Пример #1
0
 def get_technique_and_mitigation_relationships() -> List[CourseOfAction]:
     file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
     technique_filter = [
         Filter("type", "=", "relationship"),
         Filter("relationship_type", "=", "mitigates"),
     ]
     all_techniques = file_system.query(technique_filter)
     return all_techniques
Пример #2
0
 def get_technique_and_mitigation_relationships() -> List[CourseOfAction]:
     file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
     technique_filter = [
         Filter('type', '=', 'relationship'),
         Filter('relationship_type', '=', 'mitigates')
     ]
     all_techniques = file_system.query(technique_filter)
     return all_techniques
Пример #3
0
 def get_all_attack_techniques() -> Dict[str, AttackPattern]:
     file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
     technique_filter = [Filter('type', '=', 'attack-pattern')]
     all_techniques = file_system.query(technique_filter)
     all_techniques = {
         technique['id']: technique
         for technique in all_techniques
     }
     return all_techniques
Пример #4
0
 def get_all_mitigations() -> Dict[str, CourseOfAction]:
     file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
     mitigation_filter = [Filter('type', '=', 'course-of-action')]
     all_mitigations = file_system.query(mitigation_filter)
     all_mitigations = {
         mitigation['id']: mitigation
         for mitigation in all_mitigations
     }
     return all_mitigations
Пример #5
0
def get_technique_and_mitigation_relationships(
        attack_data_path: Path) -> List[CourseOfAction]:
    file_system = FileSystemSource(attack_data_path)
    technique_filter = [
        Filter("type", "=", "relationship"),
        Filter("relationship_type", "=", "mitigates"),
    ]
    all_techniques = file_system.query(technique_filter)
    return all_techniques
Пример #6
0
def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]:
    file_system = FileSystemSource(attack_data_path)
    mitigation_filter = [Filter("type", "=", "course-of-action")]
    all_mitigations = file_system.query(mitigation_filter)
    all_mitigations = {
        mitigation["id"]: mitigation
        for mitigation in all_mitigations
    }
    return all_mitigations
Пример #7
0
def get_all_attack_techniques(
        attack_data_path: Path) -> Dict[str, AttackPattern]:
    file_system = FileSystemSource(attack_data_path)
    technique_filter = [Filter("type", "=", "attack-pattern")]
    all_techniques = file_system.query(technique_filter)
    all_techniques = {
        technique["id"]: technique
        for technique in all_techniques
    }
    return all_techniques
Пример #8
0
class AtomicCaldera:
    def __init__(self, services, ac_data_svc):
        self.ac_data_svc = ac_data_svc
        self.data_svc = services.get('data_svc')
        self.auth_svc = services.get('auth_svc')
        self.log = Logger('atomiccaldera')
        self.log.debug('Atomic-Caldera Plugin Logging started.')
        self.get_conf()
        self.fs = FileSystemSource(self.ctipath)

    def get_conf(self):
        confPath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
                                '../conf/artconf.yml')
        try:
            with open(confPath, 'r') as c:
                conf = yaml.load(c, Loader=yaml.Loader)
            self.ctipath = os.path.expanduser(
                os.path.join(conf['ctipath'], 'enterprise-attack/'))
            self.artpath = os.path.expanduser(conf['artpath'])
            self.log.debug(self.ctipath)
            self.log.debug(self.artpath)
        except:
            pass

    @template('atomiccaldera.html')
    async def landing(self, request):
        await self.auth_svc.check_permissions(request)
        abilities = []
        tactics = []
        variables = []
        try:
            abilities = await self.ac_data_svc.explode_art_abilities()
            for ab in abilities:
                if not ab['tactic'] in tactics:
                    tactics.append(ab['tactic'])
        except Exception as e:
            self.log.error(e)

        try:
            variables = await self.ac_data_svc.explode_art_variables()
        except Exception as e:
            self.log.error(e)
        return {
            'abilities': json.dumps(abilities),
            'tactics': tactics,
            'variables': json.dumps(variables)
        }

    async def getMITREPhase(self, attackID):
        filter = [
            Filter('type', '=', 'attack-pattern'),
            Filter('external_references.external_id', '=', attackID)
        ]
        result = self.fs.query(filter)
        if result:
            return result[0].kill_chain_phases[0].phase_name
        else:
            return 'unknown'

    async def get_atomics(self):
        await self.ac_data_svc.build_db(
            os.path.join(os.path.dirname(os.path.realpath(__file__)),
                         '../conf/ac.sql'))
        artAbilities = []
        artVars = []
        if os.path.exists(self.artpath):
            for root, dirs, files in os.walk(self.artpath):
                for procFile in files:
                    fullFile = os.path.join(root, procFile)
                    if os.path.splitext(fullFile)[-1].lower() == '.yaml':
                        self.log.debug('Processing {}'.format(fullFile))
                        try:
                            artObj = ARTyaml()
                        except:
                            continue
                        with open(fullFile, 'r') as yamlFile:
                            try:
                                artObj.load(yamlFile)
                            except:
                                continue
                        # Loop through the tests
                        if artObj.atomicTests:
                            for atomic in artObj.atomicTests:
                                for platform in atomic['supported_platforms']:
                                    if platform.lower() in [
                                            'windows', 'linux', 'macos'
                                    ]:
                                        name = atomic['name']
                                        description = atomic['description']
                                        if 'command' in atomic[
                                                'executor'].keys():
                                            command = re.sub(
                                                r'x07', r'a',
                                                repr(atomic['executor']
                                                     ['command'])).strip()
                                            command = command.encode(
                                                'utf-8').decode(
                                                    'unicode_escape')
                                            executor = atomic['executor'][
                                                'name']
                                            if command[0] == '\'':
                                                command = command.strip('\'')
                                            elif command[0] == '\"':
                                                command = command.strip('\"')
                                        else:
                                            command = ''
                                            executor = ''

                                        try:
                                            if command != '':
                                                checkUnique = {
                                                    'technique':
                                                    int(artObj.attackTech[1:]),
                                                    'command':
                                                    b64encode(
                                                        command.encode('utf-8')
                                                    ).decode('utf-8')
                                                }
                                        except Exception as e:
                                            print(e)

                                        # Check to see if the command has been added to the database
                                        if (command != ''
                                                and not await self.ac_data_svc.
                                                check_art_ability(checkUnique)
                                            ):
                                            uuidBool = True
                                            while (uuidBool):
                                                ability_id = str(uuid.uuid4())
                                                if not await self.ac_data_svc.check_art_ability(
                                                    {'ability_id': ability_id
                                                     }):
                                                    uuidBool = False

                                            try:
                                                # Add the new ability to export
                                                artAbilities.append({
                                                    'ability_id':
                                                    ability_id,
                                                    'technique':
                                                    artObj.attackTech[1:],
                                                    'name':
                                                    name,
                                                    'description':
                                                    description,
                                                    'tactic':
                                                    await self.getMITREPhase(
                                                        artObj.attackTech),
                                                    'attack_name':
                                                    artObj.displayName,
                                                    'platform':
                                                    platform,
                                                    'executor':
                                                    executor,
                                                    'command':
                                                    b64encode(
                                                        command.encode('utf-8')
                                                    ).decode('utf-8')
                                                })
                                            except Exception as e:
                                                print(e)

                                            if 'input_arguments' in atomic.keys(
                                            ):
                                                for argument in atomic[
                                                        'input_arguments'].keys(
                                                        ):
                                                    try:
                                                        curVar = re.sub(
                                                            r'x07', r'a',
                                                            repr(atomic[
                                                                'input_arguments']
                                                                 [argument]
                                                                 ['default'])
                                                        ).strip()
                                                        if curVar[0] == '\'':
                                                            curVar = curVar.strip(
                                                                '\'')
                                                        elif curVar[0] == '\"':
                                                            curVar = curVar.strip(
                                                                '\"')
                                                        curVar = curVar.replace(
                                                            '\\\\', '\\')
                                                        artVars.append({
                                                            'ability_id':
                                                            ability_id,
                                                            'var_name':
                                                            argument,
                                                            'value':
                                                            b64encode(
                                                                curVar.encode(
                                                                    'utf-8')).
                                                            decode('utf-8')
                                                        })
                                                    except:
                                                        pass
        else:
            self.log.debug('Paths are not valid')
            return {'abilities': [], 'variables': []}
        self.log.debug('Got to the end.')
        return {'abilities': artAbilities, 'variables': artVars}

    async def export_all_to_stockpile(self, data):
        try:
            abilities = await self.ac_data_svc.explode_art_abilities()
        except Exception as e:
            self.log.error(e)
        try:
            variables = await self.ac_data_svc.explode_art_variables()
        except Exception as e:
            self.log.error(e)
        if await self.export_to_stockpile(abilities, variables):
            return 'Abilities successfully exported.'
        else:
            return 'Failed to export abilities.'

    async def export_one_to_stockpile(self, data):
        abilities = []
        variables = []
        ability_id = {'ability_id': data.pop('ability_id')}
        try:
            abilities = await self.ac_data_svc.get_art_ability(ability_id)
        except Exception as e:
            self.log.error(e)
        try:
            variables = await self.ac_data_svc.get_art_variable(ability_id)
        except Exception as e:
            self.log.error(e)
        if await self.export_to_stockpile(abilities, variables):
            return 'Ability successfully exported.'
        else:
            return 'Failed to export ability.'

    async def export_to_stockpile(self, abilities, variables):
        # String representer foy PyYAML to format the command string
        yaml.add_representer(cmdStr, cmd_presenter)

        for ability in abilities:
            executor = ability['executor']
            platform = ability['platform']
            payload = ''

            # Fix the command formatting
            command = b64decode(ability['command'])
            command = command.decode('utf-8')
            if command[0] == '\'':
                command = command.strip('\'')
            elif command[0] == '\"':
                command = command.strip('\"')

            # Determin the executor
            # Fill in the variables
            for variable in variables:
                if variable['ability_id'] == ability['ability_id']:
                    value = b64decode(variable['value']).decode('utf-8')
                    if value[0] == '\'':
                        value = value.strip('\'')
                    elif value[0] == '\"':
                        value = value.strip('\"')

                    value = value.replace('\\\\', '\\')
                    command = re.sub(
                        r"\#{{{argName}}}".format(
                            argName=str(variable['var_name'])),
                        value.encode('unicode-escape').decode(), command)

            if (executor.lower() == 'sh' or executor.lower() == 'bash'):
                if platform.lower() == 'linux':
                    platform = 'linux'
                elif platform.lower() == 'macos':
                    platform = 'darwin'
            elif (executor.lower() == 'command_prompt'
                  or executor.lower() == 'powershell'):
                if (executor.lower() == 'command_prompt'):
                    executor = 'cmd'
                else:
                    executor = 'psh'
            command = command.replace('\\n', '\n')

            # Future additions
            parserName = ''
            parserProperty = ''
            parserScript = ''

            # Build the YAML data
            #newYaml = [{ 'id': ability['ability_id'],
            #	'name': ability['name'],
            #	'description': ability['description'],
            #	'tactic': ability['tactic'],
            #	'technique': { 'attack_id': 'T{}'.format(str(ability['technique'])), 'name': ability['attack_name'] },
            #	'platforms': { platform: { executor.lower(): { 'command': cmdStr(command), 'payload': payload, 'parser': { 'name': parserName, 'property': parserProperty, 'script': parserScript }}}}}]

            newYaml = [{
                'id': ability['ability_id'],
                'name': ability['name'],
                'description': ability['description'],
                'tactic': ability['tactic'],
                'technique': {
                    'attack_id': 'T{}'.format(str(ability['technique'])),
                    'name': ability['attack_name']
                },
                'platforms': {
                    platform: {
                        executor.lower(): {
                            'command': cmdStr(command),
                            'payload': payload
                        }
                    }
                }
            }]

            payloadPath = os.path.join(
                os.path.dirname(os.path.realpath(__file__)),
                '../../stockpile/data/payloads/')
            abilityPath = os.path.join(
                os.path.dirname(os.path.realpath(__file__)),
                '../../stockpile//data/abilities/')

            # Check and create payloads folder if it does not exist
            try:
                if not os.path.exists(payloadPath):
                    os.makedirs(payloadPath)
            except Exception as e:
                self.log.error(e)
                return False

            # Write the BAT file if needed
            if payload != '':
                with open(os.path.join(payloadPath, payload),
                          'w') as payloadFile:
                    payloadFile.write(batCommand)

            # Check and create ability folder if it does not exist
            try:
                if not os.path.exists(
                        os.path.join(abilityPath, ability['tactic'])):
                    os.makedirs(os.path.join(abilityPath, ability['tactic']))
            except Exception as e:
                self.log.error(e)
                return False

            # Write the YAML file to the correct directory
            try:
                with open(
                        os.path.join(abilityPath, ability['tactic'],
                                     '{}.yml'.format(ability['ability_id'])),
                        'w') as newYAMLFile:
                    dump = yaml.dump(newYaml,
                                     default_style=None,
                                     default_flow_style=False,
                                     allow_unicode=True,
                                     encoding=None,
                                     sort_keys=False)
                    newYAMLFile.write(dump)
            except Exception as e:
                self.log.error(e)
                return False
        return True

    async def get_art(self, request):
        self.log.debug('Landed in get_art.')
        try:
            atomics = await self.get_atomics()
        except Exception as e:
            self.log.error(e)
            pass
        return atomics

    async def import_art_abilities(self):
        try:
            atomics = await self.get_atomics()
        except Exception as e:
            self.log.error(e)
            return 'Failed to load abilities.'
        for ability in atomics['abilities']:
            await self.ac_data_svc.create_art_ability(ability)
        for variable in atomics['variables']:
            await self.ac_data_svc.create_art_variable(variable)
        return 'Successfully imported new abilities.'

    async def save_art_ability(self, data):
        key = data.pop('key')
        value = data.pop('value')
        updates = data.pop('data')
        if await self.ac_data_svc.update_art_ability(key, value, updates):
            return 'Updated ability: {}'.format(value)
        else:
            return 'Update failed for ability: {}'.format(value)

    async def save_art_variables(self, data):
        updates = data.pop('data')
        if await self.ac_data_svc.update_art_variables(updates):
            return 'Updated variables successfully.'
        else:
            return 'Updates to variables failed.'

    async def delete_all(self):
        abilities = []
        payloadPath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
                                   '../../stockpile/data/payloads/')
        abilityPath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
                                   '../../stockpile/data/abilities/')
        try:
            abilities = await self.ac_data_svc.explode_art_abilities()
        except Exception as e:
            self.log.error(e)

        for ability in abilities:
            if os.path.exists(
                    os.path.join(abilityPath, ability['tactic'],
                                 '{}.yml'.format(ability['ability_id']))):
                os.remove(
                    os.path.join(abilityPath, ability['tactic'],
                                 '{}.yml'.format(ability['ability_id'])))
            if os.path.exists(
                    os.path.join(payloadPath,
                                 '{}.bat'.format(ability['ability_id']))):
                os.remove(
                    os.path.join(payloadPath,
                                 '{}.bat'.format(ability['ability_id'])))
        status = await self.ac_data_svc.delete_all()
        await self.ac_data_svc.build_db(
            os.path.join(os.path.dirname(os.path.realpath(__file__)),
                         '../conf/ac.sql'))
        return status

    async def rest_api(self, request):
        self.log.debug('Starting Rest call.')
        await self.auth_svc.check_permissions(request)
        data = dict(await request.json())
        index = data.pop('index')
        self.log.debug('Index: {}'.format(index))

        options = dict(
            PUT=dict(ac_ability=lambda d: self.import_art_abilities(**d)),
            POST=dict(
                ac_ability=lambda d: self.ac_data_svc.explode_art_abilities(**d
                                                                            ),
                ac_ability_save=lambda d: self.save_art_ability(data=d),
                ac_variables_save=lambda d: self.save_art_variables(data=d),
                ac_export_all=lambda d: self.export_all_to_stockpile(**d),
                ac_export_one=lambda d: self.export_one_to_stockpile(data=d)),
            DELETE=dict(delete_all=lambda d: self.delete_all(**d)))
        try:
            output = await options[request.method][index](data)
        except Exception as e:
            self.log.debug('Stopped at api call.')
            self.log.error(e)
        return web.json_response(output)
Пример #9
0
def main(args, config):
    """
    Wrapper to run all components of CDAS

    Calls context, agents, and asset builders to create simulation componenets.
    Passes resulting components to simulation module. Manages output.

    Parameters
    ----------
    args : list
        The arguments passed in from argparse or read from the configuration 
        file in the arguments method
    config : dict
        The configuration file opened and loaded from json
    """

    # Set up the Output directory
    if os.path.isdir(args.output):
        q = (f"Overwrite the output folder {os.getcwd() + '/' + args.output}? "
             f"(y/n) ")
    else:
        q = f"Output path {os.getcwd() + '/' + args.output} does not exist.\n\
            Create this directory? (y/n) "

    if not args.overwrite_output:
        answer = ""
        while answer not in ['y', 'n']:
            answer = input(q)
    else:
        answer = 'y'
    if answer == 'n':
        sys.exit(f"CDAS exited without completing")
    else:
        if os.path.isdir(args.output):
            for filename in os.listdir(args.output):
                file_path = os.path.join(args.output, filename)
                try:
                    if os.path.isfile(file_path) or os.path.islink(file_path):
                        os.unlink(file_path)
                    elif os.path.isdir(file_path):
                        shutil.rmtree(file_path)
                except Exception as e:
                    print('Failed to delete %s. %s' % (file_path, e))
        else:
            os.mkdir(args.output)

    # Set up the STIX data stores
    # Check if it's okay to overwrite the contents of the temporary data store
    temp_path = pkg_resources.resource_filename(__name__, config['temp_path'])
    if os.path.isdir(temp_path):
        q = f"Overwrite temporary stix data folder ({temp_path})? (y/n) "
        overwrite = input(q)
        if overwrite == 'n':
            print(f"Rename the 'temp path' variable in config file and \
                restart the simulation.")
            sys.exit()
        elif overwrite == 'y':
            shutil.rmtree(temp_path)
            os.mkdir(temp_path)
        else:
            overwrite = input(q)
    else:
        os.mkdir(temp_path)
    fs_gen = FileSystemStore(temp_path)
    fs_real = FileSystemSource(
        pkg_resources.resource_filename(__name__, "assets/mitre_cti/"))

    # Load or create country data
    countries = []
    if args.randomize_geopol is True:
        print("Creating countries...")
        with open(args.random_geodata, encoding='utf-8') as f:
            context_options = json.load(f)  # seed file
        f.close()
        map_matrix = context.Map(args.num_countries)
        for c in range(0, args.num_countries):
            countries.append(
                context.Country(fs_gen, context_options, map_matrix.map))
        for c in countries:
            # This loop is used mainly to convert references to other countries
            # to the names of those countries instead of their ID numbers,
            # since, during the generation of each country it only has access
            # to map_matrix with ID numbers of the other countries

            # Convert the neighbors listed by id# to neighbor country names
            neighbors = {}
            for n in c.neighbors:
                n_name = next((x.name for x in countries if x.id == n), None)
                neighbors[n_name] = c.neighbors[n]
            c.neighbors = neighbors
            if len(c.neighbors) == 0:
                c.neighbors = "None (island nation)"

            # if country is a terrority, find its owner
            if c.government_type == "non-self-governing territory":
                gdps = [(int(gdp.gdp[1:].replace(',', '')), gdp.name)
                        for gdp in countries]
                gdps.sort()
                # Territory owners are most likely to be high GDP countries
                # pick a random one from the top three GDP
                owner_name = np.random.choice([gdp[1] for gdp in gdps][-3:])
                if c.name in [gdp[1] for gdp in gdps][-3:]:
                    # if the territory itself is in the top three GDP, change
                    # its gov type to a republic instead of a territory
                    c.government_type = "federal parliamentary republic"
                else:
                    c.government_type += f" of {str(owner_name)}"
                    # update ethnic groups to include owner instead of random
                    owner = next(
                        (x.id for x in countries if x.name == owner_name),
                        None)
                    if str(owner) not in c.ethnic_groups:
                        egs = {}
                        for eg in c.ethnic_groups:
                            try:
                                int(eg)
                                if str(owner) not in egs:
                                    egs[str(owner)] = c.ethnic_groups[eg]
                                else:
                                    egs[eg] = c.ethnic_groups[eg]
                            except ValueError:
                                egs[eg] = c.ethnic_groups[eg]
                        c.ethnic_groups = egs
                    # update forces to include owner name if necessary
                    msf = c.military_and_security_forces
                    c.military_and_security_forces = msf.replace(
                        "[COUNTRY]", owner_name)
                    # update languages to include owner instead of random
                    if str(owner) not in c.languages:
                        langs = {}
                        for eg in c.languages:
                            try:
                                int(eg)
                                if str(owner) not in langs:
                                    langs[str(owner)] = c.languages[eg]
                                else:
                                    langs[eg] = c.languages[eg]
                            except ValueError:
                                langs[eg] = c.languages[eg]
                        c.languages = langs

            # Apply nationalities to ethnic groups listed by id#
            egs = {}
            for eg in c.ethnic_groups:
                try:
                    egs[next(
                        (x.nationality for x in countries if x.id == int(eg)),
                        None)] = c.ethnic_groups[eg]
                except ValueError:
                    egs[eg] = c.ethnic_groups[eg]
            c.ethnic_groups = egs

            # Convert languges listed by id# to country names
            egs = {}
            for eg in c.languages:
                try:
                    eg_name = next(
                        (x.name for x in countries if x.id == int(eg)), None)
                    if eg_name.endswith(('a', 'e', 'i', 'o', 'u')):
                        eg_name += "nese"
                    else:
                        eg_name += 'ish'
                    egs[eg_name] = c.languages[eg]
                except ValueError:
                    egs[eg] = c.languages[eg]
            c.languages = egs
    else:
        # Using country data files instead of random generation
        print("Loading countries...")
        for fn in os.listdir(args.country_data):
            with open(args.country_data + fn, 'r') as f:
                country_data = json.load(f)
            f.close()
            countries.append(context.Country(fs_gen, **country_data))

    # Load or create actor data
    print("Creating threat actors...")
    with open(pkg_resources.resource_filename(__name__,
                                              "assets/stix_vocab.json"),
              encoding='utf-8') as json_file:
        stix_vocab = json.load(json_file)
    json_file.close()
    if config['agents']['randomize_threat_actors'] is True:
        apt_store = fs_gen
        with open(pkg_resources.resource_filename(
                __name__,
                config['agents']['random_variables']['actor_name_1']),
                  encoding='utf-8') as f:
            adjectives = [line.rstrip() for line in f]
        f.close()
        with open(pkg_resources.resource_filename(
                __name__,
                config['agents']['random_variables']['actor_name_2']),
                  encoding='utf-8') as f:
            nouns = [line.rstrip() for line in f]
        f.close()
        actors = 1
        while actors <= config['agents']['random_variables']['num_agents']:
            agents.create_threatactor(stix_vocab, nouns, adjectives, countries,
                                      apt_store)
            actors += 1
    else:
        # no randomization - use provided data set
        if config['agents']['non_random_vars']['apt_data'] == "mitre_cti":
            apt_store = fs_real
        else:
            apt_store = FileSystemStore(
                config['agents']['non_random_vars']['apt_data'])

    # Create organizations
    print('Creating organizations...')
    with open(
            pkg_resources.resource_filename(
                __name__,
                config['agents']['org_variables']['org_names'])) as f:
        org_names = f.read().splitlines()  # organization name possibilities
    f.close()
    with open(pkg_resources.resource_filename(__name__,
                                              'assets/NIST_assess.json'),
              encoding='utf-8') as json_file:
        assessment = json.load(json_file)
    json_file.close()
    for c in countries:
        orgs = 0
        while orgs < config['agents']['org_variables']["orgs_per_country"]:
            agents.create_organization(stix_vocab, fs_gen, c, org_names,
                                       assessment)
            orgs += 1

    # Run simulation
    print('Running simulation...')
    start = datetime.strptime(config["simulation"]['time_range'][0],
                              '%Y-%m-%d')
    end = datetime.strptime(config["simulation"]['time_range'][1], '%Y-%m-%d')
    td = end - start
    actors = apt_store.query(Filter("type", "=", "intrusion-set"))
    orgs = fs_gen.query([
        Filter("type", "=", "identity"),
        Filter("identity_class", "=", "organization")
    ])
    tools = fs_real.query(Filter('type', '=', 'tool'))
    malwares = fs_real.query(Filter('type', '=', 'malware'))
    for r in range(1, int(config["simulation"]['number_of_rounds']) + 1):
        print(f'\tRound {r}')
        simulator.simulate(
            actors, orgs, tools, malwares, fs_gen, start,
            td.days / (config["simulation"]['number_of_rounds'] * len(actors)))
        start += timedelta(days=td.days /
                           config["simulation"]['number_of_rounds'])

    # Create output files
    print('Saving output...')
    # Map
    country_names = {}
    for country in countries:
        country_names[str(country.id)] = country.name
    try:
        map_matrix.plot_map(args.output, **country_names)
    except NameError:
        pass

    for ot in args.output_types:
        print(f'\t{ot}')
        path = args.output + "/" + ot
        if ot == "stix":
            shutil.copytree(temp_path, path)
        else:
            os.mkdir(path)
            os.mkdir(path + '/countries/')
            os.mkdir(path + '/actors/')
            os.mkdir(path + '/reports/')
            os.mkdir(path + '/organizations/')
            for country in countries:
                country.save(path + '/countries/', ot)
            apts = apt_store.query(Filter("type", "=", "intrusion-set"))
            for apt in apts:
                agents.save(apt, path + '/actors/', ot, fs_gen, fs_real)
            events = fs_gen.query(Filter("type", "=", "sighting"))
            for e in events:
                simulator.save(e, apt_store, fs_real, path + '/reports/', ot)
            for org in orgs:
                agents.save_org(org, path + '/organizations/', ot, assessment)
        if ot == "html":
            html_src = pkg_resources.resource_filename(
                __name__, 'assets/html_templates')
            html_templates = os.listdir(html_src)
            for f in html_templates:
                shutil.copy(html_src + '/' + f, path)
            f = open(path + '/COUNTRY.html', 'r')
            c_template = f.read()
            f.close()
            for country in countries:
                f = open(path + '/countries/' + country.name + '.html', 'w')
                f.write(c_template.replace('COUNTRY', country.name))
                f.close()
            os.remove(path + '/COUNTRY.html')

    shutil.rmtree(temp_path)

    print('Done')
Пример #10
0
from stix2 import FileSystemSource
fs = FileSystemSource('./enterprise-attack')

from stix2 import Filter
filt = Filter('type', '=', 'attack-pattern')

malwares = fs.query(Filter("type", "=", 'malware'))
[print(m) for m in malwares if m.name == 'Emotet']
# print(malwares[3].name)

# * Query relationships
all_rs = fs.query(Filter("type", "=", 'relationship'))
# print(all_rs[3])
relationships = [
    r for r in all_rs
    if r.source_ref == 'malware--32066e94-3112-48ca-b9eb-ba2b59d2f023'
]
print(relationships)
# print(type(relationships))

# * Query relationships
# all_rs = fs.query(Filter("type", "=", 'relationship'))
# [print(r) for r in all_rs if r.target_ref == 'malware--32066e94-3112-48ca-b9eb-ba2b59d2f023']

# * Query techniques
# techniques = fs.query([filt])
# print(techniques[0].x_mitre_data_sources)
# [print(t) for t in techniques]

# * Query software
# from itertools import chain
Пример #11
0
class abilitymanager:
    def __init__(self, services):
        self.data_svc = services.get('data_svc')
        self.auth_svc = services.get('auth_svc')
        self.log = Logger('abilitymanager')
        self.log.debug('Ability Manager Plugin logging started.')
        self.get_conf()
        self.fs = FileSystemSource(self.ctipath)
        self.stockPath = os.path.join(
            os.path.dirname(os.path.realpath(__file__)),
            '../../stockpile//data/abilities/')

    def get_conf(self):
        confPath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
                                '../conf/amconf.yml')
        with open(confPath, 'r') as c:
            conf = yaml.load(c, Loader=yaml.Loader)
        self.ctipath = os.path.expanduser(
            os.path.join(conf['ctipath'], 'enterprise-attack/'))
        self.log.debug('Getting local configuration from: {}'.format(confPath))
        try:
            with open(confPath, 'r') as c:
                conf = yaml.load(c, Loader=yaml.Loader)
            self.ctipath = os.path.expanduser(
                os.path.join(conf['ctipath'], 'enterprise-attack/'))
            if 'payloadPath' in conf.keys():
                self.payloadPath = os.path.expander(conf['payloadPath'])
            else:
                self.payloadPath = os.path.join(
                    os.path.dirname(os.path.realpath(__file__)),
                    '../../stockpile/data/payloads/')
            if 'abilityPath' in conf.keys():
                self.abilityPath = os.path.expander(conf['abilityPath'])
            else:
                self.abilityPath = os.path.join(
                    os.path.dirname(os.path.realpath(__file__)),
                    '../../stockpile//data/abilities/')
        except Exception as e:
            self.log.debug('Stopped at api call.')
            self.log.error(e)
            pass

    async def get_uuid(self, data):
        try:
            return str(uuid.uuid4())
        except Exception as e:
            self.log.debug('Error getting UUID.')
            self.log.error('e')
            return 'Failure'

    async def getMITRETactics(self):
        tacticList = []
        tactics = {}
        matrix = self.fs.query([
            Filter('type', '=', 'x-mitre-matrix'),
        ])

        for i in range(len(matrix)):
            tactics[matrix[i]['name']] = []
            for tactic_id in matrix[i]['tactic_refs']:
                tactics[matrix[i]['name']].append(
                    self.fs.query([Filter('id', '=', tactic_id)])[0])

        for tactic in tactics['Enterprise ATT&CK']:
            tacticList.append(tactic['name'])

        return tacticList

    async def getMITRETechniques(self, data):
        tactic = data['data'].replace(' ', '-').lower()
        techniques = []
        filter = [
            Filter('type', '=', 'attack-pattern'),
            Filter('kill_chain_phases.phase_name', '=', tactic)
        ]
        results = self.fs.query(filter)

        # This is used in the official documentation. I'm not sure it is needed.
        doubleCheck = [
            t for t in results if {
                'kill_chain_name': 'mitre-attack',
                'phase_name': tactic,
            } in t.kill_chain_phases
        ]

        for entry in doubleCheck:
            techniques.append({
                'tactic':
                tactic,
                'name':
                entry['name'],
                'id':
                entry['external_references'][0]['external_id']
            })

        return techniques

    async def getATTACK(self):
        attackList = []
        tactics = await self.getMITRETactics()

        try:
            for tactic in tactics:
                for technique in await self.getMITRETechniques(
                    {'data': tactic}):
                    attackList.append(technique)

            return attackList
        except Exception as e:
            self.log.debug('Failed to parse tactics')
            self.log.error(e)
            return []

    async def explode_stockpile(self):
        self.log.debug('Starting stockpile ability explosion')
        stockAbilities = []
        self.log.debug('Checking stockpile path: {}'.format(self.stockPath))
        if os.path.exists(self.stockPath):
            for root, dirs, files in os.walk(self.stockPath):
                for procFile in files:
                    fullFile = os.path.join(root, procFile)
                    if os.path.splitext(fullFile)[-1].lower() == '.yml':
                        newAbility = {}
                        with open(fullFile, 'r') as yamlFile:
                            try:
                                stockData = yaml.load(yamlFile,
                                                      Loader=yaml.Loader)
                            except:
                                continue
                        platformData = []
                        rawAbility = stockData[0]
                        rawPlatform = rawAbility['platforms']
                        for keyName in rawPlatform.keys():
                            for test in rawPlatform[keyName]:
                                newTest = {'platform': keyName, 'executor': ''}
                                parserName = ''
                                parserProperty = ''
                                parserScript = ''
                                if 'command' in rawPlatform[keyName][
                                        test].keys():
                                    newTest.update({
                                        'command':
                                        b64encode(rawPlatform[keyName][test]
                                                  ['command'].encode(
                                                      'utf-8')).decode('utf-8')
                                    })
                                if 'cleanup' in rawPlatform[keyName][
                                        test].keys():
                                    newTest.update({
                                        'cleanup':
                                        b64encode(rawPlatform[keyName][test]
                                                  ['cleanup'].encode(
                                                      'utf-8')).decode('utf-8')
                                    })
                                if 'payload' in rawPlatform[keyName][
                                        test].keys():
                                    newTest.update({
                                        'payload':
                                        rawPlatform[keyName][test]['payload']
                                    })
                                if 'parser' in rawPlatform[keyName][test].keys(
                                ):
                                    if rawPlatform[keyName][test]['parser'][
                                            'name']:
                                        parserName = rawPlatform[keyName][
                                            test]['parser']['name']
                                    if rawPlatform[keyName][test]['parser'][
                                            'property']:
                                        parserProperty = rawPlatform[keyName][
                                            test]['parser']['property']
                                    if rawPlatform[keyName][test]['parser'][
                                            'script']:
                                        parserScript = rawPlatform[keyName][
                                            test]['parser']['script']
                                    newTest.update({
                                        'parser': {
                                            'name':
                                            parserName,
                                            'property':
                                            parserProperty,
                                            'script':
                                            b64encode(
                                                parserScript.encode(
                                                    'utf-8')).decode('utf-8')
                                        }
                                    })
                                if (len(test.split(',')) > 1):
                                    for subTest in test.split(','):
                                        newTest['executor'] = subTest
                                        platformData.append(newTest.copy())
                                else:
                                    newTest['executor'] = test
                                    platformData.append(newTest)
                        newAbility = {
                            'id': rawAbility['id'],
                            'name': rawAbility['name'],
                            'description': rawAbility['description'],
                            'tactic': rawAbility['tactic'],
                            'technique': rawAbility['technique'],
                            'platforms': platformData,
                            'path': fullFile
                        }

                        stockAbilities.append(newAbility)
        return stockAbilities

    async def delete_ability(self, data):
        pathData = data['data']
        try:
            os.remove(pathData)
            return 'File deleted.'
        except Exception as e:
            self.log.error(e)
            return 'File deletion failed.'

    async def save_ability(self, data):
        abilityData = data.pop('data')
        newYaml = []
        newYamlEntry = {}
        newPlatforms = {}
        osList = []

        # Add the YAML presenter
        yaml.add_representer(cmdStr, cmd_presenter)

        # Get the OS names
        for test in abilityData['platforms']:
            osList.append(test['platform'])

        osList = list(set(osList))

        try:
            for osSys in osList:
                newPlatforms[osSys] = {}
                for test in abilityData['platforms']:
                    if osSys == test['platform']:
                        newTest = {}
                        command = b64decode(test['command'])
                        command = command.decode('utf-8')
                        if command[0] == '\'':
                            command = command.strip('\'')
                        elif command[0] == '\"':
                            command = command.strip('\"')
                        command = command.replace('\\n', '\n')
                        newTest['command'] = cmdStr(command)
                        # Check for payload
                        if 'payload' in test.keys():
                            newTest['payload'] = test['payload']
                        if 'cleanup' in test.keys():
                            cleanup = b64decode(test['cleanup'])
                            cleanup = cleanup.decode('utf-8')
                            if cleanup[0] == '\'':
                                cleanup = cleanup.strip('\'')
                            elif cleanup[0] == '\"':
                                cleanup = cleanup.strip('\"')
                            cleanup = cleanup.replace('\\n', '\n')
                            newTest['cleanup'] = cmdStr(cleanup)
                        if 'parser' in test.keys():
                            newParser = {}
                            newParser['name'] = test['parser']['name']
                            newParser['property'] = test['parser']['property']
                            newParser['script'] = b64decode(
                                test['parser']['script']).decode('utf-8')
                            newTest['parser'] = newParser
                        newPlatforms[osSys][test['executor']] = newTest
                    else:
                        pass

            newYamlEntry['id'] = abilityData['id']
            newYamlEntry['name'] = abilityData['name']
            newYamlEntry['description'] = abilityData['description']
            newYamlEntry['tactic'] = abilityData['tactic']
            newYamlEntry['technique'] = abilityData['technique']
            newYamlEntry['platforms'] = newPlatforms
            newYaml.append(newYamlEntry)
        except Exception as e:
            self.log.error(e)
            return 'Failed to parse ability data.'

        #payloadPath = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../../stockpile/data/payloads/')
        #abilityPath = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../../stockpile//data/abilities/')
        # You can change the output path for testing or to seperate your changes if you like.
        #payloadPath = '/tmp/'
        #abilityPath = '/tmp/'

        # Check and create payloads folder if it does not exist
        try:
            if not os.path.exists(self.payloadPath):
                os.makedirs(self.payloadPath)
        except Exception as e:
            self.log.error(e)
            return False

        # Check and create ability folder if it does not exist
        try:
            if not os.path.exists(
                    os.path.join(self.abilityPath, abilityData['tactic'])):
                os.makedirs(
                    os.path.join(self.abilityPath, abilityData['tactic']))
        except Exception as e:
            self.log.error(e)
            return False

        # Write the YAML file to the correct directory
        try:
            with open(
                    os.path.join(self.abilityPath, abilityData['tactic'],
                                 '{}.yml'.format(abilityData['id'])),
                    'w') as newYAMLFile:
                dump = yaml.dump(newYaml,
                                 default_style=None,
                                 default_flow_style=False,
                                 allow_unicode=True,
                                 encoding=None,
                                 sort_keys=False)
                newYAMLFile.write(dump)
        except Exception as e:
            self.log.error(e)

        # Delete the original file if necessary
        try:
            if (os.path.dirname(abilityData['path']) != os.path.join(
                    self.abilityPath, abilityData['tactic'])) and (
                        os.path.basename(abilityData['path'])
                        == '{}.yml'.format(abilityData['id'])):
                os.remove(abilityData['path'])
        except Exception as e:
            self.log.error(e)

        return 'Test saved successfully. Click the reload button to reload the list of available abilities.'

    @template('abilitymanager.html')
    async def landing(self, request):
        try:
            fullTactics = []
            attackLit = []
            await self.auth_svc.check_permissions(request)
            abilities = await self.explode_stockpile()
            tactics = set([a['tactic'].lower() for a in abilities])
            fullTactics = await self.getMITRETactics()
            attackList = await self.getATTACK()
            self.log.debug('Landing call completed.')
        except Exception as e:
            self.log.debug('Failed to land.')
            self.log.error(e)
        return {
            'abilities': json.dumps(abilities),
            'tactics': tactics,
            'fulltactics': json.dumps(fullTactics),
            'techniques': json.dumps(attackList)
        }

    async def rest_api(self, request):
        self.log.debug('Starting Rest call.')
        await self.auth_svc.check_permissions(request)
        data = dict(await request.json())
        index = data.pop('index')
        self.log.debug('Index: {}'.format(index))

        options = dict(
            PUT=dict(),
            POST=dict(
                am_ability=lambda d: self.explode_stockpile(**d),
                am_ability_save=lambda d: self.save_ability(data=d),
                am_ability_delete=lambda d: self.delete_ability(data=d),
                am_get_uuid=lambda d: self.get_uuid(data=d),
                am_get_tactics=lambda d: self.getMITRETactics(),
                am_get_techniques=lambda d: self.getMITRETechniques(data=d),
                am_get_attack=lambda d: self.getATTACK()),
            DELETE=dict())
        try:
            output = await options[request.method][index](data)
        except Exception as e:
            self.log.error(e)
        return web.json_response(output)