In [1]:
from stix2 import FileSystemSource

# Local checkout of the MITRE ATT&CK Enterprise STIX bundle.  The directory
# sits next to the notebook here; when the whole cti repository is checked out
# the equivalent path is './cti/enterprise-attack'.
ATTACK_DIR = './enterprise-attack'

# Read-only STIX data source backed by that directory; every later query
# in the notebook goes through `fs`.
fs = FileSystemSource(ATTACK_DIR)

In [2]:
from stix2 import Filter

# Every malware SDO in the local ATT&CK bundle
malware_filter = Filter("type", "=", 'malware')
malwares = fs.query(malware_filter)

# Narrow the list down to the Emotet entry (ATT&CK software S0367)
emotets = list(filter(lambda m: m.name == 'Emotet', malwares))

In [3]:
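# Fail with a readable message instead of a bare IndexError when the filter
# above matched nothing (e.g. a fresh kernel pointed at the wrong data directory).
assert emotets, "no STIX object named 'Emotet' found in the local ATT&CK source"
emotets[0].id    # View Emotet's id (this value is reused by the next cell)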

'malware--32066e94-3112-48ca-b9eb-ba2b59d2f023'

In [4]:
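# Query every relationship whose *source* is Emotet (e.g. Emotet --uses--> technique).
# Relationships that point *at* Emotet (via target_ref) are deliberately not
# collected, because the next cells treat every target_ref as a technique id.
emotet_id = emotets[0].id   # same value as the literal shown above, no longer hard-coded
all_rs = fs.query(Filter("type", "=", 'relationship'))
relationships = [r for r in all_rs if r.source_ref == emotet_id]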

In [5]:
# Inspect the first Emotet relationship in full (pretty-printed STIX JSON)
first_relationship = relationships[0]
print(first_relationship)

{
    "type": "relationship",
    "id": "relationship--e834920f-bc30-458e-b56e-80947d3a7c6e",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2019-03-26T17:48:52.139Z",
    "modified": "2019-06-28T15:25:29.477Z",
    "relationship_type": "uses",
    "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed injecting in to Explorer.exe and other processes.",
    "source_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023",
    "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
    "external_references": [
        {
            "source_name": "Picus Emotet Dec 2018",
            "description": "\u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.",
            "url": "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html"
        },
        {
  

In [6]:
# One target_ref per relationship — in this data set those are the ids of
# the attack-pattern (technique) objects Emotet is linked to.
patterns = [r.target_ref for r in relationships]

In [7]:
patterns    # The technique ids collected above, one per Emotet relationship

['attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d',
 'attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580',
 'attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a',
 'attack-pattern--ffe742ed-9100-4686-9e00-c331da544787',
 'attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd',
 'attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5',
 'attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638',
 'attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529',
 'attack-pattern--6aac77c4-eaf2-4366-8c13-ce50ab951f38',
 'attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81',
 'attack-pattern--f4882e23-8aa7-4b12-b28a-b349c12ee9e0',
 'attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00',
 'attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055',
 'attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9',
 'attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c',
 'attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22',
 'attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5',
 'attack-pattern--478aa214-2ca7

In [8]:
# Load every attack-pattern (technique) object from the local ATT&CK source;
# `att` is the list the id -> name lookup below is resolved against.
filt = Filter('type', '=', 'attack-pattern')
att = list(fs.query(filt))

In [9]:
att[0]    # Rich repr of the first attack-pattern object, to see which properties it carries

AttackPattern(type='attack-pattern', id='attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2018-04-18T17:59:24.739Z', modified='2019-10-07T19:59:25.985Z', name='Data from Information Repositories', description='Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\n\nThe following is a brief list of example information that may hold potential value to an adversary and m

In [10]:
# Size of this ATT&CK snapshot (266 techniques when this was run) and the
# id of the first one, each on its own line.
print(len(att), att[0].id, sep="\n")

266
attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416


In [12]:
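# Resolve each of Emotet's technique ids to its ATT&CK name.
# Index the attack patterns once so each lookup is a dict hit instead of a
# rescan of all ~266 objects per id; ids with no matching attack-pattern are
# skipped silently, exactly as the nested-loop version did.  The loop variable
# is not called `id` so the builtin of that name is not shadowed for the rest
# of the kernel session.
att_by_id = {a.id: a for a in att}
for pattern_id in patterns:
    if pattern_id in att_by_id:
        print(att_by_id[pattern_id].name)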

Data Encrypted
Standard Cryptographic Protocol
Credentials in Files
Brute Force
Windows Management Instrumentation
Custom Command and Control Protocol
Windows Admin Shares
Valid Accounts
Registry Run Keys / Startup Folder
Spearphishing Link
Exfiltration Over Command and Control Channel
Exploitation of Remote Services
Commonly Used Port
Scheduled Task
PowerShell
Scripting
Uncommonly Used Port
User Execution
Obfuscated Files or Information
Credential Dumping
Network Sniffing
Spearphishing Attachment
Software Packing
Process Discovery
Process Injection
Email Collection
New Service
Command-Line Interface


### More TAXII Queries

In [16]:
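import os

from stix2 import TAXIICollectionSource
from taxii2client import Collection

# Connection details for the local medallion demo server.  The username and
# password are read from the environment so that a real credential never has
# to be written into (and committed with) the notebook; the fallbacks are the
# demo server's defaults.  Plain http is acceptable only because the server is
# on loopback — a TAXII endpoint on another host must be reached over https.
TAXII_URL = os.environ.get(
    "TAXII_URL",
    "http://127.0.0.1:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/",
)
TAXII_USER = os.environ.get("TAXII_USER", "admin")
TAXII_PASSWORD = os.environ.get("TAXII_PASSWORD", "Password0")

# establish TAXII2 Collection instance
collection = Collection(TAXII_URL, user=TAXII_USER, password=TAXII_PASSWORD)
# supply the TAXII2 collection to TAXIICollectionSource
tc_source = TAXIICollectionSource(collection)

# retrieve STIX objects by id (not yet run — needs the server above to be up)
# stix_obj = tc_source.get("malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111")
# stix_obj_versions = tc_source.all_versions("indicator--a932fcc6-e032-476c-826f-cb970a5a1ade")

# #for visual purposes
# print(stix_obj)
# print("-------")
# for so in stix_obj_versions:
#     print(so)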

ConnectionError: HTTPConnectionPool(host='127.0.0.1', port=5000): Max retries exceeded with url: /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x10bbf9780>: Failed to establish a new connection: [Errno 61] Connection refused',))

In [20]:
from taxii2client import Collection
from stix2 import CompositeDataSource, FileSystemSource, TAXIICollectionSource

# Local ATT&CK bundle as a FileSystemSource (same directory as at the top of
# the notebook; re-binding `fs` keeps this cell runnable on its own).
fs = FileSystemSource("./enterprise-attack")

# TAXII collection on the local medallion server.
# NOTE(review): no user/password is passed here, unlike the Collection built
# in the cell above — confirm the server permits anonymous reads.
TAXII_COLLECTION_URL = 'http://127.0.0.1:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/'
colxn = Collection(TAXII_COLLECTION_URL)
ts = TAXIICollectionSource(colxn)

# Next step (not yet run): merge both into one CompositeDataSource so a single
# get() is answered by whichever source holds the object.
# cs = CompositeDataSource()
# cs.add_data_sources([fs,ts])

# # get an object that is only in the filesystem
# intrusion_set = cs.get('intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a')
# print(intrusion_set)

# # get an object that is only in the TAXII collection
# ind = cs.get('indicator--02b90f02-a96a-43ee-88f1-1e87297941f2')
# print(ind)

ConnectionError: HTTPConnectionPool(host='127.0.0.1', port=5000): Max retries exceeded with url: /trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x10bab69e8>: Failed to establish a new connection: [Errno 61] Connection refused',))

In [21]:
from taxii2client import Collection

import stix2

# This example is based on the medallion server with default_data.json
# See https://github.com/oasis-open/cti-taxii-server for more information


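def main():
    """Walk through the basic TAXIICollectionSource operations — get(),
    all_versions() and query() with a filter — against one collection of a
    local medallion server, printing every object that comes back.

    Connection details are read from the environment (TAXII_URL, TAXII_USER,
    TAXII_PASSWORD) so no credential is embedded in the notebook; the fallbacks
    are the medallion demo server's defaults.  Plain http is only acceptable
    for this loopback demo — use https for any TAXII server on another host.

    Returns:
        None; all results are printed.

    Raises:
        A connection error from the underlying HTTP client when nothing is
        listening at the configured URL (see the recorded output below).
    """
    import os   # local import keeps this cell self-contained in the notebook

    collection = Collection(
        os.environ.get(
            "TAXII_URL",
            "http://127.0.0.1:5000/trustgroup1/collections/52892447-4d7e-4f70-b94d-d7f22742ff63/",
        ),
        user=os.environ.get("TAXII_USER", "admin"),
        password=os.environ.get("TAXII_PASSWORD", "Password0"),
    )

    # instantiate TAXII data source
    taxii = stix2.TAXIICollectionSource(collection)

    # get (url watch indicator) — latest version only
    indicator_fw = taxii.get("indicator--00000000-0000-4000-8000-000000000001")
    print("\n\n-------Queried for Indicator - got:")
    print(indicator_fw.serialize(indent=4))

    # all versions (url watch indicator - currently two)
    indicator_fw_versions = taxii.all_versions("indicator--00000000-0000-4000-8000-000000000001")
    print("\n\n------Queried for indicator (all_versions()) - got:")
    for indicator in indicator_fw_versions:
        print(indicator.serialize(indent=4))

    # add TAXII filter (ie filter should be passed to TAXII)
    query_filter = stix2.Filter("type", "in", "malware")

    # query() - but with filter attached. There are no malware objects in this
    # collection, so the loop prints nothing and the empty result is shown instead.
    malwares = taxii.query(query=query_filter)
    print("\n\n\n--------Queried for Malware string (with above filter attached) - got:")
    for malware in malwares:
        print(malware.serialize(indent=4))
    if not malwares:
        print(malwares)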


# Inside a notebook kernel __name__ is "__main__", so main() runs as soon as
# this cell is executed (the connection error below came from this call).
if __name__ == "__main__":
    main()

ConnectionError: HTTPConnectionPool(host='127.0.0.1', port=5000): Max retries exceeded with url: /trustgroup1/collections/52892447-4d7e-4f70-b94d-d7f22742ff63/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x10bc0f550>: Failed to establish a new connection: [Errno 61] Connection refused',))