

Subject: Example STIX document.


All,

I have been working on some code tonight to hopefully show a potential issue with Observed Data.  I am not yet ready to explain it or show it in detail, but I wanted to show you what I have done so far tonight (I still have a bit more work to do).

The code for all of this can be found here:
https://github.com/freetaxii/libstix2





JSON Output:

[22:43:05] saturn
[jordan]:/opt/go/src/github.com/freetaxii/libstix2/examples/bundle-> go run 01-bundle.go 
{
    "type": "bundle",
    "id": "bundle--cf94e6c9-4908-4dc0-90bc-830fb073e3fa",
    "spec_version": "stix-2.0",
    "campaigns": [
        {
            "type": "campaign",
            "id": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "name": "Bank Attack 2016",
            "objective": "Compromise SWIFT system and steal money"
        }
    ],
    "indicators": [
        {
            "type": "indicator",
            "id": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "name": "Malware C2 Indicator 2016",
            "pattern": "file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276"
        }
    ],
    "malware": [
        {
            "type": "malware",
            "id": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "labels": [
                "trojan",
                "malware-family"
            ],
            "name": "Zeus"
        },
        {
            "type": "malware",
            "id": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "labels": [
                "trojan"
            ],
            "name": "SpyEye",
            "filenames": [
                "cleansweep.exe",
                "spyeye2_exe",
                "build_1_.exe"
            ],
            "hashes": {
                "md5": "84714c100d2dfc88629531f6456b8276",
                "sha256": "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09"
            },
            "scan_data": [
                {
                    "product": "avg",
                    "scanned": "2016-08-30T06:31:48Z",
                    "classification": "Generic16.BFGI"
                },
                {
                    "product": "avast",
                    "scanned": "2016-08-30T06:31:48Z",
                    "classification": "Win32:Downloader-NTU [PUP]"
                }
            ]
        }
    ],
    "relationships": [
        {
            "type": "relationship",
            "id": "relationship--e1fa4b09-49bb-4726-8e46-433841fc2d86",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "relationship_type": "member-of",
            "source_ref": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
            "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
        },
        {
            "type": "relationship",
            "id": "relationship--e8a71f7e-f3e3-4e1e-9bbc-315855021f8b",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "relationship_type": "uses",
            "source_ref": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
            "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
        },
        {
            "type": "relationship",
            "id": "relationship--f9e5545a-25d3-468f-a1fe-bfae8c3bcc3b",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "relationship_type": "indicates",
            "source_ref": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
            "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
        }
    ],
    "sightings": [
        {
            "type": "sighting",
            "id": "sighting--0f152ef9-17d2-4dd1-8f75-5ecd0607f722",
            "created": "2016-09-14T05:06:10Z",
            "modified": "2016-09-14T05:06:10Z",
            "version": 1,
            "first_seen": "2016-09-01T00:00:00Z",
            "last_seen": "2016-09-01T10:30:00Z",
            "count": 3,
            "sighting_of_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
        }
    ]
}


Source code used to generate the bundle above:
package main

import (
	"encoding/json"
	"fmt"
	"os"

	"github.com/freetaxii/libstix2/messages/bundle"
)

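// main builds a small STIX 2.0 bundle — one campaign, one indicator, a
// malware family plus one sample (filenames, hashes, AV scan results), three
// relationships and one sighting — and prints it as indented JSON on stdout.
// Object ids and created/modified timestamps are never set here, so they are
// assigned inside libstix2 and differ from run to run.
//
// Exits with status 1 if the bundle cannot be marshalled; the original
// discarded that error and would have printed an empty bundle, which for a
// threat-intel feed is a silent loss of data rather than a visible failure.
func main() {
	sm := bundle.New()

	// Create a campaign.
	c := sm.NewCampaign()
	c.SetName("Bank Attack 2016")
	c.SetObjective("Compromise SWIFT system and steal money")

	// Create an indicator.
	// NOTE(review): the pattern matches on MD5 only, although a SHA-256 for
	// the same sample is recorded on the malware object below. MD5 is
	// collision-prone, so a consumer matching on it alone can be fooled by a
	// crafted file; consider carrying the SHA-256 in the pattern as well.
	i := sm.NewIndicator()
	i.SetName("Malware C2 Indicator 2016")
	i.SetPattern("file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276")

	// Define a family of malware.
	m1 := sm.NewMalware()
	m1.SetName("Zeus")
	m1.AddLabel("trojan")
	m1.AddLabel("malware-family")

	// Define a piece of malware: one sample with its filenames and hashes.
	m2 := sm.NewMalware()
	m2.SetName("SpyEye")
	m2.AddLabel("trojan")
	m2.AddFilename("cleansweep.exe")
	m2.AddFilename("spyeye2_exe")
	m2.AddFilename("build_1_.exe")
	m2.AddHash("md5", "84714c100d2dfc88629531f6456b8276")
	m2.AddHash("sha256", "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09")

	// Define some scan data for the malware sample. Timestamps are passed as
	// RFC 3339 text; whether the library validates them is not visible here.
	m2s1 := m2.NewScanData()
	m2s1.SetScannedText("2016-08-30T06:31:48Z")
	m2s1.SetProduct("avg")
	m2s1.SetClassification("Generic16.BFGI")

	m2s2 := m2.NewScanData()
	m2s2.SetScannedText("2016-08-30T06:31:48Z")
	m2s2.SetProduct("avast")
	m2s2.SetClassification("Win32:Downloader-NTU [PUP]")

	// Connect the malware sample to a malware family.
	// NOTE(review): as written this edge reads "Zeus (family) member-of
	// SpyEye (sample)". If the intent is sample -> family, source and target
	// should be swapped; left unchanged here so the emitted graph is the same.
	r1 := sm.NewRelationship()
	r1.SetRelationshipType("member-of")
	r1.SetSourceRef(m1.GetId())
	r1.SetTargetRef(m2.GetId())

	// Identify that this campaign uses this piece of malware.
	r2 := sm.NewRelationship()
	r2.SetRelationshipType("uses")
	r2.SetSourceRef(c.GetId())
	r2.SetTargetRef(m2.GetId())

	// Identify that this indicator can indicate the presence of this malware.
	r3 := sm.NewRelationship()
	r3.SetRelationshipType("indicates")
	r3.SetSourceRef(i.GetId())
	r3.SetTargetRef(m2.GetId())

	// Add a sighting for the malware.
	s1 := sm.NewSighting()
	s1.SetFirstSeenText("2016-09-01T00:00:00Z")
	s1.SetLastSeenText("2016-09-01T10:30:00Z")
	s1.SetCount(3)
	s1.SetSightingOfRef(m2.GetId())

	// Serialise the whole bundle. A marshalling failure must not be swallowed:
	// report it on stderr and exit non-zero instead of printing nothing.
	data, err := json.MarshalIndent(sm, "", "    ")
	if err != nil {
		fmt.Fprintln(os.Stderr, "marshalling STIX bundle:", err)
		os.Exit(1)
	}

	fmt.Println(string(data))
}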



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


