A bulk_conversion/campaña.py => bulk_conversion/campaña.py +130 -0
@@ 0,0 1,130 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+from stix2 import KillChainPhase
+from stix2 import CustomObject, properties
+import copy
+
+
+@CustomObject('x-origin', [
+ ('resource', properties.StringProperty(required=True)),
+ ('resource_class', properties.StringProperty()),
+ ('visibility_class', properties.StringProperty()),
+])
+
+class Origin(object):
+ def __init__(self, resource_class=None, visibility_class=None, **kwargs):
+ if resource_class and resource_class not in ['external', 'internal']:
+ raise ValueError("'%s' is not a recognized class of resource.." % resource_class)
+ if visibility_class and visibility_class not in ['TLP:RED', 'TLP:AMBER', 'TLP:GREEN','TLP:WHITE']:
+ raise ValueError("'%s' is not a recognized class of visibility." % resource_class)
+
+# creating identity for the bundle
+
+print("IDENTITY\n")
+
+myname = input("Name of author: ")
+i_class = input("Team (f.e. Threat Hunting): ")
+
+
+print("\n****************************************************\n")
+
+# creating custom origin type
+# this is to make it easier for the researcher to be transparent
+# about the origin and the visbility for the indicators
+
+print("RESOURCE/ORIGIN\n")
+
+r_name = input("Name of the resource: ")
+r_type = input("Type of the resource (internal/external): ")
+r_visibility = input("Visibility of the indicators('TLP:RED', 'TLP:AMBER', 'TLP:GREEN','TLP:WHITE'): ")
+
+campaign_origin = Origin(resource=r_name,
+ resource_class=r_type,
+ visibility_class=r_visibility)
+
+print("\n****************************************************\n")
+
+
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+
+my_identity = Identity(name = myname,
+ identity_class = i_class)
+# reading malware from user prompt
+
+print("MALWARE DEFINITION AND CAMPAIGN\n")
+
+mal_rel = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+mal_name = input("Malware name which is related: ")
+mal_des = input("Malware description: ")
+mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")
+
+name_KC = input("Name of the specific case (not the same as the phase! for example: the name of the campaign) : ")
+phase_KC = input("Killchain phase (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives or other): ")
+
+print("\n****************************************************\n")
+
+malware = Malware(name=mal_name,
+ description=mal_des,
+ malware_types=[mal_type],
+ kill_chain_phases=[{
+ "kill_chain_name": name_KC,
+ "phase_name": phase_KC}],
+ is_family=True)
+
+print("INDICATOR\n")
+i_type = input("Indicator type (SHA1,SHA256,URL,IP): ")
+
+if i_type == "SHA1":
+ i_name = input("Name of the indicator: ")
+ i_hash = input("Hash of the indicator: ")
+ indicator = Indicator(name=i_name,
+ pattern="[file:hashes.sha1 = '" + i_hash +"']",
+ pattern_type="stix")
+elif i_type == "SHA256":
+ i_name = input("Name of the indicator: ")
+ i_hash = input("Hash of the indicator: ")
+ indicator = Indicator(name=i_name,
+ pattern="[file:hashes.sha256 = '" + i_hash +"']",
+ pattern_type="stix")
+else:
+ print("INDICATOR TYPE NOT RECOGNISED")
+
+print("\n****************************************************\n")
+
+myrelation = Relationship(relationship_type=mal_rel,
+ source_ref=indicator.id,
+ target_ref=malware.id)
+
+
+print("\nDONE: Creating bundle with the information...")
+
+mybundle = Bundle(indicator, malware, myrelation, my_identity, campaign_origin)
+print(mybundle.serialize(pretty=True))
+
+output_f = mal_name + "_" + phase_KC + "_Bundle.json"
+f_o = open(output_f, "x")
+
+print("\nWriting the contents into " + output_f + " ...")
+
+f_o.write(mybundle.serialize(pretty=True))
+print("Done! Bye bye! :)")
+
+
+
+
+
+
+
+
+
+
+
+
M bulk_conversion/hash_bundle_creator.py => bulk_conversion/hash_bundle_creator.py +4 -4
@@ 188,10 188,10 @@ print("creating the bundle...")
final_trick=bundle_option%2
# debug
-print("final_trick = " + str(final_trick))
-print("bundle_option = " + str(bundle_option))
+# print("final_trick = " + str(final_trick))
+# print("bundle_option = " + str(bundle_option))
-DEBUG=input("DEBUG")
+# DEBUG=input("DEBUG")
if final_trick == 1:
@@ 252,7 252,7 @@ else:
print("\nBye bye!")
-output_f = mal_name + "_Bundle.json"
+output_f = mal_name + "_HASH_Bundle.json"
f_o = open(output_f, "x")
print("\nWriting the contents into " + output_f + " ...")
A bulk_conversion/revisado.py => bulk_conversion/revisado.py +360 -0
@@ 0,0 1,360 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+import copy
+
+# functions
+
+def menu():
+ print("Choose an option: ")
+ print("A - Enter SHA1\nB - Enter SHA256\nC - Enter SHA1 and SHA256\nD - Cancel")
+
+def printin_bundle(mal_name, my_bundle):
+ output_f = mal_name + "_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+
+# creating identity for the bundle
+
+myname = input("Name of author: ")
+i_class = input("Team (f.e. Threat Hunting): ")
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+
+my_identity = Identity(name = myname,
+ identity_class = i_class)
+# reading malware from user prompt
+
+mal_name = input("Malware name: ")
+mal_des = input("Malware description: ")
+mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")
+
+if mal_type == "none":
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ is_family=False)
+else:
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+ is_family=False)
+
+typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+
+menu()
+option = input("Choose your option: ")
+
+
+############################################################################################################################
+
+if option == "A":
+
+ myfile = input("file with SHA1: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash for " + mal_name
+
+ print("Reading hashes for SHA1...")
+
+ print("SHA1: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA1 = []
+ my_relationships_SHA1 = []
+ for j in range(num_lines):
+ my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
+ my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA1_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+####################################################################################################################################
+
+elif option == "B":
+
+ # getting the file with SHA256 hashes
+ myfile2 = input("file with SHA256: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash SHA256 for " + mal_name
+
+ print("Reading hashes for SHA256...")
+ print("SHA256: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA256 = []
+ my_relationships_SHA256 = []
+ for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA256_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+#################################################################################################################################
+
+elif option == "C":
+
+ myfile = input("file with SHA1: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash for " + mal_name
+
+ print("Reading hashes for SHA1...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read in " + myfile)
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+
+ # getting the file with SHA256 hashes
+ myfile2 = input("file with SHA256: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash SHA256 for " + mal_name
+
+ print("Reading hashes for SHA256...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+ print("no more lines to read in " + myfile2)
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA256 = []
+ my_relationships_SHA256 = []
+
+ j = 0
+
+ for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+ my_indicators_SHA1 = []
+ my_relationships_SHA1 = []
+
+ j = 0
+
+ for j in range(num_lines):
+ my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
+ my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:],my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA1_SHA256_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+#print("Bundle:")
+print("\nBye bye!")
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+