def main():
    """Build a STIX package in which two Reports point at a shared Campaign
    and TTP by idref, then print the package as XML.
    """
    # Top-level objects: the reports below reference these by id rather
    # than embedding a copy.
    ics_campaign = Campaign(title="Campaign against ICS")
    rat_ttp = TTP(title="DrownedRat")

    # Report 1: characterises the campaign.
    campaign_report = Report()
    campaign_report.header = Header()
    campaign_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    campaign_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    campaign_report.header.intents = "Campaign Characterization"
    campaign_report.add_campaign(Campaign(idref=ics_campaign.id_))

    # Report 2: malware indicators, linked to the TTP by idref.
    malware_report = Report()
    malware_report.header = Header()
    malware_report.header.title = "Indicators for Malware DrownedRat"
    malware_report.header.intents = "Indicators - Malware Artifacts"
    malware_report.add_ttp(TTP(idref=rat_ttp.id_))

    # Producer identity goes into the package header's information source.
    source = InformationSource()
    source.identity = Identity(name="Government Sharing Program - GSP")

    package = STIXPackage()
    package.stix_header = STIXHeader(information_source=source)
    for report in (campaign_report, malware_report):
        package.add_report(report)
    package.add_campaign(ics_campaign)
    package.add_ttp(rat_ttp)

    print(package.to_xml())
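def main():
    """Build a STIX package in which two Reports point at a shared Campaign
    and TTP by idref, then print the package as XML.

    Uses the function-call form of ``print`` so the snippet runs under both
    Python 2 and Python 3 (the statement form is a syntax error on 3).
    """
    # Top-level objects; the reports below reference them by id rather than
    # embedding a copy.
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    # NOTE(review): ``_id`` is the attribute this snippet relies on; newer
    # python-stix exposes the same value through the public ``id_`` property
    # (as the other example on this page does) -- confirm against the
    # installed library version.
    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    alpha_report.add_campaign(Campaign(idref=campaign._id))

    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp._id))

    # Producer identity is carried in the package header's information source.
    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)
    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    # Single-argument print(...) behaves identically on Python 2 and 3.
    print(wrapper.to_xml())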
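def build_stix( input_dict ):
    """Build a STIXPackage holding one Report assembled from *input_dict*.

    Args:
        input_dict: mapping with a required ``'title'`` key, an optional
            ``'marking'`` handling statement, and optional comma-separated id
            strings under ``'incidents'``, ``'ttps'``, ``'indicators'``,
            ``'observables'``, ``'threatActors'``, ``'targets'``, ``'coas'``
            and ``'campaigns'``. A missing key is treated like an empty value.

    Returns:
        The populated STIXPackage (header plus a single Report).
    """
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "TTP " + input_dict['title']

    # Add handling requirements if needed
    marking = input_dict.get('marking')
    if marking:
        mark = SimpleMarkingStructure()
        mark.statement = marking
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)

    stix_package.stix_header = stix_header

    report = Report()
    # One row per kind of related object: (input key, lookup query,
    # row -> STIX builder, Report method that attaches the built object).
    # The SQL text is fixed here and only the id is bound as a parameter, so
    # nothing taken from input_dict ever reaches the query string itself.
    sections = (
        ('incidents', 'select * from incidents where id = ?',
         buildIncident, report.add_incident),
        ('ttps', 'select * from ttps where id = ?',
         buildTtp, report.add_ttp),
        ('indicators', 'select * from indicators where id = ?',
         buildIndicator, report.add_indicator),
        ('observables', 'select * from observables where id = ?',
         buildObservable, report.add_observable),
        ('threatActors', 'select * from threatActors where id = ?',
         buildThreatActor, report.add_threat_actor),
        ('targets', 'select * from targets where id = ?',
         buildTarget, report.add_exploit_target),
        ('coas', 'select * from coas where id = ?',
         buildCoa, report.add_course_of_action),
        ('campaigns', 'select * from campaigns where id = ?',
         buildCampaign, report.add_campaign),
    )
    for key, query, builder, attach in sections:
        _add_related_objects(input_dict.get(key), query, builder, attach)

    stix_package.add_report(report)
    return stix_package


def _add_related_objects(id_list, query, builder, attach):
    """Look up every id in *id_list* and attach the built object to a report.

    Args:
        id_list: comma-separated id string, or a falsy value meaning "none".
        query: parameterised SQL with exactly one ``?`` placeholder for the id.
        builder: callable turning the fetched row into a STIX object.
        attach: bound Report method that adds the built object.

    Blank entries (e.g. from a trailing comma or stray whitespace) are
    skipped; surrounding whitespace on an id is stripped before the lookup so
    that ``"1, 2"`` resolves both rows rather than querying for ``" 2"``.
    """
    if not id_list:
        return
    for raw_id in id_list.split(','):
        each = raw_id.strip()
        if not each:
            continue
        result = query_db(query, [each], one=True)
        # NOTE(review): what query_db returns when no row matches is not
        # visible here; the builder is handed that value unchanged.
        attach(builder(result))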
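def gatherIOCs(folderPath, synConn, synackConn, ackConn, resolvedIPs, results,
               fullHTTPArray, udpconn, dnspacket, icmpPacket, ftpconn, sshconn,
               foundIPs):
    """Wrap the collected network IOCs in a STIX package and write it to disk.

    Each observed artefact is converted by its builder (susIP, HTTPFullObj,
    ...) and added to the package; a Report collecting the indicators is
    attached as well. The output file is ``<folderPath>/<sample name>.xml``.

    Args:
        folderPath: directory the XML file is written into.
        synConn, synackConn, ackConn: TCP handshake observations; a SYN with
            no matching ACK is reported as a failed attempt, one present in
            both the SYN-ACK and ACK sets as established.
        resolvedIPs: IP addresses resolved during the run.
        results: Cuckoo results dict; only ``results["target"]["file"]["name"]``
            is read, to name the output file.
        fullHTTPArray, udpconn, dnspacket, icmpPacket, ftpconn, sshconn:
            per-protocol observations handed to the matching builder.
        foundIPs: IP strings found statically in the sample.

    Returns:
        None. Side effect: writes the STIX XML file.
    """
    import os

    stix_package = STIXPackage()
    stix_report = stixReport()  # need to add indicator references to this
    stix_header_information_source = InformationSource()
    stix_header_information_source.description = "From Cuckoo sandbox IOC_STIX reporting module"
    stix_report.header = Header()
    stix_report.header.title = "A bunch of related indicators"
    stix_report.header.short_description = "A short description for the indicators oooooh!"
    stix_report.header.information_source = stix_header_information_source

    # NOTE(review): every add_indicator call below attaches an empty
    # Indicator() rather than a reference to the object just added; the
    # report therefore counts indicators but does not link them.

    # IP address
    for susip in resolvedIPs:
        stix_package.add(susIP(susip))
        stix_report.add_indicator(Indicator())

    # IPs found as static strings in the file
    for IP in foundIPs:
        stix_package.add(susIPfound(IP))
        stix_report.add_indicator(Indicator())

    # TCP Connection attempt and Connection established
    for tcp in synConn:
        if tcp not in ackConn:
            stix_package.add(TCPConnectionAttemptFailedObj(tcp))
            stix_report.add_indicator(Indicator())

    for tcpest in synConn:
        if tcpest in synackConn and tcpest in ackConn:
            stix_package.add(TCPConnectionEstablishedObj(tcpest))
            stix_report.add_indicator(Indicator())

    # Full HTTP Request
    for ht in fullHTTPArray:
        stix_package.add(HTTPFullObj(ht))
        stix_report.add_indicator(Indicator())

    # UDP Connection
    for udp in udpconn:
        # ignore DNS UDP packets (they are logged else where)
        if udp[0] != '53' and udp[1] != '53':
            stix_package.add(UDPRequestObj(udp))
            stix_report.add_indicator(Indicator())

    # DNS Connection
    for dns in dnspacket:
        stix_package.add(DNSRequestObj(dns))
        stix_report.add_indicator(Indicator())

    # ICMP Connection (types 0 = echo reply, 8 = echo request)
    for icmp in icmpPacket:
        if icmp[0] in (0, 8):
            stix_package.add(ICMPObj(icmp))
            stix_report.add_indicator(Indicator())

    # FTP Connection: keep selected server replies and client commands
    for ftp in ftpconn:
        if ftp[4] in ('220', '230', '250'):
            stix_package.add(FTPObj(ftp))
            stix_report.add_indicator(Indicator())
        elif ftp[5] in ("USER", "PASS", "STOR", "RETR"):
            stix_package.add(FTPObj(ftp))
            stix_report.add_indicator(Indicator())

    # SSH Connection
    for ssh in sshconn:
        stix_package.add(SSHObj(ssh))
        stix_report.add_indicator(Indicator())

    stix_package.add_report(stix_report)

    # The sample's file name comes from the submitted artefact, not from the
    # operator; basename() drops any directory components so the output
    # always lands inside folderPath.
    sample_name = os.path.basename(str(results["target"]["file"]["name"]))
    out_path = folderPath + "/" + sample_name + ".xml"
    # with-block guarantees the handle is closed even if to_xml() raises.
    with open(out_path, 'w') as IOCStix:
        IOCStix.write(stix_package.to_xml())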