def convert_tool(tool20):
tool1x = ToolInformation()
if "name" in tool20:
tool1x.title = tool20["name"]
if "description" in tool20:
tool1x.description = tool20["description"]
if "tool_version" in tool20:
tool1x.version = tool20["tool_version"]
if "labels" in tool20:
warn(
"labels not representable in a STIX 1.x ToolInformation. Found in %s",
502, tool20["id"])
# bug in python_stix prevents using next line of code
# tool1x.type_ = convert_open_vocabs_to_controlled_vocabs(tool20["labels"], TOOL_LABELS_MAP)
ttp = TTP(id_=convert_id20(tool20["id"]),
timestamp=text_type(tool20["modified"]))
if not ttp.resources:
ttp.resources = Resource()
if not ttp.resources.tools:
ttp.resources.tools = Tools()
ttp.resources.tools.append(tool1x)
if "kill_chain_phases" in tool20:
process_kill_chain_phases(tool20["kill_chain_phases"], ttp)
if "object_marking_refs" in tool20:
for m_id in tool20["object_marking_refs"]:
ms = create_marking_specification(m_id)
if ms:
CONTAINER.add_marking(ttp, ms, descendants=True)
if "granular_markings" in tool20:
error(
"Granular Markings present in '%s' are not supported by stix2slider",
604, tool20["id"])
record_id_object_mapping(tool20["id"], ttp)
return ttp
def main():
stix_package = STIXPackage()
addr1 = Observable(Address(address_value="198.51.100.2", category=Address.CAT_IPV4))
addr2 = Observable(Address(address_value="198.51.100.17", category=Address.CAT_IPV4))
addr3 = Observable(Address(address_value="203.0.113.19", category=Address.CAT_IPV4))
stix_package.add_observable(addr1)
stix_package.add_observable(addr2)
stix_package.add_observable(addr3)
obs_addr1 = Observable()
obs_addr2 = Observable()
obs_addr3 = Observable()
obs_addr1.id_ = None
obs_addr2.id_ = None
obs_addr3.id_ = None
obs_addr1.idref = addr1.id_
obs_addr2.idref = addr2.id_
obs_addr3.idref = addr3.id_
infrastructure = Infrastructure()
infrastructure.observable_characterization = Observables([obs_addr1, obs_addr2, obs_addr3])
resource = Resource()
resource.infrastructure = infrastructure
ttp = TTP(title="Malware C2 Channel")
ttp.resources = resource
stix_package.add_ttp(ttp)
print stix_package.to_xml()
def main():
stix_package = STIXPackage()
addr1 = Observable(
Address(address_value="198.51.100.2", category=Address.CAT_IPV4))
addr2 = Observable(
Address(address_value="198.51.100.17", category=Address.CAT_IPV4))
addr3 = Observable(
Address(address_value="203.0.113.19", category=Address.CAT_IPV4))
stix_package.add_observable(addr1)
stix_package.add_observable(addr2)
stix_package.add_observable(addr3)
obs_addr1 = Observable()
obs_addr2 = Observable()
obs_addr3 = Observable()
obs_addr1.id_ = None
obs_addr2.id_ = None
obs_addr3.id_ = None
obs_addr1.idref = addr1.id_
obs_addr2.idref = addr2.id_
obs_addr3.idref = addr3.id_
vocab_string = VocabString(value='Malware C2')
infrastructure = Infrastructure()
infrastructure.observable_characterization = Observables(
[obs_addr1, obs_addr2, obs_addr3])
infrastructure.add_type(vocab_string)
resource = Resource()
resource.infrastructure = infrastructure
ttp = TTP(title="Malware C2 Channel")
ttp.resources = resource
stix_package.add_ttp(ttp)
print(stix_package.to_xml())
def buildTtp(input_dict):
ttp = TTP()
ttp.title = input_dict['title']
ttp.description = input_dict['description']
if input_dict['intendedEffect']:
ttp.add_intended_effect(input_dict['intendedEffect'])
if input_dict['behavior']:
ttp.behavior = Behavior(input_dict['behavior'])
if input_dict['resources']:
ttp.resources = input_dict['resources']
if input_dict['victimTargeting']:
#TODO look into adding more victim fields
vic = VictimTargeting()
vic.add_targeted_information(input_dict['victimTargeting'])
ttp.victim_targeting = vic
#target = ExploitTargets().
#target.append(input_dict['exploitTargets'])
#ttp.exploit_targets = target
if input_dict['informationSource']:
ttp.information_source = InformationSource(input_dict['informationSource'])
if input_dict['killChain']:
ttp.kill_chain_phases = input_dict['killChain']
return ttp
infrastructure.types = AttackerInfrastructureType('Domain Registration')
infrastructure.description = 'Infrastructure Description'
infrastructure.short_description = 'Infrastructure Short Description'
domain = DomainName()
domain.value = 'totally-not-malware.biz'
observable = Observable(domain)
infrastructure.observable_characterization = Observables(
Observable(idref=observable.id_))
personas = Personas()
personas.append(Identity(name='Stephen Golub'))
resource = Resource(tools=Tools(tool),
infrastructure=infrastructure,
personas=personas)
ttp.resources = resource
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
# TTP - Related Threat Actor (basic; by id)
ta = ThreatActor(title='Adversary Bravo')
ta.observed_ttps.append(related_ttp)
# TTP - Related TTP2 (Malware; by id)
ttp2 = TTP(title='Poison Ivy Variant')
malware_instance = MalwareInstance(title='Poison Ivy Variant d1c6')
malware_instance.description = 'Attack Pattern Description'
malware_instance.short_description = 'Attack Pattern Short Description'
malware_instance.add_type(MalwareType('Remote Access Trojan'))
maec = MAECInstance()
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression()
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
def main():
# NOTE: ID values will differ due to being regenerated on each script execution
pkg1 = STIXPackage()
pkg1.title = "Example of Indicator Composition for an aggregate indicator composition"
# USE CASE: Indicator with aggregate pattern
# Add TTP for malware usage
malware_ttp = TTP()
malware_ttp.behavior = Behavior()
malware = MalwareInstance()
malware.title = "foobar malware"
malware.add_type("Remote Access Trojan")
malware_ttp.behavior.add_malware_instance(malware)
c2_ttp = TTP()
c2_ttp.resources = Resource()
c2_ttp.resources.infrastructure = Infrastructure()
c2_ttp.resources.infrastructure.add_type(VocabString("Malware C2"))
pkg1.add_ttp(c2_ttp)
pkg1.add_ttp(malware_ttp)
nw_ind = Indicator()
nw_ind.description = "Indicator for a particular C2 infstructure IP address."
# add network network connection to this indicator
obs = NetworkConnection()
sock = SocketAddress()
sock.ip_address = "46.123.99.25"
sock.ip_address.category = "ipv4-addr"
sock.ip_address.condition = "Equals"
obs.destination_socket_address = sock
nw_ind.add_observable(obs)
nw_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# create File Hash indicator w/ embedded Observable
file_ind = Indicator()
file_ind.description = "Indicator for the hash of the foobar malware."
file_ind.add_indicator_type("File Hash Watchlist")
file_obs = File()
file_obs.add_hash("01234567890abcdef01234567890abcdef")
file_obs.hashes[0].type_ = "MD5"
file_obs.hashes[0].type_.condition = "Equals"
file_ind.add_observable(file_obs)
# create references
file_ind.add_indicated_ttp(TTP(idref=malware_ttp.id_))
# create container indicator
ind = Indicator()
ind.add_indicator_type(VocabString("Campaign Characteristics"))
ind.description = "Indicator for a composite of characteristics for the use of specific malware and C2 infrastructure within a Campaign."
# Add campaign with related
camp = Campaign()
camp.title = "holy grail"
pkg1.add_campaign(camp)
camp.related_ttps.append(TTP(idref=c2_ttp.id_))
camp.related_ttps.append(TTP(idref=malware_ttp.id_))
# Add threat actor
ta = ThreatActor()
ta.identity = Identity()
ta.identity.name = "boobear"
ta.observed_ttps.append(TTP(idref=malware_ttp.id_))
pkg1.add_threat_actor(ta)
# Create composite expression
ind.composite_indicator_expression = CompositeIndicatorExpression()
ind.composite_indicator_expression.operator = "AND"
ind.composite_indicator_expression.append(file_ind)
ind.composite_indicator_expression.append(nw_ind)
pkg1.add_indicator(ind)
print pkg1.to_xml()
# USE CASE: Indicator with partial matching
pkg2 = STIXPackage()
pkg2.title = "Example of Indicator Composition for a one of many indicator composition"
# create container indicator
watchlistind = Indicator()
watchlistind.add_indicator_type("IP Watchlist")
watchlistind.description = "This Indicator specifies a pattern where any one or more of a set of three IP addresses are observed."
watchlistind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
# Create composite expression
watchlistind.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind.composite_indicator_expression.operator = "OR"
ips = ['23.5.111.68', '23.5.111.99', '46.123.99.25']
for ip in ips:
new_ind = Indicator()
new_ind.description = "This Indicator specifies a pattern where one specific IP address is observed"
# add network network connection to this indicator
obs = Address()
obs.address_value = ip
obs.address_value.condition = "Equals"
new_ind.add_observable(obs)
new_ind.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind.composite_indicator_expression.append(new_ind)
pkg2.add_indicator(watchlistind)
print pkg2.to_xml()
# USE CASE: Indicator with compound detection
pkg3 = STIXPackage()
pkg3.title = "Example of Indicator Composition for compound detection"
# create container indicator
watchlistind2 = Indicator()
watchlistind2.add_indicator_type("IP Watchlist")
watchlistind2.description = "This Indicator specifies a composite condition of two preexisting Indicators (each identifying a particular TTP with low confidence) that in aggregate identify the particular TTP with high confidence."
# Create composite expression
watchlistind2.composite_indicator_expression = CompositeIndicatorExpression(
)
watchlistind2.composite_indicator_expression.operator = "OR"
watchlistind2.add_indicated_ttp(TTP(idref=c2_ttp.id_))
watchlistind2.confidence = "High"
nw_ind.description = "Indicator for a particular C2 IP address used by a malware variant."
nw_ind.confidence = "Low"
nw_ind.indicator_types = ["C2"]
file_ind.description = "Indicator that contains malicious file hashes for a particular malware variant."
file_ind.confidence = "Low"
watchlistind2.composite_indicator_expression.append(nw_ind)
watchlistind2.composite_indicator_expression.append(file_ind)
pkg3.add_indicator(watchlistind2)
print pkg3.to_xml()
def main():
# get args
parser = argparse.ArgumentParser ( description = "Parse a given CSV from Shadowserver and output STIX XML to stdout"
, formatter_class=argparse.ArgumentDefaultsHelpFormatter )
parser.add_argument("--infile","-f", help="input CSV with bot data", default = "bots.csv")
args = parser.parse_args()
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title = "Bot Server IP addresses"
stix_header.description = "IP addresses connecting to bot control servers at a given port"
stix_header.add_package_intent ("Indicators - Watchlist")
# add marking
mark = Marking()
markspec = MarkingSpecification()
markstruct = SimpleMarkingStructure()
markstruct.statement = "Usage of this information, including integration into security mechanisms implies agreement with the Shadowserver Terms of Service available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService"
markspec.marking_structures.append(markstruct)
mark.add_marking(markspec)
stix_header.handling = mark
# include author info
stix_header.information_source = InformationSource()
stix_header.information_source.time = Time()
stix_header.information_source.time.produced_time =datetime.now(tzutc())
stix_header.information_source.tools = ToolInformationList()
stix_header.information_source.tools.append("ShadowBotnetIP-STIXParser")
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "MITRE STIX Team"
stix_header.information_source.add_role(VocabString("Format Transformer"))
src = InformationSource()
src.description = "https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP"
srcident = Identity()
srcident.name = "shadowserver.org"
src.identity = srcident
src.add_role(VocabString("Originating Publisher"))
stix_header.information_source.add_contributing_source(src)
stix_package.stix_header = stix_header
# add TTP for overall indicators
bot_ttp = TTP()
bot_ttp.title = 'Botnet C2'
bot_ttp.resources = Resource()
bot_ttp.resources.infrastructure = Infrastructure()
bot_ttp.resources.infrastructure.title = 'Botnet C2'
stix_package.add_ttp(bot_ttp)
# read input data
fd = open (args.infile, "rb")
infile = csv.DictReader(fd)
for row in infile:
# split indicators out, may be 1..n with positional storage, same port and channel, inconsistent delims
domain = row['Domain'].split()
country = row['Country'].split()
region = row['Region'].split('|')
state = row['State'].split('|')
asn = row['ASN'].split()
asname = row['AS Name'].split()
asdesc = row['AS Description'].split('|')
index = 0
for ip in row['IP Address'].split():
indicator = Indicator()
indicator.title = "IP indicator for " + row['Channel']
indicator.description = "Bot connecting to control server"
# point to overall TTP
indicator.add_indicated_ttp(TTP(idref=bot_ttp.id_))
# add our IP and port
sock = SocketAddress()
sock.ip_address = ip
# add sighting
sight = Sighting()
sight.timestamp = ""
obs = Observable(item=sock.ip_address)
obsref = Observable(idref=obs.id_)
sight.related_observables.append(obsref)
indicator.sightings.append(sight)
stix_package.add_observable(obs)
# add pattern for indicator
sock_pattern = SocketAddress()
sock_pattern.ip_address = ip
port = Port()
port.port_value = row['Port']
sock_pattern.port = port
sock_pattern.ip_address.condition= "Equals"
sock_pattern.port.port_value.condition= "Equals"
indicator.add_object(sock_pattern)
stix_package.add_indicator(indicator)
# add domain
domain_obj = DomainName()
domain_obj.value = domain[index]
domain_obj.add_related(sock.ip_address,"Resolved_To", inline=False)
stix_package.add_observable(domain_obj)
# add whois obs
whois_obj = WhoisEntry()
registrar = WhoisRegistrar()
registrar.name = asname[index]
registrar.address = state[index] + region[index] + country[index]
whois_obj.registrar_info = registrar
whois_obj.add_related(sock.ip_address,"Characterizes", inline=False)
stix_package.add_observable(whois_obj)
# add ASN obj
asn_obj = AutonomousSystem()
asn_obj.name = asname[index]
asn_obj.number = asn[index]
asn_obj.handle = "AS" + str(asn[index])
asn_obj.add_related(sock.ip_address,"Contains", inline=False)
stix_package.add_observable(asn_obj)
# iterate
index = index + 1
print stix_package.to_xml()