Last_run stored, next run in: {} seconds.".format(
str(round(self.interval, 2))
)
)
time.sleep(60)
else:
new_interval = self.interval - (timestamp - last_run)
self.helper.log_info(
"Connector will not run. \
Next run in: {} seconds.".format(
str(round(new_interval, 2))
)
)
time.sleep(60)
except (KeyboardInterrupt, SystemExit):
self.helper.log_info("Connector stop")
exit(0)
except Exception as e:
self.helper.log_error(str(e))
time.sleep(60)
def stix_bundle(objs, mask=True):
objects = ()
for obj in objs:
oid = obj.object_id.object_id
dscr = ""
if not mask and hasattr(obj, "description"):
dscr = obj.description
if obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (a, )
elif obj.object_type.name == 'campaign':
c = stix2.Campaign(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
last_seen=obj.last_seen,
)
objects += (c, )
elif obj.object_type.name == 'course-of-action':
c = stix2.CourseOfAction(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (c, )
elif obj.object_type.name == 'identity':
name = obj.name
if mask:
name = oid
label = obj.labels.all()
if label.count() >= 1:
name = str(obj.id)
if label[0].alias:
name += '-' + label[0].alias
else:
name += '-' + label[0].value
i = stix2.Identity(
id=oid,
name=name,
identity_class=obj.identity_class,
description=dscr,
sectors=[str(s.value) for s in obj.sectors.all()],
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'indicator':
pattern = "[]"
if not mask and obj.pattern:
pattern = obj.pattern.pattern
i = stix2.Indicator(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
pattern=pattern,
created=obj.created,
modified=obj.modified,
valid_from=obj.valid_from,
valid_until=obj.valid_until,
)
objects += (i, )
elif obj.object_type.name == 'intrusion-set':
i = stix2.IntrusionSet(
id=oid,
name=obj.name,
description=dscr,
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
first_seen=obj.first_seen,
#last_seen=obj.last_seen,
)
objects += (i, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (m, )
elif obj.object_type.name == 'observed-data':
obs = {}
for o in obj.observable_objects.all():
ob = None
if o.type.name == "file":
f = FileObject.objects.get(id=o.id)
ob = stix2.File(name=f.name)
elif o.type.name == "ipv4-addr":
i = IPv4AddressObject.objects.get(id=o.id)
ob = stix2.IPv4Address(value=i.value)
elif o.type.name == "url":
u = URLObject.objects.get(id=o.id)
ob = stix2.URL(value=u.value)
elif o.type.name == "domain-name":
dn = DomainNameObject.objects.get(id=o.id)
ob = stix2.DomainName(value=dn.value)
if ob and not mask:
obs[str(o.id)] = json.loads(str(ob))
od = stix2.ObservedData(
id=oid,
created=obj.created,
modified=obj.modified,
first_observed=obj.first_observed,
last_observed=obj.last_observed,
number_observed=obj.number_observed,
objects=obs,
)
objects += (od, )
elif obj.object_type.name == 'report':
created_by = None
if obj.created_by_ref:
created_by = obj.created_by_ref.object_id
r = stix2.Report(
id=oid,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=dscr,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created_by_ref=created_by,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'tool':
t = stix2.Tool(
id=oid,
name=obj.name,
description=dscr,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
kill_chain_phases=stix2killchain(obj),
)
objects += (t, )
elif obj.object_type.name == 'vulnerability':
v = stix2.Vulnerability(
id=oid,
name=obj.name,
description=dscr,
created=obj.created,
modified=obj.modified,
)
objects += (v, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=oid,
relationship_type=obj.relationship_type.name,
description=dscr,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=oid,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id.object_id)
for w in obj.where_sighted_refs.all()
],
observed_data_refs=[
str(od.object_id.object_id)
for od in obj.observed_data_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
bundle = stix2.Bundle(*objects)
return bundle
identity = stix2.Identity(
id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111",
created="2015-05-10T16:27:17.760Z",
modified="2015-05-10T16:27:17.760Z",
name="Adversary Bravo",
description=
"Adversary Bravo is a threat actor that utilizes phishing attacks.",
identity_class="unknown")
init_comp = stix2.KillChainPhase(
kill_chain_name="mandiant-attack-lifecycle-model",
phase_name="initial-compromise")
malware = stix2.Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
created="2015-04-23T11:12:34.760Z",
modified="2015-04-23T11:12:34.760Z",
name="Poison Ivy Variant d1c6",
labels=["remote-access-trojan"],
kill_chain_phases=[init_comp])
ref = stix2.ExternalReference(
source_name="capec",
description="phishing",
url="https://capec.mitre.org/data/definitions/98.html",
external_id="CAPEC-98")
attack_pattern = stix2.AttackPattern(
id="attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
created="2015-05-07T14:22:14.760Z",
modified="2015-05-07T14:22:14.760Z",
name="Phishing",
description="Spear phishing used as a delivery mechanism for malware.",
def stix_bundle(objs, rel=True, sight=True):
objects = ()
ids = []
for o in objs:
if not o.object_id.id in ids:
ids.append(o.object_id.id)
if o.object_type.name == "report":
r = Report.objects.get(id=o.id)
for i in r.object_refs.all().values_list("id", flat=True):
if i in ids:
ids.append(i)
if rel:
rels = Relationship.objects.filter(
Q(source_ref=o.object_id)\
|Q(target_ref=o.object_id)\
)
lists = list(rels.values_list("object_id", flat=True)) + \
list(rels.values_list("source_ref", flat=True)) + \
list(rels.values_list("target_ref", flat=True))
for i in lists:
if not i in ids:
ids.append(i)
if sight:
sights = Sighting.objects.filter(
Q(where_sighted_refs=o.object_id)\
|Q(sighting_of_ref=o.object_id)\
)
lists = list(sights.values_list("object_id", flat=True)) + \
list(sights.values_list("sighting_of_ref", flat=True))
for i in lists:
if not i in ids:
ids += i
oids = STIXObjectID.objects.filter(id__in=ids)
for oid in oids:
obj = myforms.get_obj_from_id(oid)
if obj.object_type.name == 'identity':
i = stix2.Identity(
id=obj.object_id.object_id,
name=obj.name,
identity_class=obj.identity_class,
description=obj.description,
#sectors=[str(s.value) for s in obj.sectors.all()],
sectors=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'attack-pattern':
a = stix2.AttackPattern(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
created=obj.created,
modified=obj.modified,
)
objects += (a, )
elif obj.object_type.name == 'malware':
m = stix2.Malware(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
created=obj.created,
modified=obj.modified,
)
objects += (m, )
elif obj.object_type.name == 'indicator':
i = stix2.Indicator(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
pattern=[str(p.value) for p in obj.pattern.all()],
created=obj.created,
modified=obj.modified,
)
objects += (i, )
elif obj.object_type.name == 'threat-actor':
t = stix2.ThreatActor(
id=obj.object_id.object_id,
name=obj.name,
description=obj.description,
labels=[str(l.value) for l in obj.labels.all()],
aliases=[str(a.name) for a in obj.aliases.all()],
created=obj.created,
modified=obj.modified,
)
objects += (t, )
elif obj.object_type.name == 'relationship':
r = stix2.Relationship(
id=obj.object_id.object_id,
relationship_type=obj.relationship_type.name,
description=obj.description,
source_ref=obj.source_ref.object_id,
target_ref=obj.target_ref.object_id,
created=obj.created,
modified=obj.modified,
)
objects += (r, )
elif obj.object_type.name == 'sighting':
s = stix2.Sighting(
id=obj.object_id.object_id,
sighting_of_ref=obj.sighting_of_ref.object_id,
where_sighted_refs=[
str(w.object_id) for w in obj.where_sighted_refs.all()
],
first_seen=obj.first_seen,
last_seen=obj.last_seen,
created=obj.created,
modified=obj.modified,
)
objects += (s, )
elif obj.object_type.name == 'report':
r = stix2.Report(
id=obj.object_id.object_id,
labels=[str(l.value) for l in obj.labels.all()],
name=obj.name,
description=obj.description,
published=obj.published,
object_refs=[str(r.object_id) for r in obj.object_refs.all()],
created=obj.created,
modified=obj.modified,
)
objects += (r, )
bundle = stix2.Bundle(*objects)
return bundle
sectors=["technology"])
identityPym = stix2.Identity(
id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
created="2017-04-14T13:07:49.812Z",
modified="2017-04-14T13:07:49.812Z",
name="Pym Technologies",
identity_class="organization",
contact_information="*****@*****.**",
sectors=["technology"])
malware = stix2.Malware(
id="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
created_by_ref="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
name="Online Job Site Trojan",
description=
"Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
labels=["remote-access-trojan"])
observedDataFile = stix2.ObservedData(
id="observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
created="2017-02-28T19:37:11.213Z",
modified="2017-02-28T19:37:11.213Z",
first_observed="2017-02-27T21:37:11.213Z",
last_observed="2017-02-27T21:37:11.213Z",
number_observed=1,
created_by_ref="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
objects={
"0": {
VULNERABILITY_KWARGS = dict(type='vulnerability',
id=VULNERABILITY_ID,
name="Heartbleed",
created_by_ref=IDENTITY_ID)
if __name__ == '__main__':
attack_pattern = stix2.AttackPattern(**ATTACK_PATTERN_KWARGS,
interoperability=True)
campaign = stix2.Campaign(**CAMPAIGN_KWARGS, interoperability=True)
course_of_action = stix2.CourseOfAction(**COURSE_OF_ACTION_KWARGS,
interoperability=True)
identity = stix2.Identity(**IDENTITY_KWARGS, interoperability=True)
indicator = stix2.Indicator(**INDICATOR_KWARGS, interoperability=True)
intrusion_set = stix2.IntrusionSet(**INTRUSION_SET_KWARGS,
interoperability=True)
malware = stix2.Malware(**MALWARE_KWARGS, interoperability=True)
marking_definition = stix2.MarkingDefinition(**MARKING_DEFINITION_KWARGS,
interoperability=True)
observed_data = stix2.ObservedData(**OBSERVED_DATA_KWARGS,
interoperability=True)
relationship = stix2.Relationship(**RELATIONSHIP_KWARGS,
interoperability=True)
sighting = stix2.Sighting(**SIGHTING_KWARGS, interoperability=True)
threat_actor = stix2.ThreatActor(**THREAT_ACTOR_KWARGS,
interoperability=True)
tool = stix2.Tool(**TOOL_KWARGS) #, interoperability=True),
vulnerability = stix2.Vulnerability(**VULNERABILITY_KWARGS,
interoperability=True)
report = stix2.Report(**REPORT_KWARGS, interoperability=True)
bundle = stix2.Bundle(**BUNDLE_KWARGS,
interoperability=True,
def csvtostix(file_type, file_name):
count = 0
data = {}
labels = ""
maldesc = ''
malname = ''
tot_file_path = ''
url = []
domain = []
filename = []
ip = []
md5 = []
registry = []
email = []
indlist = []
rellist = []
sha1 = []
sha256 = []
m = datetime.datetime.now()
c = m.strftime("%Y-%m-%d %H:%M:%S.{}".format(str(m).split('.')[1][:3]) +
"Z")
m = m.strftime("%Y-%m-%d %H:%M:%S.{}".format(str(m).split('.')[1][:3]) +
"Z")
malware = stix2.Malware(created=c,
modified=m,
name=malname,
labels=labels,
description=maldesc)
try:
each_data = []
if file_type == "-f":
each_data = []
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
fields = csv_reader.next()
tab = -1
for i in fields:
#print(i)
samp = []
tab += 1
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
for lines in csv_reader:
if lines[tab].strip():
if lines[tab] not in fields:
samp.append(lines[tab].strip())
data[i] = samp
#print(data)
elif file_type == "-F":
each_data = []
indiv_data = []
if os.path.exists(file_name):
for eachfile in os.walk(file_name):
for each_file in eachfile[2]:
with open(file_name + '/' + each_file, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
fields = csv_reader.next()
tab = -1
for i in fields:
samp1 = []
tab += 1
with open(file_name, "r") as f:
csv_reader = csv.reader(f, delimiter=',')
for lines in csv_reader:
if lines[tab].strip():
if lines[tab] not in fields:
samp1.append(
lines[tab].strip())
data[i].extend(samp1)
else:
print(
"please enter a valid folder containing json files with valid folder path"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name"
)
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
print(
"Submit the folder, which does not contain any subfolders")
sys.exit()
else:
print(
"Please enter the command as -f (for file) or -F (for folder) followed by File name or Folder name with sapce"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
sys.exit()
#print(data)
if data:
domain = data.get("Domain", "")
filepath1 = data.get("FilePath", "")
sha1 = data.get("SHA1", "")
registry = data.get("RegistryPath", "")
filename = data.get("FileName", "")
url = data.get("URL", "")
ip = data.get("IPAddress", "")
filename1 = data.get("FileName", "")
#filename = filename1 + filepath1
filename = filename1
sha256 = data.get("SHA256", "")
md5 = data.get("MD5", "")
for each_ip in ip:
indicator = stix2.Indicator(created=c,
modified=m,
name='IP',
description=" ",
labels=["malicious-activity"],
pattern="[ipv4-addr:value = '" +
each_ip.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_url in url:
indicator = stix2.Indicator(
created=c,
modified=m,
name='url',
description=" ",
labels=["malicious-activity"],
pattern="[url:value = 'http://" +
each_url.split('//')[-1].split('/')[0].strip("'") + "'" +
"]",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_domain in domain:
indicator = stix2.Indicator(
created=c,
modified=m,
name='domain-name',
description=" ",
labels=["malicious-activity"],
pattern="[domain-name:value = '" +
each_domain.split('//')[-1].split('/')[0].strip("'") +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_filename in filename:
tot_file_path = ''
exact_name = each_filename.split('\\')
split_path_name = each_filename.split('\\')[0:-1]
if split_path_name:
for path in split_path_name:
tot_file_path = tot_file_path + '\\\\' + path
if len(exact_name) > 1:
indicator = stix2.Indicator(
created=c,
modified=m,
name='file',
description=" ",
labels=["malicious-activity"],
#pattern="[file:name = '" + each_filename.split('\\')[-1].strip("'") + "']",
pattern="[file:name = '" +
each_filename.split('\\')[-1].strip("'") +
"' AND file:parent_directory_ref.path = '" +
tot_file_path + "']",
valid_from=c)
else:
indicator = stix2.Indicator(created=c,
modified=m,
name='file',
description=" ",
labels=["malicious-activity"],
pattern="[file:name = '" +
each_filename.strip("'") +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_registry in registry:
each_registry = each_registry.replace("\\", "\\\\")
indicator = stix2.Indicator(
created=c,
modified=m,
name='win-registry-key',
description=" ",
labels=["malicious-activity"],
pattern="[windows-registry-key:key = '" + each_registry +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_md5 in md5:
each_md5 = re.sub(r'[^A-Za-z0-9]+', '', each_md5)
indicator = stix2.Indicator(created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = '" +
each_md5.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_sha1 in sha1:
each_sha1 = re.sub(r'[^A-Za-z0-9]+', '', each_sha1)
indicator = stix2.Indicator(
created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.'SHA-1' = '" + each_sha1.strip() +
"']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
for each_sha256 in sha256:
each_sha256 = re.sub(r'[^A-Za-z0-9]+', '', each_sha256)
indicator = stix2.Indicator(
created=c,
modified=m,
name='MD5',
description=" ",
labels=["malicious-activity"],
pattern="[file:hashes.'SHA-256' = '" +
each_sha256.strip() + "']",
valid_from=c)
if indicator not in indlist:
indlist.append(indicator)
print(len(indlist))
obj_range = int((len(indlist) / 50)) + 1
ind1 = 0
ind2 = 50
print(obj_range)
for num in range(obj_range):
new_list = []
if (ind2 - ind1) != 50:
new_list = indlist[ind1:]
else:
new_list = indlist[ind1:ind2]
for ind in new_list:
print(ind)
count += 1
val = 'relationship' + str(count)
val = stix2.Relationship(ind, 'indicates', malware)
rellist.append(val)
IOC = stix2.Bundle(objects=[malware] + rellist + new_list)
if IOC:
print(type(num))
print(num)
num = str(num)
if sys.argv[1].split("/")[-1]:
with open(
sys.argv[1].split("/")[-1].split(".")[0] +
'_' + str(int(num) + 1) + '.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
elif sys.argv[1].split("/")[-2]:
with open(
sys.argv[1].split("/")[-2].split(".")[0] +
'_' + str(int(num) + 1) + '+.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
else:
with open(
sys.argv[1].split("/")[0].split(".")[0] + '_' +
str(int(num) + 1) + '+.ioc', 'w') as fp:
fp.write(json.dumps(json.loads(str(IOC)),
indent=2))
fp.close()
else:
pass
ind1 = ind1 + 50
ind2 = ind2 + 50
rellist = []
else:
print(
"please enter a valid file/folder containing json files containing indicator data"
)
print(
"Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/"
)
except IOError as err:
print(
"please enter a valid folder containing csv files with valid folder path"
)
print("Usage : python csvtostix.py <-f>/<-F> file_name/folder_name")
print(" Example : python csvtostix.py -f APT34.csv")
print(
" Example : python csvtostix.py -F /home/user/Desktop/IOC_files/")
print("Submit the folder, which does not contain any subfolders")
except Exception as e:
print(traceback.format_exc())
print(e)
return
import stix2
indicator = stix2.Indicator(
id="indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
name="File hash for Poison Ivy variant",
description=
"This file hash indicates that a sample of Poison Ivy is present.",
labels=["malicious-activity"],
pattern=
"[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
valid_from="2014-02-20T09:00:00.000000Z")
malware = stix2.Malware(id="malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
created="2014-02-20T09:16:08.989Z",
modified="2014-02-20T09:16:08.989Z",
name="Poison Ivy",
labels=["remote-access-trojan"])
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])
