def setTLP(target, distribution): marking_specification = MarkingSpecification() marking_specification.controlled_structure = "../../../descendant-or-self::node()" tlp = TLPMarkingStructure() colour = TLP_mapping.get(distribution, None) if colour is None: return target tlp.color = colour marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) target.handling = handling
def marking(): """Define the TLP marking and the inheritence.""" marking_specification = MarkingSpecification() marking_specification.controlled_structure = "../../../../descendant"\ "-or-self::node() | ../../../../descendant-or-self::node()/@*" simple = SimpleMarkingStructure() simple.statement = HNDL_ST marking_specification.marking_structures.append(simple) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) return handling
def _marking(): """Define the TLP marking and the inheritance.""" marking_specification = MarkingSpecification() tlp = TLPMarkingStructure() tlp.color = SETTINGS['stix']['tlp'] marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = SETTINGS[ 'stix']['controlled_structure'] simple = SimpleMarkingStructure() simple.statement = SETTINGS['stix']['statement'] marking_specification.marking_structures.append(simple) handling = Marking() handling.add_marking(marking_specification) return handling
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): # ThreatActorType properties return_obj.version = obj.get_version() if obj.get_version() else cls._version return_obj.title = obj.get_Title() return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.identity = Identity.from_obj(obj.get_Identity()) return_obj.types = [Statement.from_obj(x) for x in obj.get_Type()] return_obj.motivations = [Statement.from_obj(x) for x in obj.get_Motivation()] return_obj.sophistications = [Statement.from_obj(x) for x in obj.get_Sophistication()] return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()] return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.get_Planning_And_Operational_Support()] return_obj.observed_ttps = ObservedTTPs.from_obj(obj.get_Observed_TTPs()) return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.get_Associated_Campaigns()) return_obj.associated_actors = AssociatedActors.from_obj(obj.get_Associated_Actors()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.confidence = Confidence.from_obj(obj.get_Confidence()) return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages()) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.version = obj.get_version() or cls._version return_obj.title = obj.get_Title() return_obj.stage = VocabString.from_obj(obj.get_Stage()) return_obj.type_ = VocabString.from_obj(obj.get_Type()) return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.objective = Objective.from_obj(obj.get_Objective()) return_obj.parameter_observables = \ Observables.from_obj(obj.get_Parameter_Observables()) return_obj.impact = Statement.from_obj(obj.get_Impact()) return_obj.cost = Statement.from_obj(obj.get_Cost()) return_obj.efficacy = Statement.from_obj(obj.get_Efficacy()) return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.get_Related_COAs()) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.get_Related_Packages()) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.version = obj.version return_obj.title = obj.Title return_obj.stage = VocabString.from_obj(obj.Stage) return_obj.type_ = VocabString.from_obj(obj.Type) return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.objective = Objective.from_obj(obj.Objective) return_obj.parameter_observables = \ Observables.from_obj(obj.Parameter_Observables) return_obj.impact = Statement.from_obj(obj.Impact) return_obj.cost = Statement.from_obj(obj.Cost) return_obj.efficacy = Statement.from_obj(obj.Efficacy) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.Related_COAs) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.Related_Packages) return return_obj
def from_obj(cls, obj, return_obj=None): from stix.common import StructuredTextList, InformationSource from stix.data_marking import Marking if not return_obj: raise ValueError("Must provide a return_obj argument") if not obj: raise ValueError("Must provide an obj argument") return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp # These may not be found on the input obj if it isn't a full # type definition (e.g., used as a reference) return_obj.version = getattr(obj, 'version', None) return_obj.title = getattr(obj, 'Title', None) return_obj.descriptions = \ StructuredTextList.from_obj(getattr(obj, 'Description', None)) return_obj.short_descriptions = \ StructuredTextList.from_obj(getattr(obj, 'Short_Description', None)) return_obj.information_source = \ InformationSource.from_obj(getattr(obj, 'Information_Source', None)) return_obj.handling = \ Marking.from_obj(getattr(obj, 'Handling', None)) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() super(CourseOfAction, cls).from_dict(dict_repr, return_obj=return_obj) get = dict_repr.get return_obj.stage = VocabString.from_dict(get('stage')) return_obj.type_ = VocabString.from_dict(get('type')) return_obj.objective = Objective.from_dict(get('objective')) return_obj.parameter_observables = \ Observables.from_dict(get('parameter_observables')) return_obj.impact = Statement.from_dict(get('impact')) return_obj.cost = Statement.from_dict(get('cost')) return_obj.efficacy = Statement.from_dict(get('efficacy')) return_obj.handling = Marking.from_dict(get('handling')) return_obj.related_coas = \ RelatedCOAs.from_dict(get('related_coas')) return_obj.related_packages = \ related.RelatedPackageRefs.from_dict(get('related_packages')) return_obj.structured_coa = \ _BaseStructuredCOA.from_dict(get('structured_coa')) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() super(ThreatActor, cls).from_dict(dict_repr, return_obj=return_obj) get = dict_repr.get return_obj.identity = Identity.from_dict(get('identity')) return_obj.types = _Types.from_dict(get('types')) return_obj.motivations = _Motivations.from_dict(get('motivations')) return_obj.sophistications = _Sophistications.from_dict(get('sophistications')) return_obj.intended_effects = _IntendedEffects.from_dict(get('intended_effects')) return_obj.planning_and_operational_supports = \ _PlanningAndOperationalSupports.from_dict(get('planning_and_operational_supports')) return_obj.observed_ttps = ObservedTTPs.from_dict(get('observed_ttps')) return_obj.associated_campaigns = AssociatedCampaigns.from_dict(get('associated_campaigns')) return_obj.associated_actors = AssociatedActors.from_dict(get('associated_actors')) return_obj.handling = Marking.from_dict(get('handling')) return_obj.confidence = Confidence.from_dict(get('confidence')) return_obj.related_packages = RelatedPackageRefs.from_dict(get('related_packages')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): # ThreatActorType properties return_obj.version = obj.version return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.identity = Identity.from_obj(obj.Identity) return_obj.types = [Statement.from_obj(x) for x in obj.Type] return_obj.motivations = [Statement.from_obj(x) for x in obj.Motivation] return_obj.sophistications = [Statement.from_obj(x) for x in obj.Sophistication] return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect] return_obj.planning_and_operational_supports = [Statement.from_obj(x) for x in obj.Planning_And_Operational_Support] return_obj.observed_ttps = ObservedTTPs.from_obj(obj.Observed_TTPs) return_obj.associated_campaigns = AssociatedCampaigns.from_obj(obj.Associated_Campaigns) return_obj.associated_actors = AssociatedActors.from_obj(obj.Associated_Actors) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.confidence = Confidence.from_obj(obj.Confidence) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version') return_obj.title = dict_repr.get('title') return_obj.description = StructuredText.from_dict(dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description')) return_obj.identity = Identity.from_dict(dict_repr.get('identity')) return_obj.types = [Statement.from_dict(x) for x in dict_repr.get('types', [])] return_obj.motivations = [Statement.from_dict(x) for x in dict_repr.get('motivations', [])] return_obj.sophistications = [Statement.from_dict(x) for x in dict_repr.get('sophistications', [])] return_obj.intended_effects = [Statement.from_dict(x) for x in dict_repr.get('intended_effects', [])] return_obj.planning_and_operational_supports = [Statement.from_dict(x) for x in dict_repr.get('planning_and_operational_supports', [])] return_obj.observed_ttps = ObservedTTPs.from_dict(dict_repr.get('observed_ttps')) return_obj.associated_campaigns = AssociatedCampaigns.from_dict(dict_repr.get('associated_campaigns')) return_obj.associated_actors = AssociatedActors.from_dict(dict_repr.get('associated_actors')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.confidence = Confidence.from_dict(dict_repr.get('confidence')) return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source')) return_obj.related_packages = RelatedPackageRefs.from_dict(dict_repr.get('related_packages')) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() super(Campaign, cls).from_dict(dict_repr, return_obj=return_obj) get = dict_repr.get # PEP 8 line lengths return_obj.names = Names.from_dict(get('names')) return_obj.intended_effects = \ _IntendedEffects.from_dict(get('intended_effects')) return_obj.status = VocabString.from_dict(get('status')) return_obj.related_ttps = \ RelatedTTPs.from_dict(get('related_ttps')) return_obj.related_incidents = \ RelatedIncidents.from_dict(get('related_incidents')) return_obj.related_indicators = \ RelatedIndicators.from_dict(get('related_indicators')) return_obj.attribution = _AttributionList.from_list(get('attribution')) return_obj.associated_campaigns = \ AssociatedCampaigns.from_dict(get('associated_campaigns')) return_obj.confidence = \ Confidence.from_dict(get('confidence')) return_obj.activity = _Activities.from_dict(get('activity')) return_obj.handling = Marking.from_dict(get('handling')) return_obj.related_packages = \ RelatedPackageRefs.from_dict(get('related_packages')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() super(Campaign, cls).from_obj(obj, return_obj=return_obj) if isinstance(obj, cls._binding_class): return_obj.names = Names.from_obj(obj.Names) return_obj.intended_effects = \ _IntendedEffects.from_obj(obj.Intended_Effect) return_obj.status = VocabString.from_obj(obj.Status) return_obj.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs) return_obj.related_incidents = \ RelatedIncidents.from_obj(obj.Related_Incidents) return_obj.related_indicators = \ RelatedIndicators.from_obj(obj.Related_Indicators) return_obj.attribution = _AttributionList.from_obj(obj.Attribution) return_obj.associated_campaigns = \ AssociatedCampaigns.from_obj(obj.Associated_Campaigns) return_obj.confidence = Confidence.from_obj(obj.Confidence) return_obj.activity = _Activities.from_obj(obj.Activity) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.related_packages = \ RelatedPackageRefs.from_obj(obj.Related_Packages) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() super(Incident, cls).from_dict(dict_repr, return_obj=return_obj) get = dict_repr.get return_obj.time = Time.from_dict(get('time')) return_obj.victims = _Victims.from_dict(get('victims')) return_obj.categories = IncidentCategories.from_dict(get('categories')) return_obj.attributed_threat_actors = AttributedThreatActors.from_dict(get('attributed_threat_actors')) return_obj.related_indicators = RelatedIndicators.from_dict(get('related_indicators')) return_obj.related_observables = RelatedObservables.from_dict(get('related_observables')) return_obj.related_incidents = RelatedIncidents.from_dict(get('related_incidents')) return_obj.intended_effects = _IntendedEffects.from_list(get('intended_effects')) return_obj.leveraged_ttps = LeveragedTTPs.from_dict(get('leveraged_ttps')) return_obj.affected_assets = AffectedAssets.from_dict(get('affected_assets')) return_obj.discovery_methods = DiscoveryMethods.from_dict(get('discovery_methods')) return_obj.reporter = InformationSource.from_dict(get('reporter')) return_obj.responders = _InformationSources.from_dict(get('responders')) return_obj.coordinators = _InformationSources.from_dict(get('coordinators')) return_obj.external_ids = _ExternalIDs.from_dict(get('external_ids')) return_obj.impact_assessment = ImpactAssessment.from_dict(get('impact_assessment')) return_obj.security_compromise = VocabString.from_dict(get('security_compromise')) return_obj.confidence = Confidence.from_dict(get('confidence')) return_obj.coa_taken = _COAsTaken.from_dict(get('coa_taken')) return_obj.coa_requested = _COAsRequested.from_dict(get('coa_requested')) return_obj.status = VocabString.from_dict(get('status')) return_obj.handling = Marking.from_dict(get('handling')) return_obj.history = History.from_dict(get('history')) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version') return_obj.title = dict_repr.get('title') return_obj.stage = VocabString.from_dict(dict_repr.get('stage')) return_obj.type_ = VocabString.from_dict(dict_repr.get('type')) return_obj.description = StructuredText.from_dict(dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description')) return_obj.objective = Objective.from_dict(dict_repr.get('objective')) return_obj.parameter_observables = \ Observables.from_dict(dict_repr.get('parameter_observables')) return_obj.impact = Statement.from_dict(dict_repr.get('impact')) return_obj.cost = Statement.from_dict(dict_repr.get('cost')) return_obj.efficacy = Statement.from_dict(dict_repr.get('efficacy')) return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.related_coas = \ RelatedCOAs.from_dict(dict_repr.get('related_coas')) return_obj.related_packages = \ RelatedPackageRefs.from_dict(dict_repr.get('related_packages')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() super(CourseOfAction, cls).from_obj(obj, return_obj=return_obj) if isinstance(obj, cls._binding_class): # CourseOfActionType properties return_obj.title = obj.Title return_obj.stage = VocabString.from_obj(obj.Stage) return_obj.type_ = VocabString.from_obj(obj.Type) return_obj.objective = Objective.from_obj(obj.Objective) return_obj.parameter_observables = \ Observables.from_obj(obj.Parameter_Observables) return_obj.impact = Statement.from_obj(obj.Impact) return_obj.cost = Statement.from_obj(obj.Cost) return_obj.efficacy = Statement.from_obj(obj.Efficacy) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.related_coas = \ RelatedCOAs.from_obj(obj.Related_COAs) return_obj.related_packages = \ related.RelatedPackageRefs.from_obj(obj.Related_Packages) return_obj.structured_coa = \ _BaseStructuredCOA.from_obj(obj.Structured_COA) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() super(Incident, cls).from_obj(obj, return_obj=return_obj) if isinstance(obj, cls._binding_class): return_obj.time = Time.from_obj(obj.Time) return_obj.victims = _Victims.from_obj(obj.Victim) return_obj.categories = IncidentCategories.from_obj(obj.Categories) return_obj.intended_effects = _IntendedEffects.from_obj(obj.Intended_Effect) return_obj.affected_assets = AffectedAssets.from_obj(obj.Affected_Assets) return_obj.discovery_methods = DiscoveryMethods.from_obj(obj.Discovery_Method) return_obj.coa_taken = _COAsTaken.from_obj(obj.COA_Taken) return_obj.coa_requested = _COAsRequested.from_obj(obj.COA_Requested) return_obj.confidence = Confidence.from_obj(obj.Confidence) return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors) return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators) return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables) return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs) return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents) return_obj.status = VocabString.from_obj(obj.Status) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.history = History.from_obj(obj.History) return_obj.responders = _InformationSources.from_obj(obj.Responder) return_obj.coordinators = _InformationSources.from_obj(obj.Coordinator) return_obj.external_ids = _ExternalIDs.from_obj(obj.External_ID) return_obj.reporter = InformationSource.from_obj(obj.Reporter) return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment) return_obj.security_compromise = VocabString.from_obj(obj.Security_Compromise) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): # TTPType properties return_obj.version = obj.version return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.behavior = Behavior.from_obj(obj.Behavior) return_obj.related_ttps = RelatedTTPs.from_obj(obj.Related_TTPs) return_obj.exploit_targets = ExploitTargets.from_obj(obj.Exploit_Targets) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.resources = Resource.from_obj(obj.Resources) return_obj.victim_targeting = VictimTargeting.from_obj(obj.Victim_Targeting) return_obj.handling = Marking.from_obj(obj.Handling) if obj.Intended_Effect: return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect] return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp # not yet implemented if isinstance(obj, cls._binding_class): # TTPType properties return_obj.version = obj.version return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.potential_coas = PotentialCOAs.from_obj(obj.Potential_COAs) return_obj.related_exploit_targets = RelatedExploitTargets.from_obj(obj.Related_Exploit_Targets) return_obj.vulnerabilities = [Vulnerability.from_obj(x) for x in obj.Vulnerability] return_obj.weaknesses = [Weakness.from_obj(x) for x in obj.Weakness] return_obj.configuration = [Configuration.from_obj(x) for x in obj.Configuration] return_obj.related_packages = RelatedPackageRefs.from_obj(obj.Related_Packages) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() # not yet implemented if isinstance(obj, cls._binding_class): # TTPType properties return_obj.version = obj.get_version() or cls._version return_obj.title = obj.get_Title() return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.potential_coas = PotentialCOAs.from_obj(obj.get_Potential_COAs()) return_obj.related_exploit_targets = RelatedExploitTargets.from_obj(obj.get_Related_Exploit_Targets()) return_obj.vulnerabilities = [Vulnerability.from_obj(x) for x in obj.get_Vulnerability()] return_obj.weakness = [Weakness.from_obj(x) for x in obj.get_Weakness()] return_obj.configuration = [Configuration.from_obj(x) for x in obj.get_Configuration()] return_obj.related_packages = RelatedPackageRefs.from_obj(obj.get_Related_Packages()) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): return_obj.version = obj.get_version() or cls._version return_obj.title = obj.get_Title() return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.time = Time.from_obj(obj.get_Time()) if obj.get_Victim(): return_obj.victims = [Identity.from_obj(x) for x in obj.get_Victim()] if obj.get_Categories(): return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.get_Categories().get_Category()] if obj.get_Intended_Effect(): return_obj.intended_effects = [Statement.from_obj(x) for x in obj.get_Intended_Effect()] if obj.get_Affected_Assets(): return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.get_Affected_Assets().get_Affected_Asset()] if obj.get_Discovery_Method(): return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.get_Discovery_Method()] if obj.get_Reporter(): return_obj.reporter = InformationSource.from_obj(obj.get_Reporter()) if obj.get_Responder(): return_obj.responders = [InformationSource.from_obj(x) for x in obj.get_Responder()] if obj.get_Coordinator(): return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.get_Coordinator()] if obj.get_External_ID(): return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.get_External_ID()] if obj.get_Impact_Assessment(): return_obj.impact_assessment = ImpactAssessment.from_obj(obj.get_Impact_Assessment()) if obj.get_Information_Source(): return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) if obj.get_Security_Compromise(): return_obj.security_compromise = SecurityCompromise.from_obj(obj.get_Security_Compromise()) return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.get_COA_Taken()] return_obj.confidence = Confidence.from_obj(obj.get_Confidence()) return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.get_Attributed_Threat_Actors()) return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators()) return_obj.related_observables = RelatedObservables.from_obj(obj.get_Related_Observables()) return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.get_Leveraged_TTPs()) return_obj.related_incidents = RelatedIncidents.from_obj(obj.get_Related_Incidents()) return_obj.status = VocabString.from_obj(obj.get_Status()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.history = History.from_obj(obj.get_History()) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): return_obj.version = obj.version return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj(obj.Short_Description) return_obj.time = Time.from_obj(obj.Time) if obj.Victim: return_obj.victims = [Identity.from_obj(x) for x in obj.Victim] if obj.Categories: return_obj.categories = [IncidentCategory.from_obj(x) for x in obj.Categories.Category] if obj.Intended_Effect: return_obj.intended_effects = [Statement.from_obj(x) for x in obj.Intended_Effect] if obj.Affected_Assets: return_obj.affected_assets = [AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset] if obj.Discovery_Method: return_obj.discovery_methods = [DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method] if obj.Reporter: return_obj.reporter = InformationSource.from_obj(obj.Reporter) if obj.Responder: return_obj.responders = [InformationSource.from_obj(x) for x in obj.Responder] if obj.Coordinator: return_obj.coordinators = [InformationSource.from_obj(x) for x in obj.Coordinator] if obj.External_ID: return_obj.external_ids = [ExternalID.from_obj(x) for x in obj.External_ID] if obj.Impact_Assessment: return_obj.impact_assessment = ImpactAssessment.from_obj(obj.Impact_Assessment) if obj.Information_Source: return_obj.information_source = InformationSource.from_obj(obj.Information_Source) if obj.Security_Compromise: return_obj.security_compromise = SecurityCompromise.from_obj(obj.Security_Compromise) return_obj.coa_taken = [COATaken.from_obj(x) for x in obj.COA_Taken] return_obj.confidence = Confidence.from_obj(obj.Confidence) return_obj.attributed_threat_actors = AttributedThreatActors.from_obj(obj.Attributed_Threat_Actors) return_obj.related_indicators = RelatedIndicators.from_obj(obj.Related_Indicators) return_obj.related_observables = RelatedObservables.from_obj(obj.Related_Observables) return_obj.leveraged_ttps = LeveragedTTPs.from_obj(obj.Leveraged_TTPs) return_obj.related_incidents = RelatedIncidents.from_obj(obj.Related_Incidents) return_obj.status = VocabString.from_obj(obj.Status) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.history = History.from_obj(obj.History) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.title = dict_repr.get('title') return_obj.package_intents = [VocabString.from_dict(x) for x in dict_repr.get('package_intents', [])] return_obj.description = StructuredText.from_dict(dict_repr.get('description')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.information_source = InformationSource.from_dict(dict_repr.get('information_source')) return_obj.profiles = dict_repr.get('profiles') return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.title = obj.Title return_obj.descriptions = StructuredTextList.from_obj(obj.Description) return_obj.short_descriptions = StructuredTextList.from_obj(obj.Short_Description) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.intents = _ReportIntents.from_obj(obj.Intent) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.title = obj.get_Title() return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.information_source = InformationSource.from_obj(obj.get_Information_Source()) if obj.get_Package_Intent(): return_obj.package_intents = [PackageIntent.from_obj(x) for x in obj.get_Package_Intent()] return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.title = obj.Title return_obj.descriptions = StructuredTextList.from_obj(obj.Description) return_obj.short_descriptions = StructuredTextList.from_obj(obj.Short_Description) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) return_obj.package_intents = _PackageIntents.from_obj(obj.Package_Intent) return_obj.profiles = obj.Profiles.Profile if obj.Profiles else [] return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.title = dict_repr.get('title') return_obj.version = dict_repr.get('version', cls._version) observable_dict = dict_repr.get('observable') producer_dict = dict_repr.get('producer') description_dict = dict_repr.get('description') indicator_type_list = dict_repr.get('indicator_types', []) confidence_dict = dict_repr.get('confidence') alternative_id_dict = dict_repr.get('alternative_id') valid_time_position_dict = dict_repr.get('valid_time_positions') return_obj.short_description = StructuredText.from_dict(dict_repr.get('short_description')) return_obj.indicated_ttps = [RelatedTTP.from_dict(x) for x in dict_repr.get('indicated_ttps', [])] return_obj.test_mechanisms = [_BaseTestMechanism.from_dict(x) for x in dict_repr.get('test_mechanisms', [])] return_obj.suggested_coas = SuggestedCOAs.from_dict(dict_repr.get('suggested_coas')) return_obj.sightings = Sightings.from_dict(dict_repr.get('sightings')) return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_dict(dict_repr.get('composite_indicator_expression')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.kill_chain_phases = KillChainPhasesReference.from_dict(dict_repr.get('kill_chain_phases')) return_obj.related_indicators = RelatedIndicators.from_dict(dict_repr.get('related_indicators')) return_obj.likely_impact = Statement.from_dict(dict_repr.get('likely_impact')) if observable_dict: return_obj.add_observable(Observable.from_dict(observable_dict)) if producer_dict: return_obj.producer = InformationSource.from_dict(producer_dict) if description_dict: return_obj.description = StructuredText.from_dict(description_dict) for indicator_type_dict in indicator_type_list: return_obj.add_indicator_type(VocabString.from_dict(indicator_type_dict)) if confidence_dict: return_obj.confidence = Confidence.from_dict(confidence_dict) if alternative_id_dict: return_obj.alternative_id = alternative_id_dict if valid_time_position_dict: for valid_time_position_type_dict in valid_time_position_dict: return_obj.add_valid_time_position(ValidTime.from_dict(valid_time_position_type_dict)) return return_obj
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() get = dict_repr.get return_obj.title = get('title') return_obj.intents = _ReportIntents.from_list(get('intents')) return_obj.descriptions = StructuredTextList.from_dict(get('description')) return_obj.short_descriptions = StructuredTextList.from_dict(get('short_description')) return_obj.handling = Marking.from_dict(get('handling')) return_obj.information_source = InformationSource.from_dict(get('information_source')) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.information_source = InformationSource.from_obj(obj.Information_Source) if obj.Package_Intent: return_obj.package_intents = [VocabString.from_obj(x) for x in obj.Package_Intent] if obj.Profiles: return_obj.profiles = obj.Profiles.Profile return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.get_id() return_obj.idref = obj.get_idref() return_obj.timestamp = obj.get_timestamp() if isinstance(obj, cls._binding_class): return_obj.title = obj.get_Title() return_obj.description = StructuredText.from_obj(obj.get_Description()) return_obj.short_description = StructuredText.from_obj(obj.get_Short_Description()) return_obj.producer = InformationSource.from_obj(obj.get_Producer()) return_obj.confidence = Confidence.from_obj(obj.get_Confidence()) return_obj.sightings = Sightings.from_obj(obj.get_Sightings()) return_obj.composite_indicator_expression = CompositeIndicatorExpression.from_obj(obj.get_Composite_Indicator_Expression()) return_obj.handling = Marking.from_obj(obj.get_Handling()) return_obj.kill_chain_phases = KillChainPhasesReference.from_obj(obj.get_Kill_Chain_Phases()) return_obj.related_indicators = RelatedIndicators.from_obj(obj.get_Related_Indicators()) return_obj.likely_impact = Statement.from_obj(obj.get_Likely_Impact()) if obj.get_version(): return_obj.version = obj.get_version() if obj.get_Type(): for indicator_type in obj.get_Type(): return_obj.add_indicator_type(VocabString.from_obj(indicator_type)) if obj.get_Observable(): observable_obj = obj.get_Observable() observable = Observable.from_obj(observable_obj) return_obj.observables.append(observable) if obj.get_Indicated_TTP(): return_obj.indicated_ttps = [RelatedTTP.from_obj(x) for x in obj.get_Indicated_TTP()] if obj.get_Test_Mechanisms(): return_obj.test_mechanisms = [_BaseTestMechanism.from_obj(x) for x in obj.get_Test_Mechanisms().get_Test_Mechanism()] if obj.get_Suggested_COAs(): return_obj.suggested_coas = SuggestedCOAs.from_obj(obj.get_Suggested_COAs()) if obj.get_Alternative_ID(): return_obj.alternative_id = obj.get_Alternative_ID() if obj.get_Valid_Time_Position(): return_obj.valid_time_positions = [ValidTime.from_obj(x) for x in obj.get_Valid_Time_Position()] return return_obj
def createstix(db, themail): # Create the stix object # Set the cybox namespace NAMESPACE = {companyurl: companyname} # new ids will be prefixed with your company name set_id_namespace(NAMESPACE) # Set the TLP color to Green marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "GREEN" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) # stix assignments stix_package = STIXPackage() ttp = TTP(title="Phishing") stix_package.add_ttp(ttp) stix_package.stix_header = STIXHeader() stix_package.stix_header.handling = handling # Get data from the email dictionary object xid = themail['_id'] xdate = themail['date'] xoriginatingip = themail['x_originating_ip'] xmailer = themail['x_mailer'] xhelo = themail['helo'] xfrom = themail['from'] xsender = themail['sender'] xreplyto = themail['reply_to'] xsubject = themail['subject'] xbody = themail['raw_body'] # Routines to remove unwanted company identifiers from the emails xsubject = scrubit(xsubject) xbody = scrubit(xbody) # Terms to search for in email addresses. # replaces spoofed internal email addresses with [SPOOFED] # change to match your company's domain name without the '.com/.net/etc' searchterms = ['term1', 'term2'] for term in searchterms: if term.upper() in xfrom.upper(): xfrom = '[SPOOFED]' if term.upper() in xsender.upper(): xsender = '[SPOOFED]' if term.upper() in xreplyto.upper(): xreplyto = '[SPOOFED]' # Remove brackets from xoriginating IP xoriginatingip = re.sub(r'\[|\]', '', xoriginatingip) # get email comments ecomment = getcomments(db, xid) # Look for attachment and get info if true if themail['relationships']: # check if the first relationship is a sample because when an email object with attachment # is uploaded to crits the first relationship is always the attachment # which is uploaded seperately as a sample and related back to the original email if themail['relationships'][0]['type'] in 'Sample': myattachment = themail['relationships'][0]['value'] try: myfile = db.sample.find_one({'_id': ObjectId(myattachment)}) hasattachment = True except Exception, e: logger.error( "received error when querying samples collection for email with id %s", xid, exc_info=True) hasattachment = False else: hasattachment = False
def main(): mydata = loaddata() # NAMESPACE = {sanitizer(mydata["NSXURL"]) : sanitizer(mydata["NS"])} # set_id_namespace(NAMESPACE) NAMESPACE = Namespace(sanitizer(mydata['NSXURL']), sanitizer(mydata['NS'])) set_id_namespace(NAMESPACE) # new ids will be prefixed by "myNS" wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name=sanitizer(mydata["Identity"])) marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = sanitizer(mydata["TLP_COLOR"]) marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') MyTITLE = sanitizer(mydata["filename"]) + ": " + sanitizer( mydata["hashes"]["md5"]) ShortDescription = timestamp DESCRIPTION = "STIX Report for: " + sanitizer( mydata["filename"]) + " - " + sanitizer(mydata["hashes"]["md5"]) wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE, description=DESCRIPTION, short_description=ShortDescription) wrapper.stix_header.handling = handling fileobj = File() fileobj.file_name = sanitizer(mydata["filename"]) fileobj.file_format = sanitizer(mydata["file_type"]) fileobj.size_in_bytes = sanitizer(mydata["file_size"]) fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["md5"]))) fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha1"]))) fileobj.add_hash(Hash(sanitizer(mydata["hashes"]["sha256"]))) observable = Observable(fileobj) if "URL_file_hosting" in mydata: for idx, mydata["URL_file_hosting"] in enumerate( mydata["URL_file_hosting"]): url = URI() url.value = sanitizer(mydata["URL_file_hosting"]) url.type_ = URI.TYPE_URL url.condition = "Equals" fileobj.add_related(url, "Downloaded_From") indicator = Indicator() indicator.title = MyTITLE indicator.add_indicator_type("File Hash Watchlist") indicator.add_observable(observable) wrapper.add_indicator(indicator) print(wrapper.to_xml())
def main(argv): ###################################################################### # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28) TITLE = raw_input("Insert Title Ioc:") # La description strutturiamola come segue # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)> DESCRIPTION = raw_input("Insert Decription:") # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community IDENTITY = raw_input("Insert User Identity:") # File degli IoC IOCFILE = raw_input("Add IoC Source File:") # Prefisso STIX output files STIX 1.2 e STIX 2 OUTFILEPREFIX = "package" # Short Description - UNUSED #SHORT = "Emotet" ###################################################################### VERBOSE = 0 # UTF8 encode TITLE = TITLE.encode('utf8') DESCRIPTION = DESCRIPTION.encode('utf8') IDENTITY = IDENTITY.encode('utf8') print "\nStix File generation in progress...." #print (TITLE) #"TITLE: " + TITLE #print (DESCRIPTION) #"DESCRIPTION: " + DESCRIPTION #print (IDENTITY) #"IDENTITY: " + IDENTITY #print (IOCFILE) #"IOC FILE: " + IOCFILE #print "---------------------" ######################## # Commond data timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') ######################## # Build STIX 1.2 file info_src = InformationSource() info_src.identity = Identity(name=IDENTITY) NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) wrapper = STIXPackage() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = TITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = TITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") # URL indicators indiURL = Indicator() indiURL.title = TITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") # IP indicators indiIP = Indicator() indiIP.title = TITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = TITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") ######################## # Build STIX 2 file pattern_sha256 = [] pattern_md5 = [] pattern_sha1 = [] pattern_domain = [] pattern_url = [] pattern_ip = [] pattern_email = [] # Marking marking_def_white = stix2.MarkingDefinition(definition_type="tlp", definition={"tlp": "WHITE"}) # campagna # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY) campaign_MAIN = stix2.Campaign(created=timestamp, modified=timestamp, name=TITLE, description=DESCRIPTION, first_seen=timestamp, objective="TBD") ######################## # Read IoC file ioc = loaddata(IOCFILE) if (VERBOSE): print "Reading IoC file " + IOCFILE + "..." for idx, ioc in enumerate(ioc): notfound = 1 # sha256 p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filei = File() filei.add_hash(Hash(ioc)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) if (VERBOSE): print "SHA256: " + ioc notfound = 0 # STIX 2 pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ") #md5 p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filej = File() filej.add_hash(Hash(ioc)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) if (VERBOSE): print "MD5: " + ioc notfound = 0 # STIX 2 pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ") #sha1 p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE) m = p.match(ioc) if m and notfound: # STIX 1.2 filek = File() filek.add_hash(Hash(ioc)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) if (VERBOSE): print "SHA1: " + ioc notfound = 0 # STIX 2 pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ") #domains if validators.domain(ioc) and notfound: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) if (VERBOSE): print "DOMAIN: " + ioc notfound = 0 # STIX 2 pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ") #url if validators.url(ioc) and notfound: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) if (VERBOSE): print "URL: " + ioc notfound = 0 # STIX 2 pattern_url.append("[url:value = '" + ioc + "'] OR ") #ip if validators.ipv4(ioc) and notfound: # STIX 1.2 ip = Address() ip.address_value = ioc obsu = Observable(ip) indiIP.add_observable(obsu) if (VERBOSE): print "IP: " + ioc notfound = 0 # STIX 2 pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ") #email if validators.email(ioc) and notfound: # STIX 1.2 email = EmailAddress() email.address_value = ioc obsu = Observable(email) indiEMAIL.add_observable(obsu) if (VERBOSE): print "Email: " + ioc notfound = 0 # STIX 2 pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ") ######################## # add all indicators to STIX 1.2 wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) ######################## # prepare for STIX 2 bundle_objects = [campaign_MAIN, marking_def_white] if len(pattern_sha256) != 0: stix2_sha256 = "".join(pattern_sha256) stix2_sha256 = stix2_sha256[:-4] indicator_SHA256 = stix2.Indicator( name=TITLE + " - SHA256", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha256, object_marking_refs=[marking_def_white]) relationship_indicator_SHA256 = stix2.Relationship( indicator_SHA256, 'indicates', campaign_MAIN) bundle_objects.append(indicator_SHA256) bundle_objects.append(relationship_indicator_SHA256) if len(pattern_md5) != 0: stix2_md5 = "".join(pattern_md5) stix2_md5 = stix2_md5[:-4] indicator_MD5 = stix2.Indicator( name=TITLE + " - MD5", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_md5, object_marking_refs=[marking_def_white]) relationship_indicator_MD5 = stix2.Relationship( indicator_MD5, 'indicates', campaign_MAIN) bundle_objects.append(indicator_MD5) bundle_objects.append(relationship_indicator_MD5) if len(pattern_sha1) != 0: stix2_sha1 = "".join(pattern_sha1) stix2_sha1 = stix2_sha1[:-4] indicator_SHA1 = stix2.Indicator( name=TITLE + " - SHA1", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha1, object_marking_refs=[marking_def_white]) relationship_indicator_SHA1 = stix2.Relationship( indicator_SHA1, 'indicates', campaign_MAIN) bundle_objects.append(indicator_SHA1) bundle_objects.append(relationship_indicator_SHA1) if len(pattern_domain) != 0: stix2_domain = "".join(pattern_domain) stix2_domain = stix2_domain[:-4] indicator_DOMAINS = stix2.Indicator( name=TITLE + " - DOMAINS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_domain, object_marking_refs=[marking_def_white]) relationship_indicator_DOMAINS = stix2.Relationship( indicator_DOMAINS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_DOMAINS) bundle_objects.append(relationship_indicator_DOMAINS) if len(pattern_url) != 0: stix2_url = "".join(pattern_url) stix2_url = stix2_url[:-4] indicator_URLS = stix2.Indicator( name=TITLE + " - URL", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_url, object_marking_refs=[marking_def_white]) relationship_indicator_URLS = stix2.Relationship( indicator_URLS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_URLS) bundle_objects.append(relationship_indicator_URLS) if len(pattern_ip) != 0: stix2_ip = "".join(pattern_ip) stix2_ip = stix2_ip[:-4] indicator_IPS = stix2.Indicator( name=TITLE + " - IPS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_ip, object_marking_refs=[marking_def_white]) relationship_indicator_IPS = stix2.Relationship( indicator_IPS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_IPS) bundle_objects.append(relationship_indicator_IPS) if len(pattern_email) != 0: stix2_email = "".join(pattern_email) stix2_email = stix2_email[:-4] indicator_EMAILS = stix2.Indicator( name=TITLE + " - EMAILS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_email, object_marking_refs=[marking_def_white]) relationship_indicator_EMAILS = stix2.Relationship( indicator_EMAILS, 'indicates', campaign_MAIN) bundle_objects.append(indicator_EMAILS) bundle_objects.append(relationship_indicator_EMAILS) # creo il bunble STIX 2 bundle = stix2.Bundle(objects=bundle_objects) ######################## # save to STIX 1.2 file print print "Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix" f = open(OUTFILEPREFIX + ".stix", "w") f.write(wrapper.to_xml()) f.close() ######################## # save to STIX 2 file print "Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2" g = open(OUTFILEPREFIX + ".stix2", "w") sys.stdout = g print bundle
def convert_bundle(bundle_obj): global _ID_OBJECT_MAPPING global _IDENTITIES global _VICTIM_TARGET_TTPS global _KILL_CHAINS global CONTAINER _ID_OBJECT_MAPPING = {} _IDENTITIES = {} _VICTIM_TARGET_TTPS = [] _KILL_CHAINS = {} CONTAINER = stixmarx.new() pkg = CONTAINER.package pkg.id_ = convert_id20(bundle_obj["id"]) for identity in (v for v in bundle_obj["objects"] if v["type"] == "identity"): debug("Found '%s'", 0, identity["id"]) i1x = convert_identity(identity) record_identity(identity, i1x) for marking_definition in (v for v in bundle_obj["objects"] if v["type"] == "marking-definition"): debug("Found '%s'", 0, marking_definition["id"]) m1x = convert_marking_definition(marking_definition) if not pkg.stix_header: pkg.stix_header = STIXHeader(handling=Marking()) pkg.stix_header.handling.add_marking(m1x) for o in bundle_obj["objects"]: if o["type"] == "attack-pattern": pkg.add_ttp(convert_attack_pattern(o)) elif o["type"] == "campaign": pkg.add_campaign(convert_campaign(o)) elif o["type"] == 'course-of-action': pkg.add_course_of_action(convert_coa(o)) elif o["type"] == "indicator": pkg.add_indicator(convert_indicator(o)) elif o["type"] == "intrusion-set": error( "Cannot convert STIX 2.0 content that contains intrusion-sets", 524) return None elif o["type"] == "malware": pkg.add_ttp(convert_malware(o)) elif o["type"] == "observed-data": pkg.add_observable(convert_observed_data(o)) elif o["type"] == "report": pkg.add_report(convert_report(o)) elif o["type"] == "threat-actor": pkg.add_threat_actor(convert_threat_actor(o)) elif o["type"] == "tool": pkg.add_ttp(convert_tool(o)) elif o["type"] == "vulnerability": pkg.add_exploit_target(convert_vulnerability(o)) # second passes for o in bundle_obj["objects"]: if o["type"] == "relationship": process_relationships(o) for o in bundle_obj["objects"]: if "created_by_ref" in o: process_created_by_ref(o) if "external_references" in o: create_references(o) for o in bundle_obj["objects"]: if o["type"] == "sighting": process_sighting(o) for k, v in _KILL_CHAINS.items(): pkg.ttps.kill_chains.append(v["kill_chain"]) CONTAINER.flush() CONTAINER = None return pkg
def main(): ###################################################################### # MODIFICARE LE VARIABILI SEGUENTI # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28) MyTITLE = "Gootkit" # La description strutturiamola come segue # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)> DESCRIPTION = "D3Lab - Malspam Gootkit con dropper da 450+ MB - https://www.d3lab.net/malspam-gootkit-con-dropper-da-450-mb/" # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community IDENTITY = "D3Lab via Cyber Saiyan Community" # ###################################################################### # read IoC files file_sha256 = "CS-sha256.txt" sha256 = loaddata(file_sha256) file_md5 = "CS-md5.txt" md5 = loaddata(file_md5) file_sha1 = "CS-sha1.txt" sha1 = loaddata(file_sha1) file_domains = "CS-domain.txt" domains = loaddata(file_domains) file_urls = "CS-url.txt" urls = loaddata(file_urls) file_ips = "CS-ipv4.txt" ips = loaddata(file_ips) file_emails = "CS-email.txt" emails = loaddata(file_emails) # Build STIX file info_src = InformationSource() info_src.identity = Identity(name=IDENTITY) NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') SHORT = timestamp wrapper = STIXPackage() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) wrapper.stix_header = STIXHeader( information_source=info_src, title=MyTITLE.encode(encoding='UTF-8', errors='replace'), description=DESCRIPTION.encode(encoding='UTF-8', errors='replace'), short_description=SHORT.encode(encoding='UTF-8', errors='replace')) wrapper.stix_header.handling = handling # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = MyTITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") print "Reading IoC sha256 file..." p = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE) for idx, sha256 in enumerate(sha256): m = p.match(sha256) if m: filei = File() filei.add_hash(Hash(sha256)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) else: print " Malformed sha256: " + sha256 print print "Reading IoC md5 file..." p = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE) for idx, md5 in enumerate(md5): m = p.match(md5) if m: filej = File() filej.add_hash(Hash(md5)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) else: print " Malformed md5: " + md5 print print "Reading IoC sha1 file..." p = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE) for idx, sha1 in enumerate(sha1): m = p.match(sha1) if m: filek = File() filek.add_hash(Hash(sha1)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) else: print " Malformed sha1: " + sha1 print # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = MyTITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") print "Reading IoC domains file..." for idu, domains in enumerate(domains): if validators.domain(domains): url = URI() url.value = domains url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) else: print " Malformed domain: " + domains print # URL indicators indiURL = Indicator() indiURL.title = MyTITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") print "Reading IoC url file..." for idu, urls in enumerate(urls): if validators.url(urls): url = URI() url.value = urls url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) else: print " Malformed url: " + urls print # IP indicators indiIP = Indicator() indiIP.title = MyTITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") print "Reading IoC IP file..." for idu, ips in enumerate(ips): if validators.ipv4(ips): ip = Address() ip.address_value = ips obsu = Observable(ip) indiIP.add_observable(obsu) else: print " Malformed IP: " + ips print # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = MyTITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") print "Reading IoC email file..." for idu, emails in enumerate(emails): if validators.email(emails): email = EmailAddress() email.address_value = emails obsu = Observable(email) indiEMAIL.add_observable(obsu) else: print " Malformed email: " + emails print # add all indicators wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) # print STIX file to stdout print "Writing STIX package: package.stix" f = open("package.stix", "w") f.write(wrapper.to_xml()) f.close() print
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') ### Input Check if srcObj is None or data is None: # TODO: Needs error msg: Missing srcData Object return False ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['ipAddr'] if sAddr: objAddr = Address() objAddr.is_source = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isSource: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['domain'] if sDomain: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) objIndicator.add_indicator_type("Domain Watchlist") # Parser File Hash # sHash = data[sKey]['attrib']['hash']; # if len(sHash) > 0: # objFile = File() # sFileName = data[sKey]['attrib']['fileName'] # if len(sFileName) > 0: # objFile.file_name = sFileName # objFile.file_format = sFileName.split('.')[1] # objFile.add_hash(Hash(sHash, exact=True)) # obsFile = Observable(objFile) # objFile = None; # obsFile.sighting_count = 1 # obsFile.title = 'File: ' + sFileName # sDscrpt = 'FileName: ' + sFileName + " | " # sDscrpt += "FileHash: " + sHash + " | " # obsFile.description = "<![CDATA[" + sDscrpt + "]]>" # listOBS.append(obsFile) # obsFile = None; # objIndicator.add_indicator_type("File Hash Watchlist") ### Add Generated observable to Indicator objIndicator.observables = listOBS objIndicator.observable_composition_operator = 'OR' #Parsing Producer sProducer = srcObj.Domain if len(srcObj.Domain) > 0: objIndicator.set_producer_identity(srcObj.Domain) if data[sKey]['attrib']['dateVF']: objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']) objIndicator.set_received_time(data[sKey]['dateDL']) ### Old Title / Description Generator #objIndicator.title = data[sKey]['attrib']['title']; #objIndicator.description = "<![CDATA[" + data[sKey]['attrib']['dscrpt'] + "]]>"; ### Generate Indicator Title based on availbe data sTitle = 'Feodo Tracker: ' if sAddr: sAddLine = "This IP address has been identified as malicious" if sDomain: sAddLine = "This domain has been identified as malicious" if len(sAddLine) > 0: sTitle += " | " + sAddLine if len(srcObj.Domain) > 0: sTitle += " by " + srcObj.Domain else: sTitle += "." if len(sTitle) > 0: objIndicator.title = sTitle #Generate Indicator Description based on availbe data sDscrpt = "" if sAddr: sAddLine = "This IP address " + sAddr if sDomain: sAddLine = "This domain " + sDomain if sAddr and sDomain: sAddLine = "This domain " + sDomain + " (" + sAddr + ")" if len(sAddLine) > 0: sDscrpt += sAddLine sDscrpt += " has been identified as malicious" if len(srcObj.Domain) > 0: sDscrpt += " by " + srcObj.Domain else: sDscrpt += "." sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + \ data[sKey]['attrib']['link'] + "]." if len(sDscrpt) > 0: objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() objMalware.add_name("Cridex") objMalware.add_name("Bugat") objMalware.add_name("Dridex") objMalware.add_type("Remote Access Trojan") objMalware.short_description = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials" sDscrpt = "Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D:\n" sDscrpt += "\n" sDscrpt += " Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.\n" sDscrpt += " Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.\n" sDscrpt += " Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.\n" sDscrpt += " Version D: Successor of Cridex. This version is also known as Dridex\n" objMalware.description = "<![CDATA[" + sDscrpt + "]]>" objTTP = TTP(title="Feodo") objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = srcObj.Domain + " | " + sTOU marking_specification.marking_structures.append(objTOU) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return stix_package
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() # if 'indicator' in data[sKey]['meta']['IDs']: # objIndicator.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({objIndicator.id_:'indicator'}) listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['IP Address'] if sAddr: objAddr = Address() objAddr.is_source = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) # if 'address"' in data[sKey]['meta']['IDs']: # obsAddr.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({objIndicator.id_:'address'}) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isSource: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['Hostname'] if sDomain: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) # if 'domain' in data[sKey]['meta']['IDs']: # obsDomain.id_ = data[sKey]['meta']['IDs'].key # else: # data[sKey]['meta']['IDs'].update({obsDomain.id_:'domain'}) objDomain = None obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) obsDomain = None objIndicator.add_indicator_type("Domain Watchlist") ### Parsing Port Number sPortList = data[sKey]['attrib']['Ports'] for item in sPortList: if sPortList[item]: objPort = Port() sPort = sPortList[item] objPort.port_value = int(sPort) objPort.port_value.condition = 'Equals' objPort.layer4_protocol = 'TCP' obsPort = Observable(objPort) objPort = None obsPort.sighting_count = 1 obsPort.title = 'Port: ' + str(sPort) sDscrpt = 'PortNumber: ' + str(sPort) + " | " sDscrpt += "Protocol: TCP | " obsPort.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsPort) ### Add Generated observable to Indicator objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS #Parsing Producer infoSrc = InformationSource(identity=Identity(name=srcObj.Domain)) #infoSrc.add_contributing_source(data[sKey]['attrib']['ref']) objIndicator.producer = infoSrc # if data[sKey]['attrib']['lstDateVF']: # objIndicator.set_produced_time(data[sKey]['attrib']['lstDateVF'][0]); objIndicator.set_received_time(data[sKey]['meta']['dateDL']) ### Generate Indicator Title based on availbe data lstContainng = [] lstIs = [] sTitle = ' This' if data[sKey]['attrib']['Hostname']: sTitle += ' domain ' + data[sKey]['attrib']['Hostname'] else: sTitle += ' ipAddress ' + sKey sTitle += ' has been identified as a TOR network "Exit Point" router' objIndicator.title = sTitle ### Generate Indicator Description based on availbe data sDscrpt = ' torstatus.blutmagie.de has identified this' if data[sKey]['attrib']['Hostname']: sDscrpt += ' domain ' + data[sKey]['attrib']['Hostname'] else: sDscrpt += ' ipAddress ' + sKey # sDscrpt += ' with a router name of "' + data[sKey]['attrib']['Router Name'] + '"' # if data[sKey]['attrib']['Ports']['ORPort']: # sDscrpt += ' using ORPort: ' + str(data[sKey]['attrib']['Ports']['ORPort']) # if data[sKey]['attrib']['Ports']['DirPort']: # sDscrpt += ' and DirPort: ' + str(data[sKey]['attrib']['Ports']['DirPort']) sDscrpt += ' as a TOR network "Exit Point" router' if data[sKey]['attrib']['Country Code']: sCntry_code = data[sKey]['attrib']['Country Code'] if sCntry_code in dictCC2CN: sCntry_name = dictCC2CN[sCntry_code] sDscrpt += ', which appears to be located in ' + sCntry_name sDscrpt += '. \n\n RawData: ' + str(data[sKey]['attrib']) objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP # objMalware = MalwareInstance() # objMalware.add_type("Remote Access Trojan") # ttpTitle = data[sKey]['attrib']['type'] # objTTP = TTP(title=ttpTitle) # objTTP.behavior = Behavior() # objTTP.behavior.add_malware_instance(objMalware) # objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = srcObj.Domain + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) # locDataFile = 'db_' + srcObj.fileName.split('.')[0] + '.json' # sndFile_Dict2JSON(data,locDataFile); # data = None return (stix_package)
def from_dict(cls, dict_repr, return_obj=None): if not dict_repr: return None if not return_obj: return_obj = cls() return_obj.id_ = dict_repr.get('id') return_obj.idref = dict_repr.get('idref') return_obj.timestamp = dict_repr.get('timestamp') return_obj.version = dict_repr.get('version') return_obj.title = dict_repr.get('title') return_obj.description = StructuredText.from_dict( dict_repr.get('description')) return_obj.short_description = StructuredText.from_dict( dict_repr.get('short_description')) return_obj.time = Time.from_dict(dict_repr.get('time')) return_obj.victims = [ Identity.from_dict(x) for x in dict_repr.get('victims', []) ] return_obj.categories = [ IncidentCategory.from_dict(x) for x in dict_repr.get('categories', []) ] return_obj.attributed_threat_actors = AttributedThreatActors.from_dict( dict_repr.get('attributed_threat_actors')) return_obj.related_indicators = RelatedIndicators.from_dict( dict_repr.get('related_indicators')) return_obj.related_observables = RelatedObservables.from_dict( dict_repr.get('related_observables')) return_obj.related_incidents = RelatedIncidents.from_dict( dict_repr.get('related_incidents')) return_obj.intended_effects = [ Statement.from_dict(x) for x in dict_repr.get('intended_effects', []) ] return_obj.leveraged_ttps = LeveragedTTPs.from_dict( dict_repr.get('leveraged_ttps')) return_obj.affected_assets = [ AffectedAsset.from_dict(x) for x in dict_repr.get('affected_assets', []) ] return_obj.discovery_methods = [ DiscoveryMethod.from_dict(x) for x in dict_repr.get('discovery_methods', []) ] return_obj.reporter = InformationSource.from_dict( dict_repr.get('reporter')) return_obj.responders = [ InformationSource.from_dict(x) for x in dict_repr.get('responders', []) ] return_obj.coordinators = [ InformationSource.from_dict(x) for x in dict_repr.get('coordinators', []) ] return_obj.external_ids = [ ExternalID.from_dict(x) for x in dict_repr.get('external_ids', []) ] return_obj.impact_assessment = ImpactAssessment.from_dict( dict_repr.get('impact_assessment')) return_obj.information_source = InformationSource.from_dict( dict_repr.get('information_source')) return_obj.security_compromise = SecurityCompromise.from_dict( dict_repr.get('security_compromise')) return_obj.confidence = Confidence.from_dict( dict_repr.get('confidence')) return_obj.coa_taken = [ COATaken.from_dict(x) for x in dict_repr.get('coa_taken', []) ] return_obj.status = VocabString.from_dict(dict_repr.get('status')) return_obj.handling = Marking.from_dict(dict_repr.get('handling')) return_obj.history = History.from_dict(dict_repr.get('history')) return return_obj
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address for sAddr in data[sKey]['attrib']['ipAddrList']: if len(sAddr) > 0: objAddr = Address() objAddr.is_destination = True objAddr.address_value = sAddr #objAddr.address_value.operator = 'Equals' objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = 'ipv4-addr' elif isIPv6(sAddr): objAddr.category = 'ipv6-addr' else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isDestination: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None ### Parsing Port Number sPort = data[sKey]['attrib']['ipPort'] if len(sPort) > 0: objPort = Port() objPort.port_value = int(sPort) objPort.port_value.condition = 'Equals' sProtocol = data[sKey]['attrib']['ipProt'] if len(sProtocol) > 0: objPort.layer4_protocol = sProtocol.upper() obsPort = Observable(objPort) objPort = None obsPort.sighting_count = 1 obsPort.title = 'Port: ' + sPort sDscrpt = 'PortNumber' + ': ' + sPort + " | " sDscrpt += "Protocol: " + sProtocol.upper() + " | " obsPort.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsPort) ### Add Generated observable to Indicator objIndicator.add_indicator_type("IP Watchlist") objIndicator.observable_composition_operator = 'OR' objIndicator.observables = listOBS from stix.extensions.test_mechanism.snort_test_mechanism import SnortTestMechanism from stix.common import InformationSource, Identity testMech = SnortTestMechanism() testMech.rules = [data[sKey]['attrib']['rule']] testMech.efficacy = "Unknown" infoSrc = InformationSource(identity=Identity(name=srcObj.Domain)) infoSrc.add_contributing_source("http://www.shadowserver.org") infoSrc.add_contributing_source("https://spyeyetracker.abuse.ch") infoSrc.add_contributing_source("https://palevotracker.abuse.ch") infoSrc.add_contributing_source("https://zeustracker.abuse.ch") testMech.producer = infoSrc lstRef = data[sKey]['attrib']['reference'].split('|') testMech.producer.references = lstRef objIndicator.test_mechanisms = [testMech] #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) #objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']); objIndicator.set_received_time(data[sKey]['dateDL']) ### Title / Description Generator objIndicator.set_received_time(data[sKey]['dateDL']) sTitle = "sid:" + data[sKey]['attrib']['sid'] + " | " sTitle += data[sKey]['attrib']['msg'] + " | " sTitle += "rev:" + data[sKey]['attrib']['rev'] objIndicator.title = sTitle sDscrpt = "SNORT Rule by Emergingthreats | " + data[sKey]['attrib'][ 'rule'] objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" #Parse TTP objMalware = MalwareInstance() nameList = data[sKey]['attrib']['flowbits'] if len(nameList) > 0: nameList = nameList.split("|") for sName in nameList: sName = sName.split(",")[1] objMalware.add_name(sName) #objMalware.add_type("Remote Access Trojan") objMalware.short_description = data[sKey]['attrib']['msg'] ttpTitle = data[sKey]['attrib']['classtype'] + " | " + data[sKey][ 'attrib']['msg'] objTTP = TTP(title=ttpTitle) objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) #objIndicator.add_indicated_ttp(TTP(idref=objTTP.id_)) #stix_package.add_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)
def gen_stix_observable_sample(config, target=None, datatype=None, title='random test data', description='random test data', package_intents='Indicators - Watchlist', tlp_color='WHITE'): '''generate sample stix data comprised of indicator_count indicators of type datatype''' # setup the xmlns... xmlns_url = config['edge']['sites'][target]['stix']['xmlns_url'] xmlns_name = config['edge']['sites'][target]['stix']['xmlns_name'] set_stix_id_namespace({xmlns_url: xmlns_name}) set_cybox_id_namespace(Namespace(xmlns_url, xmlns_name)) # construct a stix package... stix_package = STIXPackage() stix_header = STIXHeader() stix_header.title = title stix_header.description = description stix_header.package_intents = package_intents marking = MarkingSpecification() marking.controlled_structure = '../../../../descendant-or-self::node()' tlp_marking = TLPMarkingStructure() tlp_marking.color = tlp_color marking.marking_structures.append(tlp_marking) stix_package.stix_header = stix_header stix_package.stix_header.handling = Marking() stix_package.stix_header.handling.add_marking(marking) # ...and stuff it full of random sample data :-) if datatype == 'ip': addr = Address(address_value=datagen.generate_random_ip_address(), category='ipv4-addr') addr.condition = 'Equals' stix_package.add_observable(Observable(addr)) elif datatype == 'domain': domain = DomainName() domain.type_ = 'FQDN' domain.value = datagen.generate_random_domain(config) domain.condition = 'Equals' stix_package.add_observable(Observable(domain)) elif datatype == 'filehash': file_object = File() file_object.file_name = str(uuid.uuid4()) + '.exe' hashes = datagen.generate_random_hashes() for hash in hashes.keys(): file_object.add_hash(Hash(hashes[hash], type_=hash.upper())) for i in file_object.hashes: i.simple_hash_value.condition = "Equals" stix_package.add_observable(Observable(file_object)) elif datatype == 'email': try: msg = datagen.get_random_spam_msg(config) email = EmailMessage() email.header = EmailHeader() header_map = { 'Subject': 'subject', 'To': 'to', 'Cc': 'cc', 'Bcc': 'bcc', 'From': 'from_', 'Sender': 'sender', 'Date': 'date', 'Message-ID': 'message_id', 'Reply-To': 'reply_to', 'In-Reply-To': 'in_reply_to', 'Content-Type': 'content_type', 'Errors-To': 'errors_to', 'Precedence': 'precedence', 'Boundary': 'boundary', 'MIME-Version': 'mime_version', 'X-Mailer': 'x_mailer', 'User-Agent': 'user_agent', 'X-Originating-IP': 'x_originating_ip', 'X-Priority': 'x_priority' } # TODO handle received_lines for key in header_map.keys(): val = msg.get(key, None) if val: email.header.__setattr__(header_map[key], val) email.header.__getattribute__(header_map[key]).condition = \ 'Equals' # TODO handle email bodies (it's mostly all there except for # handling weird text encoding problems that were making # libcybox stacktrace) # body = get_email_payload(random_spam_msg) # if body: # email.raw_body = body stix_package.add_observable(Observable(email)) except: return (None) observable_id = stix_package.observables.observables[0].id_ return (observable_id, stix_package)
def main(): ###################################################################### # MODIFICARE LE VARIABILI SEGUENTI MyTITLE = "APT28 / Fancy Bear" DESCRIPTION = "Emanuele De Lucia - APT28 / Fancy Bear still targeting military institutions - https://www.emanueledelucia.net/apt28-targeting-military-institutions/" sha256 = [] md5 = [ '43D7FFD611932CF51D7150B176ECFC29', '549726B8BFB1919A343AC764D48FDC81' ] sha1 = [] domains = ['beatguitar.com'] urls = [ 'https://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=', 'https://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ=' ] ips = ['185.99.133.72'] emails = [] ###################################################################### # Costruzione STIX file NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) timestamp = datetime.datetime.fromtimestamp( time.time()).strftime('%Y-%m-%d %H:%M:%S') SHORT = timestamp wrapper = STIXPackage() info_src = InformationSource() info_src.identity = Identity(name="CyberSaiyan Community") marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) wrapper.stix_header = STIXHeader(information_source=info_src, title=MyTITLE, description=DESCRIPTION, short_description=SHORT) wrapper.stix_header.handling = handling # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = MyTITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") for idx, sha256 in enumerate(sha256): filei = File() filei.add_hash(Hash(sha256)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) for idx, md5 in enumerate(md5): filej = File() filej.add_hash(Hash(md5)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) for idx, sha1 in enumerate(sha1): filek = File() filek.add_hash(Hash(sha1)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = MyTITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") for idu, domains in enumerate(domains): url = URI() url.value = domains url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) # URL indicators indiURL = Indicator() indiURL.title = MyTITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") for idu, urls in enumerate(urls): url = URI() url.value = urls url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) # IP indicators indiIP = Indicator() indiIP.title = MyTITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") for idu, ips in enumerate(ips): ip = Address() ip.address_value = ips obsu = Observable(ip) indiIP.add_observable(obsu) # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = MyTITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") for idu, emails in enumerate(emails): email = EmailAddress() email.address_value = emails obsu = Observable(email) indiEMAIL.add_observable(obsu) # add all indicators wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) print(wrapper.to_xml())
def main(argv): ###################################################################### # Se non impostati da command line vengono utilizzati i seguenti valori per TITLE, DESCRIPTION, IDENTITY # Il title e' ID univoco della minaccia (es. Cobalt / Danabot / APT28) TITLE = "Test" # La description strutturiamola come segue # <IOC PRODUCER> - <Descrizione della minaccia/campagna> - <URL (if any)> DESCRIPTION = "Cyber Saiyan - Test - https://infosharing.cybersaiyan.it" # La sorgente che ha generato l'IoC con riferimento a Cyber Saiyan Community IDENTITY = "Cyber Saiyan Community" # File degli IoC IOCFILE = "CS-ioc.txt" # Prefisso STIX output files STIX 1.2 e STIX 2 OUTFILEPREFIX = "package" # Short Description - UNUSED SHORT = "unused" ###################################################################### VERBOSE = 0 # Parse ARGV[] try: opts, args = getopt.getopt(argv, "ht:d:i:f:o:v") except getopt.GetoptError: print( "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]") sys.exit(2) for opt, arg in opts: if opt == "-h": print( "CS_build_stix-from_files.py [-t TITLE] [-d DESCRIPTION] [-i IDENTITY] [-f IOC_FILE] [-o STIX_FILES_PREFIX]") sys.exit() elif opt == "-t": TITLE = arg elif opt == "-d": DESCRIPTION = arg elif opt == "-i": IDENTITY = arg elif opt == "-f": IOCFILE = arg elif opt == "-o": OUTFILEPREFIX = arg elif opt == "-v": VERBOSE = 1 print("---------------------") print("TITLE: " + TITLE) print("DESCRIPTION: " + DESCRIPTION) print("IDENTITY: " + IDENTITY) print("IOC FILE: " + IOCFILE) print("---------------------") ######################## # Commond data timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S") ######################## # Build STIX 1.2 file info_src = InformationSource() info_src.identity = Identity(name=IDENTITY) NAMESPACE = Namespace("https://infosharing.cybersaiyan.it", "CYBERSAIYAN") set_id_namespace(NAMESPACE) wrapper = STIXPackage() marking_specification = MarkingSpecification() marking_specification.controlled_structure = "//node() | //@*" tlp = TLPMarkingStructure() tlp.color = "white" marking_specification.marking_structures.append(tlp) handling = Marking() handling.add_marking(marking_specification) wrapper.stix_header = STIXHeader(information_source=info_src, title=TITLE, description=DESCRIPTION, short_description=SHORT) wrapper.stix_header.handling = handling # HASH indicators indicatorHASH = Indicator() indicatorHASH.title = TITLE + " - HASH" indicatorHASH.add_indicator_type("File Hash Watchlist") # DOMAIN indicators indiDOMAIN = Indicator() indiDOMAIN.title = TITLE + " - DOMAIN" indiDOMAIN.add_indicator_type("Domain Watchlist") # URL indicators indiURL = Indicator() indiURL.title = TITLE + " - URL" indiURL.add_indicator_type("URL Watchlist") # IP indicators indiIP = Indicator() indiIP.title = TITLE + " - IP" indiIP.add_indicator_type("IP Watchlist") # EMAIL indicators indiEMAIL = Indicator() indiEMAIL.title = TITLE + " - EMAIL" indiEMAIL.add_indicator_type("Malicious E-mail") ######################## # Build STIX 2 file pattern_sha256 = [] pattern_md5 = [] pattern_sha1 = [] pattern_domain = [] pattern_url = [] pattern_ip = [] pattern_email = [] # Marking marking_def_white = stix2.TLP_WHITE # campagna # [TODO] aggiungere tutti i campi dello STIX 1.2 (es. IDENTITY) campaign_MAIN = stix2.Campaign( created=timestamp, modified=timestamp, name=TITLE, description=DESCRIPTION, first_seen=timestamp, objective="TBD" ) ######################## # Read IoC file loaddata(IOCFILE) if (VERBOSE): print("Reading IoC file " + IOCFILE + "...") ioccount = 0 # sha256 for ioc in listSHA256: # STIX 1.2 filei = File() filei.add_hash(Hash(ioc)) obsi = Observable(filei) indicatorHASH.add_observable(obsi) if (VERBOSE): print("SHA256: " + ioc) ioccount += 1 # STIX 2 pattern_sha256.append("[file:hashes.'SHA-256' = '" + ioc + "'] OR ") # md5 for ioc in listMD5: # STIX 1.2 filej = File() filej.add_hash(Hash(ioc)) obsj = Observable(filej) indicatorHASH.add_observable(obsj) if (VERBOSE): print("MD5: " + ioc) ioccount += 1 # STIX 2 pattern_md5.append("[file:hashes.'MD5' = '" + ioc + "'] OR ") # sha1 for ioc in listSHA1: # STIX 1.2 filek = File() filek.add_hash(Hash(ioc)) obsk = Observable(filek) indicatorHASH.add_observable(obsk) if (VERBOSE): print("SHA1: " + ioc) ioccount += 1 # STIX 2 pattern_sha1.append("[file:hashes.'SHA1' = '" + ioc + "'] OR ") # domains for ioc in listDOMAIN: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_DOMAIN url.condition = "Equals" obsu = Observable(url) indiDOMAIN.add_observable(obsu) if (VERBOSE): print("DOMAIN: " + ioc) ioccount += 1 # STIX 2 pattern_domain.append("[domain-name:value = '" + ioc + "'] OR ") # url for ioc in listURL: # STIX 1.2 url = URI() url.value = ioc url.type_ = URI.TYPE_URL url.condition = "Equals" obsu = Observable(url) indiURL.add_observable(obsu) if (VERBOSE): print("URL: " + ioc) ioccount += 1 # STIX 2 pattern_url.append("[url:value = '" + ioc + "'] OR ") # ip for ioc in listIP: # STIX 1.2 ip = Address() ip.address_value = ioc obsu = Observable(ip) indiIP.add_observable(obsu) if (VERBOSE): print("IP: " + ioc) ioccount += 1 # STIX 2 pattern_ip.append("[ipv4-addr:value = '" + ioc + "'] OR ") # email for ioc in listEMAIL: # STIX 1.2 email = EmailAddress() email.address_value = ioc obsu = Observable(email) indiEMAIL.add_observable(obsu) if (VERBOSE): print("Email: " + ioc) ioccount += 1 # STIX 2 pattern_email.append("[email-message:from_ref.value = '" + ioc + "'] OR ") # subject for ioc in listSUBJECT: # STIX 1.2 emailsubject = EmailMessage() emailsubject.subject = ioc obsu = Observable(emailsubject) indiEMAIL.add_observable(obsu) if (VERBOSE): print("Subject: " + ioc) ioccount += 1 # STIX 2 (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html) # Replace all quotes in a subject string with escaped quotes pattern_email.append("[email-message:subject = '" + ioc.replace("'", "\\'") + "'] OR ") ######################## # add all indicators to STIX 1.2 wrapper.add_indicator(indicatorHASH) wrapper.add_indicator(indiDOMAIN) wrapper.add_indicator(indiURL) wrapper.add_indicator(indiIP) wrapper.add_indicator(indiEMAIL) ######################## # prepare for STIX 2 bundle_objects = [campaign_MAIN, marking_def_white] if len(pattern_sha256) != 0: stix2_sha256 = "".join(pattern_sha256) stix2_sha256 = stix2_sha256[:-4] indicator_SHA256 = stix2.Indicator( name=TITLE + " - SHA256", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha256, object_marking_refs=[marking_def_white] ) relationship_indicator_SHA256 = stix2.Relationship(indicator_SHA256, "indicates", campaign_MAIN) bundle_objects.append(indicator_SHA256) bundle_objects.append(relationship_indicator_SHA256) if len(pattern_md5) != 0: stix2_md5 = "".join(pattern_md5) stix2_md5 = stix2_md5[:-4] indicator_MD5 = stix2.Indicator( name=TITLE + " - MD5", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_md5, object_marking_refs=[marking_def_white] ) relationship_indicator_MD5 = stix2.Relationship(indicator_MD5, "indicates", campaign_MAIN) bundle_objects.append(indicator_MD5) bundle_objects.append(relationship_indicator_MD5) if len(pattern_sha1) != 0: stix2_sha1 = "".join(pattern_sha1) stix2_sha1 = stix2_sha1[:-4] indicator_SHA1 = stix2.Indicator( name=TITLE + " - SHA1", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_sha1, object_marking_refs=[marking_def_white] ) relationship_indicator_SHA1 = stix2.Relationship(indicator_SHA1, "indicates", campaign_MAIN) bundle_objects.append(indicator_SHA1) bundle_objects.append(relationship_indicator_SHA1) if len(pattern_domain) != 0: stix2_domain = "".join(pattern_domain) stix2_domain = stix2_domain[:-4] indicator_DOMAINS = stix2.Indicator( name=TITLE + " - DOMAINS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_domain, object_marking_refs=[marking_def_white] ) relationship_indicator_DOMAINS = stix2.Relationship(indicator_DOMAINS, "indicates", campaign_MAIN) bundle_objects.append(indicator_DOMAINS) bundle_objects.append(relationship_indicator_DOMAINS) if len(pattern_url) != 0: stix2_url = "".join(pattern_url) stix2_url = stix2_url[:-4] indicator_URLS = stix2.Indicator( name=TITLE + " - URL", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_url, object_marking_refs=[marking_def_white] ) relationship_indicator_URLS = stix2.Relationship(indicator_URLS, "indicates", campaign_MAIN) bundle_objects.append(indicator_URLS) bundle_objects.append(relationship_indicator_URLS) if len(pattern_ip) != 0: stix2_ip = "".join(pattern_ip) stix2_ip = stix2_ip[:-4] indicator_IPS = stix2.Indicator( name=TITLE + " - IPS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_ip, object_marking_refs=[marking_def_white] ) relationship_indicator_IPS = stix2.Relationship(indicator_IPS, "indicates", campaign_MAIN) bundle_objects.append(indicator_IPS) bundle_objects.append(relationship_indicator_IPS) if len(pattern_email) != 0: stix2_email = "".join(pattern_email) stix2_email = stix2_email[:-4] indicator_EMAILS = stix2.Indicator( name=TITLE + " - EMAILS", created=timestamp, modified=timestamp, description=DESCRIPTION, labels=["malicious-activity"], pattern=stix2_email, object_marking_refs=[marking_def_white] ) relationship_indicator_EMAILS = stix2.Relationship(indicator_EMAILS, "indicates", campaign_MAIN) bundle_objects.append(indicator_EMAILS) bundle_objects.append(relationship_indicator_EMAILS) # creo il bunble STIX 2 bundlestix2 = stix2.Bundle(objects=bundle_objects) if (ioccount > 0): ######################## # save to STIX 1.2 file print("Writing STIX 1.2 package: " + OUTFILEPREFIX + ".stix") f = open(OUTFILEPREFIX + ".stix", "wb") f.write(wrapper.to_xml()) f.close() ######################## # save to STIX 2 file print("Writing STIX 2 package: " + OUTFILEPREFIX + ".stix2") g = open(OUTFILEPREFIX + ".stix2", "w") g.write(str(bundlestix2)) g.close() else: print("No IoC found")
def _get_stix_header_marking(self, feed, creator=None): if creator is None: user = feed.user else: user = creator s = STIXPackage() if user.region is not None: country_name_code = user.region.country_code admin_area_name_code = user.region.code else: country_name_code = user.country_code admin_area_name_code = None industry_type = ais.OTHER organisation_name = ais.OTHER ais_tlp = feed.tlp # REDの場合はAISではエラーとなるのでNoneとする if ais_tlp == 'RED': ais_tlp = None ais.add_ais_marking(s, False, 'EVERYONE', ais_tlp, country_name_code=country_name_code, country_name_code_type='ISO_3166-1_alpha-2', admin_area_name_code=admin_area_name_code, organisation_name=organisation_name, industry_type=industry_type, admin_area_name_code_type="ISO_3166-2", ) ais_marking_specification = s.stix_header.handling.marking[0] # Marking作成 marking = Marking() marking.add_marking(ais_marking_specification) # 汎用のTLPmarking_specification作成 marking_specification = self._get_tlp_marking_structure(feed) marking.add_marking(marking_specification) # Critical Infrastructure marking_critical_infrastructure = self._make_marking_specification_statement(const.STIP_SNS_CI_KEY, user.ci) marking.add_marking(marking_critical_infrastructure) # スクリーン名 marking_screen_name = self._make_marking_specification_statement(const.STIP_SNS_SCREEN_NAME_KEY, user.get_screen_name()) marking.add_marking(marking_screen_name) # username marking_user_name = self._make_marking_specification_statement(const.STIP_SNS_USER_NAME_KEY, user.username) marking.add_marking(marking_user_name) # 会社名 marking_affiliation = self._make_marking_specification_statement(const.STIP_SNS_AFFILIATION_KEY, user.affiliation) marking.add_marking(marking_affiliation) # region code if user.region is not None: marking_region_code = self._make_marking_specification_statement(const.STIP_SNS_REGION_CODE_KEY, user.region.code) marking.add_marking(marking_region_code) # Sharing Range if feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_ALL: sharing_range = 'CIC Community' elif feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_GROUP: sharing_range = 'Group: %s' % (feed.sharing_group.en_name) elif feed.sharing_range_type == const.SHARING_RANGE_TYPE_KEY_PEOPLE: sharing_range = 'People: ' feed.save() for sharing_stip_user in feed.tmp_sharing_people: sharing_range += sharing_stip_user.username sharing_range += ',' # 最後の改行を取り除く sharing_range = sharing_range[:-1] marking_sharing_range = self._make_marking_specification_statement('Sharing Range', sharing_range) marking.add_marking(marking_sharing_range) # referred_url if feed.referred_url is not None: marking_referred_url = self._make_marking_specification_statement(const.STIP_SNS_REFERRED_URL_KEY, feed.referred_url) marking.add_marking(marking_referred_url) # stix2_package_id if feed.stix2_package_id is not None and len(feed.stix2_package_id) != 0: marking_stix2_package_id = self._make_marking_specification_statement(const.STIP_SNS_STIX2_PACKAGE_ID_KEY, feed.stix2_package_id) marking.add_marking(marking_stix2_package_id) return marking
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() return_obj.id_ = obj.id return_obj.idref = obj.idref return_obj.timestamp = obj.timestamp if isinstance(obj, cls._binding_class): return_obj.version = obj.version return_obj.title = obj.Title return_obj.description = StructuredText.from_obj(obj.Description) return_obj.short_description = StructuredText.from_obj( obj.Short_Description) return_obj.time = Time.from_obj(obj.Time) if obj.Victim: return_obj.victims = [Identity.from_obj(x) for x in obj.Victim] if obj.Categories: return_obj.categories = [ IncidentCategory.from_obj(x) for x in obj.Categories.Category ] if obj.Intended_Effect: return_obj.intended_effects = [ Statement.from_obj(x) for x in obj.Intended_Effect ] if obj.Affected_Assets: return_obj.affected_assets = [ AffectedAsset.from_obj(x) for x in obj.Affected_Assets.Affected_Asset ] if obj.Discovery_Method: return_obj.discovery_methods = [ DiscoveryMethod.from_obj(x) for x in obj.Discovery_Method ] if obj.Reporter: return_obj.reporter = InformationSource.from_obj(obj.Reporter) if obj.Responder: return_obj.responders = [ InformationSource.from_obj(x) for x in obj.Responder ] if obj.Coordinator: return_obj.coordinators = [ InformationSource.from_obj(x) for x in obj.Coordinator ] if obj.External_ID: return_obj.external_ids = [ ExternalID.from_obj(x) for x in obj.External_ID ] if obj.Impact_Assessment: return_obj.impact_assessment = ImpactAssessment.from_obj( obj.Impact_Assessment) if obj.Information_Source: return_obj.information_source = InformationSource.from_obj( obj.Information_Source) if obj.Security_Compromise: return_obj.security_compromise = SecurityCompromise.from_obj( obj.Security_Compromise) return_obj.coa_taken = [ COATaken.from_obj(x) for x in obj.COA_Taken ] return_obj.confidence = Confidence.from_obj(obj.Confidence) return_obj.attributed_threat_actors = AttributedThreatActors.from_obj( obj.Attributed_Threat_Actors) return_obj.related_indicators = RelatedIndicators.from_obj( obj.Related_Indicators) return_obj.related_observables = RelatedObservables.from_obj( obj.Related_Observables) return_obj.leveraged_ttps = LeveragedTTPs.from_obj( obj.Leveraged_TTPs) return_obj.related_incidents = RelatedIncidents.from_obj( obj.Related_Incidents) return_obj.status = VocabString.from_obj(obj.Status) return_obj.handling = Marking.from_obj(obj.Handling) return_obj.history = History.from_obj(obj.History) return return_obj
def apply_markings(stix_package, prefix, selector): cntrl = generate_cntrl_exp(prefix, selector) red_marking = generate_marking_spec(generate_red_marking_struct(), cntrl) stix_package.indicators[0].handling = Marking(markings=red_marking)
def adptr_dict2STIX(srcObj, data): sTxt = "Called... " sndMSG(sTxt, 'INFO', 'adptr_dict2STIX()') stixObj = None ### Input Check if srcObj == None or data == None: #TODO: Needs error msg: Missing srcData Object return (False) ### Generate NameSpace id tags STIX_NAMESPACE = {"http://hailataxii.com": "opensource"} OBS_NAMESPACE = Namespace("http://hailataxii.com", "opensource") stix_set_id_namespace(STIX_NAMESPACE) obs_set_id_namespace(OBS_NAMESPACE) ### Building STIX Wrapper stix_package = STIXPackage() objIndicator = Indicator() ### Bulid Object Data for sKey in data: objIndicator = Indicator() listOBS = [] ### Parsing IP Address sAddr = data[sKey]['attrib']['ipAddr'] if len(sAddr) > 0: objAddr = Address() objAddr.is_destination = True objAddr.address_value = sAddr objAddr.address_value.condition = 'Equals' if isIPv4(sAddr): objAddr.category = objAddr.CAT_IPV4 elif isIPv6(sAddr): objAddr.category = objAddr.CAT_IPV6 else: continue obsAddr = Observable(objAddr) objAddr = None obsAddr.sighting_count = 1 obsAddr.title = 'IP: ' + sAddr sDscrpt = 'IPv4' + ': ' + sAddr + " | " sDscrpt += "isDestination: True | " obsAddr.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsAddr) obsAddr = None objIndicator.add_indicator_type("IP Watchlist") ### Parsing Domain sDomain = data[sKey]['attrib']['domain'] if len(sDomain) > 0: objDomain = DomainName() objDomain.value = sDomain objDomain.value.condition = 'Equals' if isFQDN(sDomain): objDomain.type = 'FQDN' elif isTLD(sDomain): objDomain.type = 'TLD' else: continue obsDomain = Observable(objDomain) objDomain = None obsDomain.sighting_count = 1 obsDomain.title = 'Domain: ' + sDomain sDscrpt = 'Domain: ' + sDomain + " | " sDscrpt += "isFQDN: True | " obsDomain.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsDomain) obsDomain = None objIndicator.add_indicator_type("Domain Watchlist") #Parser URI sURI = data[sKey]['attrib']['title'] if len(sURI) > 0: objURI = URI() objURI.value = sURI objURI.value.condition = 'Equals' objURI.type_ = URI.TYPE_URL obsURI = Observable(objURI) objURI = None obsURI.sighting_count = 1 obsURI.title = 'URI: ' + sURI sDscrpt = 'URI: ' + sURI + " | " sDscrpt += "Type: URL | " obsURI.description = "<![CDATA[" + sDscrpt + "]]>" listOBS.append(obsURI) obsURI = None objIndicator.add_indicator_type("URL Watchlist") ### Add Generated observable to Indicator objIndicator.observables = listOBS objIndicator.observable_composition_operator = 'OR' #Parsing Producer sProducer = srcObj.Domain if len(sProducer) > 0: objIndicator.set_producer_identity(sProducer) objIndicator.set_produced_time(data[sKey]['attrib']['dateVF']) objIndicator.set_received_time(data[sKey]['dateDL']) ### Generate Indicator Title based on availbe data sTitle = 'C2C Site: ' + sURI objIndicator.title = sTitle #Generate Indicator Description based on availbe data sDscrpt = "" if len(sAddr) > 0: sAddLine = "This IP address " + sAddr if len(sDomain) > 0: sAddLine = "This domain " + sDomain if len(sAddr) > 0 and len(sDomain) > 0: sAddLine = "This domain " + sDomain + " (" + sAddr + ")" if len(sAddLine) > 0: sDscrpt += sAddLine sDscrpt = sDscrpt + " has been identified as a command and control site for " + data[ sKey]['attrib']['dscrpt'] + ' malware' if len(srcObj.Domain) > 0: sDscrpt = sDscrpt + " by " + srcObj.Domain else: sDscrpt = sDscrpt + "." sDscrpt = sDscrpt + ". For more detailed infomation about this indicator go to [CAUTION!!Read-URL-Before-Click] [" + data[ sKey]['attrib']['link'] + "]." if len(sDscrpt) > 0: objIndicator.description = "<![CDATA[" + sDscrpt + "]]>" pass #Parse TTP sType = data[sKey]['attrib']['dscrpt'] if len(sType) > 0: objMalware = MalwareInstance() objMalware.add_name(sType) objMalware.add_type("Remote Access Trojan") objMalware.short_description = "" objMalware.description = "" objTTP = TTP(title=sType) objTTP.behavior = Behavior() objTTP.behavior.add_malware_instance(objMalware) objIndicator.add_indicated_ttp(objTTP) stix_package.add_indicator(objIndicator) objIndicator = None ### STIX Package Meta Data stix_header = STIXHeader() stix_header.title = srcObj.pkgTitle stix_header.description = "<![CDATA[" + srcObj.pkgDscrpt + "]]>" ### Understanding markings http://stixproject.github.io/idioms/features/data-markings/ marking_specification = MarkingSpecification() classLevel = SimpleMarkingStructure() classLevel.statement = "Unclassified (Public)" marking_specification.marking_structures.append(classLevel) tlp = TLPMarkingStructure() tlp.color = "WHITE" marking_specification.marking_structures.append(tlp) marking_specification.controlled_structure = "//node()" objTOU = TermsOfUseMarkingStructure() sTOU = open('tou.txt').read() objTOU.terms_of_use = sProducer + " | " + sTOU marking_specification.marking_structures.append(objTOU) handling = Marking() handling.add_marking(marking_specification) stix_header.handling = handling stix_package.stix_header = stix_header stix_header = None ### Generate STIX XML File locSTIXFile = 'STIX_' + srcObj.fileName.split('.')[0] + '.xml' sndFile(stix_package.to_xml(), locSTIXFile) return (stix_package)