
b8d88f4ab1e1e21225645229be69c4fdb4384813 — paula 11 months ago 31057d4
actualizo contenido de opencti y degrado scripts
2 files changed, 190 insertions(+), 0 deletions(-)

R ingest_opencti.py => DEPRECATED/ingest_opencti.py
A OPENCTI_STIX/malware_to_stix.py
R ingest_opencti.py => DEPRECATED/ingest_opencti.py +0 -0
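--- a/OPENCTI_STIX/malware_to_stix.py
+++ b/OPENCTI_STIX/malware_to_stix.py
@@ -0,0 +1,190 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+from stix2 import ThreatActor
+
+import argparse
+import copy
+
+# functions
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-n', '--name', help='name of the malware')
+parser.add_argument('-d', '--des', help='description of the malware')
+parser.add_argument('-r', '--rel', help='relation of the ioc with the malware')
+parser.add_argument('-f', '--file', help='name of the file with malware hashes')
+
+args = parser.parse_args()
+
+
+def printin_bundle(mal_name, my_bundle):
+    output_f = mal_name + "_Bundle.json"
+    f_o = open(output_f, "x")
+
+    print("\nWriting the contents into " + output_f + " ...")
+
+    f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+
+# creating identity for the bundle
+
+myname = "<MY IDENTITY NAME>" #input("Name of author: ")
+#i_class = "organization"
+
+# this is custom and will onl be available with the latest version of stix :( : 
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+############################IDENTITY####################################
+
+
+my_identity = Identity(name = myname, identity_class = i_class)
+# reading malware from user prompt
+
+#TA_name = input("THEAR ACTOR name: ")
+#TA_des = input("THREAT ACTOR description: ")
+
+
+#TA_type = input("nation-state/: ")
+
+#if mal_type == "none":
+#    malware = Malware(name=mal_name,
+#                  description=mal_des,
+#                  is_family=False)
+#else:
+#    malware = Malware(name=mal_name,
+#                  description=mal_des,
+#                  malware_types=[mal_type],
+                 #kill_chain_phases=[{
+                 #                       "kill_chain_name": "testing",
+                 #                       "phase_name": "Delivery"}],
+#                  is_family=False)
+
+
+############################3THREAT ACTOR################################
+
+
+#threatactor = ThreatActor(name=TA_name,description=TA_des)
+#print("Threat actor defined")
+
+
+
+#############################MALWARE#####################################
+
+print("Please indicate the malware details:")
+
+#MA_name = input("MALWARE NAME: ")
+MA_name = args.name
+
+#MA_des = input("MALWARE DESCRIPTION: ")
+MA_des = args.des
+
+#MA_type = input("MALWARE TYPE: ")
+
+malware = Malware(name=MA_name, description=MA_des,is_family=False)
+#else:
+#    malware = Malware(name=MA_name,
+#                  description=MA_des,
+#                  malware_types=[mal_type],
+                 #kill_chain_phases=[{
+                 #                       "kill_chain_name": "testing",
+                 #                       "phase_name": "Delivery"}],
+#                  is_family=False)
+
+#typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+typer = args.rel
+
+#menu()
+#option = input("Choose your option: ")
+
+
+
+########################################################################
+########################################################################
+
+
+    # getting the file with SHA256 hashes
+#myfile2 = input("file with SHA256: ")
+myfile2 = args.file
+
+file2 = open(myfile2, 'r')
+content2 = file2.readlines()
+         
+count = 0
+
+
+#MARCADOR
+in_name="file hash SHA256 for " + MA_name
+
+print("Reading hashes for SHA256...")
+#print("SHA256: ")
+
+        # iterating the whole file, for each line it creates a temporary 
+        # stix object with the sha1 hash and the malware family
+        # and saves an indicator object with the content. No need to create a
+        # list because the object is already stored as a permanent identifier during the session
+        # although a trash-temp-indicator is also stored.
+
+for line2 in content2:
+    #MARCADOR
+    tmp_indicator = Indicator(name=line2.strip(), 
+                                pattern="[file:name = '"+ MA_name +"' AND file:hashes.'sha256' = '"+ line2.strip()+"']",
+                                spec_version="2.1",
+                                pattern_type="stix")
+           # print("TEMPORARY, DEBUG:")
+           # print(tmp_indicator.serialize(pretty=True))
+
+    count = count + 1
+
+    locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+print("no more lines to read")
+
+
+num_lines2 = sum(1 for _ in open(myfile2))
+
+        # This prints all the indicators for the SHA1 (commented) and creates
+        # a relationship for each one of them with the malware
+
+for i in range(num_lines2):
+            #print("The indicator SHA1 is:\n")
+            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+            # creating the relationship with the malware
+    locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+                                    source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+                                    target_ref=malware.id)
+            #print("The relationship is:\n")
+            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+print("Making the bundle...\n")
+
+my_indicators_SHA256 = []
+my_relationships_SHA256 = []
+
+for j in range(num_lines2):
+    my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+    my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+        
+my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
+print(my_bundle.serialize(pretty=True))
+output_f = MA_name + "_SHA256_Bundle.json"
+f_o = open(output_f, "x")
+
+print("\nWriting the contents into " + output_f + " ...")
+
+f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+#print("Bundle:")
+print("\nBye bye!")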
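Review bot: `my_identity = Identity(name = myname, identity_class = i_class)` references `i_class`, but its only assignment is the commented-out `#i_class = "organization"` a few lines above, so the script dies with NameError before a single hash is read; restore `i_class = "organization"` (or expose it as an argparse option). Each input line and `MA_name` are spliced unescaped into the STIX pattern `"[file:name = '"+ MA_name +"' AND file:hashes.'sha256' = '"+ line2.strip()+"']"`, so a blank line, a `'` in the name, or a line that is not a bare hash yields an invalid or misleading indicator; skipping empty lines and checking each value is 64 hex characters before building the Indicator keeps bad input out of the bundle. The hash file is opened twice (`file2 = open(myfile2, 'r')` and later `sum(1 for _ in open(myfile2))`) and none of the three handles, including the `"x"`-mode output file, is ever closed, which `with open(...)` and `len(content2)` would fix together. Storing objects through `locals()["indicator_SHA256_" + str(count)]` only works because at module scope `locals()` is the globals dict; appending to the two lists inside the first loop, as sketched below, replaces the three loops and every `locals()` lookup, and the unused `printin_bundle`, `in_name` and `ThreatActor` import can go.
```python
# … unchanged: argparse, identity and malware setup …
with open(myfile2, 'r') as file2:
    content2 = file2.readlines()

my_indicators_SHA256 = []
my_relationships_SHA256 = []

print("Reading hashes for SHA256...")
for line2 in content2:
    value = line2.strip()
    # only a bare SHA-256 (64 hex chars) may go into the pattern
    if len(value) != 64 or any(c not in "0123456789abcdefABCDEF" for c in value):
        print("Skipping line that is not a SHA256: " + value)
        continue
    indicator = Indicator(name=value,
                          pattern="[file:name = '" + MA_name + "' AND file:hashes.'sha256' = '" + value + "']",
                          spec_version="2.1",
                          pattern_type="stix")
    my_indicators_SHA256.append(indicator)
    my_relationships_SHA256.append(Relationship(relationship_type=typer,
                                                source_ref=indicator.id,
                                                target_ref=malware.id))

print("no more lines to read")
print("Making the bundle...\n")
my_bundle = Bundle(my_indicators_SHA256, my_relationships_SHA256, malware, my_identity)
print(my_bundle.serialize(pretty=True))
output_f = MA_name + "_SHA256_Bundle.json"
print("\nWriting the contents into " + output_f + " ...")
with open(output_f, "x") as f_o:
    f_o.write(my_bundle.serialize(pretty=True))
# … unchanged: final print …
```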