def main():
    """Print a STIX 1.x package holding two reports that share one Campaign and one TTP.

    The full Campaign and TTP objects are attached once at package level; each
    report references them only by idref so nothing is serialized twice. The
    package carries an InformationSource identifying the sharing program and
    is written to stdout as XML.
    """

    def make_report(title, intent, description=None):
        # Small builder so the two reports are constructed the same way.
        report = Report()
        report.header = Header()
        report.header.title = title
        if description is not None:
            report.header.descriptions = description
        report.header.intents = intent
        return report

    ics_campaign = Campaign(title="Campaign against ICS")
    rat_ttp = TTP(title="DrownedRat")

    # Campaign characterization report, pointing at the shared campaign by id.
    campaign_report = make_report(
        "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
        "Campaign Characterization",
        description="Adversary Alpha has a campaign against the ICS sector!",
    )
    campaign_report.add_campaign(Campaign(idref=ics_campaign.id_))

    # Malware indicator report, pointing at the shared TTP by id.
    malware_report = make_report(
        "Indicators for Malware DrownedRat",
        "Indicators - Malware Artifacts",
    )
    malware_report.add_ttp(TTP(idref=rat_ttp.id_))

    # Package header: who is sharing this (provenance for downstream consumers).
    source = InformationSource()
    source.identity = Identity(name="Government Sharing Program - GSP")

    package = STIXPackage()
    package.stix_header = STIXHeader(information_source=source)
    package.add_report(campaign_report)
    package.add_report(malware_report)
    package.add_campaign(ics_campaign)
    package.add_ttp(rat_ttp)

    print(package.to_xml())
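def main():
    """Print a STIX 1.x package holding two reports that share one Campaign and one TTP.

    The full Campaign and TTP objects are attached once at package level; each
    report references them only by idref so nothing is serialized twice. The
    package carries an InformationSource identifying the sharing program and
    is written to stdout as XML.

    Changes from the earlier version of this example: the idrefs are taken
    from the public ``id_`` attribute (as the sibling example in this file
    does) rather than the private ``_id``, and ``print`` is called as a
    function so the script runs on both Python 2 and 3.
    """
    campaign = Campaign(title="Campaign against ICS")
    ttp = TTP(title="DrownedRat")

    # Campaign characterization report, referencing the shared campaign by id.
    alpha_report = Report()
    alpha_report.header = Header()
    alpha_report.header.title = "Report on Adversary Alpha's Campaign against the Industrial Control Sector"
    alpha_report.header.descriptions = "Adversary Alpha has a campaign against the ICS sector!"
    alpha_report.header.intents = "Campaign Characterization"
    alpha_report.add_campaign(Campaign(idref=campaign.id_))

    # Malware indicator report, referencing the shared TTP by id.
    rat_report = Report()
    rat_report.header = Header()
    rat_report.header.title = "Indicators for Malware DrownedRat"
    rat_report.header.intents = "Indicators - Malware Artifacts"
    rat_report.add_ttp(TTP(idref=ttp.id_))

    # Package header: who is sharing this (provenance for downstream consumers).
    wrapper = STIXPackage()
    info_src = InformationSource()
    info_src.identity = Identity(name="Government Sharing Program - GSP")
    wrapper.stix_header = STIXHeader(information_source=info_src)

    wrapper.add_report(alpha_report)
    wrapper.add_report(rat_report)
    wrapper.add_campaign(campaign)
    wrapper.add_ttp(ttp)

    print(wrapper.to_xml())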
def convert_report(r20):
    """Slide a STIX 2.0 Report dict down to a STIX 1.x Report.

    Args:
        r20: the STIX 2.0 report as a dict; ``id``, ``modified``, ``labels``
            and ``object_refs`` are read unconditionally, the rest only if
            present.

    Returns:
        The populated STIX 1.x Report. Every object_ref becomes an idref-only
        stub of the matching 1.x type; attack-pattern, malware and tool all
        collapse into TTP, and vulnerability becomes an ExploitTarget.
        identity/relationship refs and intrusion-set refs are only warned
        about and do not appear in the result.

    Markings: object_marking_refs are applied to the report and its
    descendants via CONTAINER. granular_markings are NOT converted -- an
    error is logged and the report is returned without them, so any
    field-level handling restriction on the 2.0 object is lost in the
    1.x output. Consumers that rely on markings should check for that
    error before sharing the slid report.
    """
    r1x = Report(id_=convert_id20(r20["id"]), timestamp=text_type(r20["modified"]))
    r1x.header = Header()

    if "name" in r20:
        r1x.header.title = r20["name"]
    if "description" in r20:
        r1x.header.add_description(r20["description"])

    # 2.0 report labels map onto 1.x report intents.
    for intent in convert_open_vocabs_to_controlled_vocabs(r20["labels"], REPORT_LABELS_MAP):
        r1x.header.add_intent(intent)

    # 1.x has no "published" field; it is folded into the description text.
    if "published" in r20:
        add_missing_property_to_description(r1x.header, "published", r20["published"])

    # STIX 2 object type -> (1.x stub class, Report adder for that stub).
    stub_for = {
        "attack-pattern": (TTP, r1x.add_ttp),
        "campaign": (Campaign, r1x.add_campaign),
        "course-of-action": (CourseOfAction, r1x.add_course_of_action),
        "indicator": (Indicator, r1x.add_indicator),
        "observed-data": (Observable, r1x.add_observable),
        "malware": (TTP, r1x.add_ttp),
        "threat-actor": (ThreatActor, r1x.add_threat_actor),
        "tool": (TTP, r1x.add_ttp),
        "vulnerability": (ExploitTarget, r1x.add_exploit_target),
    }

    for ref in r20["object_refs"]:
        ref_type = get_type_from_id(ref)
        ref1x = convert_id20(ref)
        if ref_type in stub_for:
            stub_cls, add_stub = stub_for[ref_type]
            add_stub(stub_cls(idref=ref1x))
        elif ref_type in ("identity", "relationship"):
            warn("%s in %s is not explicitly a member of a STIX 1.x report", 703, ref, r20["id"])
        elif ref_type == "intrusion-set":
            warn("%s in %s cannot be represented in STIX 1.x", 612, ref, r20["id"])
        else:
            warn("ref type %s in %s is not known", 0, ref_type, r20["id"])

    # Object-level markings are carried over; the marking spec is built once
    # per marking id and applied to the report and everything beneath it.
    if "object_marking_refs" in r20:
        for marking_id in r20["object_marking_refs"]:
            spec = create_marking_specification(marking_id)
            if spec:
                CONTAINER.add_marking(r1x, spec, descendants=True)

    # Field-level markings have no 1.x equivalent here; flag and drop them.
    if "granular_markings" in r20:
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604,
            r20["id"])

    return r1x
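def build_stix(input_dict):
    """Assemble a STIX 1.x package holding one Report built from form fields.

    Args:
        input_dict: mapping with the keys ``title``, ``marking`` and the
            comma-separated id lists ``incidents``, ``ttps``, ``indicators``,
            ``observables``, ``threatActors``, ``targets``, ``coas`` and
            ``campaigns``. Every key must be present; a falsy value means
            "none of that kind". Ids are split on ',' with no trimming, so
            surrounding whitespace is passed to the query as-is.

    Returns:
        The populated STIXPackage. Its header description is
        ``"TTP " + title`` and, when ``marking`` is non-empty, a
        SimpleMarkingStructure statement is attached as the package handling.

    Raises:
        ValueError: if an id in one of the lists matches no row (see below).

    Security note: the id strings are user-controlled. Each lookup uses a
    fixed literal query per table and binds the id as a parameter, so the
    ids never reach the SQL text.
    """
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = "TTP " + input_dict['title']

    # Handling requirements, only if the caller supplied a marking statement.
    if input_dict['marking']:
        mark = SimpleMarkingStructure()
        mark.statement = input_dict['marking']
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)
    stix_package.stix_header = stix_header

    report = Report()

    # (form key, literal query, row -> STIX object builder, Report adder).
    # Order matters: it fixes the order in which items land in the report.
    sections = (
        ('incidents', 'select * from incidents where id = ?', buildIncident, report.add_incident),
        ('ttps', 'select * from ttps where id = ?', buildTtp, report.add_ttp),
        ('indicators', 'select * from indicators where id = ?', buildIndicator, report.add_indicator),
        ('observables', 'select * from observables where id = ?', buildObservable, report.add_observable),
        ('threatActors', 'select * from threatActors where id = ?', buildThreatActor, report.add_threat_actor),
        ('targets', 'select * from targets where id = ?', buildTarget, report.add_exploit_target),
        ('coas', 'select * from coas where id = ?', buildCoa, report.add_course_of_action),
        ('campaigns', 'select * from campaigns where id = ?', buildCampaign, report.add_campaign),
    )

    for key, query, build, add in sections:
        if not input_dict[key]:
            continue
        for each in input_dict[key].split(','):
            result = query_db(query, [each], one=True)
            # query_db(..., one=True) presumably yields None when no row
            # matches (the usual Flask helper idiom -- TODO confirm). The
            # original passed that None straight into the builder; fail here
            # with a message that names the offending id instead.
            if result is None:
                raise ValueError("unknown %s id: %r" % (key, each))
            add(build(result))

    stix_package.add_report(report)
    return stix_package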