feat(ttp): rich ThreatActor STIX extensions via CustomExtension + CustomObject
- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/ phase_sequence/behavior_class/beacon fields/tool_guesses) and protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/ ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints). XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying full BEHAVE-SHELL observation envelopes + kd_digraph_simhash. FINGERPRINT_EXT_DEF singleton extension-definition SDO. - Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes / x_decnet_c2_endpoints (pre-v1, no consumers). - stix_export: _threat_actor() wired to behavior + observations; build_attacker_bundle/build_fleet_bundle grow observations parameter. - Repo: list_observations_by_attacker + get_all_observations_for_export abstract + sqlmodel impl; all four export endpoints extended. - 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects) is the primary fidelity assertion.
This commit is contained in:
100
decnet/ttp/stix_custom.py
Normal file
100
decnet/ttp/stix_custom.py
Normal file
@@ -0,0 +1,100 @@
|
||||
"""DECNET-defined STIX 2.1 custom extension and object types.
|
||||
|
||||
Import this module before parsing any DECNET-produced bundle so the types are
|
||||
registered with the stix2 library and ``stix2.parse(bundle, allow_custom=True)``
|
||||
rebuilds them as typed objects rather than opaque dicts.
|
||||
|
||||
Classes
|
||||
-------
|
||||
DecnetActorFingerprintExt
|
||||
``@CustomExtension`` on ThreatActor — carries ``network_behavior``
|
||||
(TCP/TLS/SSH sniffer rollup) and ``protocol_fingerprints`` (hashes +
|
||||
raw orderings).
|
||||
XDecnetBehaveProfile
|
||||
``@CustomObject`` — autonomous STIX SDO carrying the BEHAVE-SHELL
|
||||
observation stream for one attacker. Referenced from ThreatActor via
|
||||
``x_decnet_behave_profile_ref``.
|
||||
|
||||
Constants
|
||||
---------
|
||||
ACTOR_FINGERPRINT_EXT_ID : str
|
||||
Fixed ``extension-definition--`` ID for ``DecnetActorFingerprintExt``.
|
||||
FINGERPRINT_EXT_DEF : stix2.ExtensionDefinition
|
||||
Singleton ``extension-definition`` SDO — add to every bundle that uses
|
||||
the fingerprint extension.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import uuid as _uuid
|
||||
|
||||
import stix2
|
||||
from stix2 import CustomExtension, CustomObject, ExtensionDefinition
|
||||
from stix2 import properties as _P
|
||||
|
||||
_NS = _uuid.UUID("b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a")
|
||||
|
||||
# Stable ID for the actor fingerprint extension-definition SDO.
|
||||
ACTOR_FINGERPRINT_EXT_ID: str = (
|
||||
f"extension-definition--{_uuid.uuid5(_NS, 'decnet-actor-fingerprint-v1')}"
|
||||
)
|
||||
|
||||
_DECNET_ORG_ID = f"identity--{_uuid.uuid5(_NS, 'decnet-honeypot')}"
|
||||
|
||||
|
||||
@CustomExtension(
|
||||
ACTOR_FINGERPRINT_EXT_ID,
|
||||
[
|
||||
("extension_type", _P.StringProperty(required=True)),
|
||||
("network_behavior", _P.DictionaryProperty()),
|
||||
("protocol_fingerprints", _P.DictionaryProperty()),
|
||||
],
|
||||
)
|
||||
class DecnetActorFingerprintExt:
|
||||
"""Property extension on ThreatActor.
|
||||
|
||||
``network_behavior`` keys: os_guess, hop_distance, tcp_fingerprint,
|
||||
retransmit_count, timing_stats, phase_sequence, behavior_class,
|
||||
beacon_interval_s, beacon_jitter_pct, tool_guesses.
|
||||
|
||||
``protocol_fingerprints`` keys: ja3_hashes, hassh_hashes, kex_order_raw,
|
||||
ssh_client_banners, tls_cert_sha256, payload_simhashes, c2_endpoints.
|
||||
"""
|
||||
|
||||
|
||||
@CustomObject(
|
||||
"x-decnet-behave-profile",
|
||||
[
|
||||
("schema_version", _P.IntegerProperty()),
|
||||
("kd_digraph_simhash", _P.StringProperty()),
|
||||
("observations", _P.ListProperty(_P.DictionaryProperty())),
|
||||
],
|
||||
)
|
||||
class XDecnetBehaveProfile:
|
||||
"""BEHAVE-SHELL observation stream for one attacker.
|
||||
|
||||
``observations`` is a list of BEHAVE envelope dicts with keys:
|
||||
primitive, value, confidence, window (start_ts/end_ts), source,
|
||||
evidence_ref, identity_ref (optional).
|
||||
|
||||
``schema_version`` matches ``OBSERVATION_SCHEMA_VERSION`` from
|
||||
decnet_behave_shell.spec.envelope — bump when the envelope schema changes.
|
||||
|
||||
``kd_digraph_simhash`` is the 8-byte digraph SimHash from
|
||||
AttackerIdentity, hex-encoded. Null when identity has not been clustered.
|
||||
"""
|
||||
|
||||
|
||||
# Singleton extension-definition SDO.
|
||||
FINGERPRINT_EXT_DEF: stix2.ExtensionDefinition = ExtensionDefinition(
|
||||
id=ACTOR_FINGERPRINT_EXT_ID,
|
||||
name="DECNET Actor Fingerprint",
|
||||
description=(
|
||||
"Extends ThreatActor with DECNET-observed network behavior "
|
||||
"(TCP/TLS/SSH stack-level fingerprints, IAT timing, phase sequence) "
|
||||
"and BEHAVE-SHELL keystroke-dynamics observation primitives."
|
||||
),
|
||||
schema="https://decnet.dev/schemas/actor-fingerprint/v1",
|
||||
version="1.0.0",
|
||||
extension_types=["property-extension"],
|
||||
created_by_ref=_DECNET_ORG_ID,
|
||||
)
|
||||
Reference in New Issue
Block a user