mirror of https://github.com/MISP/misp-modules
commit
0089983661
|
@ -28,6 +28,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
|
||||||
### Import modules
|
### Import modules
|
||||||
|
|
||||||
* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
|
* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
|
||||||
|
* [stiximport](misp_modules/modules/expansion/stiximport.py) - An import module to process STIX xml/json
|
||||||
|
|
||||||
## How to install and start MISP modules?
|
## How to install and start MISP modules?
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
stix
|
||||||
|
cybox
|
||||||
tornado
|
tornado
|
||||||
dnspython3
|
dnspython3
|
||||||
requests
|
requests
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
__all__ = ['testimport', 'ocr']
|
__all__ = ['testimport', 'ocr', 'stiximport']
|
||||||
|
|
|
@ -0,0 +1,214 @@
|
||||||
|
import json
|
||||||
|
from stix.core import STIXPackage
|
||||||
|
import re
|
||||||
|
import base64
|
||||||
|
import hashlib
|
||||||
|
|
||||||
|
misperrors = {'error': 'Error'}
|
||||||
|
userConfig = {}
|
||||||
|
inputSource = ['file']
|
||||||
|
|
||||||
|
moduleinfo = {'version': '0.1', 'author': 'Hannah Ward',
|
||||||
|
'description': 'Import some stix stuff',
|
||||||
|
'module-type': ['import']}
|
||||||
|
|
||||||
|
moduleconfig = []
|
||||||
|
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
# Just in case we have no data
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
# The return value
|
||||||
|
r = {'results': []}
|
||||||
|
|
||||||
|
# Load up that JSON
|
||||||
|
q = json.loads(q)
|
||||||
|
|
||||||
|
# It's b64 encoded, so decode that stuff
|
||||||
|
package = str(base64.b64decode(q.get("data", None)), 'utf-8')
|
||||||
|
|
||||||
|
# If something really weird happened
|
||||||
|
if not package:
|
||||||
|
return json.dumps({"success": 0})
|
||||||
|
|
||||||
|
# Load up the package into STIX
|
||||||
|
package = loadPackage(package)
|
||||||
|
|
||||||
|
# Build all the observables
|
||||||
|
if package.observables:
|
||||||
|
for obs in package.observables:
|
||||||
|
r["results"].append(buildObservable(obs))
|
||||||
|
|
||||||
|
if package.threat_actors:
|
||||||
|
for ta in package.threat_actors:
|
||||||
|
r["results"].append(buildActor(ta))
|
||||||
|
|
||||||
|
if package.indicators:
|
||||||
|
for ind in package.indicators:
|
||||||
|
r["results"].append(buildIndicator(ind))
|
||||||
|
|
||||||
|
if package.exploit_targets:
|
||||||
|
for et in package.exploit_targets:
|
||||||
|
r["results"].append(buildExploitTarget(et))
|
||||||
|
|
||||||
|
if package.campaigns:
|
||||||
|
for cpn in package.campaigns:
|
||||||
|
r["results"].append(buildCampaign(cpn))
|
||||||
|
# Clean up results
|
||||||
|
# Don't send on anything that didn't have a value
|
||||||
|
r["results"] = [x for x in r["results"] if len(x["values"]) != 0]
|
||||||
|
return r
|
||||||
|
|
||||||
|
# Quick and dirty regex for IP addresses
|
||||||
|
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
||||||
|
|
||||||
|
|
||||||
|
def buildCampaign(cpn):
|
||||||
|
"""
|
||||||
|
Extract a campaign name
|
||||||
|
"""
|
||||||
|
return {"values": [cpn.title], "types": ["campaign-name"]}
|
||||||
|
|
||||||
|
|
||||||
|
def buildExploitTarget(et):
|
||||||
|
"""
|
||||||
|
Extract CVEs from exploit targets
|
||||||
|
"""
|
||||||
|
|
||||||
|
r = {"values": [], "types": ["vulnerability"]}
|
||||||
|
|
||||||
|
if et.vulnerabilities:
|
||||||
|
for v in et.vulnerabilities:
|
||||||
|
if v.cve_id:
|
||||||
|
r["values"].append(v.cve_id)
|
||||||
|
return r
|
||||||
|
|
||||||
|
|
||||||
|
def identifyHash(hsh):
|
||||||
|
"""
|
||||||
|
What's that hash!?
|
||||||
|
"""
|
||||||
|
|
||||||
|
possible_hashes = []
|
||||||
|
|
||||||
|
hashes = [x for x in hashlib.algorithms_guaranteed]
|
||||||
|
|
||||||
|
for h in hashes:
|
||||||
|
if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
|
||||||
|
possible_hashes.append(h)
|
||||||
|
possible_hashes.append("filename|{}".format(h))
|
||||||
|
return possible_hashes
|
||||||
|
|
||||||
|
|
||||||
|
def buildIndicator(ind):
|
||||||
|
"""
|
||||||
|
Extract hashes
|
||||||
|
and other fun things
|
||||||
|
like that
|
||||||
|
"""
|
||||||
|
r = {"values": [], "types": []}
|
||||||
|
|
||||||
|
# Try to get hashes. I hate stix
|
||||||
|
if ind.observable:
|
||||||
|
return buildObservable(ind.observable)
|
||||||
|
return r
|
||||||
|
|
||||||
|
|
||||||
|
def buildActor(ta):
|
||||||
|
"""
|
||||||
|
Extract the name
|
||||||
|
and comment of a
|
||||||
|
threat actor
|
||||||
|
"""
|
||||||
|
|
||||||
|
r = {"values": [ta.title], "types": ["threat-actor"]}
|
||||||
|
|
||||||
|
return r
|
||||||
|
|
||||||
|
|
||||||
|
def buildObservable(o):
|
||||||
|
"""
|
||||||
|
Take a STIX observable
|
||||||
|
and extract the value
|
||||||
|
and category
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Life is easier with json
|
||||||
|
if not isinstance(o, dict):
|
||||||
|
o = json.loads(o.to_json())
|
||||||
|
# Make a new record to store values in
|
||||||
|
r = {"values": []}
|
||||||
|
|
||||||
|
# Get the object properties. This contains all the
|
||||||
|
# fun stuff like values
|
||||||
|
if "observable_composition" in o:
|
||||||
|
# May as well be useless
|
||||||
|
return r
|
||||||
|
|
||||||
|
props = o["object"]["properties"]
|
||||||
|
|
||||||
|
# If it has an address_value field, it's gonna be an address
|
||||||
|
# print(props)
|
||||||
|
# Kinda obvious really
|
||||||
|
if "address_value" in props:
|
||||||
|
|
||||||
|
# We've got ourselves a nice little address
|
||||||
|
value = props["address_value"]
|
||||||
|
|
||||||
|
if isinstance(value, dict):
|
||||||
|
# Sometimes it's embedded in a dictionary
|
||||||
|
value = value["value"]
|
||||||
|
|
||||||
|
# Is it an IP?
|
||||||
|
if ipre.match(str(value)):
|
||||||
|
# Yes!
|
||||||
|
r["values"].append(value)
|
||||||
|
r["types"] = ["ip-src", "ip-dst"]
|
||||||
|
else:
|
||||||
|
# Probably a domain yo
|
||||||
|
r["values"].append(value)
|
||||||
|
r["types"] = ["domain", "hostname"]
|
||||||
|
|
||||||
|
if "hashes" in props:
|
||||||
|
for hsh in props["hashes"]:
|
||||||
|
r["values"].append(hsh["simple_hash_value"]["value"])
|
||||||
|
r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
|
||||||
|
return r
|
||||||
|
|
||||||
|
|
||||||
|
def loadPackage(data):
|
||||||
|
# Write the stix package to a tmp file
|
||||||
|
with open("/tmp/stixdump", "w") as f:
|
||||||
|
f.write(data)
|
||||||
|
try:
|
||||||
|
# Try loading it into every format we know of
|
||||||
|
try:
|
||||||
|
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
||||||
|
except:
|
||||||
|
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
||||||
|
except Exception:
|
||||||
|
print("Failed to load package")
|
||||||
|
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
||||||
|
return package
|
||||||
|
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
modulesetup = {}
|
||||||
|
try:
|
||||||
|
userConfig
|
||||||
|
modulesetup['userConfig'] = userConfig
|
||||||
|
except NameError:
|
||||||
|
pass
|
||||||
|
try:
|
||||||
|
inputSource
|
||||||
|
modulesetup['inputSource'] = inputSource
|
||||||
|
except NameError:
|
||||||
|
pass
|
||||||
|
return modulesetup
|
||||||
|
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo['config'] = moduleconfig
|
||||||
|
return moduleinfo
|
2
setup.py
2
setup.py
|
@ -33,6 +33,8 @@ setup(
|
||||||
'pyeupi',
|
'pyeupi',
|
||||||
'ipasn-redis',
|
'ipasn-redis',
|
||||||
'asnhistory',
|
'asnhistory',
|
||||||
|
'stix',
|
||||||
|
'cybox',
|
||||||
'pillow',
|
'pillow',
|
||||||
'pytesseract',
|
'pytesseract',
|
||||||
]
|
]
|
||||||
|
|
|
@ -0,0 +1,331 @@
|
||||||
|
<stix:STIX_Package
|
||||||
|
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
|
||||||
|
xmlns:campaign="http://stix.mitre.org/Campaign-1"
|
||||||
|
xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
|
||||||
|
xmlns:cybox="http://cybox.mitre.org/cybox-2"
|
||||||
|
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
|
||||||
|
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
|
||||||
|
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
|
||||||
|
xmlns:bae="http://bae.com"
|
||||||
|
xmlns:indicator="http://stix.mitre.org/Indicator-2"
|
||||||
|
xmlns:stix="http://stix.mitre.org/stix-1"
|
||||||
|
xmlns:stixCommon="http://stix.mitre.org/common-1"
|
||||||
|
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
|
||||||
|
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
|
||||||
|
xmlns:ttp="http://stix.mitre.org/TTP-1"
|
||||||
|
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
|
||||||
|
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
|
||||||
|
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="bae:Package-f0b927dd-9356-49ba-8f56-6d9f3d42fe25" version="1.1.1">
|
||||||
|
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
|
||||||
|
<cybox:Observable id="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
|
||||||
|
<cybox:Title>CNC Server 1</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-6e6990d8-20b6-4482-97a2-55732c993982">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
|
||||||
|
<AddressObj:Address_Value>82.146.166.56</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable id="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
|
||||||
|
<cybox:Title>CNC Server 2</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-00dc7361-ca55-48ef-8529-72a3ac9c58d7">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
|
||||||
|
<AddressObj:Address_Value>209.239.79.47</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable id="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
|
||||||
|
<cybox:Title>CNC Server 3</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-bbbbdcad-e8f5-449d-99d3-264de0ed512e">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
|
||||||
|
<AddressObj:Address_Value>41.213.121.180</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable id="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
|
||||||
|
<cybox:Title>Watering Hole Wordpress</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-c0e85056-de10-44f7-a600-73144514e7a1">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
|
||||||
|
<AddressObj:Address_Value>eu-society.com</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable id="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
|
||||||
|
<cybox:Title>Watering Hole Wordpress</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-ae972731-3b33-4fb1-bab6-053b0056deb5">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
|
||||||
|
<AddressObj:Address_Value>aromatravel.org</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable id="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
|
||||||
|
<cybox:Title>Watering Hole Wordpress</cybox:Title>
|
||||||
|
<cybox:Object id="bae:Address-f0d9ef90-af2d-462d-aa69-bfd55da9e65c">
|
||||||
|
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
|
||||||
|
<AddressObj:Address_Value>bss.servebbs.com</AddressObj:Address_Value>
|
||||||
|
</cybox:Properties>
|
||||||
|
</cybox:Object>
|
||||||
|
</cybox:Observable>
|
||||||
|
</stix:Observables>
|
||||||
|
<stix:Indicators>
|
||||||
|
<stix:Indicator id="bae:indicator-1c3fc03e-86dc-4440-9e95-8b9964f03b92" timestamp="2016-07-04T15:17:14.479542+00:00" xsi:type='indicator:IndicatorType'>
|
||||||
|
<indicator:Title>Watering Hole Detected</indicator:Title>
|
||||||
|
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
|
||||||
|
<indicator:Observable id="bae:Observable-4e173154-e739-4917-86e8-8b30e4cf39e5">
|
||||||
|
<cybox:Observable_Composition operator="OR">
|
||||||
|
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
</cybox:Observable_Composition>
|
||||||
|
</indicator:Observable>
|
||||||
|
</stix:Indicator>
|
||||||
|
<stix:Indicator id="bae:indicator-e5ff413f-074e-41fe-ab20-6d0e0bf10f9c" timestamp="2016-07-04T15:17:14.480747+00:00" xsi:type='indicator:IndicatorType'>
|
||||||
|
<indicator:Title>CnC Beaconing Detected</indicator:Title>
|
||||||
|
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">C2</indicator:Type>
|
||||||
|
<indicator:Observable id="bae:Observable-f4695e3e-5a27-4889-ba48-456b14146911">
|
||||||
|
<cybox:Observable_Composition operator="OR">
|
||||||
|
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
|
||||||
|
</cybox:Observable>
|
||||||
|
</cybox:Observable_Composition>
|
||||||
|
</indicator:Observable>
|
||||||
|
</stix:Indicator>
|
||||||
|
</stix:Indicators>
|
||||||
|
<stix:TTPs>
|
||||||
|
<stix:TTP id="bae:ttp-801d59e9-28c2-4016-976e-011dcab22cfd" timestamp="2016-07-04T15:17:14.479244+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Malware CnC Channels</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.479332+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Resources>
|
||||||
|
<ttp:Infrastructure>
|
||||||
|
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Hosting</ttp:Type>
|
||||||
|
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
|
||||||
|
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
|
||||||
|
</cybox:Observable>
|
||||||
|
</ttp:Observable_Characterization>
|
||||||
|
</ttp:Infrastructure>
|
||||||
|
</ttp:Resources>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-62c59e28-9480-4080-ad20-6b4092cb118d" timestamp="2016-07-04T15:17:14.476428+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Fingerprinting and whitelisting during watering-hole operations</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477552+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Resources>
|
||||||
|
<ttp:Infrastructure>
|
||||||
|
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Domain Registration</ttp:Type>
|
||||||
|
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
|
||||||
|
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
|
||||||
|
<cybox:Title>C2 List</cybox:Title>
|
||||||
|
</cybox:Observable>
|
||||||
|
</ttp:Observable_Characterization>
|
||||||
|
</ttp:Infrastructure>
|
||||||
|
</ttp:Resources>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-7ffb9e3d-688a-4ec4-8919-f8ccb91d4b59" timestamp="2016-07-04T15:17:14.476589+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Spear-phishing in tandem with 0-day exploits</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477592+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-f13297d6-0963-4a74-89dc-12745db39845" timestamp="2016-07-04T15:17:14.476707+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Infiltration of organisations via third party supplier/partner</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477629+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-78aef1ee-8c7d-4a6e-87cc-a4471b29ac45" timestamp="2016-07-04T15:17:14.476822+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Custom recon tool to compromise and identify credentials of the network</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477665+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-3a5f9a19-fa56-4b7d-ad7f-df64b7efdf98" timestamp="2016-07-04T15:17:14.476932+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Multiple means of C2 communications given the diversity of the attacker toolset</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477708+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-e08d9d94-0294-4fa7-9e1d-8f1e087e3dc0" timestamp="2016-07-04T15:17:14.477046+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>rootkit communicates during the same time as network activity, encoded with an XOR key</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477744+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-898d58cd-369c-4b76-892b-2f5ced35cf0e" timestamp="2016-07-04T15:17:14.477159+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Kernel-centric rootkit waits for network trigger before launching</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477779+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-fb1ac371-8e28-48d9-8905-03f54bd546ee" timestamp="2016-07-04T15:17:14.477269+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Kernel centric exfiltration over TCP/UDP/DNS/ICMP/HTTP</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477814+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-27872de0-c3ce-425d-9348-8f1439645398" timestamp="2016-07-04T15:17:14.477382+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Exfiltration over HTTP/HTTPS</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477849+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
<ttp:Kill_Chain_Phases>
|
||||||
|
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
|
||||||
|
</ttp:Kill_Chain_Phases>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:TTP id="bae:ttp-c3a4fec7-00b7-4efb-adf9-a38feee005fe" timestamp="2016-07-04T15:17:14.477499+00:00" xsi:type='ttp:TTPType'>
|
||||||
|
<ttp:Title>Use of previously undocumented functions in their Kernel centric attacks</ttp:Title>
|
||||||
|
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477888+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
|
||||||
|
</ttp:Intended_Effect>
|
||||||
|
</stix:TTP>
|
||||||
|
<stix:Kill_Chains>
|
||||||
|
<stixCommon:Kill_Chain id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer="LMCO" name="LM Cyber Kill Chain">
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="1" name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="2" name="Weaponization" phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="3" name="Delivery" phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="4" name="Exploitation" phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="5" name="Installation" phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="6" name="Command and Control" phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2"/>
|
||||||
|
<stixCommon:Kill_Chain_Phase ordinality="7" name="Actions on Objectives" phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"/>
|
||||||
|
</stixCommon:Kill_Chain>
|
||||||
|
</stix:Kill_Chains>
|
||||||
|
</stix:TTPs>
|
||||||
|
<stix:Exploit_Targets>
|
||||||
|
<stixCommon:Exploit_Target id="bae:et-ca916690-1221-46b3-8e69-dabd46018892" timestamp="2016-07-04T15:17:14.480615+00:00" xsi:type='et:ExploitTargetType'>
|
||||||
|
<et:Title>Privilage Escalation Vulnerability</et:Title>
|
||||||
|
<et:Vulnerability>
|
||||||
|
<et:CVE_ID>CVE-2013-5065</et:CVE_ID>
|
||||||
|
</et:Vulnerability>
|
||||||
|
</stixCommon:Exploit_Target>
|
||||||
|
</stix:Exploit_Targets>
|
||||||
|
<stix:Campaigns>
|
||||||
|
<stix:Campaign id="bae:campaign-2b81268f-c0f0-4bd4-aa63-a880dc05ed82" timestamp="2016-07-04T15:17:14.478248+00:00" xsi:type='campaign:CampaignType'>
|
||||||
|
<campaign:Title>The Epic Turla Campaign</campaign:Title>
|
||||||
|
<campaign:Description>The Epic Turla Campaign</campaign:Description>
|
||||||
|
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478460+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
|
||||||
|
</campaign:Intended_Effect>
|
||||||
|
<campaign:Attribution>
|
||||||
|
<campaign:Attributed_Threat_Actor>
|
||||||
|
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
|
||||||
|
</stixCommon:Threat_Actor>
|
||||||
|
</campaign:Attributed_Threat_Actor>
|
||||||
|
</campaign:Attribution>
|
||||||
|
</stix:Campaign>
|
||||||
|
<stix:Campaign id="bae:campaign-53a0ca81-b065-431a-b043-0457b0bcfffa" timestamp="2016-07-04T15:17:14.478394+00:00" xsi:type='campaign:CampaignType'>
|
||||||
|
<campaign:Title>SNAKE Campaign</campaign:Title>
|
||||||
|
<campaign:Description>The SNAKE Campaign</campaign:Description>
|
||||||
|
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478500+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
|
||||||
|
</campaign:Intended_Effect>
|
||||||
|
<campaign:Attribution>
|
||||||
|
<campaign:Attributed_Threat_Actor>
|
||||||
|
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
|
||||||
|
</stixCommon:Threat_Actor>
|
||||||
|
</campaign:Attributed_Threat_Actor>
|
||||||
|
</campaign:Attribution>
|
||||||
|
</stix:Campaign>
|
||||||
|
</stix:Campaigns>
|
||||||
|
<stix:Threat_Actors>
|
||||||
|
<stix:Threat_Actor id="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" timestamp="2016-07-04T15:17:14.454074+00:00" xsi:type='ta:ThreatActorType'>
|
||||||
|
<ta:Title>SNAKE</ta:Title>
|
||||||
|
<ta:Description>
|
||||||
|
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
|
||||||
|
This threat actor group has been operating continuously for over a decade, infiltrating governments and strategic private sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, an extensive clean-up called ‘Operation Buckshot Yankee’, and led to the creation of the US Cyber Command.
|
||||||
|
Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straight-forward capabilities for gaining an initial toe-hold on targets. This includes the use of watering-hole attacks and basic remote access tools.
|
||||||
|
</ta:Description>
|
||||||
|
<ta:Short_Description>
|
||||||
|
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
|
||||||
|
</ta:Short_Description>
|
||||||
|
<ta:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
|
||||||
|
<ExtSch:Specification xmlns:ExtSch="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
|
||||||
|
<xpil:PartyName xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
|
||||||
|
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
|
||||||
|
<xnl:NameElement>SNAKE</xnl:NameElement>
|
||||||
|
</xnl:OrganisationName>
|
||||||
|
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
|
||||||
|
<xnl:NameElement>Turla</xnl:NameElement>
|
||||||
|
</xnl:OrganisationName>
|
||||||
|
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="UnofficialName">
|
||||||
|
<xnl:NameElement>WRAITH</xnl:NameElement>
|
||||||
|
</xnl:OrganisationName>
|
||||||
|
</xpil:PartyName>
|
||||||
|
<xpil:Addresses xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
|
||||||
|
<xpil:Address>
|
||||||
|
<xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
|
||||||
|
<xal:NameElement>Russia</xal:NameElement>
|
||||||
|
</xal:Country>
|
||||||
|
<xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
|
||||||
|
<xal:NameElement>Moscow</xal:NameElement>
|
||||||
|
</xal:AdministrativeArea>
|
||||||
|
</xpil:Address>
|
||||||
|
</xpil:Addresses>
|
||||||
|
<xpil:ElectronicAddressIdentifiers xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
|
||||||
|
<xpil:ElectronicAddressIdentifier>snake@gmail.com</xpil:ElectronicAddressIdentifier>
|
||||||
|
<xpil:ElectronicAddressIdentifier>twitter.com/snake</xpil:ElectronicAddressIdentifier>
|
||||||
|
</xpil:ElectronicAddressIdentifiers>
|
||||||
|
<xpil:Languages xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
|
||||||
|
<xpil:Language>Russian</xpil:Language>
|
||||||
|
</xpil:Languages>
|
||||||
|
</ExtSch:Specification>
|
||||||
|
</ta:Identity>
|
||||||
|
<ta:Motivation timestamp="2016-07-04T15:17:14.475968+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Political</stixCommon:Value>
|
||||||
|
</ta:Motivation>
|
||||||
|
<ta:Sophistication timestamp="2016-07-04T15:17:14.454350+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:ThreatActorSophisticationVocab-1.0">Expert</stixCommon:Value>
|
||||||
|
</ta:Sophistication>
|
||||||
|
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476056+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
|
||||||
|
</ta:Intended_Effect>
|
||||||
|
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476095+00:00">
|
||||||
|
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value>
|
||||||
|
</ta:Intended_Effect>
|
||||||
|
</stix:Threat_Actor>
|
||||||
|
</stix:Threat_Actors>
|
||||||
|
</stix:STIX_Package>
|
|
@ -3,24 +3,37 @@
|
||||||
|
|
||||||
import unittest
|
import unittest
|
||||||
import requests
|
import requests
|
||||||
|
import base64
|
||||||
|
import json
|
||||||
|
|
||||||
class TestModules(unittest.TestCase):
|
class TestModules(unittest.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
self.maxDiff = None
|
self.maxDiff = None
|
||||||
self.headers = {'Content-Type': 'application/json'}
|
self.headers = {'Content-Type': 'application/json'}
|
||||||
|
self.url = "http://127.0.0.1:6666/"
|
||||||
|
|
||||||
def test_introspection(self):
|
def test_introspection(self):
|
||||||
response = requests.get('http://127.0.0.1:6666/modules')
|
response = requests.get(self.url + "modules")
|
||||||
print(response.json())
|
print(response.json())
|
||||||
|
|
||||||
def test_cve(self):
|
def test_cve(self):
|
||||||
with open('tests/bodycve.json', 'r') as f:
|
with open('tests/bodycve.json', 'r') as f:
|
||||||
response = requests.post('http://127.0.0.1:6666/query', data=f.read())
|
response = requests.post(self.url + "query", data=f.read())
|
||||||
print(response.json())
|
print(response.json())
|
||||||
|
|
||||||
def test_dns(self):
|
def test_dns(self):
|
||||||
with open('tests/body.json', 'r') as f:
|
with open('tests/body.json', 'r') as f:
|
||||||
response = requests.post('http://127.0.0.1:6666/query', data=f.read())
|
response = requests.post(self.url + "query", data=f.read())
|
||||||
print(response.json())
|
print(response.json())
|
||||||
|
|
||||||
|
def test_stix(self):
|
||||||
|
with open("tests/stix.xml", "r") as f:
|
||||||
|
data = json.dumps({"module":"stiximport",
|
||||||
|
"data":str(base64.b64encode(bytes(f.read(), 'utf-8')), 'utf-8')
|
||||||
|
})
|
||||||
|
response = requests.post(self.url + "query", data=data)
|
||||||
|
print(response.json())
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
unittest.main()
|
||||||
|
|
Loading…
Reference in New Issue