def test_not_equal(self):
phase1 = KillChainPhase(phase_id='stix:test-1', ordinality=1,
name='Reconnaissance')
phase2 = KillChainPhase(phase_id='stix:test-2', ordinality=2,
name='Weaponize')
self.assertNotEqual(phase1, phase2)
def test_equal(self):
chain1 = KillChain(id_="test", name="foo", definer="bar",
reference="foobar.com")
chain2 = KillChain(id_="test", name="foo", definer="bar",
reference="foobar.com")
self.assertEqual(chain1, chain2)
chain1.kill_chain_phases.append(KillChainPhase(phase_id="test"))
chain2.kill_chain_phases.append(KillChainPhase(phase_id="test"))
self.assertEqual(chain1, chain2)
def test_stix_header_marking_placement(self):
"""Test that marking an individual field whose parent does not contain
a handling structure, marking is placed in stix header."""
container = stixmarx.new()
package = container.package
red_marking = generate_marking_spec(generate_red_marking_struct())
kill_chain = KillChain(id_="example:kc-1234", name="Test Kill Chain")
kill_chain_phase = KillChainPhase(phase_id="example:kcp-1234",
name="Test Kill Chain Phase")
test_ttps = ttps.TTPs()
package.ttps = test_ttps
kill_chain.add_kill_chain_phase(kill_chain_phase)
package.ttps.kill_chains.kill_chain.append(kill_chain)
container.add_marking(kill_chain_phase, red_marking)
self.assertTrue(package.stix_header is None)
container.flush()
self.assertTrue(package.stix_header.handling.marking[0].
controlled_structure is not None)
def test_equal(self):
phase1 = KillChainPhase(phase_id='stix:test-1', ordinality=1,
name='Reconnaissance')
phase2 = KillChainPhase(phase_id='stix:test-1', ordinality=1,
name='Reconnaissance')
self.assertEqual(phase1, phase2)
phase1 = KillChainPhase.from_dict(phase1.to_dict())
phase2 = KillChainPhase.from_dict(phase2.to_dict())
self.assertEqual(phase1, phase2)
def main():
stix_pkg = STIXPackage()
# make indicator
ind = Indicator()
ind.title = "Malicious executable"
ind.description = "Resident binary which implements infostealing and credit card grabber"
# link to "Installation" phase and kill chain by ID values
infect = KillChainPhase(name="Infect Machine")
exfil = KillChainPhase(name="Exfiltrate Data")
mychain = KillChain(name="Organization-specific Kill Chain")
mychain.kill_chain_phases = [infect, exfil]
stix_pkg.ttps.add_ttp(TTP())
stix_pkg.ttps.kill_chains.append(mychain)
stix_pkg.add_indicator(ind)
# add referenced phase to indicator
ind.kill_chain_phases.append(KillChainPhaseReference(phase_id=infect.phase_id, kill_chain_id=mychain.id_))
print(stix_pkg.to_xml(encoding=None))
def process_kill_chain_phases(phases, obj1x):
for phase in phases:
if phase["kill_chain_name"] in _KILL_CHAINS:
kill_chain_phases = _KILL_CHAINS[
phase["kill_chain_name"]]["phases"]
if not phase["phase_name"] in kill_chain_phases:
kill_chain_phases.update({
phase["phase_name"]:
KillChainPhase(phase_id=create_id1x("TTP"),
name=phase["phase_name"],
ordinality=None)
})
_KILL_CHAINS[phase["kill_chain_name"]][
"kill_chain"].add_kill_chain_phase(
kill_chain_phases[phase["phase_name"]])
kcp = kill_chain_phases[phase["phase_name"]]
if not obj1x.kill_chain_phases:
obj1x.kill_chain_phases = KillChainPhasesReference()
else:
kc = KillChain(id_=create_id1x("TTP"),
name=phase["kill_chain_name"])
_KILL_CHAINS[phase["kill_chain_name"]] = {"kill_chain": kc}
kcp = KillChainPhase(name=phase["phase_name"],
phase_id=create_id1x("TTP"))
kc.add_kill_chain_phase(kcp)
_KILL_CHAINS[phase["kill_chain_name"]]["phases"] = {
phase["phase_name"]: kcp
}
obj1x.add_kill_chain_phase(
KillChainPhaseReference(
phase_id=kcp.phase_id,
name=kcp.name,
ordinality=None,
kill_chain_id=_KILL_CHAINS[
phase["kill_chain_name"]]["kill_chain"].id_,
kill_chain_name=_KILL_CHAINS[
phase["kill_chain_name"]]["kill_chain"].name))
def test_equal(self):
phase1 = KillChainPhase(phase_id='stix:test-1', ordinality=1,
name='Reconnaissance')
phase2 = KillChainPhase(phase_id='stix:test-1', ordinality=1,
name='Reconnaissance')
self.assertEqual(phase1, phase2)
phase1 = KillChainPhase.from_dict(phase1.to_dict())
phase2 = KillChainPhase.from_dict(phase2.to_dict())
self.assertEqual(phase1, phase2)
def main():
stix_pkg = STIXPackage()
# create LM-style kill chain
# REF: http://stix.mitre.org/language/version{{site.current_version}}/stix_v{{site.current_version}}_lmco_killchain.xml
recon = KillChainPhase(phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a", name="Reconnaissance", ordinality="1")
weapon = KillChainPhase(phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16", name="Weaponization", ordinality="2")
deliver = KillChainPhase(phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d", name="Delivery", ordinality="3")
exploit = KillChainPhase(phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0", name="Exploitation", ordinality="4")
install = KillChainPhase(phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", name="Installation", ordinality="5")
control = KillChainPhase(phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2", name="Command and Control", ordinality="6")
action = KillChainPhase(phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6", name="Actions on Objectives", ordinality="7")
lmchain = KillChain(id_="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", name="LM Cyber Kill Chain")
lmchain.definer = "LMCO"
lmchain.kill_chain_phases = [recon, weapon, deliver, exploit, install, control, action]
stix_pkg.ttps.kill_chains.append(lmchain)
infect = KillChainPhase(name="Infect Machine")
exfil = KillChainPhase(name="Exfiltrate Data")
mychain = KillChain(name="Organization-specific Kill Chain")
mychain.definer = "Myself"
mychain.kill_chain_phases = [infect, exfil]
stix_pkg.ttps.add_ttp(TTP())
stix_pkg.ttps.kill_chains.append(mychain)
indicator = Indicator()
indicator.kill_chain_phases = KillChainPhasesReference([
KillChainPhaseReference(phase_id=exfil.phase_id, kill_chain_id=mychain.id_),
KillChainPhaseReference(phase_id=action.phase_id, kill_chain_id=lmchain.id_)
])
stix_pkg.add_indicator(indicator)
print(stix_pkg.to_xml(encoding=None))
def test_add_no_id_phase(self):
refs = KillChainPhasesReference()
phase = KillChainPhase()
self.assertRaises(ValueError, refs.append, phase)
ttp.description = 'Integer posuere erat a ante venenatis dapibus posuere velit aliquet.'
ttp.short_description = 'Etiam Vestibulum Elit Ligula'
ttp.add_intended_effect(IntendedEffect('Account Takeover'))
# TTP - Attack Pattern
attack_pattern = AttackPattern()
attack_pattern.capec_id = 'CAPEC-98'
attack_pattern.description = 'Phishing'
attack_pattern.short_description = 'Phishing'
ttp.behavior = Behavior()
ttp.behavior.add_attack_pattern(attack_pattern)
# TTP - Kill Chain Phase
phase = KillChainPhase(
name='Infect Machine',
phase_id='example:TTP-7a0fb8e4-a778-4c79-9c7e-8747675da5f1')
kc_phases = KillChainPhasesReference()
kc_phases.append(KillChainPhaseReference(name=phase.name))
ttp.kill_chain_phases = kc_phases
# TTP - Resource (Tool, Infrastructure, Personas)
resource = Resource()
tool = ToolInformation(title='malware.exe')
tool.type_ = AttackerToolType('Malware')
tool.description = 'Tool Description'
tool.short_description = 'Tool Short Description'
infrastructure = Infrastructure(title='Leveraged Domains')
infrastructure.types = AttackerInfrastructureType('Domain Registration')
infrastructure.description = 'Infrastructure Description'