active_attack 0.1.14
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +50 -0
- data/Rakefile +32 -0
- data/app/assets/config/active_attack_manifest.js +2 -0
- data/app/assets/images/active_attack/logo.png +0 -0
- data/app/assets/javascripts/active_attack/application.js +8 -0
- data/app/assets/javascripts/active_attack/controllers/campaign_controller.es6 +23 -0
- data/app/assets/javascripts/active_attack/controllers/matrix_controller.es6 +23 -0
- data/app/assets/javascripts/active_attack/controllers/playbooks_controller.es6 +28 -0
- data/app/assets/javascripts/active_attack/initializers/stimulus.coffee +2 -0
- data/app/assets/stylesheets/active_attack/application.css +15 -0
- data/app/assets/stylesheets/active_attack/data_sources.css +4 -0
- data/app/assets/stylesheets/active_attack/detections.css +4 -0
- data/app/assets/stylesheets/active_attack/difficulty_for_adversaries.css +4 -0
- data/app/assets/stylesheets/active_attack/matrices.css +4 -0
- data/app/assets/stylesheets/active_attack/permissions_requireds.css +4 -0
- data/app/assets/stylesheets/active_attack/platforms.css +4 -0
- data/app/assets/stylesheets/active_attack/playbooks.css +400 -0
- data/app/assets/stylesheets/active_attack/tactics.css +4 -0
- data/app/assets/stylesheets/active_attack/versions.css +4 -0
- data/app/controllers/active_attack/application_controller.rb +5 -0
- data/app/controllers/active_attack/matrices_controller.rb +82 -0
- data/app/controllers/active_attack/playbooks_controller.rb +89 -0
- data/app/controllers/active_attack/tactics_controller.rb +62 -0
- data/app/helpers/active_attack/application_helper.rb +4 -0
- data/app/helpers/active_attack/playbooks_helper.rb +21 -0
- data/app/helpers/active_attack/tactics_helper.rb +4 -0
- data/app/jobs/active_attack/application_job.rb +4 -0
- data/app/mailers/active_attack/application_mailer.rb +6 -0
- data/app/models/active_attack/active_attack.rb +7 -0
- data/app/models/active_attack/application_record.rb +5 -0
- data/app/models/active_attack/build.rb +6 -0
- data/app/models/active_attack/data_source.rb +15 -0
- data/app/models/active_attack/detection.rb +14 -0
- data/app/models/active_attack/difficulty_for_adversary.rb +10 -0
- data/app/models/active_attack/matrix.rb +82 -0
- data/app/models/active_attack/permissions_required.rb +14 -0
- data/app/models/active_attack/platform.rb +16 -0
- data/app/models/active_attack/playbook.rb +177 -0
- data/app/models/active_attack/tactic.rb +61 -0
- data/app/models/active_attack/version.rb +14 -0
- data/app/overrides/models/active_stix/active_stix_override.rb +7 -0
- data/app/overrides/models/active_stix/attack_pattern_override.rb +75 -0
- data/app/overrides/models/active_stix/bundle_override.rb +18 -0
- data/app/overrides/models/active_stix/malware_override.rb +40 -0
- data/app/overrides/models/active_stix/report_override.rb +18 -0
- data/app/overrides/models/active_stix/tool_override.rb +36 -0
- data/app/views/active_attack/matrices/_form.html.erb +27 -0
- data/app/views/active_attack/matrices/_stix_attack_matrix.json.jbuilder +2 -0
- data/app/views/active_attack/matrices/edit.html.erb +6 -0
- data/app/views/active_attack/matrices/index.html.erb +16 -0
- data/app/views/active_attack/matrices/index.json.jbuilder +1 -0
- data/app/views/active_attack/matrices/new.html.erb +5 -0
- data/app/views/active_attack/matrices/show.html.erb +33 -0
- data/app/views/active_attack/matrices/show.json.jbuilder +1 -0
- data/app/views/active_attack/playbooks/_attack_playbook.json.jbuilder +2 -0
- data/app/views/active_attack/playbooks/_form.html.erb +32 -0
- data/app/views/active_attack/playbooks/edit.html.erb +6 -0
- data/app/views/active_attack/playbooks/index.html.erb +38 -0
- data/app/views/active_attack/playbooks/index.json.jbuilder +1 -0
- data/app/views/active_attack/playbooks/new.html.erb +5 -0
- data/app/views/active_attack/playbooks/show.html.erb +70 -0
- data/app/views/active_attack/playbooks/show.json.jbuilder +1 -0
- data/app/views/active_attack/tactics/_form.html.erb +42 -0
- data/app/views/active_attack/tactics/edit.html.erb +6 -0
- data/app/views/active_attack/tactics/index.html.erb +35 -0
- data/app/views/active_attack/tactics/new.html.erb +5 -0
- data/app/views/active_attack/tactics/show.html.erb +29 -0
- data/app/views/layouts/active_attack/application.html.erb +15 -0
- data/config/routes.rb +11 -0
- data/db/migrate/20191211202017_create_active_attack_data_sources.rb +10 -0
- data/db/migrate/20191211202101_create_active_attack_detections.rb +10 -0
- data/db/migrate/20191211202127_create_active_attack_difficulty_for_adversaries.rb +10 -0
- data/db/migrate/20191211202210_create_active_attack_matrices.rb +10 -0
- data/db/migrate/20191211202241_create_active_attack_permissions_requireds.rb +9 -0
- data/db/migrate/20191211202303_create_active_attack_platforms.rb +10 -0
- data/db/migrate/20191211202358_create_active_attack_playbooks.rb +11 -0
- data/db/migrate/20191211202448_create_active_attack_versions.rb +10 -0
- data/db/migrate/20191212205423_create_active_attack_tactics.rb +14 -0
- data/db/migrate/20200405004308_create_active_attack_builds.rb +10 -0
- data/db/migrate/20200405005101_add_buildable_type_to_builds.rb +5 -0
- data/db/migrate/20200405040306_add_stix_id_to_active_attack_matrices.rb +5 -0
- data/db/migrate/20200405040455_add_attributes_to_active_attack_matrices.rb +6 -0
- data/db/migrate/20200405041534_add_matrix_ref_to_active_attack_tactics.rb +5 -0
- data/db/migrate/20200405041824_add_created_by_ref_to_active_attack_matrices.rb +5 -0
- data/db/migrate/20200410170440_add_threat_actor_to_active_attack_playbooks.rb +5 -0
- data/lib/active_attack.rb +6 -0
- data/lib/active_attack/engine.rb +25 -0
- data/lib/active_attack/version.rb +3 -0
- data/lib/enterprise-attack.json +145354 -0
- data/lib/tasks/active_attack_tasks.rake +4 -0
- metadata +238 -0
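--- a/data/app/models/active_attack/permissions_required.rb
+++ b/data/app/models/active_attack/permissions_required.rb
@@ -0,0 +1,14 @@
+module ActiveAttack
+class PermissionsRequired < ApplicationRecord
+has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :permissions_required_attack_pattern
+
+def self.create_perm(perm)
+permission = find_or_create_by(permission:perm)
+permission
+end
+
+def convert_to_json
+permission
+end
+end
+end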
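Review bot: `has_many :attack_patterns, through: :permissions_required_attack_pattern` names a join association this class never declares, so Rails raises HasManyThroughAssociationNotFoundError the first time `attack_patterns` is read (unless ApplicationRecord, outside this diff, declares it). The join model is referenced elsewhere in this release (`ActiveAttack::PermissionsRequiredAttackPattern` in the AttackPattern override), so the missing line is `has_many :permissions_required_attack_patterns, class_name: 'ActiveAttack::PermissionsRequiredAttackPattern'` with the through option changed to `through: :permissions_required_attack_patterns`. Platform (`through: :platform_attack_pattern`) and Version (`through: :version_attack_pattern`) in this same release have the same gap. `create_perm` assigns and then returns `permission` in two statements; `find_or_create_by(permission: perm)` alone is the same value.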
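--- a/data/app/models/active_attack/platform.rb
+++ b/data/app/models/active_attack/platform.rb
@@ -0,0 +1,16 @@
+module ActiveAttack
+class Platform < ApplicationRecord
+has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :platform_attack_pattern
+has_many :malware_platform
+has_many :malwares, :class_name => 'ActiveStix::Malware', through: :malware_platform
+
+def self.create_platform(plat_name)
+plat = find_or_create_by(name:plat_name)
+plat
+end
+
+def convert_to_json
+platform
+end
+end
+end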
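Review bot: `convert_to_json` returns `platform`, but the only column this class is created with is `name` (`find_or_create_by(name: plat_name)`), so the call most likely raises NoMethodError; `name` looks intended. `has_many :malwares, through: :malware_platform` routes through a `malware_platform` join, while the Malware override in this same release links the other direction through `builds` (`has_many :platforms, through: :builds`), and the migration list at the top creates `builds` (with `buildable_type`) but no `malware_platforms` table; if that reading is right, `Platform#malwares` can never resolve. Mirroring the Malware side with `has_many :builds, class_name: 'ActiveAttack::Build'` and `has_many :malwares, through: :builds, source: :buildable, source_type: 'ActiveStix::Malware'` keeps both ends on the same join.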
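--- a/data/app/models/active_attack/playbook.rb
+++ b/data/app/models/active_attack/playbook.rb
@@ -0,0 +1,177 @@
+module ActiveAttack
+class Playbook < ApplicationRecord
+belongs_to :bundle, :class_name => 'ActiveStix::Bundle', foreign_key: 'bundle_id', primary_key: 'stix_id', optional: true
+belongs_to :threat_actor, :class_name => 'ActiveStix::ThreatActor', foreign_key: 'threat_actor_id', primary_key: 'stix_id', optional: true
+
+def as_stix(classification = nil, chess = nil)
+
+end
+
+def campaigns
+@campaigns ||= bundle.bundled_objects.select {|b| b.stix_object.type == "campaign"}.collect {|bo| bo.stix_object}
+end
+
+def campaign
+@campaign ||= bundle.bundled_objects.find {|b| b.stix_object.type == "campaign"}.stix_object
+end
+
+def attack_patterns
+@attack_patterns ||= campaign.attack_patterns
+end
+
+def kill_chain
+return @kill_chain if @kill_chain
+@kill_chain = attack_patterns.first.kill_chain_phases.first.phase.kill_chain
+end
+
+def number_of_rows
+phased_attack_patterns.collect {|k, v| v.size}.max
+end
+
+def campaign_attack_patterns
+return @campaign_attack_patterns if @campaign_attack_patterns
+@campaign_attack_patterns = {}
+campaigns.each do |campaign|
+@campaign_attack_patterns[campaign] = campaign.attack_patterns
+end
+@campaign_attack_patterns
+end
+
+def attack_pattern_campaign_list(phase, row)
+attack_pattern = attack_pattern_matrix(phase, row)
+campaigns.select do |campaign|
+campaign_attack_patterns[campaign].collect(&:name).include? attack_pattern
+end.collect(&:stix_id).join(" ")
+end
+
+def phased_attack_patterns
+return @phased_attack_patterns if @phased_attack_patterns
+@phased_attack_patterns = {}
+@kill_chain.phases.each do |phase|
+@phased_attack_patterns[phase.name] = phase.attack_patterns
+end
+@phased_attack_patterns
+end
+
+def attack_pattern_matrix(phase, row)
+phase = phased_attack_patterns[phase]
+if row < phase.size
+phase[row].name
+else
+nil
+end
+end
+
+def self.ingest_json(bundle)
+puts "ingesting"
+bundle = ActiveStix::Bundle.ingest_json(bundle, nil)
+
+intrusion_set_report = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('intrusion-set')}.first.stix_object
+intrusion_set = intrusion_set_report.report_objects.find {|ro| ro.stix_object.type == 'intrusion-set'}.stix_object
+threat_actor = ActiveStix::ThreatActor.find_or_create_by(name: intrusion_set.name)
+ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to')
+
+campaign_reports = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('campaign')}.map(&:stix_object)
+
+campaign_reports.each do |report|
+campaign = report.report_objects.find_by(object_type: 'ActiveStix::Campaign').stix_object
+ActiveStix::Relationship.relate(campaign, intrusion_set, 'attributed-to')
+ActiveStix::Relationship.relate(campaign, threat_actor, 'attributed-to')
+end
+
+playbook = Playbook.create
+playbook.threat_actor = threat_actor
+playbook.bundle = bundle
+playbook.save
+
+end
+
+def report(threat_actor)
+bundle = ActiveStix::Bundle.create
+if threat_actor.intrusion_sets.empty?
+intrusion_set = ActiveStix::IntrusionSet.find_or_create_by(name: threat_actor.name)
+rel = ActiveStix::Relationship.relate(intrusion_set, threat_actor, "attributed-to")
+bundle.add(rel)
+else
+intrusion_set = threat_actor.intrusion_sets.last
+bundle.add(ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to'))
+end
+
+ActiveStix::Relationship.where(target: intrusion_set, source_type: "ActiveStix::Campaign", relationship_type: 'attributed-to').all.each do |rel|
+bundle.add(rel.source)
+end
+
+
+campaign_reports = threat_actor.campaigns.collect do |campaign|
+report = ActiveStix::Report.create
+label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'campaign')
+report.labels << label
+report.add_stix_object(campaign)
+bundle.add(campaign)
+campaign.attack_pattern_relationships.each do |attack_pattern_relationship|
+report.add_stix_object(attack_pattern_relationship)
+report.add_stix_object(attack_pattern_relationship.target)
+bundle.add(attack_pattern_relationship)
+bundle.add(attack_pattern_relationship.target)
+attack_pattern_relationship.target.indicator_relationships.each do |indicator_relationship|
+report.add_stix_object(indicator_relationship)
+report.add_stix_object(indicator_relationship.source)
+bundle.add(indicator_relationship)
+bundle.add(indicator_relationship.source)
+end
+end
+
+campaign.indicator_relationships.each do |indicator_relationship|
+report.add_stix_object(indicator_relationship)
+report.add_stix_object(indicator_relationship.source)
+bundle.add(indicator_relationship)
+bundle.add(indicator_relationship.source)
+end
+bundle.add(report)
+report
+end
+
+intrusion_set_report = ActiveStix::Report.create
+label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'intrusion-set')
+intrusion_set_report.labels << label
+intrusion_set_report.add_stix_object(intrusion_set)
+campaign_reports.each do |campaign_report|
+intrusion_set_report.add_stix_object(campaign_report)
+end
+
+bundle.add(threat_actor)
+bundle.add(intrusion_set)
+bundle.add(intrusion_set_report)
+
+self.bundle = bundle
+save
+bundle
+end
+
+def engagement_report(threat_actor)
+bundle = report(threat_actor)
+identity_relationships = threat_actor.source_relationships.where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
+identity_relationships.each do |relationship|
+bundle.add(relationship)
+bundle.add(relationship.target)
+relationship.target.source_relationships.where(relationship_type: "employs").each do |employment_rel|
+bundle.add(employment_rel)
+bundle.add(employment_rel.target)
+end
+end
+
+ActiveStix::Relationship.where(
+source: threat_actor,
+source_type: 'ActiveStix::ThreatActor',
+target_type: 'ActiveStix::ObservedDatum',
+relationship_type: 'related-to',
+).each do |observed_datum_rel|
+bundle.add(observed_datum_rel)
+bundle.add(observed_datum_rel.target)
+end
+
+bundle
+end
+
+end
+end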
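Review bot: `phased_attack_patterns` reads `@kill_chain.phases` directly instead of calling `kill_chain`, so any caller that reaches it before `kill_chain` has been memoized (for example `number_of_rows` or `attack_pattern_matrix` on a fresh instance) gets NoMethodError on nil; `kill_chain.phases.each do |phase|` removes the order dependency. `as_stix(classification = nil, chess = nil)` has an empty body that returns nil, which should at least be documented as unimplemented or raise NotImplementedError so a caller does not serialise nil. `self.ingest_json` consumes an externally supplied bundle and chains `.first.stix_object`, `.find {...}.stix_object` and `.find_by(...).stix_object` without nil checks, so a bundle lacking an intrusion-set or campaign report fails with NoMethodError after `ActiveStix::Bundle.ingest_json` has already persisted rows; a guard that raises a descriptive error before the relationships are created keeps partial bundles out of the database. `puts "ingesting"` belongs on `Rails.logger`, and the return values of `playbook.save` and `save` are discarded, so validation failures pass silently (`save!` or check the result).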
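--- a/data/app/models/active_attack/tactic.rb
+++ b/data/app/models/active_attack/tactic.rb
@@ -0,0 +1,61 @@
+module ActiveAttack
+class Tactic < ApplicationRecord
+has_many :reference_items, class_name: "ActiveStix::ReferenceItem", as: :referrer
+has_many :external_references, class_name: "ActiveStix::ExternalReference", through: :reference_items
+
+def self.ingest_json(obj)
+xmt = find_or_create_by(stix_id: obj['id'], name: obj['name'])
+
+if obj.has_key?('created_by_ref')
+xmt.created_by_ref = obj['created_by_ref']
+end
+
+if obj.has_key?('description')
+xmt.description = obj['description']
+end
+
+if obj.has_key?('external_references')
+obj['external_references'].each do |er|
+external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+xmt.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference_id: external_reference.id, referrer_id: xmt.id, referrer_type: "ActiveAttack::Tactic")
+end
+end
+
+if obj.has_key?('object_marking_refs')
+# todo
+end
+
+if obj.has_key?('x_mitre_shortname')
+xmt.shortname = obj['x_mitre_shortname']
+end
+
+xmt.save
+xmt
+end
+
+def convert_to_json
+external_refs_arr = []
+external_references.each do |x|
+external_refs_arr << x.convert_to_json
+end
+
+marking_def_arr = []
+marking_definitions.each do |x|
+marking_def_arr << x.convert_to_json
+end
+
+{
+:external_references => external_refs_arr,
+:object_marking_refs => marking_def_arr,
+:id => stix_id,
+:name => name,
+:created => created_at.to_s,
+:modified => updated_at.to_s,
+:type => "type",
+:created_by_ref => created_by_ref,
+:description => description,
+:x_mitre_shortname => shortnames.first.convert_to_json
+}
+end
+end
+end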
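Review bot: `convert_to_json` emits `:type => "type"`, a literal placeholder, so the exported object never carries the STIX type this class is registered under in the Bundle override (`'x-mitre-tactic'`); it should be `:type => 'x-mitre-tactic'`. `:created => created_at.to_s` and `:modified => updated_at.to_s` produce Ruby's default Time format rather than the STIX timestamp form; `created_at.utc.iso8601(3)` matches it. The same method iterates `marking_definitions` and calls `shortnames.first.convert_to_json`, but neither association is declared on this class and `ingest_json` writes `xmt.shortname = ...` as a scalar, so one of the two sides is wrong. `find_or_create_by(stix_id: obj['id'], name: obj['name'])` keys on both columns, so a tactic whose name changes in a later bundle is duplicated under the same `stix_id` instead of updated; keying on `stix_id` alone and assigning `name` afterwards avoids that.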
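--- a/data/app/models/active_attack/version.rb
+++ b/data/app/models/active_attack/version.rb
@@ -0,0 +1,14 @@
+module ActiveAttack
+class Version < ApplicationRecord
+has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :version_attack_pattern
+
+def self.create_version(ver)
+vers = find_or_create_by(version:ver)
+vers
+end
+
+def convert_to_json
+version
+end
+end
+end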
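--- a/data/app/overrides/models/active_stix/attack_pattern_override.rb
+++ b/data/app/overrides/models/active_stix/attack_pattern_override.rb
@@ -0,0 +1,75 @@
+ActiveStix::AttackPattern.class_eval do
+
+
+def expected_keys
+[
+'external_references',
+'kill_chain_phases',
+'object_marking_refs',
+'x_mitre_detection',
+'x_mitre_data_sources',
+'x_mitre_platforms',
+'x_mitre_permissions_required',
+'x_mitre_detectable_by_common_defenses',
+'x_mitre_difficulty_for_adversary_explanation',
+'x_mitre_difficulty_for_adversary',
+'x_mitre_detectable_by_common_defenses_explanation',
+'x_mitre_version'
+]
+end
+
+
+def self.x_mitre_detection(attack_pattern, ob)
+xmd = ActiveAttack::Detection.create_descr(obj['x_mitre_detection'])
+#ensure no duplicate entries
+attack_pattern.detections << xmd unless ActiveAttack::DetectionAttackPattern.find_by(x_mitre_detection_id: xmd.id, attack_pattern_id: attack_pattern.id)
+end
+
+def self.x_mitre_data_sources(attack_pattern, obj)
+obj['x_mitre_data_sources'].each do |ds|
+d_source = ActiveAttack::DataSource.create_source(ds)
+attack_pattern.data_sources << d_source unless ActiveAttack::DataSourceAttackPattern.find_by(data_source_id: d_source.id, attack_pattern_id: attack_pattern.id)
+end
+end
+
+def self.x_mitre_platforms(attack_pattern, obj)
+obj['x_mitre_platforms'].each do |plat|
+platform = ActiveAttack::Platform.create_platform(plat)
+attack_pattern.platforms << platform unless ActiveAttack::PlatformAttackPattern.find_by(platform_id: platform.id, attack_pattern_id: attack_pattern.id)
+end
+end
+
+
+def self.x_mitre_permissions_required(attack_pattern, obj)
+obj['x_mitre_permissions_required'].each do |perm|
+permission = ActiveAttack::PermissionsRequired.create_perm(perm)
+attack_pattern.permissions_requireds << permission unless ActiveAttack::PermissionsRequiredAttackPattern.find_by(permissions_required_id: permission.id, attack_pattern_id: attack_pattern.id)
+end
+end
+
+def self.x_mitre_detectable_by_common_defenses(attack_pattern, obj)
+det = ActiveAttack::DetectableByCommonDefense.create_detectable(obj['x_mitre_detectable_by_common_defenses'])
+attack_pattern.detectable_by_common_defenses << det unless ActiveAttack::DetectableByCommonDefenseAttackPattern.find_by(detectable_by_common_defense_id: det.id, attack_pattern_id: attack_pattern.id)
+end
+
+def self.x_mitre_difficulty_for_adversary_explanation(attack_pattern, obj)
+diff_exp = ActiveAttack::DifficultyForAdversaryExplanation.create_explanation(obj['x_mitre_difficulty_for_adversary_explanation'])
+attack_pattern.difficulty_for_adversary_explanations << diff_exp unless ActiveAttack::DifficultyForAdversaryExplanationAttackPattern.find_by(difficulty_for_adversary_id: diff_exp.id, attack_pattern_id: attack_pattern.id)
+end
+
+def self.x_mitre_difficulty_for_adversary(attack_pattern, obj)
+diff = ActiveAttack::DifficultyForAdversary.create_difficulty(obj['x_mitre_difficulty_for_adversary'])
+attack_pattern.difficulty_for_adversaries << diff unless ActiveAttack::DifficultyForAdversaryAttackPattern.find_by(difficulty_for_adversary_id: diff.id, attack_pattern_id: attack_pattern.id)
+end
+
+def self.x_mitre_detectable_by_common_defenses_explanation(attack_pattern, obj)
+det_exp = ActiveAttack::DetectableByCommonDefensesExplanation.create_explanation(obj['x_mitre_detectable_by_common_defenses_explanation'])
+attack_pattern.detectable_by_common_defenses_explanations << det_exp unless ActiveAttack::DetectableByCommonDefensesExplanationAttackPattern.find_by(detectable_by_common_defenses_explanation_id: det_exp.id, attack_pattern_id: attack_pattern.id)
+end
+
+def self.x_mitre_version(attack_pattern, obj)
+version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+attack_pattern.versions << version unless ActiveAttack::VersionAttackPattern.find_by(version_id: version.id, attack_pattern_id: attack_pattern.id)
+end
+
+end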
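Review bot: `self.x_mitre_detection(attack_pattern, ob)` names its second parameter `ob` but the body reads `obj['x_mitre_detection']`, so the handler raises NameError the first time a bundle carries that key; the parameter should be `obj` like every sibling handler. `expected_keys` is an instance method here while the Malware override defines `self.expected_keys` and every key handler in this block is a class method, so whichever dispatcher reads it will find it on only one of the two classes. In `self.x_mitre_difficulty_for_adversary_explanation` the duplicate check queries `difficulty_for_adversary_id:` on the `...ExplanationAttackPattern` join, which reads like a copy of the handler below it; `difficulty_for_adversary_explanation_id:` is probably intended, but verify against that join's columns. Several classes referenced here (`ActiveAttack::DetectableByCommonDefense`, `ActiveAttack::DifficultyForAdversaryExplanation`, the `*AttackPattern` join models) do not appear in this release's file list at the top, so unless another gem provides them these handlers fail on first use.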
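--- a/data/app/overrides/models/active_stix/bundle_override.rb
+++ b/data/app/overrides/models/active_stix/bundle_override.rb
@@ -0,0 +1,18 @@
+ActiveStix::Bundle.class_eval do
+@@stix_map = {
+'bundle' => ActiveStix::Bundle,
+'attack-pattern' => ActiveStix::AttackPattern,
+'relationship' => ActiveStix::Relationship,
+'course-of-action' => ActiveStix::CourseOfAction,
+'identity' => ActiveStix::Identity,
+'intrusion-set' => ActiveStix::IntrusionSet,
+'malware' => ActiveStix::Malware,
+'tool' => ActiveStix::Tool,
+'x-mitre-tactic' => ActiveAttack::Tactic,
+'x-mitre-matrix' => ActiveAttack::Matrix,
+'marking-definition' => ActiveStix::MarkingDefinition,
+'report' => ActiveStix::Report,
+'campaign' => ActiveStix::Campaign,
+'indicator' => ActiveStix::Indicator
+}
+end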
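Review bot: `@@stix_map = { ... }` inside a `class_eval` block does not define a class variable on `ActiveStix::Bundle`: class-variable lookup in a block is lexical, and this block sits at file top level, so the assignment targets Object (Ruby 2.x warns about class variable access from toplevel, Ruby 3.0+ raises RuntimeError at load time). `class_variable_set(:@@stix_map, { ... })` sets it on the receiver as intended, or the table could be a frozen constant exposed through a class method. The same block is repeated verbatim in the Report override; since this map is in effect the allowlist of STIX types the ingester will instantiate, one shared frozen table keeps the two copies from drifting apart.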
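--- a/data/app/overrides/models/active_stix/malware_override.rb
+++ b/data/app/overrides/models/active_stix/malware_override.rb
@@ -0,0 +1,40 @@
+ActiveStix::Malware.class_eval do
+has_many :builds, class_name: "ActiveAttack::Build", as: :buildable
+has_many :platforms, through: :builds, class_name: "ActiveAttack::Platform"
+def self.expected_keys
+[
+'description',
+'external_references',
+'object_marking_refs',
+'x_mitre_aliases',
+'x_mitre_platforms',
+'labels',
+'x_mitre_version'
+]
+end
+
+
+def self.x_mitre_aliases(malware, obj)
+malware.aliases = obj['x_mitre_aliases']
+end
+
+def self.x_mitre_platforms(malware, obj)
+obj['x_mitre_platforms'].each do |plat|
+platform = ActiveAttack::Platform.create_platform(plat)
+malware.platforms << platform unless ActiveAttack::Build.find_by(platform_id: platform.id, buildable_id: malware.id)
+end
+end
+
+def self.labels(malware, obj)
+obj['labels'].each do |lab|
+label = ActiveStix::Label.ingest_label('malware', lab)
+malware.labels << label unless ActiveStix::Markup.find_by(labelable: malware, label: label)
+end
+end
+
+def self.x_mitre_version(malware, obj)
+# todo
+# version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+# malware.versions << version unless ActiveAttack::MalwareVersion.find_by(version_id: version.id, malware_id: malware.id)
+end
+end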
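Review bot: the duplicate check in `self.x_mitre_platforms` is `ActiveAttack::Build.find_by(platform_id: platform.id, buildable_id: malware.id)` with no `buildable_type`, yet `builds` is declared polymorphic (`as: :buildable`) and the migration list at the top adds `buildable_type` to builds; any other buildable record sharing this Malware's numeric id would make the lookup hit and silently skip the link. Adding `buildable_type: malware.class.name` to that `find_by` keeps the check on the right row. `self.x_mitre_version` has an empty `# todo` body while `'x_mitre_version'` remains in `expected_keys`, so the version in the bundle is dropped without any log line; either remove the key until the handler exists or log that it was ignored. `malware.aliases = obj['x_mitre_aliases']` stores whatever the bundle carries without checking it is an array of strings; `Array(obj['x_mitre_aliases']).map(&:to_s)` keeps the column content in the expected shape.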
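--- a/data/app/overrides/models/active_stix/report_override.rb
+++ b/data/app/overrides/models/active_stix/report_override.rb
@@ -0,0 +1,18 @@
+ActiveStix::Report.class_eval do
+@@stix_map = {
+'bundle' => ActiveStix::Bundle,
+'attack-pattern' => ActiveStix::AttackPattern,
+'relationship' => ActiveStix::Relationship,
+'course-of-action' => ActiveStix::CourseOfAction,
+'identity' => ActiveStix::Identity,
+'intrusion-set' => ActiveStix::IntrusionSet,
+'malware' => ActiveStix::Malware,
+'tool' => ActiveStix::Tool,
+'x-mitre-tactic' => ActiveAttack::Tactic,
+'x-mitre-matrix' => ActiveAttack::Matrix,
+'marking-definition' => ActiveStix::MarkingDefinition,
+'report' => ActiveStix::Report,
+'campaign' => ActiveStix::Campaign,
+'indicator' => ActiveStix::Indicator
+}
+end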