def get_all_mobile_techniques(self): mobile_techniques = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "attack-pattern")) mobile_techniques = self.parse_stix_objects(mobile_techniques, 'techniques') return mobile_techniques
def get_enterprise_tools(self, stix_format=True): enterprise_tools = self.TC_ENTERPRISE_SOURCE.query( Filter("type", "=", "tool")) if not stix_format: enterprise_tools = self.translate_stix_objects(enterprise_tools) return enterprise_tools
def get_pre_groups(self, stix_format=True): pre_groups = self.TC_PRE_SOURCE.query( Filter("type", "=", "intrusion-set")) if not stix_format: pre_groups = self.translate_stix_objects(pre_groups) return pre_groups
def test_memory_store_query_single_filter(mem_store): query = Filter('id', '=', 'indicator--00000000-0000-4000-8000-000000000001') resp = mem_store.query(query) assert len(resp) == 2
all_tactics = enterprise_tactics + pre_tactics + mobile_tactics if not stix_format: all_tactics = self.translate_stix_objects(all_tactics) return all_tactics # ******** Custom Functions ******** def get_technique_by_name(self, name, case=True, stix_format=True): if not case: all_techniques = self.get_techniques() all_techniques_list = list() for tech in all_techniques: if name.lower() in tech['name'].lower(): all_techniques_list.append(tech) else: filter_objects = [ Filter('type', '=', 'attack-pattern'), Filter('name', '=', name) ] all_techniques_list = self.COMPOSITE_DS.query(filter_objects) if not stix_format: all_techniques_list = self.translate_stix_objects( all_techniques_list) return all_techniques_list def get_techniques_by_content(self, name, case=True, stix_format=True): all_techniques = self.get_techniques() all_techniques_list = list() for tech in all_techniques: if "description" in tech.keys(): if name.lower() in tech['description'].lower(): all_techniques_list.append(tech)
def get_intrusion_set(self, src): return src.query([Filter('type', '=', 'intrusion-set')])
def lookup_by_attack_id(self, attack_id: str): return self.src.query([ Filter("external_references.external_id", "=", attack_id), Filter("type", "in", ["attack-pattern", "course-of-action"]), ])
def get_enterprise_techniques(self, stix_format=True): enterprise_techniques = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "attack-pattern")) if not stix_format: enterprise_techniques = self.translate_stix_objects(enterprise_techniques) return enterprise_techniques
def get_enterprise_mitigations(self, stix_format=True): enterprise_mitigations = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "course-of-action")) if not stix_format: enterprise_mitigations = self.translate_stix_objects(enterprise_mitigations) return enterprise_mitigations
def add_groups(client, attack: MemoryStore, output_format: Text = "json") -> List[stix2.AttackPattern]: """ extract objects/facts related to ATT&CK Groups Args: attack (stix2): Stix attack instance """ notify = [] # ATT&CK concept STIX Object type ACT object # ========================================================= # Group intrusion-set threatActor # # Filter out ATT&CK groups (intrusion-set) from bundle for group in attack.query([Filter("type", "=", "intrusion-set")]): if getattr(group, "revoked", None): # Object is revoked, add to notification list but do not add to facts that should be added to the platform notify.append(group) continue if getattr(group, "x_mitre_deprecated", None): # Object is revoked, add to notification list AND continue to add to facts that should be added to the platform notify.append(group) for alias in getattr(group, "aliases", []): if group.name != alias: handle_fact(client.fact("alias").bidirectional( "threatActor", group.name, "threatActor", alias), output_format=output_format) # ATT&CK concept STIX Properties # ========================================================================== # Software relationship where relationship_type == "uses", # points to a target object with type== "malware" or "tool" for tool in attack.related_to(group, relationship_type="uses"): if tool.type not in ("malware", "tool"): continue chain = act.api.fact.fact_chain( client.fact("classifiedAs").source("content", "*").destination( "tool", tool.name.lower()), client.fact("observedIn", "incident").source("content", "*").destination( "incident", "*"), client.fact("attributedTo").source( "incident", "*").destination("threatActor", group.name)) for fact in chain: handle_fact(fact, output_format=output_format) # ATT&CK concept STIX Properties # ========================================================================== # Technqiues relationship where relationship_type == "uses", points to # a target object with type == "attack-pattern" for technique in attack.related_to(group, relationship_type="uses"): if technique.type != "attack-pattern": continue chain = act.api.fact.fact_chain( client.fact("observedIn", "incident").source( "technique", technique.name).destination("incident", "*"), client.fact("attributedTo").source( "incident", "*").destination("threatActor", group.name)) for fact in chain: handle_fact(fact, output_format=output_format) return notify
# # Create filters to retrieve content from Enterprise ATT&CK based on type # filter_objs = { # "techniques": Filter("type", "=", "attack-pattern") # } # filter_objs = { # "techniques": Filter("type", "=", "kill-chain-phase") # } # # Retrieve all Enterprise ATT&CK content # for key in filter_objs: # attack_dict[key] = tc_source.query(filter_objs[key]) # # # For visual purposes, print the first technique received from the server # print(attack_dict["techniques"][1]) # =============================================================================== technique_filter = Filter("type", "=", "attack-pattern") response = tc_source.query(technique_filter) print('Type: ' + str(type(response))) print('--') print(response[0]) print(response[0]['kill_chain_phases']) print('Type: ' + str(type(response[0]['kill_chain_phases']))) print('Len: ' + str(len(response[0]['kill_chain_phases']))) print('List:' + str(response[0]['kill_chain_phases'][0])) print(response[0]['kill_chain_phases'][0]['phase_name']) # Test test
def get_all_mobile_relationships(self): mobile_relationships = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "relationship")) mobile_relationships = self.parse_stix_objects(mobile_relationships, 'relationships') return mobile_relationships
def get_all_mobile_mitigations(self): mobile_mitigations = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "course-of-action")) mobile_mitigations = self.parse_stix_objects(mobile_mitigations, 'mitigations') return mobile_mitigations
def get_all_mobile_groups(self): mobile_groups = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "intrusion-set")) mobile_groups = self.parse_stix_objects(mobile_groups, 'groups') return mobile_groups
def get_mobile_relationships(self, stix_format=True): mobile_relationships = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "relationship")) if not stix_format: mobile_relationships = self.translate_stix_objects(mobile_relationships) return mobile_relationships
def get_enterprise_malware(self, stix_format=True): enterprise_malware = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "malware")) if not stix_format: enterprise_malware = self.translate_stix_objects(enterprise_malware) return enterprise_malware
def get_mobile_tactics(self, stix_format=True): mobile_tactics = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "x-mitre-tactic")) if not stix_format: mobile_tactics = self.translate_stix_objects(mobile_tactics) return mobile_tactics
def get_pre_tactics(self, stix_format=True): pre_tactics = self.TC_PRE_SOURCE.query(Filter("type", "=", "x-mitre-tactic")) if not stix_format: pre_tactics = self.translate_stix_objects(pre_tactics) return pre_tactics
def get_attack_pattern(self, src, stix_id): relations = src.relationships(stix_id, 'uses', source_only=True) return src.query([ Filter('type', '=', 'attack-pattern'), Filter('id', 'in', [r.target_ref for r in relations]) ])
def get_mobile_techniques(self, stix_format=True): mobile_techniques = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "attack-pattern")) if not stix_format: mobile_techniques = self.translate_stix_objects(mobile_techniques) return mobile_techniques
def test_memory_store_query(mem_store): query = [Filter('type', '=', 'malware')] resp = mem_store.query(query) assert len(resp) == 0
def get_mobile_mitigations(self, stix_format=True): mobile_mitigations = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "course-of-action")) if not stix_format: mobile_mitigations = self.translate_stix_objects(mobile_mitigations) return mobile_mitigations
def test_memory_store_query_multiple_filters(mem_store): mem_store.source.filters.add(Filter('type', '=', 'indicator')) query = Filter('id', '=', 'indicator--00000000-0000-4000-8000-000000000001') resp = mem_store.query(query) assert len(resp) == 2
def get_mobile_groups(self, stix_format=True): mobile_groups = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "intrusion-set")) if not stix_format: mobile_groups = self.translate_stix_objects(mobile_groups) return mobile_groups
def get_enterprise_groups(self, stix_format=True): enterprise_groups = self.TC_ENTERPRISE_SOURCE.query( Filter("type", "=", "intrusion-set")) if not stix_format: enterprise_groups = self.translate_stix_objects(enterprise_groups) return enterprise_groups
def get_mobile_malware(self, stix_format=True): mobile_malware = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "malware")) if not stix_format: mobile_malware = self.translate_stix_objects(mobile_malware) return mobile_malware
def get_pre_techniques(self, stix_format=True): pre_techniques = self.TC_PRE_SOURCE.query( Filter("type", "=", "attack-pattern")) if not stix_format: pre_techniques = self.translate_stix_objects(pre_techniques) return pre_techniques
def get_mobile_tools(self, stix_format=True): mobile_tools = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "tool")) if not stix_format: mobile_tools = self.translate_stix_objects(mobile_tools) return mobile_tools
def get_pre_relationships(self, stix_format=True): pre_relationships = self.TC_PRE_SOURCE.query( Filter("type", "=", "relationship")) if not stix_format: pre_relationships = self.translate_stix_objects(pre_relationships) return pre_relationships
def get_all_pre_relationships(self): pre_relationships = self.TC_PRE_SOURCE.query(Filter("type", "=", "relationship")) pre_relationships = self.parse_stix_objects(pre_relationships, 'relationships') return pre_relationships