def main():
    ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')

    stix_package = STIXPackage()

    ttp = TTP()
    malware_instance = MalwareInstance()
    malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']

    ttp = TTP(title="Zeus")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")

    tm = OpenIOCTestMechanism()
    tm.ioc = ioc
    tm.producer = InformationSource(identity=Identity(name="Mandiant"))
    time = Time()
    time.produced_time = "0001-01-01T00:00:00"
    tm.producer.time = time
    tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
    indicator.test_mechanisms = TestMechanisms([tm])
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
Exemplo n.º 2
0
 def test_ttp(self):
     t = TTP()
     t.title = UNICODE_STR
     t.description = UNICODE_STR
     t.short_description = UNICODE_STR
     t2 = round_trip(t)
     self._test_equal(t, t2)
Exemplo n.º 3
0
def main():

    data = json.load(open("data.json"))

    stix_package = STIXPackage(stix_header=STIXHeader(
        title=data['title'], package_intents='Incident'))

    ttps = {}

    for info in data['ips']:
        if info['bot'] not in ttps:
            ttps[info['bot']] = TTP(title=info['bot'])
            stix_package.add_ttp(ttps[info['bot']])

        incident = Incident(title=info['ip'])
        incident.time = Time()
        incident.time.first_malicious_action = info['first_seen']

        addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
        observable = Observable(item=addr)
        stix_package.add_observable(observable)

        related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
                                 relationship="Used Malware")
        incident.leveraged_ttps.append(related_ttp)

        related_observable = RelatedObservable(
            Observable(idref=observable.id_))
        incident.related_observables.append(related_observable)

        stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
def main():
    stix_package = STIXPackage()
    ttp_phishing = TTP(title="Phishing")

    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = ("Phishing")

    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")

    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")

    related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_), relationship="Leverages Attack Pattern")
    ta_bravo.observed_ttps.append(related_ttp_phishing)

    related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_), relationship="Leverages Malware")
    ta_bravo.observed_ttps.append(related_ttp_pivy)

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)

    print(stix_package.to_xml(encoding=None))
Exemplo n.º 5
0
def convert_tool(tool20):
    tool1x = ToolInformation()
    if "name" in tool20:
        tool1x.title = tool20["name"]
    if "description" in tool20:
        tool1x.description = tool20["description"]
    if "tool_version" in tool20:
        tool1x.version = tool20["tool_version"]
    if "labels" in tool20:
        warn(
            "labels not representable in a STIX 1.x ToolInformation.  Found in %s",
            502, tool20["id"])
        # bug in python_stix prevents using next line of code
        # tool1x.type_ = convert_open_vocabs_to_controlled_vocabs(tool20["labels"], TOOL_LABELS_MAP)
    ttp = TTP(id_=convert_id20(tool20["id"]),
              timestamp=text_type(tool20["modified"]))
    if not ttp.resources:
        ttp.resources = Resource()
    if not ttp.resources.tools:
        ttp.resources.tools = Tools()
    ttp.resources.tools.append(tool1x)
    if "kill_chain_phases" in tool20:
        process_kill_chain_phases(tool20["kill_chain_phases"], ttp)
    if "object_marking_refs" in tool20:
        for m_id in tool20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in tool20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, tool20["id"])
    record_id_object_mapping(tool20["id"], ttp)
    return ttp
Exemplo n.º 6
0
def convert_attack_pattern(ap20):
    ap1x = AttackPattern()
    if "name" in ap20:
        ap1x.title = ap20["name"]
    if "description" in ap20:
        ap1x.add_description(ap20["description"])
    if "labels" in ap20:
        for l in ap20["labels"]:
            add_missing_property_to_description(ap1x, "label", l)
    if "external_references" in ap20:
        ap1x.capec_id = extract_external_id("capec",
                                            ap20["external_references"])
    ttp = TTP(id_=convert_id20(ap20["id"]),
              timestamp=text_type(ap20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(ap1x)
    if "kill_chain_phases" in ap20:
        process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    if "object_marking_refs" in ap20:
        for m_id in ap20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in ap20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ap20["id"])
    # if "kill_chain_phases" in ap20:
    #     process_kill_chain_phases(ap20["kill_chain_phases"], ttp)
    record_id_object_mapping(ap20["id"], ttp)
    return ttp
def main():
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting.add_targeted_information("Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)

    print pkg.to_xml()
def main():

    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())
def main():
    stix_package = STIXPackage()
    
    addr1 = Observable(Address(address_value="198.51.100.2", category=Address.CAT_IPV4))
    addr2 = Observable(Address(address_value="198.51.100.17", category=Address.CAT_IPV4))
    addr3 = Observable(Address(address_value="203.0.113.19", category=Address.CAT_IPV4))
    
    stix_package.add_observable(addr1)
    stix_package.add_observable(addr2)
    stix_package.add_observable(addr3)
    
    obs_addr1 = Observable()
    obs_addr2 = Observable()
    obs_addr3 = Observable()
    
    obs_addr1.id_ = None
    obs_addr2.id_ = None
    obs_addr3.id_ = None
    
    obs_addr1.idref = addr1.id_
    obs_addr2.idref = addr2.id_
    obs_addr3.idref = addr3.id_
    
    infrastructure = Infrastructure()
    infrastructure.observable_characterization = Observables([obs_addr1, obs_addr2, obs_addr3])
    
    resource = Resource()
    resource.infrastructure = infrastructure
    
    ttp = TTP(title="Malware C2 Channel")
    ttp.resources = resource
    
    stix_package.add_ttp(ttp)
    print stix_package.to_xml()
def main():
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.incident import Incident
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"
    attrib = Attribution()
    attrib.append(actor)

    c = Campaign()
    c.attribution = []
    c.attribution.append(attrib)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    c.related_incidents.append(Incident(idref="example:incident-229ab6ba-0eb2-415b-bdf2-079e6b42f51e"))
    c.related_incidents.append(Incident(idref="example:incident-517cf274-038d-4ed4-a3ec-3ac18ad9db8a"))
    c.related_incidents.append(Incident(idref="example:incident-7d8cf96f-91cb-42d0-a1e0-bfa38ea08621"))

    pkg = STIXPackage()
    pkg.add_campaign(c)

    print pkg.to_xml()
Exemplo n.º 11
0
def resolveAttributes(incident, ttps, attributes):
    for attribute in attributes:
        if attribute["type"] in not_implemented_attributes:
            addJournalEntry(
                incident,
                "!Not implemented attribute category/type combination caught! attribute["
                + attribute["category"]
                + "]["
                + attribute["type"]
                + "]: "
                + attribute["value"],
            )
        elif attribute["type"] in non_indicator_attributes:
            # types that will definitely not become indicators
            handleNonIndicatorAttribute(incident, ttps, attribute)
        else:
            # types that may become indicators
            handleIndicatorAttribute(incident, ttps, attribute)
    if incident.related_indicators and not ttps:
        ttp = TTP(timestamp=incident.timestamp)
        ttp.id_ = incident.id_.replace("incident", "ttp")
        ttp.title = "Unknown"
        ttps.append(ttp)
    for rindicator in incident.related_indicators:
        for ttp in ttps:
            ittp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
            rindicator.item.add_indicated_ttp(ittp)
    return [incident, ttps]
Exemplo n.º 12
0
 def test_ttp(self):
     t = TTP()
     t.title = UNICODE_STR
     t.description = UNICODE_STR
     t.short_description = UNICODE_STR
     t2 = round_trip(t)
     self._test_equal(t, t2)
Exemplo n.º 13
0
def convert_malware(malware20):
    malware1x = MalwareInstance()
    if "name" in malware20:
        malware1x.add_name(malware20["name"])
    if "description" in malware20:
        malware1x.add_description(malware20["description"])
    types = convert_open_vocabs_to_controlled_vocabs(malware20["labels"],
                                                     MALWARE_LABELS_MAP)
    for t in types:
        malware1x.add_type(t)
    ttp = TTP(id_=convert_id20(malware20["id"]),
              timestamp=text_type(malware20["modified"]))
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware1x)
    if "kill_chain_phases" in malware20:
        process_kill_chain_phases(malware20["kill_chain_phases"], ttp)
    if "object_marking_refs" in malware20:
        for m_id in malware20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(ttp, ms, descendants=True)
    if "granular_markings" in malware20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, malware20["id"])
    record_id_object_mapping(malware20["id"], ttp)
    return ttp
Exemplo n.º 14
0
def cvebuild(var):
    """Search for a CVE ID and return a STIX formatted response."""
    cve = CVESearch()
    data = json.loads(cve.id(var))
    if data:
        try:
            from stix.utils import set_id_namespace
            namespace = {NS: NS_PREFIX}
            set_id_namespace(namespace)
        except ImportError:
            from stix.utils import idgen
            from mixbox.namespaces import Namespace
            namespace = Namespace(NS, NS_PREFIX, "")
            idgen.set_id_namespace(namespace)

        pkg = STIXPackage()
        pkg.stix_header = STIXHeader()
        pkg = STIXPackage()
        pkg.stix_header = STIXHeader()

        pkg.stix_header.handling = marking()

        # Define the exploit target
        expt = ExploitTarget()
        expt.title = data['id']
        expt.description = data['summary']

        # Add the vulnerability object to the package object
        expt.add_vulnerability(vulnbuild(data))

        # Do some TTP stuff with CAPEC objects
        try:
            for i in data['capec']:
                ttp = TTP()
                ttp.title = "CAPEC-" + str(i['id'])
                ttp.description = i['summary']
                ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
                pkg.add_ttp(ttp)
        except KeyError:
            pass

        # Do some weakness stuff
        if data['cwe'] != 'Unknown':
            weak = Weakness()
            weak.cwe_id = data['cwe']
            expt.add_weakness(weak)

        # Add the exploit target to the package object
        pkg.add_exploit_target(expt)

        xml = pkg.to_xml()

        # If the function is not imported then output the xml to a file.
        if __name__ == '__main__':
            title = pkg.id_.split(':', 1)[-1]
            with open(title + ".xml", "w") as text_file:
                text_file.write(xml)
        return xml
Exemplo n.º 15
0
def main():
    # get args
    parser = argparse.ArgumentParser(
        description="Parse an input JSON file and output STIX XML ",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    parser.add_argument("infile",help="input file")
    parser.add_argument("--outfile","-o", help="output file")

    args = parser.parse_args()
    
    # We assume the input file is a flat JSON file
    # format 'bot_name':[list,of,ips]
    content = json.load(open(args.infile))
        
    # Set up STIX document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.title = "C2 Server IP Addresses"
    stix_header.add_package_intent (PackageIntent.TERM_INDICATORS_WATCHLIST)
    stix_package.stix_header = stix_header

    # Create Indicator and TTP for each item in JSON document
    for item in content:

        # Create TTP for C2 server
        ttp = TTP()
        ttp.title = item
        stix_package.add_ttp(ttp)

        # Create Indicator for C2 IP addresses
        indicator = Indicator()
        indicator.title = "IP addresses for known C2 channel"
        indicator.description = "Bot connecting to control server"

        # Add IPs for C2 node
        addr = Address(address_value=content[item], category=Address.CAT_IPV4)
        addr.address_value.condition= "Equals"
        indicator.add_object(addr)

        # Relate Indicator and TTP
        indicator.add_indicated_ttp(TTP(idref=ttp.id_))

        # Add Indicator to STIX PAckage
        stix_package.add_indicator(indicator)

    # Output to given file
    # The context manager is just to make the output look nicer by ignoring
    # warnings from to_xml()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        stix_out = stix_package.to_xml()

        if args.outfile:
            fd = open(args.outfile,'w')
            fd.write(stix_out)
        else:
            print stix_out
Exemplo n.º 16
0
def create_victim_target(source, target_ref, target_obj_ref_1x):
    global _VICTIM_TARGET_TTPS
    target, identity1x_tuple = handle_identity(target_ref, target_obj_ref_1x)
    ttp = TTP()
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.identity = target
    _VICTIM_TARGET_TTPS.append(ttp)
    source.observed_ttps.append(ttp)
    identity1x_tuple[1] = True
Exemplo n.º 17
0
def convert_report(r20):
    r1x = Report(id_=convert_id20(r20["id"]),
                 timestamp=text_type(r20["modified"]))
    r1x.header = Header()
    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])
    intents = convert_open_vocabs_to_controlled_vocabs(r20["labels"],
                                                       REPORT_LABELS_MAP)
    for i in intents:
        r1x.header.add_intent(i)
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published",
                                            r20["published"])
    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type == "attack-pattern":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "campaign":
            r1x.add_campaign(Campaign(idref=ref1x))
        elif ref_type == 'course-of-action':
            r1x.add_course_of_action(CourseOfAction(idref=ref1x))
        elif ref_type == "indicator":
            r1x.add_indicator(Indicator(idref=ref1x))
        elif ref_type == "observed-data":
            r1x.add_observable(Observable(idref=ref1x))
        elif ref_type == "malware":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "threat-actor":
            r1x.add_threat_actor(ThreatActor(idref=ref1x))
        elif ref_type == "tool":
            r1x.add_ttp(TTP(idref=ref1x))
        elif ref_type == "vulnerability":
            r1x.add_exploit_target(ExploitTarget(idref=ref1x))
        elif ref_type == "identity" or ref_type == "relationship":
            warn("%s in %s is not explicitly a member of a STIX 1.x report",
                 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x", 612, ref,
                 r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])
    if "object_marking_refs" in r20:
        for m_id in r20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            if ms:
                CONTAINER.add_marking(r1x, ms, descendants=True)
    if "granular_markings" in r20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, r20["id"])
    return r1x
Exemplo n.º 18
0
def create_victim_target_for_threat_actor(source, target_ref,
                                          target_obj_ref_1x):
    global _VICTIM_TARGET_TTPS
    target, identity1x_tuple = choose_full_object_or_idref(
        target_ref, target_obj_ref_1x)
    ttp = TTP()
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.identity = target
    _VICTIM_TARGET_TTPS.append(ttp)
    source.observed_ttps.append(ttp)
    identity1x_tuple[1] = True
Exemplo n.º 19
0
def to_stix_ttps(obj):
    from stix.ttp import TTP

    ttp_list = []

    for each in obj.ttps:
        ttp = TTP()
        ttp.timestamp = each.date
        ttp.description = each.ttp
        ttp_list.append(ttp)

    return ttp_list
Exemplo n.º 20
0
def _buildttp(i, expt):
    """Do some TTP stuff."""
    ttp = TTP()
    ttp.title = str(i['name'])
    # The summary key is a list. In 1.2 this is represented
    # properly using description ordinality.
    ttp.description = i['summary']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(i['id'])
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
    return ttp
Exemplo n.º 21
0
def _buildttp(i, expt):
    """Do some TTP stuff."""
    ttp = TTP()
    ttp.title = str(i['name'])
    # The summary key is a list. In 1.2 this is represented
    # properly using description ordinality.
    ttp.description = i['summary']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(i['id'])
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.exploit_targets.append(ExploitTarget(idref=expt.id_))
    return ttp
def main():
    maec_malware_instance = MAECInstance()
    maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
    maec_malware_instance.add_type("Remote Access Trojan")
    maec_malware_instance.maec = etree.fromstring(MAEC_XML, parser=etree.ETCompatXMLParser())

    ttp = TTP(title="Poison Ivy Variant v4392-acc")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
def main():
    ciq_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
    ciq_identity.specification = identity_spec

    ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.identity = ciq_identity

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
def main():
    stix_package = STIXPackage()
    ttp_phishing = TTP(title="Phishing")

    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-98"
    attack_pattern.description = ("Phishing")

    ttp_phishing.behavior = Behavior()
    ttp_phishing.behavior.add_attack_pattern(attack_pattern)

    ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy Variant d1c6")
    malware_instance.add_type("Remote Access Trojan")

    ttp_pivy.behavior = Behavior()
    ttp_pivy.behavior.add_malware_instance(malware_instance)

    ta_bravo = ThreatActor(title="Adversary Bravo")
    ta_bravo.identity = Identity(name="Adversary Bravo")

    related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_),
                                      relationship="Leverages Attack Pattern")
    ta_bravo.observed_ttps.append(related_ttp_phishing)

    related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_),
                                  relationship="Leverages Malware")
    ta_bravo.observed_ttps.append(related_ttp_pivy)

    stix_package.add_ttp(ttp_phishing)
    stix_package.add_ttp(ttp_pivy)
    stix_package.add_threat_actor(ta_bravo)

    print stix_package.to_xml()
Exemplo n.º 25
0
def main():
    maec_malware_instance = MAECInstance()
    maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
    maec_malware_instance.add_type("Remote Access Trojan")
    maec_malware_instance.maec = etree.fromstring(
        MAEC_XML, parser=etree.ETCompatXMLParser())

    ttp = TTP(title="Poison Ivy Variant v4392-acc")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print stix_package.to_xml()
Exemplo n.º 26
0
def _buildttp(data):
    ttp = TTP()
    ttp.title = data['name']
    ttp.description = data['description']
    attack_pattern = AttackPattern()
    attack_pattern.capec_id = "CAPEC-" + str(data['id'])
    attack_pattern.title = data['name']
    attack_pattern.description = data['description']
    ttp.behavior = Behavior()
    ttp.behavior.add_attack_pattern(attack_pattern)
    ttp.information_source = InformationSource()
    ttp.information_source.identity = Identity()
    ttp.information_source.identity.name = "The MITRE Corporation"
    ttp.information_source.references = data['references']
    return ttp
Exemplo n.º 27
0
def _dostix(hashes):
    '''This function creates a STIX packages containing hashes.'''
    print("[+] Creating STIX Package")
    title = SETTINGS['stix']['ind_title'] + " " + str(datetime.datetime.now())
    _custom_namespace(SETTINGS['stix']['ns'], SETTINGS['stix']['ns_prefix'])
    stix_package = STIXPackage()
    stix_package.stix_header = STIXHeader()
    stix_package.stix_header.title = title
    stix_package.stix_header.handling = _marking()
    try:
        indicator = Indicator()
        indicator.set_producer_identity(SETTINGS['stix']['producer'])
        indicator.set_produced_time(indicator.timestamp)
        indicator.set_received_time(indicator.timestamp)
        indicator.add_kill_chain_phase(PHASE_DELIVERY)
        indicator.confidence = "Low"

        indicator.title = title
        indicator.add_indicator_type("File Hash Watchlist")
        indicator.description = SETTINGS['stix']['ind_desc']

        try:
            indicator.add_indicated_ttp(
                TTP(idref=SETTINGS['indicated_ttp'],
                    timestamp=indicator.timestamp))
            indicator.suggested_coas.append(
                CourseOfAction(idref=SETTINGS['suggested_coa'],
                               timestamp=indicator.timestamp))
        except KeyError:
            pass

        for info in hashes:
            try:
                file_name = info['filename']
                file_object = File()
                file_object.file_name = file_name
                file_object.file_name.condition = "Equals"
                file_object.file_extension = "." + file_name.split('.')[-1]
                file_object.file_extension.condition = "Equals"
                file_object.size_in_bytes = info['filesize']
                file_object.size_in_bytes.condition = "Equals"
                file_object.file_format = info['fileformat']
                file_object.file_format.condition = "Equals"
                file_object.add_hash(Hash(info['md5']))
                file_object.add_hash(Hash(info['sha1']))
                file_object.add_hash(Hash(info['sha256']))
                file_object.add_hash(Hash(info['sha512']))
                file_object.add_hash(Hash(info['ssdeep'], Hash.TYPE_SSDEEP))
                for hashobj in file_object.hashes:
                    hashobj.simple_hash_value.condition = "Equals"
                    hashobj.type_.condition = "Equals"
                file_obs = Observable(file_object)
                file_obs.title = "File: " + file_name
                indicator.add_observable(file_obs)
            except TypeError:
                pass
        stix_package.add_indicator(indicator)
        return stix_package
    except KeyError:
        pass
Exemplo n.º 28
0
def main():
    file_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

    stix_header = STIXHeader(
        title="File Hash Reputation Service Results",
        package_intents=["Indicators - Malware Artifacts"])
    stix_package = STIXPackage(stix_header=stix_header)

    indicator = Indicator(
        title=
        "File Reputation for SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    )
    indicator.add_indicator_type("File Hash Watchlist")

    file_object = File()
    file_object.add_hash(Hash(file_hash))
    file_object.hashes[0].simple_hash_value.condition = "Equals"
    file_object.hashes[0].type_.condition = "Equals"
    indicator.add_observable(file_object)

    indicator.add_indicated_ttp(TTP(title="Malicious file"))

    indicator.confidence = Confidence(value=VocabString('75'))
    indicator.confidence.value.vocab_name = "Percentage"
    indicator.confidence.value.vocab_reference = "https://en.wikipedia.org/wiki/Percentage"

    stix_package.add_indicator(indicator)

    print(stix_package.to_xml(encoding=None))
Exemplo n.º 29
0
 def append_ttp(self, incident, attribute, ttp):
     if attribute.comment:
         ttp.description = attribute.comment
     self.ttps.append(ttp)
     rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
     related_ttp = RelatedTTP(rttp, relationship=attribute.category)
     incident.leveraged_ttps.append(related_ttp)
def main():
    stix_package = STIXPackage()
    ttp = TTP(title="C2 Behavior")

    indicator = Indicator(title="IP Address for known C2 Channel")
    indicator.add_indicator_type("IP Watchlist")

    addr = Address(address_value="10.0.0.0", category=Address.CAT_IPV4)
    addr.condition = "Equals"
    indicator.add_observable(addr)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))

    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)

    print(stix_package.to_xml(encoding=None))
Exemplo n.º 31
0
 def from_dict(cls, dict_repr, return_obj=None):
     if not dict_repr:
         return None
     if not return_obj:
         return_obj = cls()
     
     return_obj.ttps = [TTP.from_dict(x) for x in dict_repr.get('ttps', [])]
     return return_obj
Exemplo n.º 32
0
def generateTTP(incident, attribute, ttps, eventTags):
    ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"], mergeTags(eventTags, attribute["AttributeTag"]))
    ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
        et.id_= namespace[1] + ":et-" + attribute["uuid"]
        if attribute["comment"] != "" and attribute["comment"] != "Imported via the freetext import.":
            et.title = attribute["comment"]
        else:
            et.title = "Vulnerability " + attribute["value"]
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    if attribute["comment"] != "":
        ttp.description = attribute["comment"]
    ttps.append(ttp)
    rttp = TTP(idref=ttp.id_, timestamp=ttp.timestamp)
    relatedTTP = RelatedTTP(rttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemplo n.º 33
0
def main():
    from stix.campaign import Campaign
    from stix.common.related import RelatedTTP
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Customer PII")
    ttp.victim_targeting.add_targeted_information(
        "Information Assets - Financial Data")

    ttp_ref = TTP()
    ttp_ref.idref = ttp.id_
    related_ttp = RelatedTTP(ttp_ref)
    related_ttp.relationship = "Targets"

    c = Campaign()
    c.title = "Operation Alpha"
    c.related_ttps.append(related_ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)
    pkg.add_ttp(ttp)

    print(pkg.to_xml(encoding=None))
def main():
    malware = MalwareInstance()
    malware.add_name("Poison Ivy")
    malware.add_type("Remote Access Trojan")
    
    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware)
    
    incident = Incident(title="Detected Poison Ivy beaconing through perimeter firewalls")
    related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
    incident.leveraged_ttps.append(related_ttp)
    
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)
    stix_package.add_incident(incident)
    
    print stix_package.to_xml() 
Exemplo n.º 35
0
def main():
    ciq_identity = CIQIdentity3_0Instance()
    identity_spec = STIXCIQIdentity3_0()
    identity_spec.organisation_info = OrganisationInfo(
        industry_type="Electricity, Industrial Control Systems")
    ciq_identity.specification = identity_spec

    ttp = TTP(
        title=
        "Victim Targeting: Electricity Sector and Industrial Control System Sector"
    )
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.identity = ciq_identity

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    print stix_package.to_xml()
Exemplo n.º 36
0
 def from_dict(cls, dict_repr, return_obj=None):
     if not dict_repr:
         return None
     if not return_obj:
         return_obj = cls()
     
     return_obj.ttps = [TTP.from_dict(x) for x in dict_repr.get('ttps', [])]
     return_obj.kill_chains = KillChains.from_dict(dict_repr.get('kill_chains'))
     return return_obj
Exemplo n.º 37
0
def generateTTP(incident, attribute):
    ttp = TTP()
    ttp.id_="example:ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute["uuid"]
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget()
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemplo n.º 38
0
def wrap_maec(maec_package, file_name=None):
    """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.

    Args:
        maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
        file_name: the name of the input file from which the MAEC Package originated,
            to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.

    Returns:
        A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
    """

    # Set the namespace to be used in the STIX Package
    stix.utils.set_id_namespace(
        {"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"})

    # Create the STIX MAEC Instance
    maec_malware_instance = MAECInstance()
    maec_malware_instance.maec = maec_package

    # Create the STIX TTP that includes the MAEC Instance
    ttp = TTP()
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)

    # Create the STIX Package and add the TTP to it
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    # Create the STIX Header and add it to the Package
    stix_header = STIXHeader()
    if file_name:
        stix_header.title = "STIX TTP wrapper around MAEC file: " + str(
            file_name)
    stix_header.add_package_intent("Malware Characterization")
    # Add the Information Source to the STIX Header
    tool_info = ToolInformation()
    stix_header.information_source = InformationSource()
    tool_info.name = "MAEC to STIX"
    tool_info.version = str(maec_to_stix.__version__)
    stix_header.information_source.tools = ToolInformationList(tool_info)
    stix_package.stix_header = stix_header

    return stix_package
Exemplo n.º 39
0
def generateTTP(incident, attribute):
    ttp = TTP()
    ttp.id_ = "example:ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = "MISP Attribute #" + attribute["id"] + " uuid: " + attribute[
        "uuid"]
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget()
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemplo n.º 40
0
    def from_obj(cls, obj, return_obj=None):
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()
        
        if obj.get_TTP():
            return_obj.ttps = [TTP.from_obj(x) for x in obj.get_TTP()]

        return return_obj
Exemplo n.º 41
0
def add_malware(hashVal, TTPTitle, malware_uuid):
    malware_instance = MalwareInstance()
    malware_instance.add_name(TTPTitle)
    # malware_instance.add_type("Malware")

    ttp = TTP(title=TTPTitle)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)

    file_object = File()
    file_object.add_hash(Hash(hashVal))
    file_object.hashes[0].simple_hash_value.condition = "Equals"

    indicator = Indicator(id_="indicator-{0}".format(malware_uuid),
                          title="File hash")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    return (indicator)
Exemplo n.º 42
0
    def from_dict(cls, dict_repr, return_obj=None):
        if not dict_repr:
            return None
        if not return_obj:
            return_obj = cls()

        return_obj.ttps = [TTP.from_dict(x) for x in dict_repr.get('ttps', [])]
        return_obj.kill_chains = KillChains.from_dict(
            dict_repr.get('kill_chains'))
        return return_obj
def main():
    malware = MalwareInstance()
    malware.add_name("Poison Ivy")
    malware.add_type("Remote Access Trojan")

    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware)

    incident = Incident(
        title="Detected Poison Ivy beaconing through perimeter firewalls")
    related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
    incident.leveraged_ttps.append(related_ttp)

    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)
    stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
Exemplo n.º 44
0
def wrap_maec(maec_package, file_name=None):
    """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package.

    Args:
        maec_package: the ``maec.package.package.Package`` instance to wrap in STIX.
        file_name: the name of the input file from which the MAEC Package originated,
            to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional.

    Returns:
        A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package.
    """

    # Set the namespace to be used in the STIX Package
    stix.utils.set_id_namespace({"https://github.com/MAECProject/maec-to-stix":"MAECtoSTIX"})

    # Create the STIX MAEC Instance
    maec_malware_instance = MAECInstance()
    maec_malware_instance.maec = maec_package
    
    # Create the STIX TTP that includes the MAEC Instance
    ttp = TTP()
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(maec_malware_instance)
    
    # Create the STIX Package and add the TTP to it
    stix_package = STIXPackage()
    stix_package.add_ttp(ttp)

    # Create the STIX Header and add it to the Package
    stix_header = STIXHeader()
    if file_name:
        stix_header.title = "STIX TTP wrapper around MAEC file: " + str(file_name)
    stix_header.add_package_intent("Malware Characterization")
    # Add the Information Source to the STIX Header
    tool_info = ToolInformation()
    stix_header.information_source = InformationSource()
    tool_info.name = "MAEC to STIX"
    tool_info.version = str(maec_to_stix.__version__)
    stix_header.information_source.tools = ToolInformationList(tool_info)
    stix_package.stix_header = stix_header
    
    return stix_package
Exemplo n.º 45
0
def generateTTP(incident, attribute):
    ttp = TTP(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
    ttp.id_= namespace[1] + ":ttp-" + attribute["uuid"]
    setTLP(ttp, attribute["distribution"])
    ttp.title = attribute["category"] + ": " + attribute["value"] + " (MISP Attribute #" + attribute["id"] + ")"
    if attribute["type"] == "vulnerability":
        vulnerability = Vulnerability()
        vulnerability.cve_id = attribute["value"]
        et = ExploitTarget(timestamp=getDateFromTimestamp(int(attribute["timestamp"])))
        et.add_vulnerability(vulnerability)
        ttp.exploit_targets.append(et)
    else:
        malware = MalwareInstance()
        malware.add_name(attribute["value"])
        ttp.behavior = Behavior()
        ttp.behavior.add_malware_instance(malware)
    if attribute["comment"] != "":
        ttp.description = attribute["comment"]
    relatedTTP = RelatedTTP(ttp, relationship=attribute["category"])
    incident.leveraged_ttps.append(relatedTTP)
Exemplo n.º 46
0
def resolveAttributes(incident, ttps, attributes):
    for attribute in attributes:
        if (attribute["type"] in not_implemented_attributes):
            addJournalEntry(incident, "!Not implemented attribute category/type combination caught! attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"])
        elif (attribute["type"] in non_indicator_attributes):
            #types that will definitely not become indicators
            handleNonIndicatorAttribute(incident, ttps, attribute)
        else:
            #types that may become indicators
            handleIndicatorAttribute(incident, ttps, attribute)
    if incident.related_indicators and not ttps:
        ttp = TTP(timestamp=incident.timestamp)
        ttp.id_= incident.id_.replace("incident","ttp")
        ttp.title = "Unknown"
        ttps.append(ttp)
    for rindicator in incident.related_indicators:
        for ttp in ttps:
            ittp=TTP(idref=ttp.id_, timestamp=ttp.timestamp)
            rindicator.item.add_indicated_ttp(ittp)
    return [incident, ttps]
def main():
    stix_package = STIXPackage()

    addr1 = Observable(
        Address(address_value="198.51.100.2", category=Address.CAT_IPV4))
    addr2 = Observable(
        Address(address_value="198.51.100.17", category=Address.CAT_IPV4))
    addr3 = Observable(
        Address(address_value="203.0.113.19", category=Address.CAT_IPV4))

    stix_package.add_observable(addr1)
    stix_package.add_observable(addr2)
    stix_package.add_observable(addr3)

    obs_addr1 = Observable()
    obs_addr2 = Observable()
    obs_addr3 = Observable()

    obs_addr1.id_ = None
    obs_addr2.id_ = None
    obs_addr3.id_ = None

    obs_addr1.idref = addr1.id_
    obs_addr2.idref = addr2.id_
    obs_addr3.idref = addr3.id_

    vocab_string = VocabString(value='Malware C2')

    infrastructure = Infrastructure()
    infrastructure.observable_characterization = Observables(
        [obs_addr1, obs_addr2, obs_addr3])
    infrastructure.add_type(vocab_string)

    resource = Resource()
    resource.infrastructure = infrastructure

    ttp = TTP(title="Malware C2 Channel")
    ttp.resources = resource

    stix_package.add_ttp(ttp)
    print(stix_package.to_xml())
Exemplo n.º 48
0
    def _add_stix_indicators(self, final_indicator_objects, ttp_id):
        """Create and add STIX Indicators for a list of Object History entries. 
        Link each Indicator to their Indicated TTP.

        Note:
            Each STIX Indicator is added to the STIX Package stored in the ``stix_package`` class
            member.

        Args:
            final_indicator_objects: a list of ``maec.bundle.object_history.ObjectHistoryEntry`` objects representing
                the final, pruned list of Objects to be used in the STIX Indicators.
            ttp_id: the id of the STIX TTP that each STIX Indicator should reference as its Indicated TTP.
        """
        object_values_list = []
        actions_list = []
        final_object_list = []

        # Deduplicate the Objects and combine their Actions
        for entry in final_indicator_objects:
            object = entry.object
            # Test if we've already created an Indicator for this Object
            obj_values = BundleDeduplicator.get_object_values(object)
            if obj_values not in object_values_list:
                object_values_list.append(obj_values)
                final_object_list.append(object)
                actions_list.append(entry.get_action_names())
            else:
                object_index = object_values_list.index(obj_values)
                existing_actions = actions_list[object_index]
                existing_actions += entry.get_action_names()

        # Create the STIX Indicators
        for object in final_object_list:
            object_index = final_object_list.index(object)
            indicator = Indicator()
            indicator.title = "Malware Artifact Extracted from MAEC Document"
            indicator.add_indicator_type("Malware Artifacts")
            indicator.add_observable(object.properties)
            # Add the Action-derived description to the Indicator
            description = "Corresponding Action(s): "
            for action_name in actions_list[object_index]:
                description += (action_name + ", ")
            indicator.description = description[:-2]
            # Set the proper Confidence on the Indicator
            confidence = Confidence()
            confidence.value = "Low"
            confidence.description = "Tool-generated Indicator. It is HIGHLY recommended that it be vetted by a human analyst before usage."
            indicator.confidence = confidence
            # Link the Indicator to its Indicated TTP
            ttp = TTP(idref=ttp_id)
            indicator.add_indicated_ttp(ttp)
            # Add the Indicator to the STIX Package
            self.stix_package.add_indicator(indicator)
Exemplo n.º 49
0
    def from_obj(cls, obj, return_obj=None):
        if not obj:
            return None
        if not return_obj:
            return_obj = cls()

        return_obj.kill_chains = KillChains.from_obj(obj.get_Kill_Chains())

        if obj.get_TTP():
            return_obj.ttps = [TTP.from_obj(x) for x in obj.get_TTP()]

        return return_obj
Exemplo n.º 50
0
 def from_obj(cls, obj, return_obj=None):
     if not obj:
         return None
     if not return_obj:
         return_obj = cls()
     
     return_obj.kill_chains = KillChains.from_obj(obj.get_Kill_Chains())
     
     if obj.get_TTP():
         return_obj.ttps = [TTP.from_obj(x) for x in obj.get_TTP()]
     
     return return_obj
Exemplo n.º 51
0
def add_action_item(action_item, pkg):
    if action_item.get('environmental'):
        warn("'environmental' item in 'action' item does not map to any STIX concept")
    error_item = action_item.get('error')
    if  error_item:
        warn("'error' item in 'action' item not handled, yet")
    hacking_item = action_item.get('hacking')
    if  hacking_item:
        hacking_ttp = TTP()
        add_hacking(hacking_item, hacking_ttp)
        pkg.add_ttp(hacking_ttp)
    malware_item = action_item.get('malware')
    if malware_item:
        malware_ttp = TTP()
        add_malware(malware_item, malware_ttp)
        pkg.add_ttp(malware_ttp)
    misuse_item = action_item.get('misuse')
    if misuse_item:
        warn("'misuse' item in 'action' item not handled, yet")
        #warn("'misuse' item in 'action' item maps to TTP")
        #misusattack_patternTP = TTP()
        #add_misuse_item(misuse_item, misuseTTP)
        #pkg.add_ttp(misuseTTP)
    physical_item = action_item.get('physical')
    if physical_item:
        add_physical(physical_item, pkg)
    social_item = action_item.get('social') 
    if social_item:
        social_ttp = TTP()
        add_social(social_item, social_ttp)
        pkg.add_ttp(social_ttp)
    unknown_item = action_item.get('unknown')
    if  unknown_item:
        unknown_ttp = TTP()
        unknown_ttp.title = "Unknown"
        notes_item = unknown_item.get("notes")
        if notes_item:
            unknown_ttp.title += " - " + escape(notes_item)
        pkg.add_ttp(unknown_ttp)
Exemplo n.º 52
0
    def _add_stix_ttp(self, malware_subject):
        """Create and add a STIX TTP for a MAEC Malware Subject.
        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.

        Returns:
            The ID of the newly created STIX TTP.
        """
        # Create the STIX TTP that includes the MAEC Instance
        ttp = TTP()
        ttp.behavior = Behavior()
        # Add a MAEC Package with just the Malware Subject
        # For capturing the identity of the malware binary that the Indicators target
        maec_package = Package()
        new_malware_subject = MalwareSubject()
        new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
        maec_package.add_malware_subject(new_malware_subject)
        maec_malware_instance = MAECInstance()
        maec_malware_instance.maec = maec_package
        ttp.behavior.add_malware_instance(maec_malware_instance)
        self.stix_package.add_ttp(ttp)
        return ttp.id_
def main():
    from stix.campaign import Campaign, Attribution
    from stix.threat_actor import ThreatActor
    from stix.core import STIXPackage
    from stix.ttp import TTP, VictimTargeting

    ttp = TTP()
    ttp.title = "Victim Targeting: Customer PII and Financial Data"
    ttp.victim_targeting = VictimTargeting()
    ttp.victim_targeting.add_targeted_information("Information Assets - Financial Data")

    actor = ThreatActor()
    actor.title = "People behind the intrusion"

    c = Campaign()
    c.attribution.append(actor)
    c.title = "Compromise of ATM Machines"
    c.related_ttps.append(ttp)

    pkg = STIXPackage()
    pkg.add_campaign(c)

    print pkg.to_xml()
def main():
    stix_package = STIXPackage()
        
    malware_instance = MalwareInstance()
    malware_instance.add_name("Poison Ivy")
    malware_instance.add_type("Remote Access Trojan")
    
    ttp = TTP(title="Poison Ivy")
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    
    file_object = File()
    file_object.add_hash(Hash("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
    
    indicator = Indicator(title="File hash for Poison Ivy variant")
    indicator.add_indicator_type("File Hash Watchlist")
    indicator.add_observable(file_object)
    indicator.add_indicated_ttp(TTP(idref=ttp.id_))
    
    stix_package.add_indicator(indicator)
    stix_package.add_ttp(ttp)
    
    print stix_package.to_xml()
Exemplo n.º 55
0
def buildTtp(input_dict):
    ttp = TTP()
    ttp.title = input_dict['title']
    ttp.description = input_dict['description']
    if input_dict['intendedEffect']:
        ttp.add_intended_effect(input_dict['intendedEffect'])
    if input_dict['behavior']:
        ttp.behavior = Behavior(input_dict['behavior'])
    if input_dict['resources']:
        ttp.resources = input_dict['resources']
    if input_dict['victimTargeting']:
        #TODO look into adding more victim fields
        vic = VictimTargeting()
        vic.add_targeted_information(input_dict['victimTargeting'])
        ttp.victim_targeting = vic
    #target = ExploitTargets().
    #target.append(input_dict['exploitTargets'])
    #ttp.exploit_targets = target
    if input_dict['informationSource']:
        ttp.information_source = InformationSource(input_dict['informationSource'])
    if input_dict['killChain']:
        ttp.kill_chain_phases = input_dict['killChain']

    return ttp
def main():

    # "hardcoded" values
    ns = "urn:example.com:marks_malware_metadata_mart"
    ns_alias = "m4"

    # Set the STIX ID Namespace
    stix_namespace = {ns: ns_alias}
    stix_sin(stix_namespace)

    # Set the CybOX ID Namespace
    cybox_namespace = Namespace(ns, ns_alias)
    cybox_sin(cybox_namespace)

    ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686'
    ttp_timestamp = '2014-09-30T15:56:27.000000+00:00'

    # Fake database values
    md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4'
    observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29'
    confidence = 'High'
    confidence_timestamp = '2014-09-29T14:32:00.000000'
    indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b'
    indicator_timestamp = '2014-09-29T14:32:00.000000'

    # Code to create the STIX Package
    sp = STIXPackage()
    sp.stix_header = STIXHeader()
    sp.stix_header.title = "File Hash Reputation for %s" % md5_hash
    sp.stix_header.add_package_intent("Indicators - Malware Artifacts")
    sp.stix_header.information_source = InformationSource()
    sp.stix_header.information_source.identity = Identity()
    sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart"

    file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True)
    file_hash.type_.condition = "Equals"

    file_obj = File()
    file_obj.id_ = (ns_alias + ':' + object_id)
    file_obj.add_hash(file_hash)

    indicator = Indicator(title="File Hash Reputation",
                          id_=(ns_alias + ':' + indicator_id),
                          timestamp=indicator_timestamp)
    indicator.indicator_type = "File Hash Reputation"
    indicator.add_observable(file_obj)
    indicator.observables[0].id_ = ns_alias + ':' + observable_id

    ttp = TTP()
    ttp.id_ = ns_alias + ':' + ttp_id
    ttp.timestamp = ttp_timestamp
    ttp.title = "Malicious File"

    indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp))
    indicator.indicated_ttps[0].confidence = confidence
    indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp

    sp.add_indicator(indicator)
    sp.add_ttp(ttp)

    stix_xml = sp.to_xml()

    poll_response = tm11.PollResponse(message_id=generate_message_id(),
                                      in_response_to="1234",
                                      collection_name='file_hash_reputation')
    cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111,
                           content=stix_xml)
    poll_response.content_blocks.append(cb)
    print poll_response.to_xml(pretty_print=True)
Exemplo n.º 57
0
def genStixDoc(
        outputDir_,
        targetFileSha1_,
        targetFileSha256_,
        targetFileSha512_,
        targetFileSsdeep_,
        targetFileMd5_,
        targetFileSize_,
        targetFileName_,
        ipv4Addresses_,
        hostNames_):
    """
    Generate Stix document from the input values. The doc structure is the file
    object along with the related network items: addresses, domain names. Output
    is written to files, which are then wrapped with taxii and uploaded using a 
    separate script.
    """
    parsedTargetFileName = reFileName(targetFileName_)[1]
    parsedTargetFilePrefix = reFileName(targetFileName_)[0]
    stix.utils.set_id_namespace({"http://www.equifax.com/cuckoo2Stix" : "cuckoo2Stix"})
    NS = cybox.utils.Namespace("http://www.equifax.com/cuckoo2Stix", "cuckoo2Stix")
    cybox.utils.set_id_namespace(NS)
    stix_package = STIXPackage()

    stix_header = STIXHeader()
    stix_header.title = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_header.description = 'File: ' + parsedTargetFileName + ' with the associated hashes, network indicators'
    stix_package.stix_header = stix_header

    # Create the ttp
    malware_instance = MalwareInstance()
    malware_instance.add_name(parsedTargetFileName)
    malware_instance.description = targetFileSha1_
    ttp = TTP(title='TTP: ' + parsedTargetFileName)
    ttp.behavior = Behavior()
    ttp.behavior.add_malware_instance(malware_instance)
    stix_package.add_ttp(ttp)
    
    # Create the indicator for the ipv4 addresses
    ipv4Object = Address(ipv4Addresses_, Address.CAT_IPV4)
    ipv4Object.condition = 'Equals'
    ipv4Indicator = Indicator()
    ipv4Indicator.title = parsedTargetFileName + ': ipv4 addresses'
    ipv4Indicator.add_indicator_type('IP Watchlist')
    ipv4Indicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    ipv4Indicator.observable = ipv4Object
    ipv4Indicator.confidence = 'Low'
    
    # Create the indicator for the domain names
    domainNameObject = DomainName()
    domainNameObject.value = hostNames_
    domainNameObject.condition = 'Equals'
    domainNameIndicator = Indicator()
    domainNameIndicator.title = parsedTargetFileName + ': domain names'
    domainNameIndicator.add_indicator_type('Domain Watchlist')
    domainNameIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship='Indicates Malware'))
    domainNameIndicator.observable = domainNameObject
    domainNameIndicator.confidence = 'Low'

    # Create the indicator for the file
    fileObject = File()
    fileObject.file_name = parsedTargetFileName
    fileObject.file_name.condition = 'Equals'
    fileObject.size_in_bytes = targetFileSize_
    fileObject.size_in_bytes.condition = 'Equals'
    fileObject.add_hash(Hash(targetFileSha1_, type_='SHA1', exact=True))
    fileObject.add_hash(Hash(targetFileSha256_, type_='SHA256', exact=True))
    fileObject.add_hash(Hash(targetFileSha512_, type_='SHA512', exact=True))
    fileObject.add_hash(Hash(targetFileSsdeep_, type_='SSDEEP', exact=True))
    fileObject.add_hash(Hash(targetFileMd5_, type_='MD5', exact=True))
    fileIndicator = Indicator()
    fileIndicator.title = parsedTargetFileName + ': hashes'
    fileIndicator.description = parsedTargetFilePrefix
    fileIndicator.add_indicator_type('File Hash Watchlist')
    fileIndicator.add_indicated_ttp(RelatedTTP(TTP(idref=ttp.id_), relationship="Indicates Malware"))
    fileIndicator.observable = fileObject
    fileIndicator.confidence = 'Low'
    
    stix_package.indicators = [fileIndicator, ipv4Indicator, domainNameIndicator]

    stagedStixDoc = stix_package.to_xml()
    stagedStixDoc = fixAddressObject(stagedStixDoc)
    stagedStixDoc = fixDomainObject(stagedStixDoc)
    today = datetime.datetime.now()
    now = today.strftime('%Y-%m-%d_%H%M%S')
    if not os.path.exists(outputDir_):
        os.makedirs(outputDir_)
    with open (outputDir_ + '/' + now + '-' + targetFileSha1_ + '.stix.xml', 'a') as myfile:
        myfile.write(stagedStixDoc)
    _l.debug('Wrote file: ' + now + '-' + targetFileSha1_ + '.stix.xml')
    return
Exemplo n.º 58
0
def csv2stix(outFormat,inFile):

	#=============
	# Build package metadata
	#=============

	stix_package = STIXPackage()
	stix_package.stix_header = STIXHeader()
	stix_package.stix_header.title = "TG3390"
	stix_package.stix_header.description = "Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390) - http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"

	marking_specification = MarkingSpecification()
	marking_specification.controlled_structure = "../../../../descendant-or-self::node()"

	tlp = TLPMarkingStructure()
	tlp.color = "WHITE"
	marking_specification.marking_structures.append(tlp)

	handling = Marking()
	handling.add_marking(marking_specification)

	stix_package.stix_header.handling = handling

        #=============
        # Build package structure
        #=============

	ta_tg3390 = ThreatActor(title="TG3390")
	ta_tg3390.identity = Identity(name="TG3390")

	attack_pattern = AttackPattern()
	attack_pattern.description = ("Infrastructure Building")
	ttp_infrastructure = TTP(title="Infrastructure Building")
	ttp_infrastructure.behavior = Behavior()
	ttp_infrastructure.behavior.add_attack_pattern(attack_pattern)
	ttp_infrastructure.add_intended_effect("Unauthorized Access")
	infra_domainInd = Indicator(title="Domains associated with TG3390 Infrastructure")
	infra_domainInd.add_indicator_type("Domain Watchlist")
	infra_domainInd.confidence = "High"
	infra_domainInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

	infra_IPInd = Indicator(title="[H] IP Addresses associated with TG3390 Infrastructure")
	infra_IPInd.add_indicator_type("IP Watchlist")
	infra_IPInd.confidence = "High"
	infra_IPInd.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))

	infra_IPInd_M = Indicator(title="[M] IP Addresses associated with TG3390 Infrastructure")
        infra_IPInd_M.add_indicator_type("IP Watchlist")
	infra_IPInd_M.confidence = "Medium"
        infra_IPInd_M.add_indicated_ttp(TTP(idref=ttp_infrastructure.id_))


	httpBrowserObj = MalwareInstance()
	httpBrowserObj.add_name("HTTP Browser")
	ttp_httpB = TTP(title="HTTP Browser")
	ttp_httpB.behavior = Behavior()
	ttp_httpB.behavior.add_malware_instance(httpBrowserObj)
	ttp_httpB.add_intended_effect("Theft - Intellectual Property")
	httpB_hashInd = Indicator(title="File hashes for HTTP Browser")
	httpB_hashInd.add_indicator_type("File Hash Watchlist")
	httpB_hashInd.confidence = "High"
	httpB_hashInd.add_indicated_ttp(TTP(idref=ttp_httpB.id_))

	httpBrowserDropperObj = MalwareInstance()
	httpBrowserDropperObj.add_name("HTTP Browser Dropper")
	ttp_httpBDpr = TTP(title="HTTP Browser Dropper")
	ttp_httpBDpr.behavior = Behavior()
	ttp_httpBDpr.behavior.add_malware_instance(httpBrowserDropperObj)
	ttp_httpBDpr.add_intended_effect("Theft - Intellectual Property")
	httpBDpr_hashInd = Indicator(title="File hashes for HTTP Browser Dropper")
	httpBDpr_hashInd.add_indicator_type("File Hash Watchlist")
	httpBDpr_hashInd.confidence = "High"
	httpBDpr_hashInd.add_indicated_ttp(TTP(idref=ttp_httpBDpr.id_))


	plugXObj = MalwareInstance()
	plugXObj.add_name("PlugX Dropper")
	ttp_plugX = TTP(title="PlugX Dropper")
	ttp_plugX.behavior = Behavior()
	ttp_plugX.behavior.add_malware_instance(plugXObj)
	ttp_plugX.add_intended_effect("Theft - Intellectual Property")
	plugX_hashInd = Indicator(title="File hashes for PlugX Dropper")
	plugX_hashInd.add_indicator_type("File Hash Watchlist")
	plugX_hashInd.confidence = "High"
	plugX_hashInd.add_indicated_ttp(TTP(idref=ttp_plugX.id_))

        #=============
        # Process content in to structure
        #=============
	ip_rules = []
	ip_rules_M = []
	domain_rules = []
	with open(inFile, 'rb') as f:
                reader = csv.reader(f)
		for row in reader:
                        obs = row[0]
                        obsType = row[1]
                        description = row[2]
                        confidence = row[3]
			#print obs,obsType,description,confidence
			if description == 'TG-3390 infrastructure':
				if obsType == 'Domain name':
					domain_obj = DomainName()
        	                        domain_obj.value = obs
					#domain_obj.title = description
	                                infra_domainInd.add_object(domain_obj)
					domain_rule = generate_snort([obs], 'DomainName', str(infra_domainInd.id_).split(':',1)[1].split('-',1)[1])
					domain_rules.append(domain_rule)
				elif obsType == 'IP address':
					ipv4_obj = Address()
                	                ipv4_obj.category = "ipv4-addr"
        	                        ipv4_obj.address_value = obs
					ipv4_obj.title = description
					ind_ref = str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1]
					if confidence == "High":
	                                	infra_IPInd.add_object(ipv4_obj)
						ip_rules.append(obs)
					else:
						infra_IPInd_M.add_object(ipv4_obj)
						ip_rules_M.append(obs)
				else:
					print "TTP Infra: obsType is wrong"
			elif description == 'HttpBrowser RAT dropper':
				file_obj = File()
				file_obj.add_hash(Hash(obs))
				file_obj.title = description
				httpBDpr_hashInd.add_observable(file_obj)
			elif description == 'HttpBrowser RAT':
				file_obj = File()
                                file_obj.add_hash(Hash(obs))
				file_obj.title = description
                                httpB_hashInd.add_observable(file_obj)
			elif description == 'PlugX RAT dropper':
				file_obj = File()
                                file_obj.add_hash(Hash(obs))
				file_obj.title = description
                                plugX_hashInd.add_observable(file_obj)
			else:
				print "TTP not found"
	#print ip_rules
	ip_rule = generate_snort(ip_rules, 'Address', str(infra_IPInd.id_).split(':',1)[1].split('-',1)[1])
	ip_rule_M = generate_snort(ip_rules_M, 'Address', str(infra_IPInd_M.id_).split(':',1)[1].split('-',1)[1])

	ip_tm = SnortTestMechanism()
	ip_tm.rules = [ip_rule]
	ip_tm.efficacy = "High"
	ip_tm.producer = InformationSource(identity=Identity(name="Auto"))
	infra_IPInd.test_mechanisms = [ip_tm]

	ip_M_tm = SnortTestMechanism()
        ip_M_tm.rules = [ip_rule_M]
        ip_M_tm.efficacy = "Medium"
        ip_M_tm.producer = InformationSource(identity=Identity(name="Auto"))
	infra_IPInd_M.test_mechanisms = [ip_M_tm]

	domain_tm = SnortTestMechanism()
        domain_tm.rules = domain_rules
        domain_tm.efficacy = "High"
        domain_tm.producer = InformationSource(identity=Identity(name="Auto"))
        infra_domainInd.test_mechanisms = [domain_tm]
	
        #=============
        # Add the composed content to the structure
        #=============

	stix_package.add_indicator(infra_domainInd)
	stix_package.add_indicator(infra_IPInd)
	stix_package.add_indicator(infra_IPInd_M)
	stix_package.add_indicator(httpBDpr_hashInd)
	stix_package.add_indicator(httpB_hashInd)
	stix_package.add_indicator(plugX_hashInd)

	stix_package.add_ttp(ttp_infrastructure)
	stix_package.add_ttp(ttp_httpB)
	stix_package.add_ttp(ttp_httpBDpr)
	stix_package.add_ttp(ttp_plugX)
					
				
	"""
	if outFormat =='dict':
		print stix_package.to_dict()
	if outFormat =='json':
		parsed = stix_package.to_json()
		jsonpkg = json.loads(parsed)
		pprint.pprint(jsonpkg)
	if outFormat =='stix':
		print stix_package.to_xml()
	"""
	#if verbose:
		#print stix_package.to_xml()
	#pprint(stix_package.to_json())
	return stix_package
Exemplo n.º 59
0
    def transform(self, event):
        self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
        stix_package = STIXPackage()
        self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")

        incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
        initial_time = StixTime()
        initial_time.initial_compromise = event['timestamp'].isoformat()
        incident.time = initial_time
        incident.title = "Conpot Event"
        incident.short_description = "Traffic to Conpot ICS honeypot"
        incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))

        tool_list = ToolInformationList()
        tool_list.append(ToolInformation.from_dict({
            'name': "Conpot",
            'vendor': "Conpot Team",
            'version': conpot.__version__,
            'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
                                           'honeypot designed to be easy to deploy, modify and extend.')
        }))
        incident.reporter = InformationSource(tools=tool_list)

        incident.add_discovery_method("Monitoring Service")
        incident.confidence = "High"

        # Victim Targeting by Sector
        ciq_identity = CIQIdentity3_0Instance()
        #identity_spec = STIXCIQIdentity3_0()
        #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
        #ciq_identity.specification = identity_spec
        ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
        ttp.victim_targeting = VictimTargeting()
        ttp.victim_targeting.identity = ciq_identity

        incident.leveraged_ttps.append(ttp)

        indicator = Indicator(title="Conpot Event")
        indicator.description = "Conpot network event"
        indicator.confidence = "High"
        source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
        dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
                                    'layer4_protocol': 'tcp'})
        source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
        dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
        source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
        dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
        network_connection = NetworkConnection.from_dict(
            {'source_socket_address': source_address.to_dict(),
             'destination_socket_address': dest_address.to_dict(),
             'layer3_protocol': u"IPv4",
             'layer4_protocol': u"TCP",
             'layer7_protocol': event['data_type'],
             'source_tcp_state': u"ESTABLISHED",
             'destination_tcp_state': u"ESTABLISHED",
             }
        )
        indicator.add_observable(Observable(network_connection))

        artifact = Artifact()
        artifact.data = json.dumps(event['data'])
        artifact.packaging.append(ZlibCompression())
        artifact.packaging.append(Base64Encoding())
        indicator.add_observable(Observable(artifact))

        incident.related_indicators.append(indicator)
        stix_package.add_incident(incident)

        stix_package_xml = stix_package.to_xml()
        return stix_package_xml