def main():
    """Build a two-report STIX package and print it as XML.

    The package holds one Campaign and one TTP at top level; each Report
    refers back to them by idref instead of embedding a copy.
    """
    # Top-level objects are created first so their ids exist for the idrefs below.
    ics_campaign = Campaign(title="Campaign against ICS")
    rat_ttp = TTP(title="DrownedRat")

    # Report 1: campaign characterization, referencing the campaign by id.
    campaign_report = Report()
    campaign_report.header = Header()
    campaign_report.header.title = (
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    )
    campaign_report.header.descriptions = (
        "Adversary Alpha has a campaign against the ICS sector!"
    )
    campaign_report.header.intents = "Campaign Characterization"
    campaign_report.add_campaign(Campaign(idref=ics_campaign.id_))

    # Report 2: malware indicators, referencing the TTP by id.
    indicator_report = Report()
    indicator_report.header = Header()
    indicator_report.header.title = "Indicators for Malware DrownedRat"
    indicator_report.header.intents = "Indicators - Malware Artifacts"
    indicator_report.add_ttp(TTP(idref=rat_ttp.id_))

    # Package everything with a header naming the information source.
    package = STIXPackage()
    source = InformationSource()
    source.identity = Identity(name="Government Sharing Program - GSP")
    package.stix_header = STIXHeader(information_source=source)
    for item in (campaign_report, indicator_report):
        package.add_report(item)
    package.add_campaign(ics_campaign)
    package.add_ttp(rat_ttp)

    print(package.to_xml())
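def main():
    """Build a two-report STIX package and print it as XML.

    The package holds one Campaign and one TTP at top level; each Report
    refers back to them by idref rather than embedding a copy.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    # Report on the campaign; the Campaign inside it is only an idref.
    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = (
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    )
    alpha_report.header.descriptions = (
        "Adversary Alpha has a campaign against the ICS sector!"
    )
    alpha_report.header.intents = "Campaign Characterization"
    # NOTE(review): the sibling example reads the public `id_` property; `_id`
    # looks like a version-specific private attribute — confirm against the
    # installed library before relying on it.
    alpha_report.add_campaign(Campaign(idref=campaign._id))

    # Report on the malware; the TTP inside it is only an idref.
    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp._id))

    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    # The parenthesized form is valid on both Python 2 and 3; the bare
    # `print x` statement is a syntax error on Python 3.
    print(wrapper.to_xml())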
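def _append_rows(add_to_report, build, sql, id_list):
    """Look up each id in *id_list* with *sql* and hand build(row) to *add_to_report*.

    Args:
        add_to_report: bound Report method (e.g. report.add_incident).
        build: helper turning one database row into the matching STIX object.
        sql: parameterized statement with a single ``?`` for the id.
        id_list: comma-separated ids as they arrived in the request.

    Raises:
        ValueError: when an id has no matching row.
    """
    for raw_id in id_list.split(','):
        ident = raw_id.strip()
        if not ident:
            # Tolerate "1,,2" or a trailing comma instead of querying for "".
            continue
        row = query_db(sql, [ident], one=True)
        # NOTE(review): assumes query_db(..., one=True) returns None when nothing
        # matched — confirm. The previous code passed None straight to the builder;
        # failing here keeps a report from silently dropping a requested record.
        if row is None:
            raise ValueError("no row matched id %r for query %r" % (ident, sql))
        add_to_report(build(row))


def build_stix(input_dict):
    """Assemble a STIXPackage holding one Report built from the ids in *input_dict*.

    Args:
        input_dict: mapping with
            - 'title': text appended to the STIX header description ("TTP <title>");
            - 'marking': optional handling statement; when truthy it is attached to
              the header as a SimpleMarkingStructure;
            - 'incidents', 'ttps', 'indicators', 'observables', 'threatActors',
              'targets', 'coas', 'campaigns': optional comma-separated id strings;
              each id is looked up in the table of the same name and converted with
              the matching build* helper.

    Returns:
        The populated STIXPackage.

    Raises:
        ValueError: when a listed id has no row in its table.
    """
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "TTP " + input_dict['title']

    # Handling requirements are optional; only attach a marking when one was given.
    marking_text = input_dict.get('marking')
    if marking_text:
        mark = SimpleMarkingStructure()
        mark.statement = marking_text
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)
    stix_package.stix_header = stix_header

    report = Report()
    # One entry per report section, in the order the sections are filled:
    # request key, parameterized lookup, row->STIX builder, Report method.
    # The SQL text is fixed here; the id is always a bound parameter and nothing
    # from input_dict is ever spliced into a statement.
    sections = (
        ('incidents', 'select * from incidents where id = ?', buildIncident, report.add_incident),
        ('ttps', 'select * from ttps where id = ?', buildTtp, report.add_ttp),
        ('indicators', 'select * from indicators where id = ?', buildIndicator, report.add_indicator),
        ('observables', 'select * from observables where id = ?', buildObservable, report.add_observable),
        ('threatActors', 'select * from threatActors where id = ?', buildThreatActor, report.add_threat_actor),
        ('targets', 'select * from targets where id = ?', buildTarget, report.add_exploit_target),
        ('coas', 'select * from coas where id = ?', buildCoa, report.add_course_of_action),
        ('campaigns', 'select * from campaigns where id = ?', buildCampaign, report.add_campaign),
    )
    for key, sql, build, add_to_report in sections:
        id_list = input_dict.get(key)
        if id_list:
            _append_rows(add_to_report, build, sql, id_list)

    stix_package.add_report(report)
    return stix_package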
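def gatherIOCs(folderPath, synConn, synackConn, ackConn, resolvedIPs, results, fullHTTPArray, udpconn, dnspacket, icmpPacket, ftpconn, sshconn, foundIPs):
    """Collect sandbox network artifacts into a STIX package and write it to disk.

    Every artifact is wrapped by its *Obj helper, added to the package, and
    mirrored in the report with a placeholder Indicator(). The XML is written to
    ``<folderPath>/<sample file name>.xml``.

    Args:
        folderPath: directory that receives the .xml output.
        synConn, synackConn, ackConn: TCP connection records keyed by handshake
            stage; a record in synConn but not ackConn counts as a failed attempt,
            one present in all three as established.
        resolvedIPs: addresses resolved during the run.
        results: Cuckoo results dict; only results["target"]["file"]["name"] is read.
        fullHTTPArray: full HTTP requests.
        udpconn: UDP records; index 0 and 1 hold the ports as strings (port '53'
            traffic is skipped because DNS is reported separately).
        dnspacket: DNS requests.
        icmpPacket: ICMP records; index 0 is the type, only 0 and 8 are kept.
        ftpconn: FTP records; index 4 is a reply code, index 5 a command.
        sshconn: SSH connections.
        foundIPs: IP addresses found as static strings in the sample.
    """
    import os

    stix_package = STIXPackage()
    stix_report = stixReport()

    def record(obj):
        # Every artifact goes into the package; the report only receives an empty
        # Indicator() for each one. TODO: reference the real indicator ids here.
        stix_package.add(obj)
        stix_report.add_indicator(Indicator())

    source = InformationSource()
    source.description = "From Cuckoo sandbox IOC_STIX reporting module"
    stix_report.header = Header()
    stix_report.header.title = "A bunch of related indicators"
    stix_report.header.short_description = "A short description for the indicators oooooh!"
    stix_report.header.information_source = source

    # Resolved IP addresses
    for susip in resolvedIPs:
        record(susIP(susip))

    # IPs found as static strings in the file
    for ip_string in foundIPs:
        record(susIPfound(ip_string))

    # TCP: SYN with no ACK is a failed attempt; SYN + SYN/ACK + ACK is established.
    for tcp in synConn:
        if tcp not in ackConn:
            record(TCPConnectionAttemptFailedObj(tcp))
    for tcp in synConn:
        if tcp in synackConn and tcp in ackConn:
            record(TCPConnectionEstablishedObj(tcp))

    # Full HTTP requests
    for http_request in fullHTTPArray:
        record(HTTPFullObj(http_request))

    # UDP, skipping anything on port 53 (DNS is logged from dnspacket instead)
    for udp in udpconn:
        if udp[0] != '53' and udp[1] != '53':
            record(UDPRequestObj(udp))

    # DNS requests
    for dns in dnspacket:
        record(DNSRequestObj(dns))

    # ICMP: only echo reply (0) and echo request (8)
    for icmp in icmpPacket:
        if icmp[0] in (0, 8):
            record(ICMPObj(icmp))

    # FTP: keep server greetings/logins/completions and the interesting client commands
    for ftp in ftpconn:
        if ftp[4] in ('220', '230', '250') or ftp[5] in ("USER", "PASS", "STOR", "RETR"):
            record(FTPObj(ftp))

    # SSH connections
    for ssh in sshconn:
        record(SSHObj(ssh))

    stix_package.add_report(stix_report)

    # The file name comes from the analyzed sample, i.e. from outside this module.
    # basename() drops any directory components so the output always lands inside
    # folderPath; on POSIX only '/' is treated as a separator.
    sample_name = os.path.basename(str(results["target"]["file"]["name"]))
    out_path = os.path.join(folderPath, sample_name + ".xml")
    # `with` closes the file even when to_xml() raises.
    with open(out_path, 'w') as ioc_file:
        ioc_file.write(stix_package.to_xml())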