def test_lockheed_martin_cyber_kill_chain():
    """A Lockheed Martin 'reconnaissance' KillChainPhase serialises to the LMCO_RECON fixture."""
    phase = stix2.KillChainPhase(
        phase_name="reconnaissance",
        kill_chain_name="lockheed-martin-cyber-kill-chain",
    )
    assert LMCO_RECON == str(phase)
def test_kill_chain_example():
    """A custom 'foo' / 'pre-attack' KillChainPhase serialises to the FOO_PRE_ATTACK fixture."""
    phase = stix2.KillChainPhase(
        phase_name="pre-attack",
        kill_chain_name="foo",
    )
    assert FOO_PRE_ATTACK == str(phase)
def test_kill_chain_required_property_chain_name():
    """Omitting kill_chain_name raises MissingPropertiesError naming only that property."""
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")
    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.properties == ["kill_chain_name"]
def test_kill_chain_required_property_phase_name():
    """Omitting phase_name raises MissingPropertiesError naming only that property."""
    with pytest.raises(stix2.exceptions.MissingPropertiesError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")
    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.properties == ["phase_name"]
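def get(self):
    """Return the current selection in the form the caller's mode expects.

    The mode is chosen by ``self.flag``:

    * falsy flag: strip the ``"<label>: "`` prefix from every selected item
      and return the remainders; if any item lacks that separator the raw
      ``self.selected_items`` list is returned unchanged, and ``""`` is
      returned when nothing is selected.
    * ``"killchain"``: load ``<item>.kcp`` from the kill-chain-phase folder
      for every selected item.  When a file cannot be read or parsed the
      phase is rebuilt from the ``<kill_chain_name>_<phase_name>`` item name
      and the user is told the file is missing.
    * any other flag: load ``<item>.ext`` from the external-reference folder
      for every selected item; a file that cannot be read or parsed resets
      the result to an empty list and the user is told.
    """
    if not self.flag:
        if not self.selected_items:
            return ""
        # ----hotfix for report------
        try:
            return [item.split(": ")[1] for item in self.selected_items]
        except (IndexError, AttributeError):
            # Best effort: an item without the "label: value" shape means the
            # list was not produced by the report view; hand it back as-is.
            return self.selected_items
        # ----hotfix for report END--

    # NOTE(review): ``item`` is used directly as a file name below; this
    # assumes the listbox only ever holds names read back from that folder.
    # If an item could carry a path separator or "..", os.path.join would
    # resolve outside the folder — confirm at the point the list is built.
    if self.flag == "killchain":
        folder = getkcpfolder()
        killchains = []
        for item in self.selected_items:
            try:
                with open(os.path.join(folder, item + ".kcp")) as fh:
                    killchains.append(json.load(fh))
            except (OSError, ValueError):
                # ValueError covers json.JSONDecodeError.  The item name is
                # "<kill_chain_name>_<phase_name>", so the phase can be
                # recreated from the name alone (an item with no "_" still
                # raises IndexError here, as before).
                parts = item.split("_")
                killchains.append(stix2.KillChainPhase(kill_chain_name=parts[0], phase_name=parts[1]))
                tk.messagebox.showinfo("Notice", item + " is not present in the filesystem.")
        return killchains

    folder = getexreffolder()
    exrefs = []
    for item in self.selected_items:
        try:
            with open(os.path.join(folder, item + ".ext")) as fh:
                exrefs.append(json.load(fh))
        except (OSError, ValueError):
            # NOTE(review): unlike the killchain branch this discards every
            # reference loaded so far and keeps iterating; it reads like a
            # copy-paste slip but is preserved because callers may rely on
            # the empty result — confirm before changing.
            exrefs = []
            tk.messagebox.showinfo("Notice", item + " is not present in the filesystem.")
    return exrefs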
def test_kill_chain_required_field_chain_name():
    """Omitting kill_chain_name raises MissingFieldsError that names it in .fields and in the message."""
    expected_msg = "Missing required field(s) for KillChainPhase: (kill_chain_name)."
    with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")
    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.fields == ["kill_chain_name"]
    assert expected_msg == str(err)
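def stix2killchain(obj):
    """Convert *obj*'s kill chain phases into a de-duplicated list of ``stix2.KillChainPhase``.

    Args:
        obj: an object whose ``kill_chain_phases`` attribute exposes ``.all()``
            (presumably a related-manager / queryset; verify against callers),
            each element carrying ``kill_chain_name`` and ``phase_name``.

    Returns:
        list of ``stix2.KillChainPhase`` in first-seen order, duplicates dropped.
    """
    kcps = []
    for phase in obj.kill_chain_phases.all():
        kcp = stix2.KillChainPhase(
            kill_chain_name=phase.kill_chain_name,
            phase_name=phase.phase_name,
        )
        # A list membership test keeps first-seen order; phase lists are
        # short, so a set would only add bookkeeping.
        if kcp not in kcps:
            kcps.append(kcp)
    return kcps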
def test_kill_chain_required_field_phase_name():
    """Omitting phase_name raises MissingFieldsError that names it in .fields and in the message."""
    expected_msg = "Missing required field(s) for KillChainPhase: (phase_name)."
    with pytest.raises(stix2.exceptions.MissingFieldsError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")
    err = excinfo.value
    assert err.cls == stix2.KillChainPhase
    assert err.fields == ["phase_name"]
    assert expected_msg == str(err)
name="Adversary Bravo", description= "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.", labels=["spy", "criminal"]) identity = stix2.Identity( id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111", created="2015-05-10T16:27:17.760Z", modified="2015-05-10T16:27:17.760Z", name="Adversary Bravo", description= "Adversary Bravo is a threat actor that utilizes phishing attacks.", identity_class="unknown") init_comp = stix2.KillChainPhase( kill_chain_name="mandiant-attack-lifecycle-model", phase_name="initial-compromise") malware = stix2.Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4", created="2015-04-23T11:12:34.760Z", modified="2015-04-23T11:12:34.760Z", name="Poison Ivy Variant d1c6", labels=["remote-access-trojan"], kill_chain_phases=[init_comp]) ref = stix2.ExternalReference( source_name="capec", description="phishing", url="https://capec.mitre.org/data/definitions/98.html", external_id="CAPEC-98")
import stix2

# Kill chain phase the malware is tied to (Mandiant attack lifecycle model).
foothold = stix2.KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold",
)

# Indicator for the site that serves the downloader.
indicator_ts = "2014-06-29T13:49:37.079Z"
indicator = stix2.Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created=indicator_ts,
    modified=indicator_ts,
    name="Malicious site hosting downloader",
    description="This organized threat actor group operates to create profit from all types of crime.",
    labels=["malicious-activity"],
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    valid_from="2014-06-29T13:49:37.079000Z",
)

# Malware the indicator points at; carries the kill chain phase above.
malware_ts = "2014-06-30T09:15:17.182Z"
malware = stix2.Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created=malware_ts,
    modified=malware_ts,
    name="x4z9arb backdoor",
    labels=["backdoor", "remote-access-trojan"],
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold],
)

# Link indicator -> malware and wrap everything in a bundle.
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])
def test_kill_chain_required_field_phase_name():
    """Constructing without phase_name raises ValueError carrying the missing-field message."""
    expected = "Missing required field(s) for KillChainPhase: (phase_name)."
    with pytest.raises(ValueError) as excinfo:
        stix2.KillChainPhase(kill_chain_name="lockheed-martin-cyber-kill-chain")
    assert expected == str(excinfo.value)
def test_kill_chain_required_field_chain_name():
    """Constructing without kill_chain_name raises ValueError carrying the missing-field message."""
    expected = "Missing required field(s) for KillChainPhase: (kill_chain_name)."
    with pytest.raises(ValueError) as excinfo:
        stix2.KillChainPhase(phase_name="weaponization")
    assert expected == str(excinfo.value)
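def widgets(self):
    """Build the kill-chain-phase editor: two entry rows, a list of saved phases and Create/Delete buttons.

    Entry widgets are placed in ``self.frame``; the listbox and buttons in
    ``self.btframe``.  ``self.getlist()`` fills the listbox from the saved
    phases.  The button callbacks live in ``_on_create_phase`` and
    ``_on_delete_phase`` so they can be read and tested on their own.
    """
    font = ("OpenSans", 12)

    self.killchainlabel = tk.Label(self.frame, text="Kill Chain Name:", font=font)
    self.killchainlabel.grid(row=0, column=0, padx=5, pady=5, sticky=tk.E)
    self.killchaintext = tk.Entry(self.frame, font=font)
    self.killchaintext.grid(row=0, column=1, padx=5, pady=5)
    self.killchaintext.bind('<KeyPress>', lambda event: self.keyPress(event))

    self.phaselabel = tk.Label(self.frame, text="Phase Name:", font=font)
    self.phaselabel.grid(row=1, column=0, padx=5, pady=5, sticky=tk.E)
    self.phasetext = tk.Entry(self.frame, font=font)
    self.phasetext.grid(row=1, column=1, padx=5, pady=5)
    # NOTE(review): the original bound '<KeyPress>' on killchaintext a second
    # time here (which only replaces the first binding) and never bound
    # phasetext.  The duplicate is dropped; whether phasetext should get the
    # same handler is left for the author to confirm.

    self.label = tk.Label(
        self.btframe,
        font=("OpenSans", 8, "bold"),
        text="Existing Kill Chain Phase into workspace:",
        bg="black",
        fg="white",
    )
    self.label.pack(fill=tk.X, padx=10)
    self.listview = tk.Listbox(self.btframe, font=("OpenSans", 10, "bold"), height=5)
    self.listview.pack(fill=tk.X, expand=True, padx=10)
    self.getlist()

    self.addbutton = tk.Button(
        self.btframe,
        text="Create",
        font=font,
        fg="white",
        bg="#03AC13",
        command=self._on_create_phase,
    )
    self.addbutton.pack(side=tk.LEFT, fill=tk.X, expand=True, padx=5, pady=5)
    self.cancelbutton = tk.Button(
        self.btframe,
        text="Delete",
        font=font,
        fg="white",
        bg="#FF3B30",
        command=self._on_delete_phase,
    )
    self.cancelbutton.pack(side=tk.LEFT, fill=tk.X, expand=True, padx=5, pady=5)

def _on_create_phase(self):
    """Create button: persist a KillChainPhase built from both entries, refresh the list and clear the entries.

    Shows an error dialog and does nothing else when either entry is empty.
    """
    chain_name = self.killchaintext.get()
    phase_name = self.phasetext.get()
    if chain_name == "" or phase_name == "":
        tk.messagebox.showerror("Error", "Input fields cannot be empty!", parent=self)
        return
    # The phase is stored under the name "<chain>_<phase>".  Both halves are
    # raw user input that ends up in a file name, and the selection helper's
    # killchain branch rebuilds the phase by splitting that name on "_", so an
    # underscore inside either value breaks the round trip.  Keeping the
    # resulting file inside its folder is killchainphasetofile's job — not
    # visible here, confirm it does.
    killchainphasetofile(
        chain_name + "_" + phase_name,
        stix2.KillChainPhase(kill_chain_name=chain_name, phase_name=phase_name),
    )
    self.getlist()
    tk.messagebox.showinfo("Success", "Kill Chain Phase created successfully!", parent=self)
    self.killchaintext.delete(0, tk.END)
    self.phasetext.delete(0, tk.END)

def _on_delete_phase(self):
    """Delete button: remove the active listbox entry and refresh the list.

    With no active entry it only prints an empty line, as the original did.
    """
    selected = self.listview.get(tk.ACTIVE)
    if selected != "":
        killchainphasedelete(selected, self)
        self.getlist()
    else:
        print("")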