In [100]:
import json
import os

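def extract_threat_actors_from_folder(folder_path):
    """Collect one threat-actor record per STIX JSON file in ``folder_path``.

    Every regular ``*.json`` file is parsed and handed to
    ``extract_threat_actor``. Files that are not valid JSON (or not valid
    UTF-8) are reported on stdout and skipped; files that contain no
    ``intrusion-set`` object contribute nothing (the original appended an
    empty ``{}`` for them, which later breaks ``threat_actor['id']`` lookups).

    Args:
        folder_path: Directory holding one STIX bundle per file.

    Returns:
        List of ``{'id': ..., 'name': ...}`` dicts in directory-listing order.

    Raises:
        FileNotFoundError / NotADirectoryError: when ``folder_path`` is not a
        readable directory (propagated from ``os.listdir``).
    """
    threat_actors = []

    for file_name in os.listdir(folder_path):
        file_path = os.path.join(folder_path, file_name)

        # Regular .json files only; sub-directories and stray files are skipped.
        if not (file_name.endswith('.json') and os.path.isfile(file_path)):
            continue

        # JSON (and therefore STIX) is UTF-8 by specification; the platform
        # default codec may not be, so name it explicitly.
        with open(file_path, 'r', encoding='utf-8') as json_file:
            try:
                json_data = json.load(json_file)
            except (json.JSONDecodeError, UnicodeDecodeError):
                print(f"Error parsing JSON file: {file_path}")
                continue

        threat_actor = extract_threat_actor(json_data)
        if threat_actor:
            threat_actors.append(threat_actor)

    return threat_actors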

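def extract_threat_actor(json_data):
    """Return the first ``intrusion-set`` object of a STIX bundle as a small dict.

    Args:
        json_data: Parsed STIX bundle, i.e. a dict with an ``objects`` list.

    Returns:
        ``{'id': ..., 'name': ...}`` for the first intrusion-set object found,
        or ``{}`` when ``json_data`` is not a dict, has no ``objects`` list,
        or holds no intrusion-set.
    """
    objects = json_data.get('objects') if isinstance(json_data, dict) else None
    if not isinstance(objects, list):
        return {}

    for obj in objects:
        # Non-dict entries cannot be STIX objects; skip them rather than raise.
        if isinstance(obj, dict) and obj.get('type') == 'intrusion-set':
            # Stop at the first match, as extract_malware / extract_relationship
            # in this notebook do. The original kept overwriting and returned
            # the *last* match, which only agrees when a file holds one object.
            return {
                'id': obj.get('id'),
                'name': obj.get('name'),
                # Further fields (e.g. 'aliases', 'description') can be added here.
            }

    return {}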


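# Folder of per-object STIX bundles (one intrusion-set per file).
# Raw string: the original non-raw literal only worked because '\P', '\C',
# '\e' and '\i' are *unrecognised* escapes (a SyntaxWarning from Python 3.12);
# the resulting value is unchanged. The absolute local path is still a
# portability smell; a config-cell constant or environment variable would be
# the usual fix.
folder_path = r'F:\Projects\CTI\enterprise-attack\intrusion-set'

# Extract threat actors from the folder
threat_actors = extract_threat_actors_from_folder(folder_path)

# Show each record and the total count
for threat_actor in threat_actors:
    print(threat_actor)
print(len(threat_actors))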

{'id': 'intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340', 'name': 'APT38'}
{'id': 'intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae', 'name': 'ALLANITE'}
{'id': 'intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1', 'name': 'Dragonfly'}
{'id': 'intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb', 'name': 'FIN6'}
{'id': 'intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc', 'name': 'FIN7'}
{'id': 'intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192', 'name': 'Sandworm Team'}
{'id': 'intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d', 'name': 'OilRig'}
{'id': 'intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6', 'name': 'APT34'}
{'id': 'intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71', 'name': 'Dragonfly 2.0'}
{'id': 'intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4', 'name': 'TEMP.Veles'}
{'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133', 'name': 'GOLD SOUTHFIELD'}
{'id': 'intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a', 'name': 'Lazarus Group'}
{'id': 

In [103]:
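def extract_ttps_from_folder(folder_path):
    """Collect attack-pattern (TTP) records from every STIX JSON file in ``folder_path``.

    Args:
        folder_path: Directory holding STIX bundle files.

    Returns:
        Flat list of the dicts produced by ``extract_ttps`` for each file.
        Files that are not valid JSON/UTF-8 are reported on stdout and skipped,
        matching the other ``*_from_folder`` helpers in this notebook (the
        original let a single bad file abort the whole run).
    """
    ttps = []

    for filename in os.listdir(folder_path):
        file_path = os.path.join(folder_path, filename)
        if not (os.path.isfile(file_path) and filename.endswith('.json')):
            continue

        # JSON is UTF-8 by spec; don't depend on the platform default codec.
        with open(file_path, 'r', encoding='utf-8') as file:
            try:
                json_data = json.load(file)
            except (json.JSONDecodeError, UnicodeDecodeError):
                print(f"Error decoding JSON file: {file_path}")
                continue

        ttps.extend(extract_ttps(json_data))

    return ttps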

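def extract_ttps(json_data):
    """Return every ``attack-pattern`` object in a STIX bundle as a TTP dict.

    Args:
        json_data: Parsed STIX bundle (a dict with an ``objects`` list).

    Returns:
        List of ``{'id', 'name', 'external_id'}`` dicts. ``external_id`` is
        read from the object's *first* external reference, which in the
        ATT&CK data carries the technique ID (e.g. ``T1003.003``); it is
        ``None`` when that reference is missing, instead of the
        KeyError/IndexError that ``obj['external_references'][0]`` raised.
    """
    ttps = []

    objects = json_data.get('objects') if isinstance(json_data, dict) else None
    if not isinstance(objects, list):
        return ttps

    for obj in objects:
        if not (isinstance(obj, dict) and obj.get('type') == 'attack-pattern'):
            continue

        # Deliberately only the first reference: later entries may carry other
        # catalogues' IDs, so a "first reference with an external_id" fallback
        # would silently return the wrong identifier.
        references = obj.get('external_references') or []
        first_ref = references[0] if references and isinstance(references[0], dict) else {}

        ttps.append({
            'id': obj.get('id'),
            'name': obj.get('name'),
            'external_id': first_ref.get('external_id'),
        })

    return ttps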


# Example usage: every attack-pattern bundle under the enterprise folder.
folder_path = "F:\\Projects\\CTI\\enterprise-attack\\attack-pattern"
ttps = extract_ttps_from_folder(folder_path)

# One labelled line per field, records separated by '---'.
for ttp in ttps:
    for label, key in (('ID', 'id'), ('Name', 'name'), ('External_id', 'external_id')):
        print(f'{label}:', ttp[key])
    print('---')

print(len(ttps))

ID: attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61
Name: Block Command Message
External_id: T0803
---
ID: attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8
Name: Service Stop
External_id: T0881
---
ID: attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722
Name: Modify Parameter
External_id: T0836
---
ID: attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243
Name: Modify Controller Tasking
External_id: T0821
---
ID: attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72
Name: Wireless Sniffing
External_id: T0887
---
ID: attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36
Name: Loss of View
External_id: T0829
---
ID: attack-pattern--19a71d1e-6334-4233-8260-b749cae37953
Name: Activate Firmware Update Mode
External_id: T0800
---
ID: attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1
Name: Manipulation of Control
External_id: T0831
---
ID: attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b
Name: Denial of Service
External_id: T0814
---
ID: attack-pattern--1c478716-71d9-46a4-9a53-f

In [104]:
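def extract_malware_from_folder(folder_path):
    """Collect one malware record per STIX JSON file in ``folder_path``.

    Args:
        folder_path: Directory holding one STIX bundle per file.

    Returns:
        List of the non-``None`` dicts returned by ``extract_malware``, in
        directory-listing order. Files that are not valid JSON/UTF-8 are
        reported on stdout and skipped.
    """
    malware_list = []

    for filename in os.listdir(folder_path):
        file_path = os.path.join(folder_path, filename)
        # Regular .json files only, like the actor/TTP helpers above (this one
        # previously tried to parse every file in the folder).
        if not (os.path.isfile(file_path) and filename.endswith('.json')):
            continue

        # JSON is UTF-8 by spec; the platform default codec may not be.
        with open(file_path, 'r', encoding='utf-8') as file:
            try:
                json_data = json.load(file)
            except (json.JSONDecodeError, UnicodeDecodeError):
                print(f"Error decoding JSON file: {file_path}")
                continue

        try:
            malware = extract_malware(json_data)
        except KeyError:
            # extract_malware currently uses .get() and does not raise this;
            # kept so a stricter extractor degrades to a message, not a crash.
            print(f"Missing key in JSON file: {file_path}")
            continue

        if malware:
            malware_list.append(malware)

    return malware_list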


def extract_malware(json_data):
    """Return ``{'id', 'name'}`` for the first ``malware`` object in a STIX bundle.

    Args:
        json_data: Parsed STIX bundle (dict). Anything without an ``objects``
            list yields ``None``.

    Returns:
        Dict with the object's ``id`` and ``name`` (either may be ``None`` if
        absent), or ``None`` when no malware object exists.
    """
    objects = json_data['objects'] if 'objects' in json_data else None
    if not isinstance(objects, list):
        return None

    # Lazily scan for the first malware object; remaining entries are ignored.
    hits = (obj for obj in objects if obj.get('type') == 'malware')
    first = next(hits, None)
    if first is None:
        return None

    return {'id': first.get('id'), 'name': first.get('name')}


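# Example usage: every malware bundle under the enterprise folder.
# Raw string: "\P", "\C", "\e" and "\m" in the original non-raw literal are
# unrecognised escapes (a SyntaxWarning from Python 3.12); the value is
# unchanged. The absolute local path itself belongs in a config constant.
folder_path = r"F:\Projects\CTI\enterprise-attack\malware"
malware_objects = extract_malware_from_folder(folder_path)

for malware in malware_objects:
    print(f"ID: {malware['id']}, Name: {malware['name']}")

print(len(malware_objects))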

ID: malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5, Name: EKANS
ID: malware--083bb47b-02c8-4423-81a2-f9ef58572974, Name: Backdoor.Oldrea
ID: malware--088f1d6e-0783-47c6-9923-9c79b2af43d4, Name: Stuxnet
ID: malware--1d8dccb3-e779-4702-aeb1-6627a22cc585, Name: Industroyer
ID: malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec, Name: Bad Rabbit
ID: malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a, Name: Bad Rabbit
ID: malware--496bff4d-0700-4b28-b06f-f30a63002be7, Name: Stuxnet
ID: malware--49c04994-1035-4b58-89b7-cf8956e3b423, Name: Conficker
ID: malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe, Name: PLC-Blaster
ID: malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4, Name: BlackEnergy
ID: malware--5719af9d-6b16-46f9-9b28-fb019541ddbb, Name: NotPetya
ID: malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55, Name: Conficker
ID: malware--5af7a825-2d9f-400d-931a-e00eb9e27f48, Name: LockerGoga
ID: malware--6108f800-10b8-4090-944e-be579f01263d, Name: VPNFilter
ID: malware--68dca94f-c11d-421e-9287-7c501108e18c, Name:

In [105]:

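def extract_relationships_from_folder(folder_path):
    """Collect one relationship record per STIX JSON file in ``folder_path``.

    Args:
        folder_path: Directory holding one STIX bundle per file.

    Returns:
        List of the non-``None`` dicts returned by ``extract_relationship``,
        in directory-listing order. Files that are not valid JSON/UTF-8 are
        reported on stdout and skipped.
    """
    relationships = []

    for filename in os.listdir(folder_path):
        file_path = os.path.join(folder_path, filename)
        # Regular .json files only, consistent with the other *_from_folder
        # helpers (this one previously tried to parse every file).
        if not (os.path.isfile(file_path) and filename.endswith('.json')):
            continue

        # JSON is UTF-8 by spec; the platform default codec may not be.
        with open(file_path, 'r', encoding='utf-8') as file:
            try:
                json_data = json.load(file)
            except (json.JSONDecodeError, UnicodeDecodeError):
                print(f"Error decoding JSON file: {file_path}")
                continue

        try:
            relationship = extract_relationship(json_data)
        except KeyError:
            # extract_relationship currently uses .get() and does not raise
            # this; kept so a stricter extractor degrades to a message.
            print(f"Missing key in JSON file: {file_path}")
            continue

        if relationship:
            relationships.append(relationship)

    return relationships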


def extract_relationship(json_data):
    """Summarise the first STIX ``relationship`` object in a bundle.

    Args:
        json_data: Parsed STIX bundle (dict).

    Returns:
        ``{'id', 'type', 'source_ref', 'target_ref'}`` where ``type`` is the
        STIX ``relationship_type`` (``uses``, ``mitigates``, ``detects`` ...),
        or ``None`` when the bundle has no ``objects`` list or no relationship.
    """
    if not ('objects' in json_data and isinstance(json_data['objects'], list)):
        return None

    for obj in json_data['objects']:
        if obj.get('type') != 'relationship':
            continue
        # First match only; any further relationship objects are ignored.
        return {
            'id': obj.get('id'),
            'type': obj.get('relationship_type'),
            'source_ref': obj.get('source_ref'),
            'target_ref': obj.get('target_ref'),
        }

    return None

# Example usage: every relationship bundle under the enterprise folder.
folder_path = "F:\\Projects\\CTI\\enterprise-attack\\relationship"
relationships = extract_relationships_from_folder(folder_path)

# One labelled line per field, records separated by '---'.
for relationship in relationships:
    for label, key in (('ID', 'id'), ('Type', 'type'),
                       ('Source Ref', 'source_ref'), ('Target Ref', 'target_ref')):
        print(f'{label}:', relationship[key])
    print('---')

print(len(relationships))


ID: relationship--00b98fa6-4913-40a4-8920-befed8621c41
Type: detects
Source Ref: x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa
Target Ref: attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92
---
ID: relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6
Type: mitigates
Source Ref: course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a
Target Ref: attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9
---
ID: relationship--01b4a92f-da42-4dfa-8d59-53709b65940e
Type: mitigates
Source Ref: course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48
Target Ref: attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8
---
ID: relationship--0278ddbc-67d5-444d-8082-bf9974dee920
Type: detects
Source Ref: x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e
Target Ref: attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101
---
ID: relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81
Type: mitigates
Source Ref: course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549
Target Ref: attack-pattern

ID: relationship--97538255-b049-4d15-91c4-6b227cbea476
Type: detects
Source Ref: x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95
Target Ref: attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92
---
ID: relationship--97641754-f215-4b8f-b0cd-0d3142053c76
Type: detects
Source Ref: x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd
Target Ref: attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707
---
ID: relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204
Type: mitigates
Source Ref: course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e
Target Ref: attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03
---
ID: relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab
Type: detects
Source Ref: x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa
Target Ref: attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722
---
ID: relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2
Type: mitigates
Source Ref: course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549
Target Ref: attack-pat

In [89]:
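def get_entity_name_enterprise(rels=None, actors=None, techniques=None, malwares=None, name_prefix='APT'):
    """Join relationships to actor names and to TTP IDs / malware names.

    For every relationship whose ``source_ref`` is an ``intrusion-set`` and
    whose ``target_ref`` is an ``attack-pattern`` or ``malware`` that is known,
    emit ``{'name', 'type', 'ttp'}`` or ``{'name', 'type', 'malware'}``,
    keeping only actors whose name starts with ``name_prefix``.

    Args:
        rels: relationship dicts; defaults to the notebook-level ``relationships``.
        actors: threat-actor dicts; defaults to ``threat_actors``.
        techniques: TTP dicts; defaults to ``ttps``.
        malwares: malware dicts; defaults to ``malware_objects``.
        name_prefix: actor-name filter. ``'APT'`` reproduces the original
            hard-coded behaviour; ``''`` keeps every actor.

    Returns:
        List of records in relationship order.
    """
    if rels is None:
        rels = relationships
    if actors is None:
        actors = threat_actors
    if techniques is None:
        techniques = ttps
    if malwares is None:
        malwares = malware_objects

    # Index each list once instead of rescanning it per relationship.
    # setdefault keeps the *first* entry for a duplicated id, as the original
    # linear scans with `break` did.
    actor_name_by_id = {}
    for actor in actors:
        actor_name_by_id.setdefault(actor.get('id'), actor.get('name'))
    ttp_external_id_by_id = {}
    for ttp in techniques:
        ttp_external_id_by_id.setdefault(ttp.get('id'), ttp.get('external_id'))
    malware_name_by_id = {}
    for malware in malwares:
        malware_name_by_id.setdefault(malware.get('id'), malware.get('name'))

    entity_data = []
    for relationship in rels:
        source_ref = relationship.get('source_ref') or ''
        target_ref = relationship.get('target_ref') or ''
        if not source_ref.startswith('intrusion-set'):
            continue

        # The original only assigned threat_actor_name on a match, so an
        # unknown actor either raised NameError or silently reused the name
        # from the previous iteration (mis-attributing the relationship).
        if source_ref not in actor_name_by_id:
            continue
        threat_actor_name = actor_name_by_id[source_ref]
        if not (isinstance(threat_actor_name, str) and threat_actor_name.startswith(name_prefix)):
            continue

        if target_ref.startswith('attack-pattern'):
            if target_ref in ttp_external_id_by_id:
                entity_data.append({
                    'name': threat_actor_name,
                    'type': relationship.get('type'),
                    'ttp': ttp_external_id_by_id[target_ref],
                })
        elif target_ref.startswith('malware'):
            if target_ref in malware_name_by_id:
                entity_data.append({
                    'name': threat_actor_name,
                    'type': relationship.get('type'),
                    'malware': malware_name_by_id[target_ref],
                })

    return entity_data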



### Reuse the above code to generate the same dictionaries for mobile attacks and ICS attacks

In [122]:
# Enterprise ATT&CK join: (APT-prefixed) actor -> TTP / malware records. Reads
# the notebook-level `relationships`, `threat_actors`, `ttps` and
# `malware_objects` lists built in the cells above, so those must run first.
enterprise_dict = get_entity_name_enterprise()

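def append_dictionaries(enterprise_dict, mobile_dict, ics_dict):
    """Concatenate the enterprise, mobile and ICS record lists into a new list.

    Despite the name, each argument is a *list* of record dicts (as produced
    by ``get_entity_name_enterprise`` and its mobile/ICS counterparts). The
    inputs are not modified.

    Args:
        enterprise_dict: records for Enterprise ATT&CK.
        mobile_dict: records for Mobile ATT&CK.
        ics_dict: records for ICS ATT&CK.

    Returns:
        A fresh list: enterprise records, then mobile, then ICS.
    """
    # The original ignored mobile_dict / ics_dict and appended the notebook
    # globals `s` and `t` instead; the parameters are what callers pass.
    appended_dict = list(enterprise_dict)
    appended_dict.extend(mobile_dict)
    appended_dict.extend(ics_dict)
    return appended_dict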
# `s` and `t` are presumably the mobile and ICS record lists produced by the
# reused cells (not shown here) — TODO confirm; the positional order must be
# (enterprise, mobile, ics).
qu = append_dictionaries(enterprise_dict,s,t)

print(len(qu))
qu  # last expression: rich display of the combined records

679


[{'name': 'APT28', 'type': 'uses', 'ttp': 'T1003.003'},
 {'name': 'APT29', 'type': 'uses', 'malware': 'PinchDuke'},
 {'name': 'APT39', 'type': 'uses', 'ttp': 'T1046'},
 {'name': 'APT38', 'type': 'uses', 'ttp': 'T1486'},
 {'name': 'APT19', 'type': 'uses', 'ttp': 'T1547.001'},
 {'name': 'APT29', 'type': 'uses', 'malware': 'WellMail'},
 {'name': 'APT37', 'type': 'uses', 'ttp': 'T1547.001'},
 {'name': 'APT41', 'type': 'uses', 'ttp': 'T1078'},
 {'name': 'APT39', 'type': 'uses', 'ttp': 'T1547.001'},
 {'name': 'APT29', 'type': 'uses', 'malware': 'CozyCar'},
 {'name': 'APT28', 'type': 'uses', 'ttp': 'T1589.001'},
 {'name': 'APT38', 'type': 'uses', 'ttp': 'T1033'},
 {'name': 'APT39', 'type': 'uses', 'ttp': 'T1090.002'},
 {'name': 'APT32', 'type': 'uses', 'ttp': 'T1550.002'},
 {'name': 'APT39', 'type': 'uses', 'ttp': 'T1140'},
 {'name': 'APT30', 'type': 'uses', 'malware': 'SHIPSHAPE'},
 {'name': 'APT28', 'type': 'uses', 'ttp': 'T1564.001'},
 {'name': 'APT37', 'type': 'uses', 'ttp': 'T1120'},
 {'

In [153]:

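def _cypher_string(value):
    """Render ``value`` as a single-quoted Cypher string literal.

    Backslashes and single quotes are escaped so a name taken from the CTI
    feed that happens to contain ``'`` or ``\\`` neither breaks the statement
    nor changes its structure. Values are data from a third-party dataset,
    so they should never be spliced into query text unescaped; when these
    statements are sent through a driver rather than printed, query
    parameters (``$name``) are the better option.
    """
    escaped = str(value).replace('\\', '\\\\').replace("'", "\\'")
    return f"'{escaped}'"


node_queries = []
relationship_queries = []
processed_names = set()
processed_ttps = set()
processed_malware = set()

for item in qu:
    # One CREATE per distinct actor / TTP / malware. The processed_* sets only
    # dedupe within this cell: running the emitted CREATE statements against
    # a graph that already holds these nodes duplicates them (MERGE would not).
    if 'name' in item:
        name = item['name']
        if name not in processed_names:
            node_queries.append(f"CREATE (:Threat_actor {{name: {_cypher_string(name)}}})")
            processed_names.add(name)

    if 'ttp' in item:
        ttp = item['ttp']
        if ttp not in processed_ttps:
            node_queries.append(f"CREATE (:TTP {{ttp: {_cypher_string(ttp)}}})")
            processed_ttps.add(ttp)

        # Relationship type is fixed to USES; item['type'] is not consulted.
        relationship_queries.append(
            f"MATCH (n:Threat_actor {{name: {_cypher_string(item['name'])}}}), "
            f"(t:TTP {{ttp: {_cypher_string(ttp)}}})\nCREATE (n)-[:USES]->(t);"
        )

    elif 'malware' in item:
        malware = item['malware']
        if malware not in processed_malware:
            node_queries.append(f"CREATE (:Malware {{malware: {_cypher_string(malware)}}})")
            processed_malware.add(malware)

        relationship_queries.append(
            f"MATCH (n:Threat_actor {{name: {_cypher_string(item['name'])}}}), "
            f"(m:Malware {{malware: {_cypher_string(malware)}}})\nCREATE (n)-[:USES]->(m);"
        )


for query in node_queries + relationship_queries:
    print(query)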


CREATE (:Threat_actor {name: 'APT28'})
CREATE (:TTP {ttp: 'T1003.003'})
CREATE (:Threat_actor {name: 'APT29'})
CREATE (:Malware {malware: 'PinchDuke'})
CREATE (:Threat_actor {name: 'APT39'})
CREATE (:TTP {ttp: 'T1046'})
CREATE (:Threat_actor {name: 'APT38'})
CREATE (:TTP {ttp: 'T1486'})
CREATE (:Threat_actor {name: 'APT19'})
CREATE (:TTP {ttp: 'T1547.001'})
CREATE (:Malware {malware: 'WellMail'})
CREATE (:Threat_actor {name: 'APT37'})
CREATE (:Threat_actor {name: 'APT41'})
CREATE (:TTP {ttp: 'T1078'})
CREATE (:Malware {malware: 'CozyCar'})
CREATE (:TTP {ttp: 'T1589.001'})
CREATE (:TTP {ttp: 'T1033'})
CREATE (:TTP {ttp: 'T1090.002'})
CREATE (:Threat_actor {name: 'APT32'})
CREATE (:TTP {ttp: 'T1550.002'})
CREATE (:TTP {ttp: 'T1140'})
CREATE (:Threat_actor {name: 'APT30'})
CREATE (:Malware {malware: 'SHIPSHAPE'})
CREATE (:TTP {ttp: 'T1564.001'})
CREATE (:TTP {ttp: 'T1120'})
CREATE (:Threat_actor {name: 'APT12'})
CREATE (:TTP {ttp: 'T1204.002'})
CREATE (:Threat_actor {name: 'APT3'})
CREATE