From b8d88f4ab1e1e21225645229be69c4fdb4384813 Mon Sep 17 00:00:00 2001
From: paula
Date: Thu, 28 Sep 2023 16:12:17 +0200
Subject: [PATCH] actualizo contenido de opencti y degrado scripts
---
 .../ingest_opencti.py | 0
 OPENCTI_STIX/malware_to_stix.py | 190 ++++++++++++++++++
 2 files changed, 190 insertions(+)
 rename ingest_opencti.py => DEPRECATED/ingest_opencti.py (100%)
 create mode 100644 OPENCTI_STIX/malware_to_stix.py
diff --git a/ingest_opencti.py b/DEPRECATED/ingest_opencti.py
similarity index 100%
rename from ingest_opencti.py
rename to DEPRECATED/ingest_opencti.py
diff --git a/OPENCTI_STIX/malware_to_stix.py b/OPENCTI_STIX/malware_to_stix.py
new file mode 100644
index 0000000..ee38ca1
--- /dev/null
+++ b/OPENCTI_STIX/malware_to_stix.py
@@ -0,0 +1,190 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+from stix2 import ThreatActor
+
+import argparse
+import copy
+
+# functions
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-n', '--name', help='name of the malware')
+parser.add_argument('-d', '--des', help='description of the malware')
+parser.add_argument('-r', '--rel', help='relation of the ioc with the malware')
+parser.add_argument('-f', '--file', help='name of the file with malware hashes')
+
+args = parser.parse_args()
+
+
+def printin_bundle(mal_name, my_bundle):
+ output_f = mal_name + "_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+
+# creating identity for the bundle
+
+myname = "" #input("Name of author: ")
+#i_class = "organization"
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+############################IDENTITY####################################
+
+
+my_identity = Identity(name = myname, identity_class = i_class)
+# reading malware from user prompt
+
+#TA_name = input("THEAR ACTOR name: ")
+#TA_des = input("THREAT ACTOR description: ")
+
+
+#TA_type = input("nation-state/: ")
+
+#if mal_type == "none":
+# malware = Malware(name=mal_name,
+# description=mal_des,
+# is_family=False)
+#else:
+# malware = Malware(name=mal_name,
+# description=mal_des,
+# malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+# is_family=False)
+
+
+############################3THREAT ACTOR################################
+
+
+#threatactor = ThreatActor(name=TA_name,description=TA_des)
+#print("Threat actor defined")
+
+
+
+#############################MALWARE#####################################
+
+print("Please indicate the malware details:")
+
+#MA_name = input("MALWARE NAME: ")
+MA_name = args.name
+
+#MA_des = input("MALWARE DESCRIPTION: ")
+MA_des = args.des
+
+#MA_type = input("MALWARE TYPE: ")
+
+malware = Malware(name=MA_name, description=MA_des,is_family=False)
+#else:
+# malware = Malware(name=MA_name,
+# description=MA_des,
+# malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+# is_family=False)
+
+#typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+typer = args.rel
+
+#menu()
+#option = input("Choose your option: ")
+
+
+
+########################################################################
+########################################################################
+
+
+
+ # getting the file with SHA256 hashes
+#myfile2 = input("file with SHA256: ")
+myfile2 = args.file
+
+file2 = open(myfile2, 'r')
+content2 = file2.readlines()
+
+count = 0
+
+
+#MARCADOR
+in_name="file hash SHA256 for " + MA_name
+
+print("Reading hashes for SHA256...")
+#print("SHA256: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+for line2 in content2:
+ #MARCADOR
+ tmp_indicator = Indicator(name=line2.strip(),
+ pattern="[file:name = '"+ MA_name +"' AND file:hashes.'sha256' = '"+ line2.strip()+"']",
+ spec_version="2.1",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+print("no more lines to read")
+
+
+num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+print("Making the bundle...\n")
+
+my_indicators_SHA256 = []
+my_relationships_SHA256 = []
+
+for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
+print(my_bundle.serialize(pretty=True))
+output_f = MA_name + "_SHA256_Bundle.json"
+f_o = open(output_f, "x")
+
+print("\nWriting the contents into " + output_f + " ...")
+
+f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+#print("Bundle:")
+print("\nBye bye!")
+
+
-- 
2.45.2
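Review bot: `my_identity = Identity(name = myname, identity_class = i_class)` references `i_class`, whose only assignment `#i_class = "organization"` is commented out, so the script raises `NameError` before any hash is read; restoring `i_class = "organization"` fixes it, and the empty `myname = ""` is worth revisiting at the same time since that is the author identity written into every bundle. The lines read from `--file` are spliced into the STIX pattern unvalidated, so a blank, truncated or quote-containing line yields an indicator whose pattern does not describe a SHA-256 match (or is not a valid pattern at all, as a `'` in `MA_name` also would be); the loop below checks each line against `[0-9a-fA-F]{64}` (needs `import re` in the import block) and reports what it skipped. The three `open()` calls (`file2`, the `open(myfile2)` inside `num_lines2`, and `f_o`) are never closed, so the bundle write relies on interpreter shutdown to flush it; `with` blocks fix that. Registering objects through `locals()["indicator_SHA256_" + str(count)]` and re-reading the file for `num_lines2` can be replaced by appending to the `my_indicators_SHA256`/`my_relationships_SHA256` lists the bundle step already builds, which also keeps the counts consistent when lines are skipped. `printin_bundle` is defined but never called and its body is duplicated at the end of the script.
```python
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")  # needs `import re` in the import block

my_indicators_SHA256 = []
my_relationships_SHA256 = []
with open(myfile2, 'r') as file2:
    for lineno, line2 in enumerate(file2, 1):
        hash_value = line2.strip()
        if not SHA256_RE.fullmatch(hash_value):
            print("skipping line " + str(lineno) + ": not a SHA-256 hex digest")
            continue
        indicator = Indicator(name=hash_value,
                              pattern="[file:name = '" + MA_name + "' AND file:hashes.'sha256' = '" + hash_value + "']",
                              spec_version="2.1",
                              pattern_type="stix")
        my_indicators_SHA256.append(indicator)
        my_relationships_SHA256.append(Relationship(relationship_type=typer,
                                                    source_ref=indicator.id,
                                                    target_ref=malware.id))

# … unchanged: Bundle creation and print …
output_f = MA_name + "_SHA256_Bundle.json"
with open(output_f, "x") as f_o:
    f_o.write(my_bundle.serialize(pretty=True))
```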