I have been working on some code tonight to hopefully show a potential issue with Observed Data. I am not yet ready to explain it or show it in detail, but I wanted to show you what I have done so far tonight (I still have a bit more work to do).
[22:43:05] saturn
[jordan]:/opt/go/src/
github.com/freetaxii/libstix2/examples/bundle-> go run 01-bundle.go
{
"type": "bundle",
"id": "bundle--cf94e6c9-4908-4dc0-90bc-830fb073e3fa",
"spec_version": "stix-2.0",
"campaigns": [
{
"type": "campaign",
"id": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"name": "Bank Attack 2016",
"objective": "Compromise SWIFT system and steal money"
}
],
"indicators": [
{
"type": "indicator",
"id": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"name": "Malware C2 Indicator 2016",
"pattern": "file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276"
}
],
"malware": [
{
"type": "malware",
"id": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"labels": [
"trojan",
"malware-family"
],
"name": "Zeus"
},
{
"type": "malware",
"id": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"labels": [
"trojan"
],
"name": "SpyEye",
"filenames": [
"cleansweep.exe",
"spyeye2_exe",
"build_1_.exe"
],
"hashes": {
"md5": "84714c100d2dfc88629531f6456b8276",
"sha256": "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09"
},
"scan_data": [
{
"product": "avg",
"scanned": "2016-08-30T06:31:48Z",
"classification": "Generic16.BFGI"
},
{
"product": "avast",
"scanned": "2016-08-30T06:31:48Z",
"classification": "Win32:Downloader-NTU [PUP]"
}
]
}
],
"relationships": [
{
"type": "relationship",
"id": "relationship--e1fa4b09-49bb-4726-8e46-433841fc2d86",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"relationship_type": "member-of",
"source_ref": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
"target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
},
{
"type": "relationship",
"id": "relationship--e8a71f7e-f3e3-4e1e-9bbc-315855021f8b",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"relationship_type": "uses",
"source_ref": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
"target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
},
{
"type": "relationship",
"id": "relationship--f9e5545a-25d3-468f-a1fe-bfae8c3bcc3b",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"relationship_type": "indicates",
"source_ref": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
"target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
}
],
"sightings": [
{
"type": "sighting",
"id": "sighting--0f152ef9-17d2-4dd1-8f75-5ecd0607f722",
"created": "2016-09-14T05:06:10Z",
"modified": "2016-09-14T05:06:10Z",
"version": 1,
"first_seen": "2016-09-01T00:00:00Z",
"last_seen": "2016-09-01T10:30:00Z",
"count": 3,
"sighting_of_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
}
]
}
Source code used to generate the output above:
package main
import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/freetaxii/libstix2/messages/bundle"
)
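// main builds a small STIX 2.0 bundle with the libstix2 API — one campaign,
// one indicator, two malware objects (a family and a sample carrying file
// names, hashes and scan data), three relationships tying them together and
// one sighting — and prints the bundle as indented JSON on stdout.
//
// Object ids and the created/modified timestamps are never set here, so the
// library fills them in; consecutive runs therefore print different ids than
// the sample output above.
func main() {
	sm := bundle.New()

	// Create a campaign
	c := sm.NewCampaign()
	c.SetName("Bank Attack 2016")
	c.SetObjective("Compromise SWIFT system and steal money")

	// Create an indicator
	i := sm.NewIndicator()
	i.SetName("Malware C2 Indicator 2016")
	i.SetPattern("file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276")

	// Define a family of malware
	m1 := sm.NewMalware()
	m1.SetName("Zeus")
	m1.AddLabel("trojan")
	m1.AddLabel("malware-family")

	// Define a piece of malware
	m2 := sm.NewMalware()
	m2.SetName("SpyEye")
	m2.AddLabel("trojan")
	m2.AddFilename("cleansweep.exe")
	m2.AddFilename("spyeye2_exe")
	m2.AddFilename("build_1_.exe")
	m2.AddHash("md5", "84714c100d2dfc88629531f6456b8276")
	m2.AddHash("sha256", "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09")

	// Define some scan data for the malware sample
	m2s1 := m2.NewScanData()
	m2s1.SetScannedText("2016-08-30T06:31:48Z")
	m2s1.SetProduct("avg")
	m2s1.SetClassification("Generic16.BFGI")

	m2s2 := m2.NewScanData()
	m2s2.SetScannedText("2016-08-30T06:31:48Z")
	m2s2.SetProduct("avast")
	m2s2.SetClassification("Win32:Downloader-NTU [PUP]")

	// Connect the malware sample to a malware family
	r1 := sm.NewRelationship()
	r1.SetRelationshipType("member-of")
	r1.SetSourceRef(m1.GetId())
	r1.SetTargetRef(m2.GetId())

	// Identify that this campaign uses this piece of malware
	r2 := sm.NewRelationship()
	r2.SetRelationshipType("uses")
	r2.SetSourceRef(c.GetId())
	r2.SetTargetRef(m2.GetId())

	// Identify that this indicator can indicate the presence of this malware
	r3 := sm.NewRelationship()
	r3.SetRelationshipType("indicates")
	r3.SetSourceRef(i.GetId())
	r3.SetTargetRef(m2.GetId())

	// Add a sighting for the malware
	s1 := sm.NewSighting()
	s1.SetFirstSeenText("2016-09-01T00:00:00Z")
	s1.SetLastSeenText("2016-09-01T10:30:00Z")
	s1.SetCount(3)
	s1.SetSightingOfRef(m2.GetId())

	// A marshaling failure must not be silently turned into empty output:
	// report it and exit non-zero instead of discarding the error.
	data, err := json.MarshalIndent(sm, "", " ")
	if err != nil {
		log.Fatalf("marshaling bundle: %v", err)
	}
	fmt.Println(string(data))
}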
Thanks,
Bret
Bret Jordan CISSP | Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."