def test_add_lmco_phase(self):
phase = lmco.PHASE_DELIVERY
refs = KillChainPhasesReference()
refs.append(phase)
self.assertTrue(isinstance(refs[0], KillChainPhaseReference))
self.assertTrue(refs[0].phase_id, lmco.PHASE_DELIVERY.phase_id)
def __init__(self,
id_=None,
idref=None,
timestamp=None,
title=None,
description=None,
short_description=None):
super(Indicator, self).__init__(id_=id_,
idref=idref,
timestamp=timestamp,
title=title,
description=description,
short_description=short_description)
self.observable = None
self.indicator_types = IndicatorTypes()
self.test_mechanisms = TestMechanisms()
self.alternative_id = None
self.suggested_coas = SuggestedCOAs()
self.sightings = Sightings()
self.composite_indicator_expression = None
self.kill_chain_phases = KillChainPhasesReference()
self.related_indicators = RelatedIndicators()
self.related_campaigns = RelatedCampaignRefs()
self.observable_composition_operator = "OR"
self.related_packages = RelatedPackageRefs()
def __init__(self,
id_=None,
idref=None,
timestamp=None,
title=None,
description=None,
short_description=None):
super(Indicator, self).__init__(id_=id_,
idref=idref,
timestamp=timestamp,
title=title,
description=description,
short_description=short_description)
self.producer = None
self.observables = None
self.indicator_types = IndicatorTypes()
self.confidence = None
self.indicated_ttps = _IndicatedTTPs()
self.test_mechanisms = TestMechanisms()
self.alternative_id = None
self.suggested_coas = SuggestedCOAs()
self.sightings = Sightings()
self.composite_indicator_expression = None
self.handling = None
self.kill_chain_phases = KillChainPhasesReference()
self.valid_time_positions = _ValidTimePositions()
self.related_indicators = None
self.related_campaigns = RelatedCampaignRefs()
self.observable_composition_operator = "OR"
self.likely_impact = None
self.negate = None
self.related_packages = RelatedPackageRefs()
def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None):
self.id_ = id_ or stix.utils.create_id("indicator")
self.idref = idref
self.version = self._version
self.producer = None
self.observables = None
self.title = title
self.description = description
self.short_description = short_description
self.indicator_types = None
self.confidence = None
self.indicated_ttps = None
self.test_mechanisms = None
self.alternative_id = None
self.suggested_coas = SuggestedCOAs()
self.sightings = Sightings()
self.composite_indicator_expression = None
self.handling = None
self.kill_chain_phases = KillChainPhasesReference()
self.valid_time_positions = None
self.related_indicators = None
self.observable_composition_operator = "AND"
self.likely_impact = None
if timestamp:
self.timestamp = timestamp
else:
self.timestamp = datetime.now(tzutc()) if not idref else None
def generate_indicators(self, count):
'''Generate a list of STIX Indicators'''
indicators = []
for i in range(0, count):
indicator = Indicator(title='Multiple indicator types')
indicator.set_producer_identity(Identity(name='Secret Source'))
indicator.set_produced_time(datetime.today())
indicator.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration']))
indicator.add_short_description('Short description...')
indicator.add_description('Long description...')
indicator.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown']))
kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
indicator.kill_chain_phases = KillChainPhasesReference(
[KillChainPhaseReference(name=kill_chain_phase.name)])
ips = self.gen_ips(randint(0, 5))
for ip in ips:
indicator.add_observable(ip)
# user_agents = self.gen_user_agents(randint(0, 5))
# for ua in user_agents:
# indicator.add_observable(ua)
# fqnds = self.gen_fqdns(randint(0, 5))
# for f in fqnds:
# indicator.add_observable(f)
# urls = self.gen_urls(randint(0, 5))
# for u in urls:
# indicator.add_observable(u)
indicators.append(indicator)
return indicators
def add_kill_chain_phase_reference_data_from_frame(api_object, frame):
indicator = api_object.obj
indicator_builder_data = frame[0].f_locals['indicator_data']
kill_chain_phase_id = indicator_builder_data.get('kill_chain_phase')
if kill_chain_phase_id:
kill_chain_phase = KillChainPhaseReference(
kill_chain_id=KILL_CHAIN_ID, phase_id=kill_chain_phase_id)
indicator._object.kill_chain_phases = KillChainPhasesReference(
[kill_chain_phase])
return api_object
def __init__(self,
id_=None,
idref=None,
timestamp=None,
title=None,
description=None,
short_description=None):
super(TTP, self).__init__(id_=id_,
idref=idref,
timestamp=timestamp,
title=title,
description=description,
short_description=short_description)
self.related_packages = RelatedPackageRefs()
self.exploit_targets = ExploitTargets()
self.related_ttps = RelatedTTPs()
self.kill_chain_phases = KillChainPhasesReference()
def main():
stix_pkg = STIXPackage()
# create LM-style kill chain
# REF: http://stix.mitre.org/language/version{{site.current_version}}/stix_v{{site.current_version}}_lmco_killchain.xml
recon = KillChainPhase(phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a", name="Reconnaissance", ordinality="1")
weapon = KillChainPhase(phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16", name="Weaponization", ordinality="2")
deliver = KillChainPhase(phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d", name="Delivery", ordinality="3")
exploit = KillChainPhase(phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0", name="Exploitation", ordinality="4")
install = KillChainPhase(phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", name="Installation", ordinality="5")
control = KillChainPhase(phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2", name="Command and Control", ordinality="6")
action = KillChainPhase(phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6", name="Actions on Objectives", ordinality="7")
lmchain = KillChain(id_="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", name="LM Cyber Kill Chain")
lmchain.definer = "LMCO"
lmchain.kill_chain_phases = [recon, weapon, deliver, exploit, install, control, action]
stix_pkg.ttps.kill_chains.append(lmchain)
infect = KillChainPhase(name="Infect Machine")
exfil = KillChainPhase(name="Exfiltrate Data")
mychain = KillChain(name="Organization-specific Kill Chain")
mychain.definer = "Myself"
mychain.kill_chain_phases = [infect, exfil]
stix_pkg.ttps.add_ttp(TTP())
stix_pkg.ttps.kill_chains.append(mychain)
indicator = Indicator()
indicator.kill_chain_phases = KillChainPhasesReference([
KillChainPhaseReference(phase_id=exfil.phase_id, kill_chain_id=mychain.id_),
KillChainPhaseReference(phase_id=action.phase_id, kill_chain_id=lmchain.id_)
])
stix_pkg.add_indicator(indicator)
print(stix_pkg.to_xml(encoding=None))
def process_kill_chain_phases(phases, obj1x):
for phase in phases:
if phase["kill_chain_name"] in _KILL_CHAINS:
kill_chain_phases = _KILL_CHAINS[
phase["kill_chain_name"]]["phases"]
if not phase["phase_name"] in kill_chain_phases:
kill_chain_phases.update({
phase["phase_name"]:
KillChainPhase(phase_id=create_id1x("TTP"),
name=phase["phase_name"],
ordinality=None)
})
_KILL_CHAINS[phase["kill_chain_name"]][
"kill_chain"].add_kill_chain_phase(
kill_chain_phases[phase["phase_name"]])
kcp = kill_chain_phases[phase["phase_name"]]
if not obj1x.kill_chain_phases:
obj1x.kill_chain_phases = KillChainPhasesReference()
else:
kc = KillChain(id_=create_id1x("TTP"),
name=phase["kill_chain_name"])
_KILL_CHAINS[phase["kill_chain_name"]] = {"kill_chain": kc}
kcp = KillChainPhase(name=phase["phase_name"],
phase_id=create_id1x("TTP"))
kc.add_kill_chain_phase(kcp)
_KILL_CHAINS[phase["kill_chain_name"]]["phases"] = {
phase["phase_name"]: kcp
}
obj1x.add_kill_chain_phase(
KillChainPhaseReference(
phase_id=kcp.phase_id,
name=kcp.name,
ordinality=None,
kill_chain_id=_KILL_CHAINS[
phase["kill_chain_name"]]["kill_chain"].id_,
kill_chain_name=_KILL_CHAINS[
phase["kill_chain_name"]]["kill_chain"].name))
def test_add_no_id_phase(self):
refs = KillChainPhasesReference()
phase = KillChainPhase()
self.assertRaises(ValueError, refs.append, phase)
def kill_chain_phases(self, value):
self._kill_chain_phases = KillChainPhasesReference(value)
ttp.add_intended_effect(IntendedEffect('Account Takeover'))
# TTP - Attack Pattern
attack_pattern = AttackPattern()
attack_pattern.capec_id = 'CAPEC-98'
attack_pattern.description = 'Phishing'
attack_pattern.short_description = 'Phishing'
ttp.behavior = Behavior()
ttp.behavior.add_attack_pattern(attack_pattern)
# TTP - Kill Chain Phase
phase = KillChainPhase(
name='Infect Machine',
phase_id='example:TTP-7a0fb8e4-a778-4c79-9c7e-8747675da5f1')
kc_phases = KillChainPhasesReference()
kc_phases.append(KillChainPhaseReference(name=phase.name))
ttp.kill_chain_phases = kc_phases
# TTP - Resource (Tool, Infrastructure, Personas)
resource = Resource()
tool = ToolInformation(title='malware.exe')
tool.type_ = AttackerToolType('Malware')
tool.description = 'Tool Description'
tool.short_description = 'Tool Short Description'
infrastructure = Infrastructure(title='Leveraged Domains')
infrastructure.types = AttackerInfrastructureType('Domain Registration')
infrastructure.description = 'Infrastructure Description'
infrastructure.short_description = 'Infrastructure Short Description'
domain = DomainName()
