In [1]:
import stix2 
import itertools


In [2]:
# Time window the report covers: first known activity and the report's publication date.
# Both are ISO-8601 UTC strings, the form stix2 accepts for first_observed/last_observed,
# valid_from and published below.
firstActivity, reportDate = (
    "2007-04-27T09:00:00.000Z",
    "2013-01-27T09:00:00.000Z",
)

# Observed Data - 2 each

## File

In [3]:
# Sample attachment filenames that were sent to some of the victims.
# Each filename becomes its own File observable; STIX 2.0 observed-data keys its
# objects by arbitrary strings, so the list position is used as the key.
attachmentNames = ["Katyn_-_opinia_Rosjan.xls", "FIEO contacts update.xls"]

obs_emailFiles = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={str(idx): stix2.File(name=fname) for idx, fname in enumerate(attachmentNames)},
)


## URL

In [4]:
# Checks if the internet connection is available by connecting to three Microsoft hosts.
# NOTE(review): these values are bare hostnames without a scheme; a STIX 2.0 URL value is
# expected to be a full URL, so DomainName observables may be the more accurate type.
# They are also legitimate Microsoft hosts, i.e. connectivity checks, not IoCs on their own.
connectivityHosts = ("update.microsoft.com", "www.microsoft.com", "support.microsoft.com")

obs_checkConnectionUrl = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={str(idx): stix2.URL(value=host) for idx, host in enumerate(connectivityHosts)},
)

## Process

In [5]:
# loader module, observed as a process named svchost.exe.
# svchost.exe is also a legitimate Windows process name, so the name alone is a weak
# indicator; it is recorded here as an observation, not as a detection rule.
loaderProcess = stix2.Process(name="svchost.exe")

obs_loaderProc = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={"0": loaderProcess},
)


## HTTP Request

In [6]:
# HTTP POST from the implant to the C2 address (script download), recorded as a
# network-traffic observable whose dst_ref points at the ipv4-addr observable.
# The plain-dict form is used here because stix2 accepts raw observable dicts as well
# as SCO classes; keys "0" and "2" are kept as in the original (keys are arbitrary strings).
c2Address = {"type": "ipv4-addr", "value": "178.63.208.49"}

httpRequestExtension = {
    "request_method": "post",
    "request_value": "/cgi-bin/nt/th",
    "request_version": "http/1.1",
    "request_header": {"Host": "nt-windows-online.com"},
}

scriptDownloadTraffic = {
    "type": "network-traffic",
    "dst_ref": "0",
    "protocols": ["http", "ipv4", "tcp"],
    "extensions": {"http-request-ext": httpRequestExtension},
}

obs_scriptDownload = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=11,
    objects={"0": c2Address, "2": scriptDownloadTraffic},
)
  

## Software

In [7]:
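# Office applications whose documents carried the exploit code (the Excel/Word CVEs are
# modelled as Vulnerability objects later in the notebook).
# "Excel" corrects the original typo "Exal"; vendor and the Word entry are unchanged.
obs_software = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={
        "0": stix2.Software(name="Word", vendor="Microsoft"),
        "1": stix2.Software(name="Excel", vendor="Microsoft"),
    },
)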


## Domain Name

In [8]:
# Domain names seen in the traffic. nt-windows-online.com is the C2 Host header used in
# the HTTP request observable; microsoft.com is a benign domain (connectivity check).
# Keeping both in one observed-data object means the consumer cannot tell malicious from
# benign by this object alone — the Indicator objects carry that judgement.
observedDomains = ("nt-windows-online.com", "microsoft.com")

obs_domain = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={str(idx): stix2.DomainName(value=d) for idx, d in enumerate(observedDomains)},
)


## IPv4 Address

In [9]:
# IPv4 addresses observed in the traffic (values as given in the report this notebook models).
observedAddresses = ("31.41.45.139", "91.226.31.40")

obs_ipv4 = stix2.ObservedData(
    first_observed=firstActivity,
    last_observed=reportDate,
    number_observed=1,
    objects={str(idx): stix2.IPv4Address(value=ip) for idx, ip in enumerate(observedAddresses)},
)

In [10]:
observedList = [obs_checkConnectionUrl, obs_emailFiles, obs_loaderProc, obs_scriptDownload, obs_domain, obs_ipv4, obs_software]

# Identity (victim) - up to 5

In [11]:
def _organization(name):
    """Identity SDO for a victim organization (identity_class is always 'organization')."""
    return stix2.Identity(name=name, identity_class="organization")


# Victim identities named in the report.
target_algeria = _organization("Algeria Embassy")
target_israel = _organization("Israel Embassy")
target_qatar = _organization("Qatar Embassy")
target_iraq = _organization("Iraq Governmental Organization")
target_spain = _organization("Spain Governmental Organization")

targetList = [target_algeria, target_israel, target_qatar, target_iraq, target_spain]

# Tool - 5

In [12]:
# Tools referenced by the attack. Labels are STIX 2.0 tool-label-ov values:
# socat relays traffic (network-capture); Acid Cryptofiler is the encryption software
# whose files the spying modules collect (credential-exploitation).
toolsList = [
    stix2.Tool(name="socat", labels=["network-capture"]),
    stix2.Tool(name="Acid Cryptofiler", labels=["credential-exploitation"]),
]
tool_socat, tool_acidCrypt = toolsList

# Vulnerability - 5

In [13]:
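def _cve_vulnerability(cve_id, description):
    """Vulnerability SDO named by its CVE id, with a matching 'cve' external reference.

    Args:
        cve_id: the CVE identifier, used both as the object name and as external_id.
        description: short free-text description of the affected product.
    """
    return stix2.Vulnerability(
        name=cve_id,
        description=description,
        external_references=[stix2.ExternalReference(source_name="cve", external_id=cve_id)],
    )


# Office document vulnerabilities exploited by the e-mail attachments.
vul_office1 = _cve_vulnerability("CVE-2009-3129", "Vulnerability in MS Excel")
vul_office2 = _cve_vulnerability("CVE-2010-3333", "Vulnerability in MS Word")
vul_office3 = _cve_vulnerability("CVE-2012-0158", "Vulnerability in MS Word")
# Named by its CVE id like the other three (the original used the exploit's nickname
# "Rhino" as the name while the external reference already carried CVE-2011-3544).
vul_java = _cve_vulnerability("CVE-2011-3544", "Vulnerability in Java")

vulList = [vul_office1, vul_office2, vul_office3, vul_java]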

# Malware - 5

In [14]:
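# Malware families. Labels are STIX 2.0 malware-label-ov values.
malware_dropper = stix2.Malware(
    name="Trojan.Win32.Generic",
    labels=["dropper", "trojan"],
)

# Name corrected from the original typo "Unknwon"; the backdoor has no vendor name in the
# report and is identified only by its file name LHAFD.GCP.
malware_backdoor = stix2.Malware(
    name="Unknown (LHAFD.GCP)",
    labels=["backdoor", "trojan"],
)

malwareList = [malware_dropper, malware_backdoor]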

# Threat Actor - 1

In [15]:
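# The (unattributed) threat actor. labels/roles/sophistication use STIX 2.0 open-vocabulary
# values. The description fixes the original "toany" typo; the attribution claim is kept
# as the author's assessment, not as an established fact.
attackers = stix2.ThreatActor(
    name="Unknown",
    labels=["spy"],
    description=(
        "Strongly believe that the attackers have Russian-speaking origins. Current attackers "
        "and executables developed by them have been unknown until recently, they have never "
        "related to any other targeted cyberattacks."
    ),
    roles=["infrastructure-operator"],
    goals=["gather intelligence"],
    sophistication="advanced",
)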



# Indicator - 2 each

## Trojan Files

In [16]:
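# Files extracted and run by the dropper. A single file observable has exactly one name,
# so the original `file:name = 'MSC.BAT' AND file:name = 'NTSVCHOST.EXE'` could never match;
# OR matches either file. NTLHAFD.GCP is not listed because its file name varies.
indicator_files = stix2.Indicator(
    labels=["malicious-activity", "compromised"],
    name="Trojan Files",
    description="Those files is extract and run by the file-dropper.",
    valid_from=firstActivity,
    pattern="[file:name = 'MSC.BAT' OR file:name = 'NTSVCHOST.EXE']",
)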


## C2 Domain Name

In [17]:
# Two of the C2 domains from the report (there are many more); each domain is its own
# observation expression, joined with OR so either one matches.
c2DomainPattern = (
    "([network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'shellupdate.com'] "
    "OR [network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'msgenuine.net'])"
)

indicator_c2Domain = stix2.Indicator(
    labels=["malicious-activity"],
    name="C2 Domains",
    description="Domains used for command and control",
    valid_from=firstActivity,
    pattern=c2DomainPattern,
)


## Connection to C2 (IP)

In [18]:
# Traffic to either of two C2 addresses.
# NOTE(review): the name/description here read like the "Stream Redirection" section,
# while the variable name and heading say "Connection to C2 (IP)"; the same mismatch
# appears, mirrored, in indicator_redirect. Values are kept as written — confirm which
# pair belongs to which indicator before relying on the names.
c2AddressPattern = (
    "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.235.54.48'] "
    "OR [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.41.45.119']"
)

indicator_c2IP = stix2.Indicator(
    labels=["malicious-activity"],
    name="Stream Redirection to 'mini-motherships'",
    description="The C2 servers proved to be a proxy, which was forwarding the request to another server",
    valid_from=firstActivity,
    pattern=c2AddressPattern,
)

## Stream Redirection to "mini-motherships"

In [19]:
# A socat-driven redirect script followed by a connection to a C2 address
# (there are more IPs and more scripts in the report).
# NOTE(review): name/description here look like the "C2 servers IP" section while the
# variable name and heading say "Stream Redirection"; see the mirrored note on indicator_c2IP.
redirectPattern = (
    "([file:name = '/root/scp.pl' AND process:name = 'scp.pl' AND software:name = 'socat']) "
    "FOLLOWEDBY [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.41.45.139']"
)

indicator_redirect = stix2.Indicator(
    labels=["malicious-activity"],
    name="C2 servers IP",
    description="Different servers which exhibited confirmed malicious behavior.",
    valid_from=firstActivity,
    pattern=redirectPattern,
)

## HTTP

In [20]:
indicatorList = [indicator_files, indicator_c2Domain, indicator_c2IP, indicator_redirect]

# Attack Pattern - all you can find

In [21]:
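_KILL_CHAIN_NAME = "mandiant-attack-lifecycle-model"


def _attack_pattern(name, description, phase_name, capec_id, capec_description):
    """Build an AttackPattern with one kill-chain phase and one CAPEC external reference.

    kill_chain_phases and external_references are list-valued in STIX 2.0; the single
    phase/reference is wrapped in a list explicitly instead of relying on the library
    to coerce a bare object.

    Args:
        name: attack pattern name.
        description: free-text description from the report.
        phase_name: phase within the Mandiant attack lifecycle model.
        capec_id: CAPEC identifier used as external_id.
        capec_description: description text for the CAPEC reference.
    """
    return stix2.AttackPattern(
        name=name,
        description=description,
        kill_chain_phases=[
            stix2.KillChainPhase(kill_chain_name=_KILL_CHAIN_NAME, phase_name=phase_name)
        ],
        external_references=[
            stix2.ExternalReference(
                source_name="capec", external_id=capec_id, description=capec_description
            )
        ],
    )


ap_phishing = _attack_pattern(
    "Spear Phishing",
    "The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications. E-mail subject lines as well as the text in e-mail bodies varied depending on the target (recipient). The attached file contained the exploit code which activated a Trojan dropper in the system.",
    "initial-compromise",
    "CAPEC-163",
    "Spear Phishing",
)

ap_targetMalware = _attack_pattern(
    "Targeted Malware",
    "Right after the victim opened the malicious document or visit malicious URL on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers. The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as \"Acid Cryptofiler\", which is known to be used in organizations of European Union/European Parliament/European Commission since the summer of 2011. All gathered information is packed, encrypted and only then transferred to the C&C server.",
    "installation",
    "CAPEC-542",
    "Targeted Malware",
)

# NOTE(review): the kill-chain phase "installation" and the external_id CAPEC-542 are
# copied from ap_targetMalware above, but CAPEC-542 is "Targeted Malware", not a
# dictionary-based password attack. Verify and replace the CAPEC id (and likely the
# phase) before this object is consumed by a downstream tool.
ap_passwords = _attack_pattern(
    "Dictionary-based Password Attack",
    "Stolen credentials were compiled in a list and used when the attackers needed to guess secret phrase in other locations.",
    "installation",
    "CAPEC-542",
    "Dictionary-based Password Attack",
)

apList = [ap_phishing, ap_targetMalware, ap_passwords]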

# Course of Action - all you can find

# Relationship

## Indicator

In [22]:
indicatorRelationshipList = []

### Indicator indicates Attack Pattern

In [23]:

# Indicator -> Attack Pattern. The file and C2-domain indicators point at the
# spear-phishing delivery; every indicator points at the targeted-malware pattern.
# Order is preserved: the two phishing links first, then one per indicator.
indicatesAttackPattern = [
    (indicator_files, ap_phishing),
    (indicator_c2Domain, ap_phishing),
]
indicatesAttackPattern += [(ind, ap_targetMalware) for ind in indicatorList]

indicatorRelationshipList.extend(
    stix2.Relationship(relationship_type="indicates", source_ref=src, target_ref=dst)
    for src, dst in indicatesAttackPattern
)


### Indicator indicates Malware

In [24]:
# Indicator -> Malware. The file, C2-domain and C2-address indicators all point at the
# backdoor; indicator_redirect is not linked here (it is tied to the socat tool instead).
for backdoorIndicator in (indicator_files, indicator_c2Domain, indicator_c2IP):
    indicatorRelationshipList.append(
        stix2.Relationship(
            relationship_type="indicates",
            source_ref=backdoorIndicator,
            target_ref=malware_backdoor,
        )
    )


### Indicator indicates Threat Actor

In [25]:
# Indicator -> Threat Actor: every indicator is attributed to the (unknown) actor.
indicatorRelationshipList.extend(
    stix2.Relationship(relationship_type="indicates", source_ref=ind, target_ref=attackers)
    for ind in indicatorList
)


### Indicator indicates Tool

In [26]:
# Indicator -> Tool: the redirect pattern names socat explicitly (software:name = 'socat').
redirectUsesSocat = stix2.Relationship(
    relationship_type="indicates",
    source_ref=indicator_redirect,
    target_ref=tool_socat,
)
indicatorRelationshipList.append(redirectUsesSocat)



## Threat Actor Relationship

In [27]:
taRelationshipList = []

### Threat Actor targets Identity / Vulnerability

In [28]:
# Threat Actor -> targets -> Identity and Vulnerability. Both SDO types are valid
# targets of a threat-actor "targets" relationship, so one loop covers both lists.
vulAndTargetList = targetList + vulList

taRelationshipList.extend(
    stix2.Relationship(relationship_type="targets", source_ref=attackers, target_ref=victimOrVuln)
    for victimOrVuln in vulAndTargetList
)
    


### Threat Actor uses Attack Pattern\Tool\Malware

In [29]:
# Threat Actor -> uses -> Attack Pattern / Tool / Malware.
apToolAndMalwareList = apList + toolsList + malwareList

for capability in apToolAndMalwareList:
    taRelationshipList.append(
        stix2.Relationship(relationship_type="uses", source_ref=attackers, target_ref=capability)
    )


## Malware Relationship

In [30]:
malwareRelationshipList = []

### Malware targets Vulnerability

In [31]:
# Malware -> targets -> Vulnerability: only the dropper exploits the CVEs (it is the
# component delivered inside the rigged documents).
malwareRelationshipList.extend(
    stix2.Relationship(relationship_type="targets", source_ref=malware_dropper, target_ref=vul)
    for vul in vulList
)

### Malware targets Identity

In [32]:
# Malware -> targets -> Identity: both the dropper and the backdoor target every victim.
# The nested loop keeps the original ordering (dropper, then backdoor, per victim).
for victim in targetList:
    for mw in (malware_dropper, malware_backdoor):
        malwareRelationshipList.append(
            stix2.Relationship(relationship_type="targets", source_ref=mw, target_ref=victim)
        )

### Malware uses Tool

In [33]:
# NOTE(review): the heading says "Malware uses Tool" but the relationship_type is
# "targets". The report describes the backdoor collecting Acid Cryptofiler files, which
# fits "targets"; STIX 2.0 only defines malware -> uses -> tool, so a consumer may
# reject or ignore this edge. Kept as written — confirm the intended semantics.
backdoorTargetsCryptofiler = stix2.Relationship(
    relationship_type="targets",
    source_ref=malware_backdoor,
    target_ref=tool_acidCrypt,
)
malwareRelationshipList.append(backdoorTargetsCryptofiler)

## Attack Pattern

In [34]:
apRelationshipList = []

### Attack Pattern targets Identity\Vulnerability

In [35]:
# Attack Pattern -> targets -> Identity / Vulnerability.
# Phishing and targeted malware target every victim and every CVE; the password attack
# targets victims only (it exploits stolen credentials, not a software flaw).
# Ordering matches the original: per item phishing then targeted malware, then the
# password-attack links.
for victimOrVuln in vulAndTargetList:
    for pattern in (ap_phishing, ap_targetMalware):
        apRelationshipList.append(
            stix2.Relationship(relationship_type="targets", source_ref=pattern, target_ref=victimOrVuln)
        )

apRelationshipList.extend(
    stix2.Relationship(relationship_type="targets", source_ref=ap_passwords, target_ref=victim)
    for victim in targetList
)
    


### Attack Pattern uses Tool\Malware

In [36]:
# Attack Pattern -> uses -> Malware: phishing delivers the dropper; the targeted-malware
# pattern covers both the dropper and the backdoor it installs.
usesMalware = (
    (ap_phishing, malware_dropper),
    (ap_targetMalware, malware_dropper),
    (ap_targetMalware, malware_backdoor),
)

for pattern, mw in usesMalware:
    apRelationshipList.append(
        stix2.Relationship(relationship_type="uses", source_ref=pattern, target_ref=mw)
    )

In [37]:
relationshipList = apRelationshipList + malwareRelationshipList + taRelationshipList + indicatorRelationshipList

# Report - 1

In [38]:
# Everything the report refers to. stix2 resolves the objects passed in object_refs to
# their ids, so the objects themselves can be passed directly.
everythingArray = [
    *relationshipList,
    *apList,
    *indicatorList,
    attackers,
    *malwareList,
    *vulList,
    *toolsList,
    *targetList,
    *observedList,
]

reportDescription = (
    "This report is based on detailed technical analysis of a series of targeted attacks "
    "against diplomatic, governmental and scientific research organizations in different "
    "countries, mostly related to the region of Eastern Europe, former USSR members and "
    "countries in Central Asia."
)

report = stix2.Report(
    labels=["threat-actor"],
    name="\"Red October\" Diplomatic Cyber Attacks Investigation",
    description=reportDescription,
    published=reportDate,
    object_refs=everythingArray,
)


# Bundle

In [39]:
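# Bundle the report together with everything it references.
# Guarded so re-running this cell does not prepend the report a second time (the original
# `everythingArray = [report] + everythingArray` grew by one duplicate per execution, and
# a bundle with duplicate ids is rejected or deduplicated unpredictably by consumers).
if not everythingArray or everythingArray[0] is not report:
    everythingArray = [report, *everythingArray]

stix_bundle = stix2.Bundle(everythingArray)
print(stix_bundle)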



{
    "type": "bundle",
    "id": "bundle--039c459e-aadc-4106-ae3d-2ba57ee9ce4f",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "report",
            "id": "report--55032acd-0599-42fd-b223-568d42bb2c8a",
            "created": "2018-01-13T14:58:38.264Z",
            "modified": "2018-01-13T14:58:38.264Z",
            "name": "\"Red October\" Diplomatic Cyber Attacks Investigation",
            "description": "This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.",
            "published": "2013-01-27T09:00:00Z",
            "object_refs": [
                "relationship--3fbc945e-6d96-4c47-a6ce-9feca1ce9a68",
                "relationship--8de8bb18-66ab-4517-b7ac-7611b133ed34",
                "relationship--b868f872-7092-479e-955d-eae9bd

In [42]:
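# Persist the bundle as JSON. str(bundle) is stix2's JSON serialisation. The context
# manager guarantees the handle is closed even if write() raises (the original left it
# open on error), and the explicit encoding makes the output independent of the platform
# default; "w" replaces the original "w+" since the file is only written, never read back.
with open("203303474_300936069_HW2_RedOctober.json", "w", encoding="utf-8") as bundle_file:
    bundle_file.write(str(stix_bundle))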