def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime(
"2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30",
"%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10",
"%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime(
"2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.types = _Types.from_dict(get('types'))
return_obj.motivations = _Motivations.from_dict(get('motivations'))
return_obj.sophistications = _Sophistications.from_dict(get('sophistications'))
return_obj.intended_effects = _IntendedEffects.from_dict(get('intended_effects'))
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_dict(get('planning_and_operational_supports'))
return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(get('associated_actors'))
return_obj.handling = Marking.from_dict(get('handling'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages'))
return return_obj
def add_victim(self, victim):
if not victim:
return
elif isinstance(victim, Identity):
self.victims.append(victim)
else:
self.victims.append(Identity(name=victim))
def main():
campaign = Campaign(title="Campaign against ICS")
ttp = TTP(title="DrownedRat")
alpha_report = Report()
alpha_report.header = Header()
alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
alpha_report.header.intents = "Campaign Characterization"
alpha_report.add_campaign(Campaign(idref=campaign.id_))
rat_report = Report()
rat_report.header = Header()
rat_report.header.title = "Indicators for Malware DrownedRat"
rat_report.header.intents = "Indicators - Malware Artifacts"
rat_report.add_ttp(TTP(idref=ttp.id_))
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name="Government Sharing Program - GSP")
wrapper.stix_header = STIXHeader(information_source=info_src)
wrapper.add_report(alpha_report)
wrapper.add_report(rat_report)
wrapper.add_campaign(campaign)
wrapper.add_ttp(ttp)
print(wrapper.to_xml())
def main():
rule = """
rule silent_banker : banker
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
"""
stix_package = STIXPackage()
indicator = Indicator(title="silent_banker",
description="This is just an example")
tm = YaraTestMechanism()
tm.rule = rule
tm.producer = InformationSource(identity=Identity(name="Yara"))
tm.producer.references = ["http://plusvic.github.io/yara/"]
indicator.test_mechanisms = TestMechanisms([tm])
stix_package.add_indicator(indicator)
print(stix_package.to_xml(encoding=None))
def main():
ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc')
stix_package = STIXPackage()
ttp = TTP()
malware_instance = MalwareInstance()
malware_instance.names = ['Zeus', 'twexts', 'sdra64', 'ntos']
ttp = TTP(title="Zeus")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware_instance)
indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos")
tm = OpenIOCTestMechanism()
tm.ioc = ioc
tm.producer = InformationSource(identity=Identity(name="Yara"))
time = Time()
time.produced_time = "0001-01-01T00:00:00"
tm.producer.time = time
tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"]
indicator.test_mechanisms = [tm]
indicator.add_indicated_ttp(TTP(idref=ttp.id_))
stix_package.add_indicator(indicator)
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = _Types.from_obj(obj.Type)
return_obj.motivations = _Motivations.from_obj(obj.Motivation)
return_obj.sophistications = _Sophistications.from_obj(
obj.Sophistication)
return_obj.intended_effects = _IntendedEffects.from_obj(
obj.Intended_Effect)
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_obj(obj.Planning_And_Operational_Support)
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(
obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(
obj.Associated_Actors)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.related_packages = RelatedPackageRefs.from_obj(
obj.Related_Packages)
return return_obj
def main():
stix_package = STIXPackage()
ttp_phishing = TTP(title="Phishing")
attack_pattern = AttackPattern()
attack_pattern.capec_id = "CAPEC-98"
attack_pattern.description = ("Phishing")
ttp_phishing.behavior = Behavior()
ttp_phishing.behavior.add_attack_pattern(attack_pattern)
ttp_pivy = TTP(title="Poison Ivy Variant d1c6")
malware_instance = MalwareInstance()
malware_instance.add_name("Poison Ivy Variant d1c6")
malware_instance.add_type("Remote Access Trojan")
ttp_pivy.behavior = Behavior()
ttp_pivy.behavior.add_malware_instance(malware_instance)
ta_bravo = ThreatActor(title="Adversary Bravo")
ta_bravo.identity = Identity(name="Adversary Bravo")
related_ttp_phishing = RelatedTTP(TTP(idref=ttp_phishing.id_),
relationship="Leverages Attack Pattern")
ta_bravo.observed_ttps.append(related_ttp_phishing)
related_ttp_pivy = RelatedTTP(TTP(idref=ttp_pivy.id_),
relationship="Leverages Malware")
ta_bravo.observed_ttps.append(related_ttp_pivy)
stix_package.add_ttp(ttp_phishing)
stix_package.add_ttp(ttp_pivy)
stix_package.add_threat_actor(ta_bravo)
print stix_package.to_xml()
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.time = Time.from_dict(dict_repr.get('time'))
return_obj.victims = [Identity.from_dict(x) for x in dict_repr.get('victims', [])]
return_obj.categories = [IncidentCategory.from_dict(x) for x in dict_repr.get('categories', [])]
return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(dict_repr.get('attributed_threat_actors'))
return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.related_observables = RelatedObservables.from_dict(dict_repr.get('related_observables'))
return_obj.related_incidents = RelatedIncidents.from_dict(dict_repr.get('related_incidents'))
return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.leveraged_ttps = LeveragedTTPs.from_dict(dict_repr.get('leveraged_ttps'))
return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in dict_repr.get('affected_assets', [])]
return_obj.discovery_methdos = [DiscoveryMethod.from_dict(x) for x in dict_repr.get('discovery_methods', [])]
return_obj.reporter = InformationSource.from_dict(dict_repr.get('reporter'))
return_obj.responders = [InformationSource.from_dict(x) for x in dict_repr.get('responders', [])]
return_obj.coordinators = [InformationSource.from_dict(x) for x in dict_repr.get('coordinators', [])]
return_obj.external_ids = [ExternalID.from_dict(x) for x in dict_repr.get('external_ids', [])]
return_obj.impact_assessment = ImpactAssessment.from_dict(dict_repr.get('impact_assessment'))
return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.security_compromise = SecurityCompromise.from_dict(dict_repr.get('security_compromise'))
return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence'))
return_obj.coa_taken = [COATaken.from_dict(x) for x in dict_repr.get('coa_taken', [])]
return return_obj
def generate_indicators(self, count):
'''Generate a list of STIX Indicators'''
indicators = []
for i in range(0, count):
indicator = Indicator(title='Multiple indicator types')
indicator.set_producer_identity(Identity(name='Secret Source'))
indicator.set_produced_time(datetime.today())
indicator.add_indicator_type(choice(['Malware Artifacts', 'C2', 'Exfiltration']))
indicator.add_short_description('Short description...')
indicator.add_description('Long description...')
indicator.confidence = Confidence(choice(['High', 'Medium', 'Low', 'None', 'Unknown']))
kill_chain_phase = choice(LMCO_KILL_CHAIN_PHASES)
indicator.kill_chain_phases = KillChainPhasesReference(
[KillChainPhaseReference(name=kill_chain_phase.name)])
ips = self.gen_ips(randint(0, 5))
for ip in ips:
indicator.add_observable(ip)
# user_agents = self.gen_user_agents(randint(0, 5))
# for ua in user_agents:
# indicator.add_observable(ua)
# fqnds = self.gen_fqdns(randint(0, 5))
# for f in fqnds:
# indicator.add_observable(f)
# urls = self.gen_urls(randint(0, 5))
# for u in urls:
# indicator.add_observable(u)
indicators.append(indicator)
return indicators
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.get_version() if obj.get_version() else cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
return_obj.motivations = [Statement.from_obj(x) for x in obj.get_Motivation()]
return_obj.sophistications = [Statement.from_obj(x) for x in obj.get_Sophistication()]
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.get_Planning_And_Operational_Support()]
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs())
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns())
return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.time = Time.from_obj(obj.get_Time())
if obj.get_Victim():
return_obj.victims = [Identity.from_obj(x) for x in obj.get_Victim()]
if obj.get_Categories():
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.get_Categories().get_Category()]
if obj.get_Intended_Effect():
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
if obj.get_Affected_Assets():
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.get_Affected_Assets().get_Affected_Asset()]
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.related_observables = RelatedObservable.from_obj(obj.get_Related_Observables())
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = [Statement.from_obj(x) for x in obj.Type]
return_obj.motivations = [Statement.from_obj(x) for x in obj.Motivation]
return_obj.sophistications = [Statement.from_obj(x) for x in obj.Sophistication]
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.Planning_And_Operational_Support]
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version')
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.types = [Statement.from_dict(x) for x in dict_repr.get('types', [])]
return_obj.motivations = [Statement.from_dict(x) for x in dict_repr.get('motivations', [])]
return_obj.sophistications = [Statement.from_dict(x) for x in dict_repr.get('sophistications', [])]
return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.planning_and_operational_supports = [Statement.from_dict(x)
for x in dict_repr.get('planning_and_operational_supports', [])]
return_obj.observed_ttps = ObservedTTPs.from_dict(dict_repr.get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(dict_repr.get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(dict_repr.get('associated_actors'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence'))
return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source'))
return_obj.related_packages = RelatedPackageRefs.from_dict(dict_repr.get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj)
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.types = _Types.from_dict(get('types'))
return_obj.motivations = _Motivations.from_dict(get('motivations'))
return_obj.sophistications = _Sophistications.from_dict(
get('sophistications'))
return_obj.intended_effects = _IntendedEffects.from_dict(
get('intended_effects'))
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_dict(get('planning_and_operational_supports'))
return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(
get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(
get('associated_actors'))
return_obj.confidence = Confidence.from_dict(get('confidence'))
return_obj.related_packages = RelatedPackageRefs.from_dict(
get('related_packages'))
return return_obj
def add_persona(self, persona):
if not persona:
return
elif isinstance(persona, Identity):
self._personas.append(persona)
else:
self._personas.append(Identity(name=persona))
def to_source(obj):
from stix.common import InformationSource, Identity
mySource = InformationSource()
mySource.time = Time(obj.request.date)
mySource.description = obj.request.rfi
mySource.identity = Identity(name=obj.request.source)
for item in obj.response:
itemSource = InformationSource()
itemSource.time = Time(item.date)
itemSource.identity = Identity(name=item.source)
itemSource.description = item.rfi
mySource.add_contributing_source(itemSource)
return mySource
def main():
mydata = loaddata()
'''
Your Namespace
'''
# NAMESPACE = {sanitizer(mydata["NSXURL"]) : (mydata["NS"])}
# set_id_namespace(NAMESPACE)
NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS']))
set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS"
wrapper = STIXPackage()
info_src = InformationSource()
info_src.identity = Identity(name=sanitizer(mydata["Identity"]))
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "//node() | //@*"
tlp = TLPMarkingStructure()
tlp.color = sanitizer(mydata["TLP_COLOR"])
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
timestamp = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y-%m-%d %H:%M:%S')
MyTITLE = sanitizer(mydata["Title"])
SHORT = timestamp
DESCRIPTION = sanitizer(mydata["Description"])
wrapper.stix_header = STIXHeader(information_source=info_src,
title=MyTITLE,
description=DESCRIPTION,
short_description=SHORT)
wrapper.stix_header.handling = handling
indiDom = Indicator()
indiDom.title = MyTITLE
indiDom.add_indicator_type("IP Watchlist")
for key in mydata["IOC"].keys():
myip = Address(address_value=sanitizer(key), category=Address.CAT_IPV4)
myip.condition = "Equals"
obsu = Observable(myip)
#if mydata[key].size:
for idx, mydata["IOC"][key] in enumerate(mydata["IOC"][key]):
ioc = File()
ioc.add_hash(sanitizer(mydata["IOC"][key]))
myip.add_related(ioc, "Downloaded")
indiDom.add_observable(obsu)
wrapper.add_indicator(indiDom)
print(wrapper.to_xml())
def cvebuild(var):
"""Search for a CVE ID and return a STIX formatted response."""
cve = CVESearch()
data = json.loads(cve.id(var))
if data:
try:
from stix.utils import set_id_namespace
namespace = {NS: NS_PREFIX}
set_id_namespace(namespace)
except ImportError:
from mixbox.idgen import set_id_namespace
from mixbox.namespaces import Namespace
namespace = Namespace(NS, NS_PREFIX, "")
set_id_namespace(namespace)
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg = STIXPackage()
pkg.stix_header = STIXHeader()
pkg.stix_header.handling = _marking()
# Define the exploit target
expt = ExploitTarget()
expt.title = data['id']
expt.description = data['summary']
expt.information_source = InformationSource(identity=Identity(
name="National Vulnerability Database"))
# Add the vulnerability object to the package object
expt.add_vulnerability(_vulnbuild(data))
# Add the COA object to the ET object
for coa in COAS:
expt.potential_coas.append(
CourseOfAction(idref=coa['id'], timestamp=expt.timestamp))
# Do some TTP stuff with CAPEC objects
if TTPON is True:
try:
for i in data['capec']:
pkg.add_ttp(_buildttp(i, expt))
except KeyError:
pass
expt.add_weakness(_weakbuild(data))
# Add the exploit target to the package object
pkg.add_exploit_target(expt)
xml = pkg.to_xml()
title = pkg.id_.split(':', 1)[-1]
# If the function is not imported then output the xml to a file.
if __name__ == '__main__':
_postconstruct(xml, title)
return xml
else:
sys.exit("[-] Error retrieving details for " + var)
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class):
return_obj.version = obj.get_version() or cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(obj.get_Description())
return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description())
return_obj.time = Time.from_obj(obj.get_Time())
if obj.get_Victim():
return_obj.victims = [Identity.from_obj(x) for x in obj.get_Victim()]
if obj.get_Categories():
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.get_Categories().get_Category()]
if obj.get_Intended_Effect():
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()]
if obj.get_Affected_Assets():
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.get_Affected_Assets().get_Affected_Asset()]
if obj.get_Discovery_Method():
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.get_Discovery_Method()]
if obj.get_Reporter():
return_obj.reporter = InformationSource.from_obj(obj.get_Reporter())
if obj.get_Responder():
return_obj.responders = [InformationSource.from_obj(x) for x in obj.get_Responder()]
if obj.get_Coordinator():
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.get_Coordinator()]
if obj.get_External_ID():
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.get_External_ID()]
if obj.get_Impact_Assessment():
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.get_Impact_Assessment())
if obj.get_Information_Source():
return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source())
if obj.get_Security_Compromise():
return_obj.security_compromise = SecurityCompromise.from_obj(obj.get_Security_Compromise())
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.get_COA_Taken()]
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors())
return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators())
return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables())
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs())
return_obj.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents())
return_obj.status = VocabString.from_obj(obj.get_Status())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.history = History.from_obj(obj.get_History())
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.tools = [ToolInformation.from_dict(x) for x in dict_repr.get('tools', [])]
return_obj.infrastructure = Infrastructure.from_dict(dict_repr.get('infrastructure'))
return_obj.personas = [Identity.from_dict(x) for x in dict_repr.get('personas', [])]
return return_obj
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
print("confidence set to %s"%(str(breach.confidence.value)))
breach._binding_class.xml_type = typeIncident
print("incident set to %s"%(str(breach._binding_class.xml_type)))
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Company Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class):
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.time = Time.from_obj(obj.Time)
if obj.Victim:
return_obj.victims = [Identity.from_obj(x) for x in obj.Victim]
if obj.Categories:
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category]
if obj.Intended_Effect:
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
if obj.Affected_Assets:
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset]
if obj.Discovery_Method:
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method]
if obj.Reporter:
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
if obj.Responder:
return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder]
if obj.Coordinator:
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator]
if obj.External_ID:
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID]
if obj.Impact_Assessment:
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
if obj.Information_Source:
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
if obj.Security_Compromise:
return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken]
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.history = History.from_obj(obj.History)
return return_obj
def to_stix_sightings(obj):
from stix.indicator.sightings import Sighting
from stix.common import InformationSource, Identity
mySighting = Sighting()
mySighting.source = InformationSource()
if obj.sightings.sighting:
itemSighting = InformationSource()
itemSighting.time = Time(obj.sightings.date)
itemSighting.identity = Identity(name=settings.COMPANY_NAME)
mySighting.source.add_contributing_source(itemSighting)
for each in obj.sightings.instances:
itemSighting = InformationSource()
itemSighting.time = Time(each.date)
itemSighting.identity = Identity(name=each.name)
mySighting.source.add_contributing_source(itemSighting)
return mySighting
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.id
return_obj.idref = obj.idref
return_obj.timestamp = obj.timestamp
if isinstance(obj, cls._binding_class):
return_obj.version = obj.version
return_obj.title = obj.Title
return_obj.description = StructuredText.from_obj(obj.Description)
return_obj.short_description = StructuredText.from_obj(obj.Short_Description)
return_obj.time = Time.from_obj(obj.Time)
if obj.Victim:
return_obj.victims = [Identity.from_obj(x) for x in obj.Victim]
if obj.Categories:
return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category]
if obj.Intended_Effect:
return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect]
if obj.Affected_Assets:
return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset]
if obj.Discovery_Method:
return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method]
if obj.Reporter:
return_obj.reporter = InformationSource.from_obj(obj.Reporter)
if obj.Responder:
return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder]
if obj.Coordinator:
return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator]
if obj.External_ID:
return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID]
if obj.Impact_Assessment:
return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment)
if obj.Information_Source:
return_obj.information_source = InformationSource.from_obj(obj.Information_Source)
if obj.Security_Compromise:
return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise)
return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken]
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors)
return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators)
return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables)
return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs)
return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents)
return_obj.status = VocabString.from_obj(obj.Status)
return_obj.handling = Marking.from_obj(obj.Handling)
return_obj.history = History.from_obj(obj.History)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.targeted_systems = [VocabString.from_dict(x) for x in dict_repr.get('targeted_systems', [])]
return_obj.targeted_information = [VocabString.from_dict(x) for x in dict_repr.get('targeted_information', [])]
return_obj.targeted_technical_details = Observables.from_dict(dict_repr.get('targeted_technical_details'))
return return_obj
def genData_VictimTargeting(data):
from stix.common.vocabs import InformationType, SystemType
from stix.common.identity import Identity
from stix.ttp.victim_targeting import VictimTargeting
objVictimTargeting = VictimTargeting()
objVictimTargeting.identity = Identity(name=data['target'])
objVictimTargeting.targeted_systems = [SystemType.TERM_USERS]
objVictimTargeting.targeted_information = InformationType.TERM_INFORMATION_ASSETS_USER_CREDENTIALS
return (objVictimTargeting)
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
return_obj.targeted_systems = TargetedSystems.from_obj(obj.Targeted_Systems)
return_obj.targeted_information = TargetedInformation.from_obj(obj.Targeted_Information)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.targeted_systems = [VocabString.from_dict(x) for x in dict_repr.get('targeted_systems', [])]
return_obj.targeted_information = [VocabString.from_dict(x) for x in dict_repr.get('targeted_information', [])]
return_obj.targeted_technical_details = Observables.from_dict(dict_repr.get('targeted_technical_details'))
return return_obj
def create_stix_identity(self, obj):
idenfitier = 'ce1sus:Group-{0}'.format(obj.creator_group.uuid)
if idenfitier in self.seen_groups:
identity = Identity()
identity.idref = idenfitier
else:
identity = Identity()
identity.id_ = idenfitier
identity.name = obj.creator_group.name
self.seen_groups.append(idenfitier)
return identity
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version')
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(
dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(
dict_repr.get('short_description'))
return_obj.identity = Identity.from_dict(dict_repr.get('identity'))
return_obj.types = [
Statement.from_dict(x) for x in dict_repr.get('types', [])
]
return_obj.motivations = [
Statement.from_dict(x) for x in dict_repr.get('motivations', [])
]
return_obj.sophistications = [
Statement.from_dict(x)
for x in dict_repr.get('sophistications', [])
]
return_obj.intended_effects = [
Statement.from_dict(x)
for x in dict_repr.get('intended_effects', [])
]
return_obj.planning_and_operational_supports = [
Statement.from_dict(x)
for x in dict_repr.get('planning_and_operational_supports', [])
]
return_obj.observed_ttps = ObservedTTPs.from_dict(
dict_repr.get('observed_ttps'))
return_obj.associated_campaigns = AssociatedCampaigns.from_dict(
dict_repr.get('associated_campaigns'))
return_obj.associated_actors = AssociatedActors.from_dict(
dict_repr.get('associated_actors'))
return_obj.handling = Marking.from_dict(dict_repr.get('handling'))
return_obj.confidence = Confidence.from_dict(
dict_repr.get('confidence'))
return_obj.information_source = InformationSource.from_dict(
dict_repr.get('information_source'))
return_obj.related_packages = RelatedPackageRefs.from_dict(
dict_repr.get('related_packages'))
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.targeted_systems = TargetedSystems.from_dict(get('targeted_systems'))
return_obj.targeted_information = TargetedInformation.from_dict(get('targeted_information'))
return_obj.targeted_technical_details = Observables.from_dict(get('targeted_technical_details'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.infrastructure = Infrastructure.from_obj(obj.Infrastructure)
if obj.Tools:
return_obj.tools = [ToolInformation.from_obj(x) for x in obj.Tools.Tool]
if obj.Personas:
return_obj.personas = [Identity.from_obj(x) for x in obj.Personas.Persona]
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.targeted_technical_details = Observables.from_obj(obj.Targeted_Technical_Details)
if obj.Targeted_Systems:
return_obj.targeted_systems = [VocabString.from_obj(x) for x in obj.Targeted_Systems]
if obj.Targeted_Information:
return_obj.targeted_information = [VocabString.from_obj(x) for x in obj.Targeted_Information]
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.targeted_technical_details = Observables.from_obj(obj.get_Targeted_Technical_Details())
if obj.get_Targeted_Systems():
return_obj.targeted_systems = [VocabString.from_obj(x) for x in obj.get_Targeted_Systems()]
if obj.get_Targeted_Information():
return_obj.targeted_information = [VocabString.from_obj(x) for x in obj.get_Targeted_Information()]
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.targeted_technical_details = Observables.from_obj(
obj.Targeted_Technical_Details)
return_obj.targeted_systems = TargetedSystems.from_obj(
obj.Targeted_Systems)
return_obj.targeted_information = TargetedInformation.from_obj(
obj.Targeted_Information)
return return_obj
def _buildttp(data):
ttp = TTP()
ttp.title = data['name']
ttp.description = data['description']
attack_pattern = AttackPattern()
attack_pattern.capec_id = "CAPEC-" + str(data['id'])
attack_pattern.title = data['name']
attack_pattern.description = data['description']
ttp.behavior = Behavior()
ttp.behavior.add_attack_pattern(attack_pattern)
ttp.information_source = InformationSource()
ttp.information_source.identity = Identity()
ttp.information_source.identity.name = "The MITRE Corporation"
ttp.information_source.references = data['references']
return ttp
def to_stix_information_source(obj):
from stix.common import InformationSource, Identity
mySource = InformationSource()
for item in obj.source:
for each in item.instances:
itemSource = InformationSource()
itemSource.time = Time(each.date)
itemSource.identity = Identity(name=item.name)
itemSource.add_description(each.reference)
itemSource.add_description(each.method)
mySource.add_contributing_source(itemSource)
return mySource
def set_producer_identity(self, identity):
'''
Sets the name of the producer of this indicator.
The identity param can be a string (name) or an Identity
instance.
'''
if not self.producer:
self.producer = InformationSource()
if isinstance(identity, Identity):
self.producer.identity = identity
else:
if not self.producer.identity:
self.producer.identity = Identity()
self.producer.identity.name = identity # assume it's a string
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
get = dict_repr.get
return_obj.identity = Identity.from_dict(get('identity'))
return_obj.targeted_systems = TargetedSystems.from_dict(
get('targeted_systems'))
return_obj.targeted_information = TargetedInformation.from_dict(
get('targeted_information'))
return_obj.targeted_technical_details = Observables.from_dict(
get('targeted_technical_details'))
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = obj.get_id()
return_obj.idref = obj.get_idref()
return_obj.timestamp = obj.get_timestamp()
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.version = obj.get_version() if obj.get_version(
) else cls._version
return_obj.title = obj.get_Title()
return_obj.description = StructuredText.from_obj(
obj.get_Description())
return_obj.short_description = StructuredText.from_obj(
obj.get_Short_Description())
return_obj.identity = Identity.from_obj(obj.get_Identity())
return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()]
return_obj.motivations = [
Statement.from_obj(x) for x in obj.get_Motivation()
]
return_obj.sophistications = [
Statement.from_obj(x) for x in obj.get_Sophistication()
]
return_obj.intended_effects = [
Statement.from_obj(x) for x in obj.get_Intended_Effect()
]
return_obj.planning_and_operational_supports = [
Statement.from_obj(x)
for x in obj.get_Planning_And_Operational_Support()
]
return_obj.observed_ttps = ObservedTTPs.from_obj(
obj.get_Observed_TTPs())
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(
obj.get_Associated_Campaigns())
return_obj.associated_actors = AssociatedActors.from_obj(
obj.get_Associated_Actors())
return_obj.handling = Marking.from_obj(obj.get_Handling())
return_obj.confidence = Confidence.from_obj(obj.get_Confidence())
return_obj.information_source = InformationSource.from_obj(
obj.get_Information_Source())
return_obj.related_packages = RelatedPackageRefs.from_obj(
obj.get_Related_Packages())
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(ThreatActor, cls).from_obj(obj, return_obj=return_obj)
if isinstance(obj, cls._binding_class): # ThreatActorType properties
return_obj.identity = Identity.from_obj(obj.Identity)
return_obj.types = _Types.from_obj(obj.Type)
return_obj.motivations = _Motivations.from_obj(obj.Motivation)
return_obj.sophistications = _Sophistications.from_obj(obj.Sophistication)
return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect)
return_obj.planning_and_operational_supports = \
_PlanningAndOperationalSupports.from_obj(obj.Planning_And_Operational_Support)
return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs)
return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns)
return_obj.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors)
return_obj.confidence = Confidence.from_obj(obj.Confidence)
return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages)
return return_obj
def from_dict(cls, dict_repr, return_obj=None):
if not dict_repr:
return None
if not return_obj:
return_obj = cls()
return_obj.id_ = dict_repr.get('id')
return_obj.idref = dict_repr.get('idref')
return_obj.timestamp = dict_repr.get('timestamp')
return_obj.version = dict_repr.get('version', cls._version)
return_obj.title = dict_repr.get('title')
return_obj.description = StructuredText.from_dict(dict_repr.get('description'))
return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description'))
return_obj.time = Time.from_dict(dict_repr.get('time'))
return_obj.victims = [Identity.from_dict(x) for x in dict_repr.get('victims', [])]
return_obj.categories = [IncidentCategory.from_dict(x) for x in dict_repr.get('categories', [])]
return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(dict_repr.get('attributed_threat_actors'))
return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators'))
return_obj.related_observables = RelatedObservables.from_dict(dict_repr.get('related_observables'))
return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])]
return_obj.leveraged_ttps = LeveragedTTPs.from_dict(dict_repr.get('leveraged_ttps'))
return_obj.affected_assets = [AffectedAsset.from_dict(x) for x in dict_repr.get('affected_assets', [])]
return return_obj
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv")
args = parser.parse_args()
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Bot Server IP addresses"
stix_header.description = "IP addresses connecting to bot control servers at a given port"
stix_header.add_package_intent ("Indicators - Watchlist")
# add marking
mark = Marking()
markspec = MarkingSpecification()
markstruct = SimpleMarkingStructure()
markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
markspec.marking_structures.append(markstruct)
mark.add_marking(markspec)
stix_header.handling = mark
# include author info
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time =datetime.now(tzutc())
stix_header.information_source.tools = ToolInformationList()
stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "MITRE STIX Team"
stix_header.information_source.add_role(VocabString("Format Transformer"))
src = InformationSource()
src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
srcident = Identity()
srcident.name = "shadowserver.org"
src.identity = srcident
src.add_role(VocabString("Originating Publisher"))
stix_header.information_source.add_contributing_source(src)
stix_package.stix_header = stix_header
# add TTP for overall indicators
bot_ttp = TTP()
bot_ttp.title = 'Botnet C2'
bot_ttp.resources = Resource()
bot_ttp.resources.infrastructure = Infrastructure()
bot_ttp.resources.infrastructure.title = 'Botnet C2'
stix_package.add_ttp(bot_ttp)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims
domain = row['Domain'].split()
country = row['Country'].split()
region = row['Region'].split('|')
state = row['State'].split('|')
asn = row['ASN'].split()
asname = row['AS Name'].split()
asdesc = row['AS Description'].split('|')
index = 0
for ip in row['IP Address'].split():
indicator = Indicator()
indicator.title = "IP indicator for " + row['Channel']
indicator.description = "Bot connecting to control server"
# point to overall TTP
indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))
# add our IP and port
sock = SocketAddress()
sock.ip_address = ip
# add sighting
sight = Sighting()
sight.timestamp = ""
obs = Observable(item=sock.ip_address)
obsref = Observable(idref=obs.id_)
sight.related_observables.append(obsref)
indicator.sightings.append(sight)
stix_package.add_observable(obs)
# add pattern for indicator
sock_pattern = SocketAddress()
sock_pattern.ip_address = ip
port = Port()
port.port_value = row['Port']
sock_pattern.port = port
sock_pattern.ip_address.condition= "Equals"
sock_pattern.port.port_value.condition= "Equals"
indicator.add_object(sock_pattern)
stix_package.add_indicator(indicator)
# add domain
domain_obj = DomainName()
domain_obj.value = domain[index]
domain_obj.add_related(sock.ip_address,"Resolved_To", inline=False)
stix_package.add_observable(domain_obj)
# add whois obs
whois_obj = WhoisEntry()
registrar = WhoisRegistrar()
registrar.name = asname[index]
registrar.address = state[index] + region[index] + country[index]
whois_obj.registrar_info = registrar
whois_obj.add_related(sock.ip_address,"Characterizes", inline=False)
stix_package.add_observable(whois_obj)
# add ASN obj
asn_obj = AutonomousSystem()
asn_obj.name = asname[index]
asn_obj.number = asn[index]
asn_obj.handle = "AS" + str(asn[index])
asn_obj.add_related(sock.ip_address,"Contains", inline=False)
stix_package.add_observable(asn_obj)
# iterate
index = index + 1
print stix_package.to_xml()
def stix(json):
"""
Created a stix file based on a json file that is being handed over
"""
# Create a new STIXPackage
stix_package = STIXPackage()
# Create a new STIXHeader
stix_header = STIXHeader()
# Add Information Source. This is where we will add the tool information.
stix_header.information_source = InformationSource()
# Create a ToolInformation object. Use the initialization parameters
# to set the tool and vendor names.
#
# Note: This is an instance of cybox.common.ToolInformation and NOT
# stix.common.ToolInformation.
tool = ToolInformation(
tool_name="viper2stix",
tool_vendor="The Viper group http://viper.li - developed by Alexander Jaeger https://github.com/deralexxx/viper2stix"
)
#Adding your identity to the header
identity = Identity()
identity.name = Config.get('stix', 'producer_name')
stix_header.information_source.identity=identity
# Set the Information Source "tools" section to a
# cybox.common.ToolInformationList which contains our tool that we
# created above.
stix_header.information_source.tools = ToolInformationList(tool)
stix_header.title = Config.get('stix', 'title')
# Set the produced time to now
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time = datetime.now()
marking_specification = MarkingSpecification()
marking_specification.controlled_structure = "../../../descendant-or-self::node()"
tlp = TLPMarkingStructure()
tlp.color = Config.get('stix', 'TLP')
marking_specification.marking_structures.append(tlp)
handling = Marking()
handling.add_marking(marking_specification)
# Set the header description
stix_header.description = Config.get('stix', 'description')
# Set the STIXPackage header
stix_package.stix_header = stix_header
stix_package.stix_header.handling = handling
try:
pp = pprint.PrettyPrinter(indent=5)
pp.pprint(json['default'])
#for key, value in json['default'].iteritems():
# print key, value
for item in json['default']:
#logger.debug("item %s", item)
indicator = Indicator()
indicator.title = "File Hash"
indicator.description = (
"An indicator containing a File observable with an associated hash"
)
# Create a CyboX File Object
f = File()
sha_value = item['sha256']
if sha_value is not None:
sha256 = Hash()
sha256.simple_hash_value = sha_value
h = Hash(sha256, Hash.TYPE_SHA256)
f.add_hash(h)
sha1_value = item['sha1']
if sha_value is not None:
sha1 = Hash()
sha1.simple_hash_value = sha1_value
h = Hash(sha1, Hash.TYPE_SHA1)
f.add_hash(h)
sha512_value = item['sha512']
if sha_value is not None:
sha512 = Hash()
sha512.simple_hash_value = sha512_value
h = Hash(sha512, Hash.TYPE_SHA512)
f.add_hash(h)
f.add_hash(item['md5'])
#adding the md5 hash to the title as well
stix_header.title+=' '+item['md5']
#print(item['type'])
f.size_in_bytes=item['size']
f.file_format=item['type']
f.file_name = item['name']
indicator.description = "File hash served by a Viper instance"
indicator.add_object(f)
stix_package.add_indicator(indicator)
except Exception, e:
logger.error('Error: %s',format(e))
return False
