txt2stix 1.0.7__py3-none-any.whl → 1.0.9__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- txt2stix/attack_flow.py +23 -8
- txt2stix/retriever.py +2 -1
- {txt2stix-1.0.7.dist-info → txt2stix-1.0.9.dist-info}/METADATA +1 -1
- {txt2stix-1.0.7.dist-info → txt2stix-1.0.9.dist-info}/RECORD +7 -7
- {txt2stix-1.0.7.dist-info → txt2stix-1.0.9.dist-info}/WHEEL +0 -0
- {txt2stix-1.0.7.dist-info → txt2stix-1.0.9.dist-info}/entry_points.txt +0 -0
- {txt2stix-1.0.7.dist-info → txt2stix-1.0.9.dist-info}/licenses/LICENSE +0 -0
txt2stix/attack_flow.py
CHANGED
|
@@ -16,15 +16,26 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
|
|
|
16
16
|
logging.info(f"flow.success = {flow.success}")
|
|
17
17
|
if not flow.success:
|
|
18
18
|
return []
|
|
19
|
-
|
|
19
|
+
objects = [report, attack_flow_ExtensionDefinitionSMO]
|
|
20
|
+
for domain in ["enterprise-attack", "mobile-attack", "ics-attack"]:
|
|
21
|
+
flow_objects = parse_domain_flow(report, flow, techniques, tactics, domain)
|
|
22
|
+
objects.extend(flow_objects)
|
|
23
|
+
return objects
|
|
24
|
+
|
|
25
|
+
def parse_domain_flow(report, flow: AttackFlowList, techniques, tactics, domain):
|
|
26
|
+
flow_objects = []
|
|
27
|
+
flow_obj = None
|
|
20
28
|
last_action = None
|
|
21
29
|
for i, item in enumerate(flow.items):
|
|
22
30
|
try:
|
|
23
31
|
technique = techniques[item.attack_technique_id]
|
|
32
|
+
if technique["domain"] != domain:
|
|
33
|
+
continue
|
|
24
34
|
tactic_id = technique["possible_tactics"][
|
|
25
35
|
flow.tactic_mapping[item.attack_technique_id]
|
|
26
36
|
]
|
|
27
37
|
technique_obj = technique["stix_obj"]
|
|
38
|
+
|
|
28
39
|
tactic_obj = tactics[technique["domain"]][tactic_id]
|
|
29
40
|
action_obj = AttackAction(
|
|
30
41
|
**{
|
|
@@ -40,16 +51,16 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
|
|
|
40
51
|
allow_custom=True,
|
|
41
52
|
)
|
|
42
53
|
action_obj.effect_refs.clear()
|
|
43
|
-
if
|
|
54
|
+
if not flow_obj:
|
|
44
55
|
flow_obj = {
|
|
45
56
|
"type": "attack-flow",
|
|
46
|
-
"id":
|
|
57
|
+
"id": "attack-flow--"+str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{domain}+{report.id}")),
|
|
47
58
|
"spec_version": "2.1",
|
|
48
59
|
"created": report.created,
|
|
49
60
|
"modified": report.modified,
|
|
50
61
|
"created_by_ref": report.created_by_ref,
|
|
51
62
|
"start_refs": [action_obj["id"]],
|
|
52
|
-
"name": report.name,
|
|
63
|
+
"name": f"[{domain.split('-')[0].upper()}] {report.name}",
|
|
53
64
|
"description": report.description,
|
|
54
65
|
"scope": "malware",
|
|
55
66
|
"external_references": report.external_references,
|
|
@@ -61,7 +72,7 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
|
|
|
61
72
|
type="relationship",
|
|
62
73
|
spec_version="2.1",
|
|
63
74
|
id="relationship--"
|
|
64
|
-
+ str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{report.id}")),
|
|
75
|
+
+ str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{report.id}+{flow_obj['id']}")),
|
|
65
76
|
created_by_ref=report.created_by_ref,
|
|
66
77
|
created=report.created,
|
|
67
78
|
modified=report.modified,
|
|
@@ -147,7 +158,7 @@ def get_techniques_from_extracted_objects(objects: dict, tactics: dict):
|
|
|
147
158
|
return techniques
|
|
148
159
|
|
|
149
160
|
|
|
150
|
-
def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
|
|
161
|
+
def create_navigator_layer(report, summary, flow: AttackFlowList, techniques, tactics):
|
|
151
162
|
domains = {}
|
|
152
163
|
comments = {item.attack_technique_id: item.description for item in flow.items}
|
|
153
164
|
for technique in techniques.values():
|
|
@@ -170,7 +181,11 @@ def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
|
|
|
170
181
|
for domain, domain_techniques in domains.items():
|
|
171
182
|
retval.append(
|
|
172
183
|
{
|
|
173
|
-
"
|
|
184
|
+
"versions": {
|
|
185
|
+
"layer": "4.5",
|
|
186
|
+
"attack": tactics[domain]['version'],
|
|
187
|
+
"navigator": "5.1.0"
|
|
188
|
+
},
|
|
174
189
|
"name": report.name,
|
|
175
190
|
"domain": domain,
|
|
176
191
|
"description": summary,
|
|
@@ -220,6 +235,6 @@ def extract_attack_flow_and_navigator(
|
|
|
220
235
|
|
|
221
236
|
if ai_create_attack_navigator_layer:
|
|
222
237
|
navigator = create_navigator_layer(
|
|
223
|
-
bundler.report, bundler.summary, flow, techniques
|
|
238
|
+
bundler.report, bundler.summary, flow, techniques, tactics
|
|
224
239
|
)
|
|
225
240
|
return flow, navigator
|
txt2stix/retriever.py
CHANGED
|
@@ -28,8 +28,9 @@ class STIXObjectRetriever:
|
|
|
28
28
|
|
|
29
29
|
def get_attack_tactics(self, matrix):
|
|
30
30
|
endpoint = urljoin(self.api_root, f"v1/attack-{matrix}/objects/?attack_type=Tactic")
|
|
31
|
+
version_url = urljoin(self.api_root, f'v1/attack-{matrix}/versions/installed/')
|
|
31
32
|
tactics = self._retrieve_objects(endpoint)
|
|
32
|
-
retval =
|
|
33
|
+
retval = dict(version=self.session.get(version_url).json()['latest'])
|
|
33
34
|
for tac in tactics:
|
|
34
35
|
retval[tac['x_mitre_shortname']] = tac
|
|
35
36
|
retval[tac['external_references'][0]['external_id']] = tac
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: txt2stix
|
|
3
|
-
Version: 1.0.
|
|
3
|
+
Version: 1.0.9
|
|
4
4
|
Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
|
|
5
5
|
Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
|
|
6
6
|
Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues
|
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
txt2stix/__init__.py,sha256=Sm_VT913IFuAZ6dJEdVz3baPwC5VYtHySVfBAOUG92w,803
|
|
2
|
-
txt2stix/attack_flow.py,sha256=
|
|
2
|
+
txt2stix/attack_flow.py,sha256=FA5mRf4iVe9E6e_WfGF9PK6MTz8f3UhvDKjO_PDFHso,9164
|
|
3
3
|
txt2stix/bundler.py,sha256=kqUNW9_jktuMyWSkoAa-ydZY-L5gzSSkthb7OdhUiKo,16854
|
|
4
4
|
txt2stix/common.py,sha256=ISnGNKqJPE1EcfhL-x_4G18mcwt1urmorkW-ru9kV-0,585
|
|
5
5
|
txt2stix/credential_checker.py,sha256=eWDP-jY3-jm8zI0JMoUcyoQZ_JqPNfCIr_HAO8nVYz0,3044
|
|
6
6
|
txt2stix/extractions.py,sha256=_tlsqYHhfAoV-PJzxRHysrX47uxCsMlSg7PQWxww1u0,2171
|
|
7
7
|
txt2stix/indicator.py,sha256=c6S0xx0K8JM-PT_Qd1PlN_ZlDXdnEwiRS8529iUp3yg,30774
|
|
8
8
|
txt2stix/lookups.py,sha256=h42YVtYUkWZm6ZPv2h5hHDHDzDs3yBqrT_T7pj2MDZI,2301
|
|
9
|
-
txt2stix/retriever.py,sha256=
|
|
9
|
+
txt2stix/retriever.py,sha256=biRSRwYsZoSvR758y4OFONjfrEMcxgj1PLHFLFydoSU,5729
|
|
10
10
|
txt2stix/stix.py,sha256=9nXD9a2dCY4uaatl-mlIA1k3srwQBhGW-tUSho3iYe0,30
|
|
11
11
|
txt2stix/txt2stix.py,sha256=b16h8BCSerZrq7PWjXkUZB4WXkDCUDMru1LDJeIXCHo,18587
|
|
12
12
|
txt2stix/utils.py,sha256=n6mh4t9ZRJ7iT4Jvp9ai_dfCXjgXNcRtF_zXO7nkpnk,3304
|
|
@@ -113,8 +113,8 @@ txt2stix/includes/lookups/threat_actor.txt,sha256=QfDO9maQuqKBgW_Sdd7VGv1SHZ9Ra-
|
|
|
113
113
|
txt2stix/includes/lookups/tld.txt,sha256=-MEgJea2NMG_KDsnc4BVvI8eRk5Dm93L-t8SGYx5wMo,8598
|
|
114
114
|
txt2stix/includes/lookups/tool.txt,sha256=HGKG6JpUE26w6ezzSxOjBkp15UpSaB7N-mZ_NU_3G7A,6
|
|
115
115
|
txt2stix/includes/tests/test_cases.yaml,sha256=QD1FdIunpPkOpsn6wJRqs2vil_hv8OSVaqUp4a96aZg,22247
|
|
116
|
-
txt2stix-1.0.
|
|
117
|
-
txt2stix-1.0.
|
|
118
|
-
txt2stix-1.0.
|
|
119
|
-
txt2stix-1.0.
|
|
120
|
-
txt2stix-1.0.
|
|
116
|
+
txt2stix-1.0.9.dist-info/METADATA,sha256=j_usZnd_eI4GYtyvuOKw-9untmHdSLsP9fBs35w71x4,15482
|
|
117
|
+
txt2stix-1.0.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
|
|
118
|
+
txt2stix-1.0.9.dist-info/entry_points.txt,sha256=x6QPtt65hWeomw4IpJ_wQUesBl1M4WOLODbhOKyWMFg,55
|
|
119
|
+
txt2stix-1.0.9.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
|
|
120
|
+
txt2stix-1.0.9.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|