Merge pull request #194 from chrisr3d/master

Removed STIX1 related requirements to avoid version issues
pull/198/head
Alexandre Dulaunoy 2018-06-15 06:59:35 +02:00 committed by GitHub
commit d409eadce5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 0 additions and 352 deletions

View File

@ -60,7 +60,6 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
* [GoAML import](misp_modules/modules/import_mod/) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
* [OpenIOC](misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library.
* [stiximport](misp_modules/modules/import_mod/stiximport.py) - An import module to process STIX xml/json.
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.

View File

@ -1,5 +1,3 @@
stix
cybox
tornado
dnspython
requests
@ -12,7 +10,6 @@ pyeupi
ipasn-redis
asnhistory
git+https://github.com/Rafiot/uwhoisd.git@testing#egg=uwhois&subdirectory=client
git+https://github.com/MISP/MISP-STIX-Converter.git#egg=misp_stix_converter
git+https://github.com/MISP/PyMISP.git#egg=pymisp
git+https://github.com/sebdraven/pyonyphe#egg=pyonyphe
pillow

View File

@ -33,8 +33,6 @@ setup(
'pyeupi',
'ipasn-redis',
'asnhistory',
'stix',
'cybox',
'pillow',
'pytesseract',
'shodan',

View File

@ -1,331 +0,0 @@
<stix:STIX_Package
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:campaign="http://stix.mitre.org/Campaign-1"
xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:bae="http://bae.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="bae:Package-f0b927dd-9356-49ba-8f56-6d9f3d42fe25" version="1.1.1">
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
<cybox:Title>CNC Server 1</cybox:Title>
<cybox:Object id="bae:Address-6e6990d8-20b6-4482-97a2-55732c993982">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>82.146.166.56</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
<cybox:Title>CNC Server 2</cybox:Title>
<cybox:Object id="bae:Address-00dc7361-ca55-48ef-8529-72a3ac9c58d7">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>209.239.79.47</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
<cybox:Title>CNC Server 3</cybox:Title>
<cybox:Object id="bae:Address-bbbbdcad-e8f5-449d-99d3-264de0ed512e">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value>41.213.121.180</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-c0e85056-de10-44f7-a600-73144514e7a1">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>eu-society.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-ae972731-3b33-4fb1-bab6-053b0056deb5">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>aromatravel.org</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>Watering Hole Wordpress</cybox:Title>
<cybox:Object id="bae:Address-f0d9ef90-af2d-462d-aa69-bfd55da9e65c">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>bss.servebbs.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="bae:indicator-1c3fc03e-86dc-4440-9e95-8b9964f03b92" timestamp="2016-07-04T15:17:14.479542+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>Watering Hole Detected</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
<indicator:Observable id="bae:Observable-4e173154-e739-4917-86e8-8b30e4cf39e5">
<cybox:Observable_Composition operator="OR">
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
<stix:Indicator id="bae:indicator-e5ff413f-074e-41fe-ab20-6d0e0bf10f9c" timestamp="2016-07-04T15:17:14.480747+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>CnC Beaconing Detected</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">C2</indicator:Type>
<indicator:Observable id="bae:Observable-f4695e3e-5a27-4889-ba48-456b14146911">
<cybox:Observable_Composition operator="OR">
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="bae:ttp-801d59e9-28c2-4016-976e-011dcab22cfd" timestamp="2016-07-04T15:17:14.479244+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malware CnC Channels</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.479332+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Hosting</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable idref="bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7">
</cybox:Observable>
<cybox:Observable idref="bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b">
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
<stix:TTP id="bae:ttp-62c59e28-9480-4080-ad20-6b4092cb118d" timestamp="2016-07-04T15:17:14.476428+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Fingerprinting and whitelisting during watering-hole operations</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477552+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Type xsi:type="stixVocabs:AttackerInfrastructureTypeVocab-1.0">Domain Registration</ttp:Type>
<ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable idref="bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref="bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993">
<cybox:Title>C2 List</cybox:Title>
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-7ffb9e3d-688a-4ec4-8919-f8ccb91d4b59" timestamp="2016-07-04T15:17:14.476589+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Spear-phishing in tandem with 0-day exploits</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477592+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-f13297d6-0963-4a74-89dc-12745db39845" timestamp="2016-07-04T15:17:14.476707+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Infiltration of organisations via third party supplier/partner</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477629+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-78aef1ee-8c7d-4a6e-87cc-a4471b29ac45" timestamp="2016-07-04T15:17:14.476822+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Custom recon tool to compromise and identify credentials of the network</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477665+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-3a5f9a19-fa56-4b7d-ad7f-df64b7efdf98" timestamp="2016-07-04T15:17:14.476932+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Multiple means of C2 communications given the diversity of the attacker toolset</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477708+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-e08d9d94-0294-4fa7-9e1d-8f1e087e3dc0" timestamp="2016-07-04T15:17:14.477046+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>rootkit communicates during the same time as network activity, encoded with an XOR key</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477744+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-898d58cd-369c-4b76-892b-2f5ced35cf0e" timestamp="2016-07-04T15:17:14.477159+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Kernel-centric rootkit waits for network trigger before launching</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477779+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-fb1ac371-8e28-48d9-8905-03f54bd546ee" timestamp="2016-07-04T15:17:14.477269+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Kernel centric exfiltration over TCP/UDP/DNS/ICMP/HTTP</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477814+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-27872de0-c3ce-425d-9348-8f1439645398" timestamp="2016-07-04T15:17:14.477382+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Exfiltration over HTTP/HTTPS</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477849+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id="bae:ttp-c3a4fec7-00b7-4efb-adf9-a38feee005fe" timestamp="2016-07-04T15:17:14.477499+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Use of previously undocumented functions in their Kernel centric attacks</ttp:Title>
<ttp:Intended_Effect timestamp="2016-07-04T15:17:14.477888+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage</stixCommon:Value>
</ttp:Intended_Effect>
</stix:TTP>
<stix:Kill_Chains>
<stixCommon:Kill_Chain id="stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer="LMCO" name="LM Cyber Kill Chain">
<stixCommon:Kill_Chain_Phase ordinality="1" name="Reconnaissance" phase_id="stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a"/>
<stixCommon:Kill_Chain_Phase ordinality="2" name="Weaponization" phase_id="stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16"/>
<stixCommon:Kill_Chain_Phase ordinality="3" name="Delivery" phase_id="stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"/>
<stixCommon:Kill_Chain_Phase ordinality="4" name="Exploitation" phase_id="stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0"/>
<stixCommon:Kill_Chain_Phase ordinality="5" name="Installation" phase_id="stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"/>
<stixCommon:Kill_Chain_Phase ordinality="6" name="Command and Control" phase_id="stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2"/>
<stixCommon:Kill_Chain_Phase ordinality="7" name="Actions on Objectives" phase_id="stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"/>
</stixCommon:Kill_Chain>
</stix:Kill_Chains>
</stix:TTPs>
<stix:Exploit_Targets>
<stixCommon:Exploit_Target id="bae:et-ca916690-1221-46b3-8e69-dabd46018892" timestamp="2016-07-04T15:17:14.480615+00:00" xsi:type='et:ExploitTargetType'>
<et:Title>Privilage Escalation Vulnerability</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2013-5065</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
<stix:Campaigns>
<stix:Campaign id="bae:campaign-2b81268f-c0f0-4bd4-aa63-a880dc05ed82" timestamp="2016-07-04T15:17:14.478248+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>The Epic Turla Campaign</campaign:Title>
<campaign:Description>The Epic Turla Campaign</campaign:Description>
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478460+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution>
<campaign:Attributed_Threat_Actor>
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
<stix:Campaign id="bae:campaign-53a0ca81-b065-431a-b043-0457b0bcfffa" timestamp="2016-07-04T15:17:14.478394+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>SNAKE Campaign</campaign:Title>
<campaign:Description>The SNAKE Campaign</campaign:Description>
<campaign:Intended_Effect timestamp="2016-07-04T15:17:14.478500+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution>
<campaign:Attributed_Threat_Actor>
<stixCommon:Threat_Actor idref="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
</stix:Campaigns>
<stix:Threat_Actors>
<stix:Threat_Actor id="bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" timestamp="2016-07-04T15:17:14.454074+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>SNAKE</ta:Title>
<ta:Description>
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits virtually undetectable by conventional security products.
This threat actor group has been operating continuously for over a decade, infiltrating governments and strategic private sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, an extensive clean-up called Operation Buckshot Yankee, and led to the creation of the US Cyber Command.
Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straight-forward capabilities for gaining an initial toe-hold on targets. This includes the use of watering-hole attacks and basic remote access tools.
</ta:Description>
<ta:Short_Description>
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits virtually undetectable by conventional security products.
</ta:Short_Description>
<ta:Identity xsi:type="ciqIdentity:CIQIdentity3.0InstanceType">
<ExtSch:Specification xmlns:ExtSch="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1">
<xpil:PartyName xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
<xnl:NameElement>SNAKE</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="OfficialName">
<xnl:NameElement>Turla</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3" xnl:Type="UnofficialName">
<xnl:NameElement>WRAITH</xnl:NameElement>
</xnl:OrganisationName>
</xpil:PartyName>
<xpil:Addresses xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Address>
<xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>Russia</xal:NameElement>
</xal:Country>
<xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>Moscow</xal:NameElement>
</xal:AdministrativeArea>
</xpil:Address>
</xpil:Addresses>
<xpil:ElectronicAddressIdentifiers xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:ElectronicAddressIdentifier>snake@gmail.com</xpil:ElectronicAddressIdentifier>
<xpil:ElectronicAddressIdentifier>twitter.com/snake</xpil:ElectronicAddressIdentifier>
</xpil:ElectronicAddressIdentifiers>
<xpil:Languages xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3">
<xpil:Language>Russian</xpil:Language>
</xpil:Languages>
</ExtSch:Specification>
</ta:Identity>
<ta:Motivation timestamp="2016-07-04T15:17:14.475968+00:00">
<stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Political</stixCommon:Value>
</ta:Motivation>
<ta:Sophistication timestamp="2016-07-04T15:17:14.454350+00:00">
<stixCommon:Value xsi:type="stixVocabs:ThreatActorSophisticationVocab-1.0">Expert</stixCommon:Value>
</ta:Sophistication>
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476056+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
</ta:Intended_Effect>
<ta:Intended_Effect timestamp="2016-07-04T15:17:14.476095+00:00">
<stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Intellectual Property</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:STIX_Package>

View File

@ -57,21 +57,6 @@ class TestModules(unittest.TestCase):
assert("mrxcls.sys" in values)
assert("mdmcpq3.PNF" in values)
def test_stix(self):
with open("tests/stix.xml", "rb") as f:
content = base64.b64encode(f.read())
data = json.dumps({"module": "stiximport",
"data": content.decode('utf-8'),
})
response = requests.post(self.url + "query", data=data).json()
print("STIX :: {}".format(response))
values = [x["values"][0] for x in response["results"]]
assert("209.239.79.47" in values)
assert("41.213.121.180" in values)
assert("eu-society.com" in values)
def test_email_headers(self):
query = {"module": "email_import"}
query["config"] = {"unzip_attachments": None,