def add_software(client, attack: MemoryStore, output_format: Text = "json") -> List[stix2.AttackPattern]:
    """
    Emit ACT facts for ATT&CK Software objects (STIX "tool" and "malware").

    Each software object yields a "category" fact. Objects that are not
    revoked additionally yield a "category" and an "alias" fact per
    x_mitre_alias that differs from the name, plus one "implements" fact
    for every "uses" relationship whose target is an attack-pattern. All
    facts pass through handle_fact(), which (per the original docstring)
    inserts into ACT when client.baseurl is set and otherwise prints in
    *output_format*.

    Values are copied straight from the STIX bundle into fact values;
    nothing is validated or normalised here beyond lower-casing tool names,
    so any checking has to happen in handle_fact()/the client.

    Args:
        client: ACT API client used to build facts
        attack (MemoryStore): STIX store holding the ATT&CK bundle
        output_format (Text): forwarded to handle_fact()

    Returns:
        Software objects flagged "revoked" or "x_mitre_deprecated", for the
        caller to notify about. (The return annotation names AttackPattern;
        the elements are actually the tool/malware objects.)
    """

    def emit(fact):
        handle_fact(fact, output_format=output_format)

    notify = []
    software_filter = Filter("type", "in", ["tool", "malware"])

    for software in attack.query([software_filter]):
        name = software.name.lower()

        # The category fact is emitted before the revoked check, as in the
        # original. NOTE(review): add_groups checks "revoked" first; confirm
        # whether revoked software should still receive a "category" fact.
        emit(client.fact("category", software.type).source("tool", name))

        if getattr(software, "revoked", None):
            # Revoked: report it and emit nothing further for this object.
            notify.append(software)
            continue

        if getattr(software, "x_mitre_deprecated", None):
            # Deprecated (not revoked): report it, but keep emitting facts.
            notify.append(software)

        # An alias identical to the name carries no information; skip it.
        aliases = [alias.lower() for alias in getattr(software, "x_mitre_aliases", [])]
        for alias in aliases:
            if alias == name:
                continue
            emit(client.fact("category", software.type).source("tool", alias))
            emit(client.fact("alias").bidirectional("tool", name, "tool", alias))

        # "uses" relationships targeting an attack-pattern become
        # tool --implements--> technique facts.
        techniques = (
            related
            for related in attack.related_to(software, relationship_type="uses")
            if related.type == "attack-pattern"
        )
        for technique in techniques:
            implements = client.fact("implements")
            emit(implements.source("tool", name).destination("technique", technique.name))

    return notify
def add_groups(client, attack: MemoryStore, output_format: Text = "json") -> List[stix2.AttackPattern]:
    """
    Emit ACT facts for ATT&CK Groups (STIX "intrusion-set" -> ACT threatActor).

    For every non-revoked group this emits an "alias" fact per alias that
    differs from the group name, then one fact chain per "uses" relationship
    pointing at a tool/malware (content -> tool, content -> event, event ->
    incident, incident -> threatActor) and one per "uses" relationship
    pointing at an attack-pattern (event -> technique, event -> incident,
    incident -> threatActor). Chain facts are built with
    act.api.fact.fact_chain() and use "*" placeholder values for the
    content/event/incident objects.

    Group and alias names are taken verbatim from the STIX bundle (no
    lower-casing, no validation); tool names are lower-cased as in
    add_software.

    Args:
        client: ACT API client used to build facts
        attack (MemoryStore): STIX store holding the ATT&CK bundle
        output_format (Text): forwarded to handle_fact()

    Returns:
        Group objects flagged "revoked" or "x_mitre_deprecated", for the
        caller to notify about. (The return annotation names AttackPattern;
        the elements are actually the intrusion-set objects.)
    """

    def emit(fact):
        handle_fact(fact, output_format=output_format)

    def emit_chain(*facts):
        # fact_chain() links the given facts through their "*" placeholders.
        for linked in act.api.fact.fact_chain(*facts):
            emit(linked)

    notify = []

    for group in attack.query([Filter("type", "=", "intrusion-set")]):
        actor = group.name

        if getattr(group, "revoked", None):
            # Revoked: report it and emit nothing for this group.
            notify.append(group)
            continue

        if getattr(group, "x_mitre_deprecated", None):
            # Deprecated (not revoked): report it, but keep emitting facts.
            notify.append(group)

        for alias in getattr(group, "aliases", []):
            if alias == actor:
                continue
            emit(client.fact("alias").bidirectional("threatActor", actor, "threatActor", alias))

        # Software the group uses: tool/malware targets of "uses".
        for tool in attack.related_to(group, relationship_type="uses"):
            if tool.type not in ("malware", "tool"):
                continue
            emit_chain(
                client.fact("classifiedAs").source("content", "*").destination("tool", tool.name.lower()),
                client.fact("observedIn").source("content", "*").destination("event", "*"),
                client.fact("attributedTo").source("event", "*").destination("incident", "*"),
                client.fact("attributedTo").source("incident", "*").destination("threatActor", actor),
            )

        # Techniques the group uses: attack-pattern targets of "uses".
        # related_to() is queried again rather than reused so the call
        # pattern matches the original exactly.
        for technique in attack.related_to(group, relationship_type="uses"):
            if technique.type != "attack-pattern":
                continue
            emit_chain(
                client.fact("classifiedAs").source("event", "*").destination("technique", technique.name),
                client.fact("attributedTo").source("event", "*").destination("incident", "*"),
                client.fact("attributedTo").source("incident", "*").destination("threatActor", actor),
            )

    return notify