Exemplo n.º 1
0
 def test_campaign(self):
     c = Campaign()
     c.title = UNICODE_STR
     c.description = UNICODE_STR
     c.short_description = UNICODE_STR
     c2 = round_trip(c)
     self._test_equal(c, c2)
Exemplo n.º 2
0
def main():
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)

    print(pkg.to_xml(encoding=None))
Exemplo n.º 3
0
def main():
    # Build Campaign instances
    camp1 = Campaign(title='Campaign 1')
    camp2 = Campaign(title='Campaign 2')

    # Build a CampaignRef object, setting the `idref` to the `id_` value of
    # our `camp2` Campaign object.
    campaign_ref = CampaignRef(idref=camp2.id_)

    # Build an Indicator object.
    i = Indicator()

    # Add CampaignRef object pointing to `camp2`.
    i.add_related_campaign(campaign_ref)

    # Add Campaign object, which gets promoted into an instance of
    # CampaignRef type internally. Only the `idref` is set.
    i.add_related_campaign(camp1)

    # Build our STIX Package and attach our Indicator and Campaign objects.
    package = STIXPackage()
    package.add_indicator(i)
    package.add_campaign(camp1)
    package.add_campaign(camp2)

    # Print!
    print package.to_xml()
def main():
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)

    print pkg.to_xml()
Exemplo n.º 5
0
 def test_campaign(self):
     c = Campaign()
     c.title = UNICODE_STR
     c.description = UNICODE_STR
     c.short_description = UNICODE_STR
     c2 = round_trip(c)
     self._test_equal(c, c2)
def main():
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
    c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
    c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))

    pkg = STIXPackage()
    pkg.add_campaign(c)

    print pkg.to_xml()
def main():

    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())
Exemplo n.º 8
0
    def test_add_campaign(self):
        from stix.campaign import Campaign

        l = RelatedCampaignRefs()
        l.append(Campaign())

        self.assertEqual(1, len(l))
Exemplo n.º 9
0
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.id
        return_obj.idref = obj.idref
        return_obj.timestamp = obj.timestamp
        return_obj.stix_header = STIXHeader.from_obj(obj.STIX_Header)
        return_obj.related_packages = RelatedPackages.from_obj(obj.Related_Packages)

        if obj.version:
            return_obj.version = obj.version
        if obj.Campaigns:
            return_obj.campaigns = [Campaign.from_obj(x) for x in obj.Campaigns.Campaign]
        if obj.Courses_Of_Action:
            return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.Courses_Of_Action.Course_Of_Action]
        if obj.Exploit_Targets:
            return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.Exploit_Targets.Exploit_Target]
        if obj.Indicators:
            return_obj.indicators = [Indicator.from_obj(x) for x in obj.Indicators.Indicator]
        if obj.Observables:
            return_obj.observables = Observables.from_obj(obj.Observables)
        if obj.Incidents:
            return_obj.incidents = [Incident.from_obj(x) for x in obj.Incidents.Incident]
        if obj.Threat_Actors:
            return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.Threat_Actors.Threat_Actor]
        if obj.TTPs:
            return_obj.ttps = TTPs.from_obj(obj.TTPs)
            
        return return_obj
Exemplo n.º 10
0
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(obj.get_Related_Packages())

        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [Campaign.from_obj(x) for x in obj.get_Campaigns().get_Campaign()]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [CourseOfAction.from_obj(x) for x in obj.get_Courses_Of_Action().get_Course_Of_Action()]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [ExploitTarget.from_obj(x) for x in obj.get_Exploit_Targets().get_Exploit_Target()]
        if obj.get_Indicators():
            return_obj.indicators = [Indicator.from_obj(x) for x in obj.get_Indicators().get_Indicator()]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [Incident.from_obj(x) for x in obj.get_Incidents().get_Incident()]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [ThreatActor.from_obj(x) for x in obj.get_Threat_Actors().get_Threat_Actor()]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())
            
        return return_obj
Exemplo n.º 11
0
def campaign_details(stix_id):
   print(" get campaign detail for stix_id {0}".format(stix_id) )
   
   camp_dict = stixExtractIntf.get_campaign_detail(stix_id)
   camp_doc = Campaign.from_dict(camp_dict)
   threat_actors = stixExtractIntf.get_campaign_threat_actors(stix_id)
   ttps = stixExtractIntf.get_campaign_ttps(stix_id)
   return render_template("campaign_detail.html", stix_id = stix_id, camp_dict = camp_dict, camp_doc = camp_doc, threat_actors = threat_actors, ttps = ttps )
Exemplo n.º 12
0
def convert_campaign(c20):
    c1x = Campaign(id_=convert_id20(c20["id"]),
                   timestamp=text_type(c20["modified"]))
    if "name" in c20:
        c1x.title = c20["name"]
    if "description" in c20:
        c1x.add_description(c20["description"])
    if "labels" in c20:
        for l in c20["labels"]:
            add_missing_property_to_description(c1x, "label", l)
    names = Names()
    if "aliases" in c20:
        for a in c20["aliases"]:
            names.name.append(VocabString(a))
    if names:
        c1x.names = names
    if "first_seen" in c20:
        add_missing_property_to_description(c1x, "first_seen",
                                            text_type(c20["first_seen"]))
    if "last_seen" in c20:
        add_missing_property_to_description(c1x, "last_seen",
                                            text_type(c20["last_seen"]))
    if "objective" in c20:
        c1x.intended_effects = [Statement(description=c20["objective"])]
    if "object_marking_refs" in c20:
        for m_id in c20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(c1x, ms, descendants=True)
    if "granular_markings" in c20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, c20["id"])
    record_id_object_mapping(c20["id"], c1x)
    return c1x
Exemplo n.º 13
0
def get_all_stix_campaigns( ):
    camps = []
    camp_docs = extract.get_campaigns_simple()
    # camp_docs = db.campaigns.find({"status":CampaignStatus.TERM_ONGOING})
    # get = dict_repr.get  
    for c in camp_docs: 
        #camp_status = VocabString.from_dict(c.get('status'))
        camps.append(Campaign.from_dict(c))
    return camps
Exemplo n.º 14
0
def buildCampaign(input_dict):
    campaign = Campaign()
    campaign.title = input_dict['title']
    campaign.description = input_dict['description']
    if input_dict['intendedEffect']:
        campaign.add_intended_effect(input_dict['intendedEffect'])
    if input_dict['names']:
        campaign.names = Names(input_dict['names'])
    if input_dict['status']:
        campaign.status = input_dict['status']
    if input_dict['confidence']:
        campaign.confidence = Confidence(input_dict['confidence'])
    if input_dict['informationSource']:
        campaign.information_source = InformationSource(input_dict['informationSource'])

    return campaign
Exemplo n.º 15
0
def convert_report(r20):
    r1x = Report(id_=convert_id20(r20["id"]),
                 timestamp=text_type(r20["modified"]))
    r1x.header = Header()
    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])
    intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
                                                       REPORT_LABELS_MAP)
    for i in intents:
        r1x.header.add_intent(i)
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published",
                                            r20["published"])
    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type == "attack-pattern":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "campaign":
            r1x.add_campaign(Campaign(idref=ref1x))
        elif ref_type == 'course-of-action':
            r1x.add_course_of_action(CourseOfAction(idref=ref1x))
        elif ref_type == "indicator":
            r1x.add_indicator(Indicator(idref=ref1x))
        elif ref_type == "observed-data":
            r1x.add_observable(Observable(idref=ref1x))
        elif ref_type == "malware":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "threat-actor":
            r1x.add_threat_actor(ThreatActor(idref=ref1x))
        elif ref_type == "tool":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "vulnerability":
            r1x.add_exploit_target(ExploitTarget(idref=ref1x))
        elif ref_type == "identity" or ref_type == "relationship":
            warn("%s in %s is not explicitly a member of a STIX 1.x report",
                 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x", 612, ref,
                 r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])
    if "object_marking_refs" in r20:
        for m_id in r20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(r1x, ms, descendants=True)
    if "granular_markings" in r20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, r20["id"])
    return r1x
def main():
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    c.related_incidents.append(
        Incident(
            idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
    c.related_incidents.append(
        Incident(
            idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
    c.related_incidents.append(
        Incident(
            idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))

    pkg = STIXPackage()
    pkg.add_campaign(c)

    print(pkg.to_xml(encoding=None))
Exemplo n.º 17
0
    def from_obj(cls, obj, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = obj.get_id()
        return_obj.idref = obj.get_idref()
        return_obj.timestamp = obj.get_timestamp()
        return_obj.stix_header = STIXHeader.from_obj(obj.get_STIX_Header())
        return_obj.related_packages = RelatedPackages.from_obj(
            obj.get_Related_Packages())

        if obj.get_version():
            return_obj.version = obj.get_version()
        if obj.get_Campaigns():
            return_obj.campaigns = [
                Campaign.from_obj(x)
                for x in obj.get_Campaigns().get_Campaign()
            ]
        if obj.get_Courses_Of_Action():
            return_obj.courses_of_action = [
                CourseOfAction.from_obj(x)
                for x in obj.get_Courses_Of_Action().get_Course_Of_Action()
            ]
        if obj.get_Exploit_Targets():
            return_obj.exploit_targets = [
                ExploitTarget.from_obj(x)
                for x in obj.get_Exploit_Targets().get_Exploit_Target()
            ]
        if obj.get_Indicators():
            return_obj.indicators = [
                Indicator.from_obj(x)
                for x in obj.get_Indicators().get_Indicator()
            ]
        if obj.get_Observables():
            return_obj.observables = Observables.from_obj(
                obj.get_Observables())
        if obj.get_Incidents():
            return_obj.incidents = [
                Incident.from_obj(x)
                for x in obj.get_Incidents().get_Incident()
            ]
        if obj.get_Threat_Actors():
            return_obj.threat_actors = [
                ThreatActor.from_obj(x)
                for x in obj.get_Threat_Actors().get_Threat_Actor()
            ]
        if obj.get_TTPs():
            return_obj.ttps = TTPs.from_obj(obj.get_TTPs())

        return return_obj
def main():
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"

    c = Campaign()
    c.attribution.append(actor)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)

    print pkg.to_xml()
Exemplo n.º 19
0
    def from_dict(cls, dict_repr, return_obj=None):
        if not return_obj:
            return_obj = cls()

        return_obj.id_ = dict_repr.get('id', None)
        return_obj.idref = dict_repr.get('idref', None)
        return_obj.timestamp = dict_repr.get('timestamp')
        return_obj.version = dict_repr.get('version', cls._version)
        return_obj.stix_header = STIXHeader.from_dict(dict_repr.get('stix_header', None))
        return_obj.campaigns = [Campaign.from_dict(x) for x in dict_repr.get('campaigns', [])]
        return_obj.courses_of_action = [CourseOfAction.from_dict(x) for x in dict_repr.get('courses_of_action', [])]
        return_obj.exploit_targets = [ExploitTarget.from_dict(x) for x in dict_repr.get('exploit_targets', [])]
        return_obj.indicators = [Indicator.from_dict(x) for x in dict_repr.get('indicators', [])]
        return_obj.observables = Observables.from_dict(dict_repr.get('observables'))
        return_obj.incidents = [Incident.from_dict(x) for x in dict_repr.get('incidents', [])]
        return_obj.threat_actors = [ThreatActor.from_dict(x) for x in dict_repr.get('threat_actors', [])]
        return_obj.ttps = TTPs.from_dict(dict_repr.get('ttps'))
        return_obj.related_packages = RelatedPackages.from_dict(dict_repr.get('related_packages'))
        
        return return_obj
def main():
    package = STIXPackage()

    # Create the indicator
    indicator = Indicator(title="IP Address for known C2 Channel")
    indicator.add_indicator_type("IP Watchlist")
    address = Address(category="ipv4-addr")
    address.address_value = "10.0.0.0"
    address.address_value.condition = "Equals"
    indicator.observable = address
    package.add_indicator(indicator)

    # Create the campaign
    campaign = Campaign(title="Operation Omega")
    package.add_campaign(campaign)

    # Link the campaign to the indicator
    campaign.related_indicators.append(
        RelatedIndicator(item=Indicator(idref=indicator.id_)))

    print package.to_xml()
def main():
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()

    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)

    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()

    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")

    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)

    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression

    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"

    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)

    pkg1.add_indicator(ind)

    print pkg1.to_xml()

#  USE CASE: Indicator with partial matching

    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."

    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        # add network network connection to this indicator
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)

        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

        watchlistind.composite_indicator_expression.append(new_ind)

    pkg2.add_indicator(watchlistind)

    print pkg2.to_xml()

    #  USE CASE: Indicator with compound detection

    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
    # Create composite expression
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
    watchlistind2.composite_indicator_expression.operator = "OR"

    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"
    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)

    pkg3.add_indicator(watchlistind2)

    print pkg3.to_xml()
Exemplo n.º 22
0
def create_campaign(title=None, description=None):
    campaign = Campaign()
    campaign.title = title
    campaign.add_description(description)
    return campaign
Exemplo n.º 23
0
 def test_campaign_idref_deprecation(self):
     package = core.STIXPackage()
     package.add(Campaign(idref='test-idref-dep'))
Exemplo n.º 24
0
from stix.campaign import Activity, Attribution, Campaign, Names
from stix.campaign import AssociatedCampaigns as CAssociatedCampaigns
from stix.common.vocabs import IntendedEffect, CampaignStatus, HighMediumLow
from stix.core import STIXPackage
from stix.incident import Incident, Time
from stix.threat_actor import ThreatActor
from stix.threat_actor import AssociatedCampaigns as TAssociatedCampaigns
from stix.ttp import TTP
from stix.common.related import RelatedTTP, RelatedIncident, RelatedIndicator, RelatedCampaign
from stix.indicator import Indicator, RelatedCampaignRef
from cybox.objects.address_object import Address
from faker import Faker
from stix.common import CampaignRef

# Basics
campaign = Campaign(title='Compromise Machines')
campaign.description = 'Vestibulum id ligula porta felis euismod semper. Cras mattis consectetur purus sit amet fermentum.'
campaign.short_description = 'Mattis Ipsum Ultricies Quam Malesuada'

# Attributes
names = Names()
names.name = ['Operation Sparky', 'Operation Dingo']
campaign.names = names
activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')

# Related TTP (basic; by id)
def main():
    # NOTE: ID values will differ due to being regenerated on each script execution
    pkg1 = STIXPackage()
    pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"

    # USE CASE: Indicator with aggregate pattern

    # Add TTP for malware usage
    malware_ttp = TTP()
    malware_ttp.behavior = Behavior()

    malware = MalwareInstance()
    malware.title = "foobar malware"
    malware.add_type("Remote Access Trojan")
    malware_ttp.behavior.add_malware_instance(malware)

    c2_ttp = TTP()
    c2_ttp.resources = Resource()
    c2_ttp.resources.infrastructure = Infrastructure()
    c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))

    pkg1.add_ttp(c2_ttp)
    pkg1.add_ttp(malware_ttp)

    nw_ind = Indicator()
    nw_ind.description = "Indicator for a particular C2 infstructure IP address."
    # add network network connection to this indicator
    obs = NetworkConnection()
    sock = SocketAddress()
    sock.ip_address = "46.123.99.25"
    sock.ip_address.category = "ipv4-addr"
    sock.ip_address.condition = "Equals"
    obs.destination_socket_address = sock
    nw_ind.add_observable(obs)

    nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # create File Hash indicator w/ embedded Observable
    file_ind = Indicator()

    file_ind.description = "Indicator for the hash of the foobar malware."
    file_ind.add_indicator_type("File Hash Watchlist")

    file_obs = File()
    file_obs.add_hash("01234567890abcdef01234567890abcdef")
    file_obs.hashes[0].type_ = "MD5"
    file_obs.hashes[0].type_.condition = "Equals"
    file_ind.add_observable(file_obs)

    # create references
    file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))

    # create container indicator
    ind = Indicator()
    ind.add_indicator_type(VocabString("Campaign Characteristics"))
    ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."

    # Add campaign with related
    camp = Campaign()
    camp.title = "holy grail"
    pkg1.add_campaign(camp)
    camp.related_ttps.append(TTP(idref=c2_ttp.id_))
    camp.related_ttps.append(TTP(idref=malware_ttp.id_))

    # Add threat actor
    ta = ThreatActor()
    ta.identity = Identity()
    ta.identity.name = "boobear"
    ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
    pkg1.add_threat_actor(ta)

    # Create composite expression

    ind.composite_indicator_expression = CompositeIndicatorExpression()
    ind.composite_indicator_expression.operator = "AND"

    ind.composite_indicator_expression.append(file_ind)
    ind.composite_indicator_expression.append(nw_ind)

    pkg1.add_indicator(ind)

    print pkg1.to_xml()

    #  USE CASE: Indicator with partial matching

    pkg2 = STIXPackage()
    pkg2.title = "Example of Indicator Composition for a one of many indicator composition"

    # create container indicator
    watchlistind = Indicator()
    watchlistind.add_indicator_type("IP Watchlist")
    watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."

    watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

    # Create composite expression
    watchlistind.composite_indicator_expression = CompositeIndicatorExpression(
    )
    watchlistind.composite_indicator_expression.operator = "OR"

    ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
    for ip in ips:
        new_ind = Indicator()
        new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
        # add network network connection to this indicator
        obs = Address()
        obs.address_value = ip
        obs.address_value.condition = "Equals"
        new_ind.add_observable(obs)

        new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))

        watchlistind.composite_indicator_expression.append(new_ind)

    pkg2.add_indicator(watchlistind)

    print pkg2.to_xml()

    #  USE CASE: Indicator with compound detection

    pkg3 = STIXPackage()
    pkg3.title = "Example of Indicator Composition for compound detection"

    # create container indicator
    watchlistind2 = Indicator()
    watchlistind2.add_indicator_type("IP Watchlist")
    watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
    # Create composite expression
    watchlistind2.composite_indicator_expression = CompositeIndicatorExpression(
    )
    watchlistind2.composite_indicator_expression.operator = "OR"

    watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
    watchlistind2.confidence = "High"

    nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
    nw_ind.confidence = "Low"
    nw_ind.indicator_types = ["C2"]
    file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
    file_ind.confidence = "Low"
    watchlistind2.composite_indicator_expression.append(nw_ind)
    watchlistind2.composite_indicator_expression.append(file_ind)

    pkg3.add_indicator(watchlistind2)

    print pkg3.to_xml()
Exemplo n.º 26
0
def add_campaign_item(campaign_id_item, pkg):
    campaign = Campaign()
    campaign.names = Names()
    campaign.names.append(VocabString(campaign_id_item))
    pkg.add_campaign(campaign)