PyPI - txt2stix - Versions diffs - 1.0.7__tar.gz → 1.0.9__tar.gz - Mend

txt2stix 1.0.7tar.gz → 1.0.9tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (260) hide show

{txt2stix-1.0.7 → txt2stix-1.0.9}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.0.7
+Version: 1.0.9
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.0.7 → txt2stix-1.0.9}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2stix"
-version = "1.0.7"
+version = "1.0.9"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.0.7 → txt2stix-1.0.9}/tests/data/manually_generated_reports/attack_flow_demo.txt RENAMED Viewed

@@ -4,4 +4,6 @@ Due to password protection, the zip files are able to bypass some AV detections.
 The zip files are extracted and usually contain a malicious document, such as a .doc, .pdf, or .xls. Some examples are malware.pdf and bad.com
-The extracted files contain malicious macros that connect to a C2 server 1.1.1.1
+The extracted files contain malicious macros that connect to a C2 server 1.1.1.1
+And here is a mobile ID to test behaviour of multiple matrices T1630.001

{txt2stix-1.0.7 → txt2stix-1.0.9}/tests/manual-tests/cases-standard-tests.md RENAMED Viewed

@@ -486,6 +486,24 @@ python3 txt2stix.py \
     --report_id 3b160a8d-12dd-4e7c-aee8-5af6e371b425
 ```
+with two domains
+no indicators
+```shell
+python3 txt2stix.py \
+    --relationship_mode ai \
+    --ai_settings_relationships openai:gpt-5 \
+    --input_file tests/data/manually_generated_reports/attack_flow_demo.txt \
+    --name 'Test MITRE ATT&CK Flow demo' \
+    --tlp_level clear \
+    --confidence 100 \
+    --use_extractions 'ai_mitre_attack_*' \
+    --ai_settings_extractions openai:gpt-5 \
+    --ai_create_attack_flow \
+    --report_id ccc8c844-6a89-4762-b4e7-77c918fa4b8f
+```
 ### attack navigator demo
 ```shell

{txt2stix-1.0.7 → txt2stix-1.0.9}/tests/src/test_attack_flow.py RENAMED Viewed

@@ -8,6 +8,7 @@ from txt2stix.attack_flow import (
     create_navigator_layer,
     get_all_tactics,
     get_techniques_from_extracted_objects,
+    parse_domain_flow,
     parse_flow,
     extract_attack_flow_and_navigator,
 )
@@ -21,31 +22,30 @@ def test_parse_flow(dummy_report, dummy_objects, dummy_flow):
     techniques = get_techniques_from_extracted_objects(dummy_objects, tactics)
     flow = dummy_flow
     report = dummy_report
-    expected_ids = set(
-        [
-            "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
-            "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
-            "attack-flow--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
-            "relationship--6346ead9-49cc-5ede-89e2-449f1c22ed13",
-            "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453",
-            "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
-            "attack-action--51dc1572-cb10-581b-b9ef-9e589615ecaa",
-            "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
-            "attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
-            "attack-action--e03c89ba-a476-5509-ac0a-049b61514be7",
-            "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134",
-            "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
-            "attack-action--1fd63972-ef98-5da5-81f5-4090c7dfa585",
-            "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
-            "attack-pattern--1a80d097-54df-41d8-9d33-34e755ec5e72",
-            "attack-action--c7e06b10-252d-520d-82eb-e32314bbec34",
-        ]
-    )
+    expected_ids = {
+        "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+        "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134",
+        "attack-action--1fd63972-ef98-5da5-81f5-4090c7dfa585",
+        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
+        "attack-pattern--1a80d097-54df-41d8-9d33-34e755ec5e72",
+        "report--9c88fbcb-8c0d-4124-868b-3dcb1e9b696c",
+        "attack-flow--bb21585c-5f82-55cf-b73d-89b5217ef092",
+        "relationship--22e97298-819a-55ac-b57b-2185ffb72c62",
+        "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
+        "attack-action--c7e06b10-252d-520d-82eb-e32314bbec34",
+        "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453",
+        "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
+        "attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
+        "attack-action--51dc1572-cb10-581b-b9ef-9e589615ecaa",
+        "relationship--931f6b0d-5136-534a-93bc-8cce065e04dc",
+        "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
+        "attack-flow--b48ec5d9-407c-5e4a-a6d0-fe851cd4ea0e",
+        "attack-action--e03c89ba-a476-5509-ac0a-049b61514be7",
+    }
     flow_objects = parse_flow(report, flow, techniques, tactics)
     assert {obj["id"] for obj in flow_objects} == expected_ids
 def test_parse_flow__no_success(dummy_report):
     flow_objects = parse_flow(
         dummy_report,
@@ -61,6 +61,48 @@ def test_parse_flow__no_success(dummy_report):
     assert len(flow_objects) == 0
+@pytest.mark.parametrize(
+    ["domain", "expected_ids"],
+    [
+        ("mobile-attack", set()),
+        [
+            "ics-attack",
+            {
+                "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134",
+                "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453",
+                "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+                "relationship--22e97298-819a-55ac-b57b-2185ffb72c62",
+                "attack-action--1fd63972-ef98-5da5-81f5-4090c7dfa585",
+                "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
+                "attack-flow--bb21585c-5f82-55cf-b73d-89b5217ef092",
+                "attack-action--51dc1572-cb10-581b-b9ef-9e589615ecaa",
+            },
+        ],
+        [
+            "enterprise-attack",
+            {
+                "attack-action--e03c89ba-a476-5509-ac0a-049b61514be7",
+                "relationship--931f6b0d-5136-534a-93bc-8cce065e04dc",
+                "attack-flow--b48ec5d9-407c-5e4a-a6d0-fe851cd4ea0e",
+                "attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
+                "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
+                "attack-pattern--1a80d097-54df-41d8-9d33-34e755ec5e72",
+                "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
+                "attack-action--c7e06b10-252d-520d-82eb-e32314bbec34",
+            },
+        ],
+    ],
+)
+def test_parse_domain_flow(dummy_report, dummy_objects, dummy_flow, domain, expected_ids):
+    tactics = get_all_tactics()
+    techniques = get_techniques_from_extracted_objects(dummy_objects, tactics)
+    flow = dummy_flow
+    report = dummy_report
+    flow_objects = parse_domain_flow(report, flow, techniques, tactics, domain)
+    print([domain, {obj["id"] for obj in flow_objects}], ",")
+    assert {obj["id"] for obj in flow_objects} == expected_ids
 def test_get_techniques_from_extracted_objects(dummy_objects):
     tactics = get_all_tactics()
     techniques = get_techniques_from_extracted_objects(dummy_objects, tactics)
@@ -142,7 +184,11 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
         mock_extract_flow.assert_called_once_with(text, techniques)
         mock_create_navigator_layer.assert_called_once_with(
-            bundler.report, bundler.summary, mock_extract_flow.return_value, techniques
+            bundler.report,
+            bundler.summary,
+            mock_extract_flow.return_value,
+            techniques,
+            tactics,
         )
         ### reset mocks
@@ -181,7 +227,11 @@ def test_extract_attack_flow_and_navigator(dummy_objects, dummy_report):
         mock_parse_flow.assert_not_called()
         mock_create_navigator_layer.assert_called_once_with(
-            bundler.report, bundler.summary, mock_extract_flow.return_value, techniques
+            bundler.report,
+            bundler.summary,
+            mock_extract_flow.return_value,
+            techniques,
+            tactics,
         )
         ### reset mocks
@@ -265,11 +315,25 @@ def test_create_navigator_layer(dummy_report):
         "T2003": dict(id="T2003", domain="mobile-attack", possible_tactics=tactics_2),
     }
-    retval = create_navigator_layer(dummy_report, summary, flow, techniques)
+    retval = create_navigator_layer(
+        dummy_report,
+        summary,
+        flow,
+        techniques,
+        tactics={
+            "mobile-attack": {"version": "13.1"},
+            "ics-attack": {"version": "17.0"},
+            "enterprise-attack": {"version": "16.1"},
+        },
+    )
     assert len(retval) == 3
     assert retval == [
         {
-            "version": "4.5",
+            "versions": {
+                "layer": "4.5",
+                "attack": "16.1",
+                "navigator": "5.1.0",
+            },
             "name": "some markdown document",
             "domain": "enterprise-attack",
             "description": "this is a summary",
@@ -295,7 +359,11 @@ def test_create_navigator_layer(dummy_report):
             "layout": {"layout": "side"},
         },
         {
-            "version": "4.5",
+            "versions": {
+                "layer": "4.5",
+                "attack": "17.0",
+                "navigator": "5.1.0",
+            },
             "name": "some markdown document",
             "domain": "ics-attack",
             "description": "this is a summary",
@@ -321,7 +389,11 @@ def test_create_navigator_layer(dummy_report):
             "layout": {"layout": "side"},
         },
         {
-            "version": "4.5",
+            "versions": {
+                "layer": "4.5",
+                "attack": "13.1",
+                "navigator": "5.1.0",
+            },
             "name": "some markdown document",
             "domain": "mobile-attack",
             "description": "this is a summary",
@@ -352,12 +424,17 @@ def test_create_navigator_layer(dummy_report):
 def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objects):
     tactics = get_all_tactics()
     techniques = get_techniques_from_extracted_objects(dummy_objects, tactics)
-    retval = create_navigator_layer(dummy_report, "a summary", dummy_flow, techniques)
+    retval = create_navigator_layer(
+        dummy_report, "a summary", dummy_flow, techniques, tactics
+    )
     assert len(retval) == 2
-    print(retval)
     assert retval == [
         {
-            "version": "4.5",
+            "versions": {
+                "layer": "4.5",
+                "attack": tactics["ics-attack"]["version"],
+                "navigator": "5.1.0",
+            },
             "name": "some markdown document",
             "domain": "ics-attack",
             "description": "a summary",
@@ -398,7 +475,11 @@ def test_create_navigator_layer__real_flow(dummy_report, dummy_flow, dummy_objec
             "layout": {"layout": "side"},
         },
         {
-            "version": "4.5",
+            "versions": {
+                "layer": "4.5",
+                "attack": tactics["enterprise-attack"]["version"],
+                "navigator": "5.1.0",
+            },
             "name": "some markdown document",
             "domain": "enterprise-attack",
             "description": "a summary",

{txt2stix-1.0.7 → txt2stix-1.0.9}/txt2stix/attack_flow.py RENAMED Viewed

@@ -16,15 +16,26 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
     logging.info(f"flow.success = {flow.success}")
     if not flow.success:
         return []
-    flow_objects = [report, attack_flow_ExtensionDefinitionSMO]
+    objects = [report, attack_flow_ExtensionDefinitionSMO]
+    for domain in ["enterprise-attack", "mobile-attack", "ics-attack"]:
+        flow_objects = parse_domain_flow(report, flow, techniques, tactics, domain)
+        objects.extend(flow_objects)
+    return objects
+def parse_domain_flow(report, flow: AttackFlowList, techniques, tactics, domain):
+    flow_objects = []
+    flow_obj = None
     last_action = None
     for i, item in enumerate(flow.items):
         try:
             technique = techniques[item.attack_technique_id]
+            if technique["domain"] != domain:
+                continue
             tactic_id = technique["possible_tactics"][
                 flow.tactic_mapping[item.attack_technique_id]
             ]
             technique_obj = technique["stix_obj"]
             tactic_obj = tactics[technique["domain"]][tactic_id]
             action_obj = AttackAction(
                 **{
@@ -40,16 +51,16 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
                 allow_custom=True,
             )
             action_obj.effect_refs.clear()
-            if i == 0:
+            if not flow_obj:
                 flow_obj = {
                     "type": "attack-flow",
-                    "id": report.id.replace("report", "attack-flow"),
+                    "id": "attack-flow--"+str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{domain}+{report.id}")),
                     "spec_version": "2.1",
                     "created": report.created,
                     "modified": report.modified,
                     "created_by_ref": report.created_by_ref,
                     "start_refs": [action_obj["id"]],
-                    "name": report.name,
+                    "name": f"[{domain.split('-')[0].upper()}] {report.name}",
                     "description": report.description,
                     "scope": "malware",
                     "external_references": report.external_references,
@@ -61,7 +72,7 @@ def parse_flow(report, flow: AttackFlowList, techniques, tactics):
                         type="relationship",
                         spec_version="2.1",
                         id="relationship--"
-                        + str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{report.id}")),
+                        + str(uuid.uuid5(UUID_NAMESPACE, f"attack-flow+{report.id}+{flow_obj['id']}")),
                         created_by_ref=report.created_by_ref,
                         created=report.created,
                         modified=report.modified,
@@ -147,7 +158,7 @@ def get_techniques_from_extracted_objects(objects: dict, tactics: dict):
     return techniques
-def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
+def create_navigator_layer(report, summary, flow: AttackFlowList, techniques, tactics):
     domains = {}
     comments = {item.attack_technique_id: item.description for item in flow.items}
     for technique in techniques.values():
@@ -170,7 +181,11 @@ def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
     for domain, domain_techniques in domains.items():
         retval.append(
             {
-                "version": "4.5",
+                "versions": {
+                    "layer": "4.5",
+                    "attack": tactics[domain]['version'],
+                    "navigator": "5.1.0"
+                },
                 "name": report.name,
                 "domain": domain,
                 "description": summary,
@@ -220,6 +235,6 @@ def extract_attack_flow_and_navigator(
     if ai_create_attack_navigator_layer:
         navigator = create_navigator_layer(
-            bundler.report, bundler.summary, flow, techniques
+            bundler.report, bundler.summary, flow, techniques, tactics
         )
     return flow, navigator

{txt2stix-1.0.7 → txt2stix-1.0.9}/txt2stix/retriever.py RENAMED Viewed

@@ -28,8 +28,9 @@ class STIXObjectRetriever:
     def get_attack_tactics(self, matrix):
         endpoint = urljoin(self.api_root, f"v1/attack-{matrix}/objects/?attack_type=Tactic")
+        version_url = urljoin(self.api_root, f'v1/attack-{matrix}/versions/installed/')
         tactics = self._retrieve_objects(endpoint)
-        retval = {}
+        retval = dict(version=self.session.get(version_url).json()['latest'])
         for tac in tactics:
             retval[tac['x_mitre_shortname']] = tac
             retval[tac['external_references'][0]['external_id']] = tac