def test_stix_header_marking_placement(self): """Test that marking an individual field whose parent does not contain a handling structure, marking is placed in stix header.""" container = stixmarx.new() package = container.package red_marking = generate_marking_spec(generate_red_marking_struct()) kill_chain = KillChain(id_="example:kc-1234", name="Test Kill Chain") kill_chain_phase = KillChainPhase(phase_id="example:kcp-1234", name="Test Kill Chain Phase") test_ttps = ttps.TTPs() package.ttps = test_ttps kill_chain.add_kill_chain_phase(kill_chain_phase) package.ttps.kill_chains.kill_chain.append(kill_chain) container.add_marking(kill_chain_phase, red_marking) self.assertTrue(package.stix_header is None) container.flush() self.assertTrue(package.stix_header.handling.marking[0]. controlled_structure is not None)
def test_not_equal(self): chain1 = KillChain(id_="test", name="foo", definer="bar", reference="foobar.com") chain2 = KillChain(id_="TEST", name="FOO", definer="BAR", reference="FOOBAR.ORG") self.assertNotEqual(chain1, chain2)
def test_equal(self): chain1 = KillChain(id_="test", name="foo", definer="bar", reference="foobar.com") chain2 = KillChain(id_="test", name="foo", definer="bar", reference="foobar.com") self.assertEqual(chain1, chain2) chain1.kill_chain_phases.append(KillChainPhase(phase_id="test")) chain2.kill_chain_phases.append(KillChainPhase(phase_id="test")) self.assertEqual(chain1, chain2)
def main(): stix_pkg = STIXPackage() # make indicator ind = Indicator() ind.title = "Malicious executable" ind.description = "Resident binary which implements infostealing and credit card grabber" # link to "Installation" phase and kill chain by ID values infect = KillChainPhase(name="Infect Machine") exfil = KillChainPhase(name="Exfiltrate Data") mychain = KillChain(name="Organization-specific Kill Chain") mychain.kill_chain_phases = [infect, exfil] stix_pkg.ttps.add_ttp(TTP()) stix_pkg.ttps.kill_chains.append(mychain) stix_pkg.add_indicator(ind) # add referenced phase to indicator ind.kill_chain_phases.append(KillChainPhaseReference(phase_id=infect.phase_id, kill_chain_id=mychain.id_)) print(stix_pkg.to_xml(encoding=None))
def main(): stix_pkg = STIXPackage() # make indicator ind = Indicator() ind.title = "Malicious executable" ind.description = "Resident binary which implements infostealing and credit card grabber" # link to "Installation" phase and kill chain by ID values infect = KillChainPhase(name="Infect Machine") exfil = KillChainPhase(name="Exfiltrate Data") mychain = KillChain(name="Organization-specific Kill Chain") mychain.kill_chain_phases = [infect, exfil] stix_pkg.ttps.kill_chains.append(mychain) stix_pkg.add_indicator(ind) # add referenced phase to indicator ind.kill_chain_phases.append(KillChainPhaseReference(phase_id=infect.phase_id,kill_chain_id = mychain.id_)) print stix_pkg.to_xml()
def process_kill_chain_phases(phases, obj1x): for phase in phases: if phase["kill_chain_name"] in _KILL_CHAINS: kill_chain_phases = _KILL_CHAINS[ phase["kill_chain_name"]]["phases"] if not phase["phase_name"] in kill_chain_phases: kill_chain_phases.update({ phase["phase_name"]: KillChainPhase(phase_id=create_id1x("TTP"), name=phase["phase_name"], ordinality=None) }) _KILL_CHAINS[phase["kill_chain_name"]][ "kill_chain"].add_kill_chain_phase( kill_chain_phases[phase["phase_name"]]) kcp = kill_chain_phases[phase["phase_name"]] if not obj1x.kill_chain_phases: obj1x.kill_chain_phases = KillChainPhasesReference() else: kc = KillChain(id_=create_id1x("TTP"), name=phase["kill_chain_name"]) _KILL_CHAINS[phase["kill_chain_name"]] = {"kill_chain": kc} kcp = KillChainPhase(name=phase["phase_name"], phase_id=create_id1x("TTP")) kc.add_kill_chain_phase(kcp) _KILL_CHAINS[phase["kill_chain_name"]]["phases"] = { phase["phase_name"]: kcp } obj1x.add_kill_chain_phase( KillChainPhaseReference( phase_id=kcp.phase_id, name=kcp.name, ordinality=None, kill_chain_id=_KILL_CHAINS[ phase["kill_chain_name"]]["kill_chain"].id_, kill_chain_name=_KILL_CHAINS[ phase["kill_chain_name"]]["kill_chain"].name))
def main(): stix_pkg = STIXPackage() # create LM-style kill chain # REF: http://stix.mitre.org/language/version{{site.current_version}}/stix_v{{site.current_version}}_lmco_killchain.xml recon = KillChainPhase(phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a", name="Reconnaissance", ordinality="1") weapon = KillChainPhase(phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16", name="Weaponization", ordinality="2") deliver = KillChainPhase(phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d", name="Delivery", ordinality="3") exploit = KillChainPhase(phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0", name="Exploitation", ordinality="4") install = KillChainPhase(phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", name="Installation", ordinality="5") control = KillChainPhase(phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2", name="Command and Control", ordinality="6") action = KillChainPhase(phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6", name="Actions on Objectives", ordinality="7") lmchain = KillChain(id_="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", name="LM Cyber Kill Chain") lmchain.definer = "LMCO" lmchain.kill_chain_phases = [recon, weapon, deliver, exploit, install, control, action] stix_pkg.ttps.kill_chains.append(lmchain) infect = KillChainPhase(name="Infect Machine") exfil = KillChainPhase(name="Exfiltrate Data") mychain = KillChain(name="Organization-specific Kill Chain") mychain.definer = "Myself" mychain.kill_chain_phases = [infect, exfil] stix_pkg.ttps.add_ttp(TTP()) stix_pkg.ttps.kill_chains.append(mychain) indicator = Indicator() indicator.kill_chain_phases = KillChainPhasesReference([ KillChainPhaseReference(phase_id=exfil.phase_id, kill_chain_id=mychain.id_), KillChainPhaseReference(phase_id=action.phase_id, kill_chain_id=lmchain.id_) ]) stix_pkg.add_indicator(indicator) print(stix_pkg.to_xml(encoding=None))
def main(): # get args parser = argparse.ArgumentParser ( description = "Parse a given CSV and output STIX XML" , formatter_class=argparse.ArgumentDefaultsHelpFormatter ) parser.add_argument("--infile","-f", help="input CSV", default = "in.csv") args = parser.parse_args() # setup header contain_pkg = STIXPackage() stix_header = STIXHeader() stix_header.title = "Indicators" stix_header.add_package_intent ("Indicators") # XXX add Information_Source and Handling contain_pkg.stix_header = stix_header # create kill chain with three options (pre, post, unknown), relate as needed pre = KillChainPhase(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee", name="Pre-infection indicator", ordinality=1) post = KillChainPhase(phase_id="stix:KillChainPhase-d5459305-1a27-4f50-9875-23793d75e4fe", name="Post-infection indicator", ordinality=2) chain = KillChain(id_="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d", name="Degenerate Cyber Kill Chain" ) chain.definer = "U5" chain.kill_chain_phases = [pre, post] contain_pkg.ttps.kill_chains.append(chain) # read input data fd = open (args.infile, "rb") infile = csv.DictReader(fd) for row in infile: # create indicator for each row error = False ind = Indicator() ind.add_alternative_id(row['ControlGroupID']) ind.title = "Indicator with ID " + row['IndicatorID'] ind.description = row['Notes'] ind.producer = InformationSource() ind.producer.description = row['Reference'] # XXX unknown purpose for 'Malware' field - omitted # if the field denotes a specific malware family, we might relate as 'Malware TTP' to the indicator # set chain phase if 'Pre' in row['Infection Type']: ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d")) elif 'Post' in row['Infection Type']: ind.kill_chain_phases.append(KillChainPhaseReference(phase_id="stix:KillChainPhase-1a3c67f7-5623-4621-8d67-74963d1c5fee",kill_chain_id="stix:KillChain-3fbfebf2-25a7-47b9-ad8b-3f65e56e402d")) ind_type = row['Indicator Type'] if 'IP' in ind_type: ind.add_indicator_type( "IP Watchlist") ind_obj = SocketAddress() ind_obj.ip_address = row['Indicator'] ind_obj.ip_address.condition= "Equals" if row['indValue']: port = Port() # pull port out, since it's in form "TCP Port 42" port.port_value = row['indValue'].split()[-1] port.layer4_protocol = row['indValue'].split()[0] port.port_value.condition= "Equals" ind_obj.port = port elif 'Domain' in ind_type: ind.add_indicator_type ("Domain Watchlist") ind_obj = DomainName() ind_obj.value = row['Indicator'] ind_obj.value.condition= "Equals" elif 'Email' in ind_type: # parse out which part of the email is being # i.e. "Sender: attach | Subject: whatever" tag = row['Indicator'].split(':')[0] val = row['Indicator'].split(':')[1] ind.add_indicator_type ("Malicious E-mail") ind_obj = EmailMessage() if "Subject" in tag: ind_obj.subject = val ind_obj.subject.condition= "Equals" elif "Sender" in tag: ind_obj.sender = val ind_obj.sender.condition= "Equals" elif "Attachment" in tag: # make inline File to store filename file_obj = File() file_obj.id_ = cybox.utils.create_id(prefix="File") file_obj.file_name = val file_obj.file_name.condition = "Equals" ind_obj.add_related(file_obj, "Contains") attach = Attachments() attach.append(file_obj.id_) ind_obj.attachments = attach elif 'User Agent' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) fields = HTTPRequestHeaderFields() fields.user_agent = row['Indicator'] fields.user_agent.condition = "Equals" header = HTTPRequestHeader() header.parsed_header = fields thing = HTTPRequestResponse() thing.http_client_request = HTTPClientRequest() thing.http_client_request.http_request_header = header ind_obj = HTTPSession() ind_obj.http_request_response = [thing] elif 'URI' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) thing = HTTPRequestResponse() thing.http_client_request = HTTPClientRequest() thing.http_client_request.http_request_line = HTTPRequestLine() thing.http_client_request.http_request_line.http_method = row['Indicator'].split()[0] thing.http_client_request.http_request_line.http_method.condition = "Equals" thing.http_client_request.http_request_line.value = row['Indicator'].split()[1] thing.http_client_request.http_request_line.value.condition = "Equals" ind_obj = HTTPSession() ind_obj.http_request_response = [thing] elif 'File' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) ind_obj = File() ind_obj.file_name = row['Indicator'] ind_obj.file_name.condition = "Equals" digest = Hash() # XXX assumes that hash digests are stored in this field in real data digest.simple_hash_value = row['indValue'].strip() digest.simple_hash_value.condition = "Equals" digest.type_.condition = "Equals" ind_obj.add_hash(digest) elif 'Registry' in ind_type: ind.add_indicator_type( VocabString(row['Indicator Type'])) ind_obj = WinRegistryKey() keys = RegistryValues() key = RegistryValue() key.name = row['Indicator'] key.name.condition = "Equals" key.data = row['indValue'] key.data.condition = "Equals" keys.append(key) ind_obj.values = keys elif 'Mutex' in ind_type: ind.add_indicator_type (VocabString(row['Indicator Type'])) ind_obj = Mutex() ind_obj.name = row['Indicator'] ind_obj.name.condition= "Equals" else: print "ERR type not supported: " + ind_type + " <- will be omitted from output" error = True # finalize indicator if not error: ind.add_object(ind_obj) contain_pkg.add_indicator(ind) # DONE looping print contain_pkg.to_xml()