def get_all_mobile_techniques(self):
mobile_techniques = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "attack-pattern"))
mobile_techniques = self.parse_stix_objects(mobile_techniques, 'techniques')
return mobile_techniques
def get_enterprise_tools(self, stix_format=True):
enterprise_tools = self.TC_ENTERPRISE_SOURCE.query(
Filter("type", "=", "tool"))
if not stix_format:
enterprise_tools = self.translate_stix_objects(enterprise_tools)
return enterprise_tools
def get_pre_groups(self, stix_format=True):
pre_groups = self.TC_PRE_SOURCE.query(
Filter("type", "=", "intrusion-set"))
if not stix_format:
pre_groups = self.translate_stix_objects(pre_groups)
return pre_groups
def test_memory_store_query_single_filter(mem_store):
query = Filter('id', '=',
'indicator--00000000-0000-4000-8000-000000000001')
resp = mem_store.query(query)
assert len(resp) == 2
all_tactics = enterprise_tactics + pre_tactics + mobile_tactics
if not stix_format:
all_tactics = self.translate_stix_objects(all_tactics)
return all_tactics
# ******** Custom Functions ********
def get_technique_by_name(self, name, case=True, stix_format=True):
if not case:
all_techniques = self.get_techniques()
all_techniques_list = list()
for tech in all_techniques:
if name.lower() in tech['name'].lower():
all_techniques_list.append(tech)
else:
filter_objects = [
Filter('type', '=', 'attack-pattern'),
Filter('name', '=', name)
]
all_techniques_list = self.COMPOSITE_DS.query(filter_objects)
if not stix_format:
all_techniques_list = self.translate_stix_objects(
all_techniques_list)
return all_techniques_list
def get_techniques_by_content(self, name, case=True, stix_format=True):
all_techniques = self.get_techniques()
all_techniques_list = list()
for tech in all_techniques:
if "description" in tech.keys():
if name.lower() in tech['description'].lower():
all_techniques_list.append(tech)
def get_intrusion_set(self, src):
return src.query([Filter('type', '=', 'intrusion-set')])
def lookup_by_attack_id(self, attack_id: str):
return self.src.query([
Filter("external_references.external_id", "=", attack_id),
Filter("type", "in", ["attack-pattern", "course-of-action"]),
])
def get_enterprise_techniques(self, stix_format=True):
enterprise_techniques = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "attack-pattern"))
if not stix_format:
enterprise_techniques = self.translate_stix_objects(enterprise_techniques)
return enterprise_techniques
def get_enterprise_mitigations(self, stix_format=True):
enterprise_mitigations = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "course-of-action"))
if not stix_format:
enterprise_mitigations = self.translate_stix_objects(enterprise_mitigations)
return enterprise_mitigations
def add_groups(client,
attack: MemoryStore,
output_format: Text = "json") -> List[stix2.AttackPattern]:
"""
extract objects/facts related to ATT&CK Groups
Args:
attack (stix2): Stix attack instance
"""
notify = []
# ATT&CK concept STIX Object type ACT object
# =========================================================
# Group intrusion-set threatActor
#
# Filter out ATT&CK groups (intrusion-set) from bundle
for group in attack.query([Filter("type", "=", "intrusion-set")]):
if getattr(group, "revoked", None):
# Object is revoked, add to notification list but do not add to facts that should be added to the platform
notify.append(group)
continue
if getattr(group, "x_mitre_deprecated", None):
# Object is revoked, add to notification list AND continue to add to facts that should be added to the platform
notify.append(group)
for alias in getattr(group, "aliases", []):
if group.name != alias:
handle_fact(client.fact("alias").bidirectional(
"threatActor", group.name, "threatActor", alias),
output_format=output_format)
# ATT&CK concept STIX Properties
# ==========================================================================
# Software relationship where relationship_type == "uses",
# points to a target object with type== "malware" or "tool"
for tool in attack.related_to(group, relationship_type="uses"):
if tool.type not in ("malware", "tool"):
continue
chain = act.api.fact.fact_chain(
client.fact("classifiedAs").source("content", "*").destination(
"tool", tool.name.lower()),
client.fact("observedIn",
"incident").source("content", "*").destination(
"incident", "*"),
client.fact("attributedTo").source(
"incident", "*").destination("threatActor", group.name))
for fact in chain:
handle_fact(fact, output_format=output_format)
# ATT&CK concept STIX Properties
# ==========================================================================
# Technqiues relationship where relationship_type == "uses", points to
# a target object with type == "attack-pattern"
for technique in attack.related_to(group, relationship_type="uses"):
if technique.type != "attack-pattern":
continue
chain = act.api.fact.fact_chain(
client.fact("observedIn", "incident").source(
"technique", technique.name).destination("incident", "*"),
client.fact("attributedTo").source(
"incident", "*").destination("threatActor", group.name))
for fact in chain:
handle_fact(fact, output_format=output_format)
return notify
# # Create filters to retrieve content from Enterprise ATT&CK based on type
# filter_objs = {
# "techniques": Filter("type", "=", "attack-pattern")
# }
# filter_objs = {
# "techniques": Filter("type", "=", "kill-chain-phase")
# }
# # Retrieve all Enterprise ATT&CK content
# for key in filter_objs:
# attack_dict[key] = tc_source.query(filter_objs[key])
#
# # For visual purposes, print the first technique received from the server
# print(attack_dict["techniques"][1])
# ===============================================================================
technique_filter = Filter("type", "=", "attack-pattern")
response = tc_source.query(technique_filter)
print('Type: ' + str(type(response)))
print('--')
print(response[0])
print(response[0]['kill_chain_phases'])
print('Type: ' + str(type(response[0]['kill_chain_phases'])))
print('Len: ' + str(len(response[0]['kill_chain_phases'])))
print('List:' + str(response[0]['kill_chain_phases'][0]))
print(response[0]['kill_chain_phases'][0]['phase_name'])
# Test test
def get_all_mobile_relationships(self):
mobile_relationships = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "relationship"))
mobile_relationships = self.parse_stix_objects(mobile_relationships, 'relationships')
return mobile_relationships
def get_all_mobile_mitigations(self):
mobile_mitigations = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "course-of-action"))
mobile_mitigations = self.parse_stix_objects(mobile_mitigations, 'mitigations')
return mobile_mitigations
def get_all_mobile_groups(self):
mobile_groups = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "intrusion-set"))
mobile_groups = self.parse_stix_objects(mobile_groups, 'groups')
return mobile_groups
def get_mobile_relationships(self, stix_format=True):
mobile_relationships = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "relationship"))
if not stix_format:
mobile_relationships = self.translate_stix_objects(mobile_relationships)
return mobile_relationships
def get_enterprise_malware(self, stix_format=True):
enterprise_malware = self.TC_ENTERPRISE_SOURCE.query(Filter("type", "=", "malware"))
if not stix_format:
enterprise_malware = self.translate_stix_objects(enterprise_malware)
return enterprise_malware
def get_mobile_tactics(self, stix_format=True):
mobile_tactics = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "x-mitre-tactic"))
if not stix_format:
mobile_tactics = self.translate_stix_objects(mobile_tactics)
return mobile_tactics
def get_pre_tactics(self, stix_format=True):
pre_tactics = self.TC_PRE_SOURCE.query(Filter("type", "=", "x-mitre-tactic"))
if not stix_format:
pre_tactics = self.translate_stix_objects(pre_tactics)
return pre_tactics
def get_attack_pattern(self, src, stix_id):
relations = src.relationships(stix_id, 'uses', source_only=True)
return src.query([
Filter('type', '=', 'attack-pattern'),
Filter('id', 'in', [r.target_ref for r in relations])
])
def get_mobile_techniques(self, stix_format=True):
mobile_techniques = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "attack-pattern"))
if not stix_format:
mobile_techniques = self.translate_stix_objects(mobile_techniques)
return mobile_techniques
def test_memory_store_query(mem_store):
query = [Filter('type', '=', 'malware')]
resp = mem_store.query(query)
assert len(resp) == 0
def get_mobile_mitigations(self, stix_format=True):
mobile_mitigations = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "course-of-action"))
if not stix_format:
mobile_mitigations = self.translate_stix_objects(mobile_mitigations)
return mobile_mitigations
def test_memory_store_query_multiple_filters(mem_store):
mem_store.source.filters.add(Filter('type', '=', 'indicator'))
query = Filter('id', '=',
'indicator--00000000-0000-4000-8000-000000000001')
resp = mem_store.query(query)
assert len(resp) == 2
def get_mobile_groups(self, stix_format=True):
mobile_groups = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "intrusion-set"))
if not stix_format:
mobile_groups = self.translate_stix_objects(mobile_groups)
return mobile_groups
def get_enterprise_groups(self, stix_format=True):
enterprise_groups = self.TC_ENTERPRISE_SOURCE.query(
Filter("type", "=", "intrusion-set"))
if not stix_format:
enterprise_groups = self.translate_stix_objects(enterprise_groups)
return enterprise_groups
def get_mobile_malware(self, stix_format=True):
mobile_malware = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "malware"))
if not stix_format:
mobile_malware = self.translate_stix_objects(mobile_malware)
return mobile_malware
def get_pre_techniques(self, stix_format=True):
pre_techniques = self.TC_PRE_SOURCE.query(
Filter("type", "=", "attack-pattern"))
if not stix_format:
pre_techniques = self.translate_stix_objects(pre_techniques)
return pre_techniques
def get_mobile_tools(self, stix_format=True):
mobile_tools = self.TC_MOBILE_SOURCE.query(Filter("type", "=", "tool"))
if not stix_format:
mobile_tools = self.translate_stix_objects(mobile_tools)
return mobile_tools
def get_pre_relationships(self, stix_format=True):
pre_relationships = self.TC_PRE_SOURCE.query(
Filter("type", "=", "relationship"))
if not stix_format:
pre_relationships = self.translate_stix_objects(pre_relationships)
return pre_relationships
def get_all_pre_relationships(self):
pre_relationships = self.TC_PRE_SOURCE.query(Filter("type", "=", "relationship"))
pre_relationships = self.parse_stix_objects(pre_relationships, 'relationships')
return pre_relationships
