~alienagain/Stix_stuff

080872e234645f5adff2b440031f5ad00e4c3ba0 — terceranexus6 1 year, 1 month ago 60788f6
added changes in data of domains- it was redundant
6 files changed, 57 insertions(+), 18 deletions(-)

M docs/from_csv_to_stix.md
D from_csv/domains.csv
M from_csv/domains.py
A from_csv/example_domains.csv
R from_csv/{hashes.csv => example_hashes.csv}
M from_csv/hashes.py
M docs/from_csv_to_stix.md => docs/from_csv_to_stix.md +23 -3
@@ 8,13 8,33 @@ I'm confortable working with CSV files because they can easily be used for creat

# How to use

Now, in order for the script to work, the CSV format should be:
## Hashes

In order to parse hashes (sha256, sha1, MD5) the CSV should have the following row structure:

```
<hash value>,<file name>,<file description>,<indicator type (f.e. malicious-activity)>,<hash type (sha1,sha256,md5)>,<name of the related malware>,<type of the related malware>,<malware family(true/false)> 
```

Then all you need to do is execute the `hashes.py` file with the file argument:
```
<hash>,<name>,<description>,<type of threat>,<is it a family? true/false>,<hash type>
python3 hashes.py <myfile.csv>
```
If you want to try out, use the `example_hashes.csv` file as argument.

## Domains

There's [an example]() in the repo which uses a Linux campaign to make it more clear. All you have to do once you have your csv file is editing the  `read_from_csv.py` file so the csv file is yours and then execute. I will soon improve it so it takes the file as an argument to ease this part.
The domains csv file requires the following row structure:

```
<name of the indicator>,<description>,<URL value>,<related malware name>,<related malware type>,<related malware description>,<is family?(true/false)>
```

And the execution goes pretty much the same as the above:

```
python3 domains.py <myfile.csv>
```
If you want to try out, use the `example_domains.csv` file as argument.
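Review bot: the Domains row structure documented here does not match the column order the code and example in this same commit use. The fence reads `<name of the indicator>,<description>,<URL value>,...`, but `domains.py` now maps `ivalue = row[0]`, `ides = row[1]`, `itype = row[2]`, and every row of `example_domains.csv` starts with the domain, then the description, then `malicious-activity`; document it as `<URL/domain value>,<description>,<indicator type>,<related malware name>,<related malware type>,<related malware description>,<is family?(true/false)>`. Three smaller items in the same hunk: the hashes execution fence still carries a stale six-field row line (`<hash>,<name>,<description>,<type of threat>,...`) above `python3 hashes.py <myfile.csv>`, which contradicts the eight-field structure given just above it and should go; the Domains paragraph still tells the reader to edit `read_from_csv.py` and promises a file argument "soon" while the next fence already runs `python3 domains.py <myfile.csv>`; and `[an example]()` has an empty link target.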



D from_csv/domains.csv => from_csv/domains.csv +0 -3
@@ 1,3 0,0 @@
wget.hostname.help,xmrig,It downloads the miner,xmrig,cryptominer,New Linux xmrig campaign,true
pateu.freevar.com,xmrig,It downloads the miner,xmrig,cryptominer,New Linux xmrig campaign,true
abp.cash,xmrig,It downloads the miner,xmrig,cryptominer,New Linux xmrig campaign,true
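Review bot: dropping this file is fine since `example_domains.csv` replaces it, but the column layout changes with it: these old rows carry the malware name in the second column and have no indicator-type column, whereas the new reader expects description in column 2 and the indicator type in column 3. Anyone who built a CSV against the old `domains.csv` will now get their description read as the indicator type; a one-line "format changed" remark in the docs or commit message would save that confusion.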

M from_csv/domains.py => from_csv/domains.py +17 -11
@@ 5,9 5,12 @@ import sys
import random
import string


#by default, the time for creation and modification is the time of the execution
now = datetime.datetime.now()
mytime=now.strftime('%Y-%m-%dT%H:%M:%S.%fZ')

#funtion to create unique IDs based on random strings starting with the given type (indicator, malware, etc)
def create_id(itype):
    # lenghts for generating random strings for the id
    l1 = 8
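Review bot: typos in the two comments, `funtion` and `lenghts`. This whole prologue (timestamp setup plus `create_id`) is also copied verbatim into `hashes.py` in the same commit; moving it into a small shared module would keep the two scripts from drifting apart.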


@@ 23,7 26,7 @@ def create_id(itype):

    print(itype+"--"+random_string_1+"-"+random_string_2+"-"+random_string_3+"-"+random_string_4+"-"+random_string_5)


#it takes the csv from argument
filename = str(sys.argv[1])
count=0
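Review bot: `create_id` ends by printing the assembled id instead of returning it, so `myid = create_id("indicator")` later in the file receives `None`. A random-letter id would not be a valid STIX id in any case, since STIX ids have the form `<type>--<UUID>` and the python-stix2 library validates that (when no id is passed it generates a UUID itself). Either `return itype + "--" + str(uuid.uuid4())` or drop the `id=` argument and let the library assign it; as written, the id that shows up on stdout is never the id inside the bundle. A check that `sys.argv[1]` exists before `filename = str(sys.argv[1])` would also turn the current IndexError into a usage message.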



@@ 35,13 38,14 @@ with open(filename, 'r') as csvfile:
        print("Processing "+str(count)+" row")

        #Domain values:
        #name of the domain
        #URL value
        #description of the domain
        #URL
        #type of the value (malicious-activity, suspicious-activity)

        tname = row[1]
        tdes = row[2]
        tvalue = row[0]
        
        ivalue = row[0]
        ides = row[1]
        itype = row[2]

        #Malware values
        #name of the malware
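Review bot: the comment block above the row mapping lists five values (name of the domain, URL value, description, URL, type) but the new code reads three: `ivalue = row[0]`, `ides = row[1]`, `itype = row[2]`. Rewrite the comment to `#domain/URL value, description, indicator type (malicious-activity, suspicious-activity)` so it matches. Since `itype` now comes straight from the CSV, a quick check that it is one of the expected indicator-type values would catch a malformed row before the object is built.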


@@ 55,16 59,14 @@ with open(filename, 'r') as csvfile:
        mfam = row[6]

        myid = create_id("indicator")
        
        # Domain indicator, id is the same right now
        indicator = Indicator(
            id=myid,
            created=mytime,
            modified=mytime,
            name=tname,
            description=tdes,
            indicator_types=["malicious-activity"],
            pattern="[url:value = '"+tvalue+"']",
            description=ides,
            indicator_types=[itype],
            pattern="[url:value = '"+ivalue+"']",
            pattern_type="stix",
            valid_from=mytime
        )       
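Review bot: the pattern is still assembled by string concatenation, `"[url:value = '"+ivalue+"']"`, so a value containing a single quote produces an unparsable STIX pattern; escape the value or validate the result with the stix2 pattern parser before building the Indicator. Also, the example rows are bare host names (`abp.cash`, `wget.hostname.help`), for which `domain-name:value` is the matching observable rather than `url:value`. Removing `name=tname` leaves the indicator without a name, which is allowed in STIX 2.1, but see the file-name hunk further down, which still uses that variable.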


@@ 87,6 89,10 @@ with open(filename, 'r') as csvfile:
        bundle = Bundle(objects=[indicator, malware, relationship])

        #creating the document that indicates such relationship
        # It prints the result in stix files which describes the relationship in the name 
        # f.e.: disk1_related_with_xmrig_1.stix
        # this way it makes it easier to understand the data before opening it

        print(str(bundle))
        with open(tname+"_domain_indicates_"+mname+"_"+str(count)+".stix", 'a') as f:
            f.write(str(bundle))
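Review bot: `tname` in the output file name is no longer assigned as far as this diff shows, because the row-mapping hunk replaces `tname = row[1]` with `ivalue = row[0]`, so the first row will raise `NameError` here; use `ivalue`. Two smaller points on the same `open` line: the file is opened in append mode (`'a'`), so re-running the script on the same CSV appends a second bundle and the file stops being a single JSON document (use `'w'`); and the domain value from the CSV goes unsanitised into the path, so it should be reduced to a safe character set (or replaced by the row counter) before it is used as a file name.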

A from_csv/example_domains.csv => from_csv/example_domains.csv +3 -0
@@ 0,0 1,3 @@
wget.hostname.help,It downloads the miner,malicious-activity,XMRIG,cryptominer,New Linux xmrig campaign,true
pateu.freevar.com,It downloads the miner,malicious-activity,XMRIG,cryptominer,New Linux xmrig campaign,true
abp.cash,It downloads the miner,malicious-activity,XMRIG,cryptominer,New Linux xmrig campaign,true

R from_csv/hashes.csv => from_csv/example_hashes.csv +0 -0
M from_csv/hashes.py => from_csv/hashes.py +14 -1
@@ 5,9 5,11 @@ import sys
import string
import random

#by default, the time for creation and modification is the time of the execution
now = datetime.datetime.now()
mytime=now.strftime('%Y-%m-%dT%H:%M:%S.%fZ')

#funtion to create unique IDs based on random strings starting with the given type (indicator, malware, etc)
def create_id(itype):
    # lenghts for generating random strings for the id
    l1 = 8
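Review bot: same `funtion`/`lenghts` typos as in `domains.py`, and the timestamp setup and `create_id` here are an exact copy of the ones there; factor them into one shared module and import it from both scripts.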


@@ 23,6 25,8 @@ def create_id(itype):

    print(itype+"--"+random_string_1+"-"+random_string_2+"-"+random_string_3+"-"+random_string_4+"-"+random_string_5)


#it takes the csv from argument
filename = str(sys.argv[1])
count=0
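Review bot: `create_id` prints the id and returns nothing, so the `myid = create_id("indicator")` and `myid2 = create_id("malware")` assignments below receive `None` and the Indicator and Malware objects end up with library-generated UUIDs unrelated to what was printed. Return a proper `<type>--<UUID>` string (e.g. with `uuid.uuid4()`) or drop the `id=` arguments altogether.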



@@ 55,8 59,10 @@ with open(filename, 'r') as csvfile:
        mtype = row[6]
        mfam = row[7]

        myid = create_id("indicator")

        # INDICATOR PROCESSING
        
        myid = create_id("indicator")

        indicator = Indicator(
            id=myid,


@@ 70,6 76,8 @@ with open(filename, 'r') as csvfile:
            valid_from=mytime
        )       

        # MALWARE PROCESSING

        myid2 = create_id("malware")

        malware = Malware(


@@ 81,10 89,15 @@ with open(filename, 'r') as csvfile:
            is_family=mfam
        )

        # The relationship among them is created based on the ids

        relationship = Relationship(indicator, 'indicates', malware)
        bundle = Bundle(objects=[indicator, malware, relationship])

        # It prints the result in stix files which describes the relationship in the name 
        # f.e.: disk1_related_with_xmrig_1.stix
        # this way it makes it easier to understand the data before opening it

        print(str(bundle))
        with open(iname+"_related_with_"+mname+"_"+str(count)+".stix", 'a') as f:
            f.write(str(bundle))
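Review bot: the output file is opened in append mode (`'a'`), so running the script twice on the same CSV concatenates two bundles into one `.stix` file, which is then no longer valid JSON; `'w'` is what the "one file per relationship" comment above implies. `iname` and `mname` also come straight from the CSV into the file name, so strip them to a safe character set first. Finally, `count` is in the name but the print on the line above still reports "Processing N row"; "Processing row N" reads better.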