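def add_software(client,
                 attack: MemoryStore,
                 output_format: Text = "json") -> List[stix2.AttackPattern]:
    """
        extract objects/facts related to ATT&CK Software (STIX "tool" and "malware")
        Insert to ACT if client.baseurl is set, if not, print to stdout

    Args:
        client:                ACT client used to build the facts
        attack (stix2):        Stix attack instance (MemoryStore)
        output_format (Text):  passed through to handle_fact

    Returns:
        The software objects that are revoked or deprecated, so the caller can
        notify about them. Note: the objects returned are the tool/malware STIX
        objects, not AttackPattern as the annotation suggests.
    """

    notify = []

    for software in attack.query([Filter("type", "in", ["tool", "malware"])]):
        tool_name = software.name.lower()

        if getattr(software, "revoked", None):
            # Object is revoked: add to the notification list but emit no facts.
            # Checked before the category fact so a revoked tool does not leak
            # into the platform (same ordering as add_groups).
            notify.append(software)
            continue

        if getattr(software, "x_mitre_deprecated", None):
            # Object is deprecated: add to the notification list AND continue
            # to add facts to the platform
            notify.append(software)

        # Tool category (tool / malware)
        handle_fact(client.fact("category",
                                software.type).source("tool", tool_name),
                    output_format=output_format)

        for alias in getattr(software, "x_mitre_aliases", []):
            alias_name = alias.lower()
            if alias_name == tool_name:
                continue

            # Tool category (alias)
            handle_fact(client.fact("category", software.type).source(
                "tool", alias_name),
                        output_format=output_format)
            handle_fact(client.fact("alias").bidirectional(
                "tool", tool_name, "tool", alias_name),
                        output_format=output_format)

        #   ATT&CK concept   STIX Properties
        #   ==========================================================================
        #   Techniques       relationship where relationship_type == "uses", points to
        #                    a target object with type == "attack-pattern"

        for technique in attack.related_to(software, relationship_type="uses"):
            if technique.type != "attack-pattern":
                continue

            handle_fact(client.fact("implements").source(
                "tool", tool_name).destination("technique", technique.name),
                        output_format=output_format)

    return notify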
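def add_groups(client,
               attack: MemoryStore,
               output_format: Text = "json") -> List[stix2.AttackPattern]:
    """
        extract objects/facts related to ATT&CK Groups (STIX "intrusion-set")

    Args:
        client:                ACT client used to build the facts
        attack (stix2):        Stix attack instance (MemoryStore)
        output_format (Text):  passed through to handle_fact

    Returns:
        The group objects that are revoked or deprecated, so the caller can
        notify about them. Note: the objects returned are the intrusion-set
        STIX objects, not AttackPattern as the annotation suggests.
    """

    notify = []

    # ATT&CK concept    STIX Object type        ACT object
    # =========================================================
    # Group             intrusion-set           threatActor
    #
    # Filter out ATT&CK groups (intrusion-set) from bundle

    for group in attack.query([Filter("type", "=", "intrusion-set")]):
        if getattr(group, "revoked", None):
            # Object is revoked: add to the notification list but emit no facts
            notify.append(group)
            continue

        if getattr(group, "x_mitre_deprecated", None):
            # Object is deprecated: add to the notification list AND continue
            # to add facts to the platform
            notify.append(group)

        for alias in getattr(group, "aliases", []):
            if group.name != alias:
                handle_fact(client.fact("alias").bidirectional(
                    "threatActor", group.name, "threatActor", alias),
                            output_format=output_format)

        # Query the "uses" relationships once and split by target type instead
        # of querying the store twice. Facts are still emitted software first,
        # then techniques, so the output order is unchanged.
        used = list(attack.related_to(group, relationship_type="uses"))
        tools = [obj for obj in used if obj.type in ("malware", "tool")]
        techniques = [obj for obj in used if obj.type == "attack-pattern"]

        #   ATT&CK concept   STIX Properties
        #   ==========================================================================
        #   Software         relationship where relationship_type == "uses",
        #                    points to a target object with type == "malware" or "tool"

        for tool in tools:
            # content -> tool -> event -> incident -> threatActor, with
            # placeholder ("*") objects for the unknown links
            chain = act.api.fact.fact_chain(
                client.fact("classifiedAs").source("content", "*").destination(
                    "tool", tool.name.lower()),
                client.fact("observedIn").source("content", "*").destination(
                    "event", "*"),
                client.fact("attributedTo").source("event", "*").destination(
                    "incident", "*"),
                client.fact("attributedTo").source(
                    "incident", "*").destination("threatActor", group.name))

            for fact in chain:
                handle_fact(fact, output_format=output_format)

        #   ATT&CK concept   STIX Properties
        #   ==========================================================================
        #   Techniques       relationship where relationship_type == "uses", points to
        #                    a target object with type == "attack-pattern"

        for technique in techniques:
            # event -> technique -> incident -> threatActor, with placeholder
            # ("*") objects for the unknown links
            chain = act.api.fact.fact_chain(
                client.fact("classifiedAs").source("event", "*").destination(
                    "technique", technique.name),
                client.fact("attributedTo").source("event", "*").destination(
                    "incident", "*"),
                client.fact("attributedTo").source(
                    "incident", "*").destination("threatActor", group.name))

            for fact in chain:
                handle_fact(fact, output_format=output_format)

    return notify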