feat(ttp): rich ThreatActor STIX extensions via CustomExtension + CustomObject

- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/ phase_sequence/behavior_class/beacon fields/tool_guesses) and protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/ ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints). XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying full BEHAVE-SHELL observation envelopes + kd_digraph_simhash. FINGERPRINT_EXT_DEF singleton extension-definition SDO. - Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes / x_decnet_c2_endpoints (pre-v1, no consumers). - stix_export: _threat_actor() wired to behavior + observations; build_attacker_bundle/build_fleet_bundle grow observations parameter. - Repo: list_observations_by_attacker + get_all_observations_for_export abstract + sqlmodel impl; all four export endpoints extended. - 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects) is the primary fidelity assertion.
2026-05-09 08:52:19 -04:00
parent 1200ac9132
commit 97c99a4e03
16 changed files with 745 additions and 15 deletions
--- a/tests/db/test_base_repo.py
+++ b/tests/db/test_base_repo.py
@@ -111,6 +111,10 @@ class DummyRepo(BaseRepository):
        await super().get_log_histogram(*a, **kw); return []
    async def has_observations_for_evidence(self, evidence_ref):
        await super().has_observations_for_evidence(evidence_ref); return False
+    async def list_observations_by_attacker(self, attacker_uuid):
+        await super().list_observations_by_attacker(attacker_uuid); return []
+    async def get_all_observations_for_export(self):
+        await super().get_all_observations_for_export(); return {}
    async def get_attacker_uuid_by_ip(self, ip):
        await super().get_attacker_uuid_by_ip(ip); return None
    # TTP rollup surface (TTP_TAGGING.md)
@@ -253,6 +257,10 @@ async def test_base_repo_coverage():
    await dr.get_log_histogram()
    with pytest.raises(NotImplementedError):
        await dr.has_observations_for_evidence("shard:x#1")
+    with pytest.raises(NotImplementedError):
+        await dr.list_observations_by_attacker("a")
+    with pytest.raises(NotImplementedError):
+        await dr.get_all_observations_for_export()
    with pytest.raises(NotImplementedError):
        await dr.get_attacker_uuid_by_ip("1.1.1.1")
    with pytest.raises(NotImplementedError):
--- a/tests/ttp/test_stix_custom.py
+++ b/tests/ttp/test_stix_custom.py
@@ -0,0 +1,157 @@
+"""Unit tests for decnet/ttp/stix_custom.py custom STIX types.
+
+Verifies that:
+- DecnetActorFingerprintExt instantiates, serialises, and round-trips.
+- XDecnetBehaveProfile instantiates, serialises, and round-trips.
+- Both types survive a full bundle parse with allow_custom=True.
+- FINGERPRINT_EXT_DEF is a valid ExtensionDefinition SDO.
+"""
+from __future__ import annotations
+
+import json
+import uuid as _uuid
+
+import pytest
+import stix2
+
+from decnet.ttp.stix_custom import (
+    ACTOR_FINGERPRINT_EXT_ID,
+    FINGERPRINT_EXT_DEF,
+    DecnetActorFingerprintExt,
+    XDecnetBehaveProfile,
+)
+
+_NS = _uuid.UUID("b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a")
+_ORG_ID = f"identity--{_uuid.uuid5(_NS, 'decnet-honeypot')}"
+
+
+def test_ext_id_is_extension_definition():
+    assert ACTOR_FINGERPRINT_EXT_ID.startswith("extension-definition--")
+
+
+def test_fingerprint_ext_def_valid():
+    assert FINGERPRINT_EXT_DEF.id == ACTOR_FINGERPRINT_EXT_ID
+    assert FINGERPRINT_EXT_DEF.type == "extension-definition"
+    assert "property-extension" in FINGERPRINT_EXT_DEF.extension_types
+
+
+def test_decnet_actor_fingerprint_ext_roundtrip():
+    net = {"os_guess": "Linux 4.x", "hop_distance": 7, "retransmit_count": 1}
+    fp = {"ja3_hashes": ["abc123"], "kex_order_raw": ["curve25519-sha256"]}
+    ext = DecnetActorFingerprintExt(
+        extension_type="property-extension",
+        network_behavior=net,
+        protocol_fingerprints=fp,
+    )
+    raw = json.loads(ext.serialize())
+    assert raw["extension_type"] == "property-extension"
+    assert raw["network_behavior"]["os_guess"] == "Linux 4.x"
+    assert raw["protocol_fingerprints"]["ja3_hashes"] == ["abc123"]
+
+
+def test_decnet_actor_fingerprint_ext_partial():
+    ext = DecnetActorFingerprintExt(
+        extension_type="property-extension",
+        network_behavior={"behavior_class": "scanning"},
+    )
+    raw = json.loads(ext.serialize())
+    assert "protocol_fingerprints" not in raw
+
+
+def test_x_decnet_behave_profile_roundtrip():
+    obs = [
+        {
+            "primitive": "motor.input_modality",
+            "value": "typed",
+            "confidence": 0.9,
+            "window": {"start_ts": 1.0, "end_ts": 2.0},
+            "source": "ssh",
+            "evidence_ref": "shard:dky/ssh/2026-01-01.jsonl#1",
+        }
+    ]
+    profile = XDecnetBehaveProfile(  # type: ignore[call-arg]
+        id=f"x-decnet-behave-profile--{_uuid.uuid5(_NS, 'attacker-1')}",
+        created_by_ref=_ORG_ID,
+        schema_version=1,
+        kd_digraph_simhash="deadbeef12345678",
+        observations=obs,
+    )
+    raw = json.loads(profile.serialize())
+    assert raw["type"] == "x-decnet-behave-profile"
+    assert raw["schema_version"] == 1
+    assert raw["kd_digraph_simhash"] == "deadbeef12345678"
+    assert len(raw["observations"]) == 1
+    assert raw["observations"][0]["primitive"] == "motor.input_modality"
+
+
+def test_x_decnet_behave_profile_stix2_parse_roundtrip():
+    profile = XDecnetBehaveProfile(  # type: ignore[call-arg]
+        id=f"x-decnet-behave-profile--{_uuid.uuid5(_NS, 'attacker-2')}",
+        created_by_ref=_ORG_ID,
+        schema_version=1,
+        kd_digraph_simhash=None,
+        observations=[],
+    )
+    parsed = stix2.parse(profile.serialize(), allow_custom=True)
+    assert type(parsed).__name__ == "XDecnetBehaveProfile"
+
+
+def test_threat_actor_with_extension_bundle_roundtrip():
+    """Full bundle round-trip: ThreatActor with ext + profile SDO + ext-def SDO."""
+    net = {"os_guess": "FreeBSD", "hop_distance": 3}
+    fp = {"hassh_hashes": ["h1h2h3"]}
+    ext = DecnetActorFingerprintExt(
+        extension_type="property-extension",
+        network_behavior=net,
+        protocol_fingerprints=fp,
+    )
+    profile_id = f"x-decnet-behave-profile--{_uuid.uuid5(_NS, 'attacker-rt')}"
+    obs = [
+        {
+            "primitive": "cognitive.exploration_style",
+            "value": "targeted",
+            "confidence": 0.85,
+            "window": {"start_ts": 100.0, "end_ts": 200.0},
+            "source": "ssh",
+            "evidence_ref": "shard:dky/ssh/2026-01-02.jsonl#42",
+        }
+    ]
+    profile = XDecnetBehaveProfile(  # type: ignore[call-arg]
+        id=profile_id,
+        created_by_ref=_ORG_ID,
+        schema_version=1,
+        kd_digraph_simhash="cafebabe00000000",
+        observations=obs,
+    )
+    ta = stix2.ThreatActor(
+        id=f"threat-actor--{_uuid.uuid5(_NS, 'attacker-rt')}",
+        name="DECNET-test-actor",
+        threat_actor_types=["unknown"],
+        created_by_ref=_ORG_ID,
+        extensions={ACTOR_FINGERPRINT_EXT_ID: ext},
+        x_decnet_behave_profile_ref=profile_id,
+        allow_custom=True,
+    )
+    bundle = stix2.Bundle(
+        objects=[FINGERPRINT_EXT_DEF, profile, ta], allow_custom=True
+    )
+    parsed = stix2.parse(bundle.serialize(), allow_custom=True)
+
+    parsed_ta = next(o for o in parsed.objects if o.type == "threat-actor")
+    parsed_ext = parsed_ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    parsed_profile = next(
+        o for o in parsed.objects if o.type == "x-decnet-behave-profile"
+    )
+
+    # Extension is typed, not a bare dict
+    assert type(parsed_ext).__name__ == "DecnetActorFingerprintExt"
+    assert parsed_ext.network_behavior["os_guess"] == "FreeBSD"
+    assert parsed_ext.protocol_fingerprints["hassh_hashes"] == ["h1h2h3"]
+
+    # Profile SDO is typed and lossless
+    assert type(parsed_profile).__name__ == "XDecnetBehaveProfile"
+    assert parsed_profile.kd_digraph_simhash == "cafebabe00000000"
+    assert parsed_profile.observations[0]["primitive"] == "cognitive.exploration_style"
+
+    # Ref survives
+    assert parsed_ta.x_decnet_behave_profile_ref == profile_id
--- a/tests/ttp/test_stix_export_threat_actor_extensions.py
+++ b/tests/ttp/test_stix_export_threat_actor_extensions.py
@@ -0,0 +1,266 @@
+"""Integration tests for the x_decnet_* ThreatActor extensions in stix_export.py.
+
+Covers:
+- Skinny attacker (no behavior, no identity, no observations) → no extension block,
+  no profile SDO, no extension-definition SDO.
+- Attacker with behavior → extension block with network_behavior populated.
+- Attacker with identity fingerprints → protocol_fingerprints group.
+- Attacker with BEHAVE observations → x-decnet-behave-profile SDO in bundle,
+  x_decnet_behave_profile_ref on ThreatActor, extension-definition SDO present.
+- kd_digraph_simhash hex-encoded correctly (bytes and base64 inputs).
+- Full inter-DECNET round-trip: stix2.parse(bundle, allow_custom=True) yields
+  typed extension objects, not bare dicts.
+"""
+from __future__ import annotations
+
+import base64
+import json
+import uuid as _uuid
+from datetime import datetime, timezone
+
+import pytest
+import stix2
+
+from decnet.ttp.stix_custom import (
+    ACTOR_FINGERPRINT_EXT_ID,
+    DecnetActorFingerprintExt,
+    XDecnetBehaveProfile,
+)
+from decnet.ttp.stix_export import build_attacker_bundle
+
+_NS = _uuid.UUID("b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a")
+
+
+def _attacker(uid: str = "att-aaaabbbbccccdddd") -> dict:
+    return {
+        "uuid": uid,
+        "ip": "1.2.3.4",
+        "first_seen": datetime(2026, 1, 1, tzinfo=timezone.utc),
+        "last_seen": datetime(2026, 1, 31, tzinfo=timezone.utc),
+        "event_count": 100,
+        "country_code": "US",
+        "asn": 15169,
+        "as_name": "GOOGLE",
+    }
+
+
+def _behavior() -> dict:
+    return {
+        "os_guess": "Linux 4.x",
+        "hop_distance": 7,
+        "tcp_fingerprint": json.dumps({
+            "window": 65535, "wscale": 6, "mss": 1460,
+            "options_sig": "MSTNNT", "has_sack": True, "ipid_class": "zero",
+        }),
+        "kex_order_raw": json.dumps(["curve25519-sha256", "ecdh-sha2-nistp256"]),
+        "ssh_client_banners": json.dumps(["SSH-2.0-OpenSSH_8.9"]),
+        "retransmit_count": 3,
+        "behavior_class": "brute_force",
+        "beacon_interval_s": 60.0,
+        "beacon_jitter_pct": 0.05,
+        "timing_stats": json.dumps({"mean": 1.2, "stdev": 0.3}),
+        "phase_sequence": json.dumps({"recon_end": "2026-01-10T00:00:00"}),
+        "tool_guesses": json.dumps(["hydra"]),
+    }
+
+
+def _identity(uid: str = "ident-1111222233334444") -> dict:
+    return {
+        "uuid": uid,
+        "ja3_hashes": json.dumps(["abc123def456"]),
+        "hassh_hashes": json.dumps(["hashhash01"]),
+        "tls_cert_sha256": json.dumps(["a" * 64]),
+        "payload_simhashes": json.dumps(["deadbeef12345678"]),
+        "c2_endpoints": json.dumps([{"host": "bad.example.com", "port": 4444}]),
+        "kd_digraph_simhash": None,
+    }
+
+
+def _obs() -> list[dict]:
+    return [
+        {
+            "primitive": "motor.input_modality",
+            "value": "typed",
+            "confidence": 0.9,
+            "window": {"start_ts": 1000.0, "end_ts": 2000.0},
+            "source": "ssh",
+            "evidence_ref": "shard:dky/ssh/2026-01-01.jsonl#1",
+        },
+        {
+            "primitive": "cognitive.exploration_style",
+            "value": "targeted",
+            "confidence": 0.8,
+            "window": {"start_ts": 2000.0, "end_ts": 3000.0},
+            "source": "ssh",
+            "evidence_ref": "shard:dky/ssh/2026-01-01.jsonl#2",
+        },
+    ]
+
+
+def _get_ta(bundle: stix2.Bundle) -> stix2.ThreatActor:
+    return next(o for o in bundle.objects if o.type == "threat-actor")
+
+
+def test_skinny_attacker_no_extension():
+    """No behavior, no identity, no observations → no extension block."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    ta = _get_ta(bundle)
+    assert not getattr(ta, "extensions", None)
+    profile_sdos = [o for o in bundle.objects if o.type == "x-decnet-behave-profile"]
+    assert len(profile_sdos) == 0
+    ext_def_sdos = [o for o in bundle.objects if o.type == "extension-definition"]
+    assert len(ext_def_sdos) == 0
+
+
+def test_behavior_produces_network_behavior_group():
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=_behavior(), identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    ta = _get_ta(bundle)
+    assert ta.extensions, "expected extension block"
+    ext = ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    nb = ext.network_behavior
+    assert nb["os_guess"] == "Linux 4.x"
+    assert nb["hop_distance"] == 7
+    assert nb["retransmit_count"] == 3
+    assert nb["behavior_class"] == "brute_force"
+    assert nb["tcp_fingerprint"]["window"] == 65535
+    assert nb["timing_stats"]["mean"] == pytest.approx(1.2)
+    assert "hydra" in nb["tool_guesses"]
+
+
+def test_behavior_produces_protocol_fingerprints_from_behavior():
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=_behavior(), identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    ta = _get_ta(bundle)
+    ext = ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    fp = ext.protocol_fingerprints
+    assert fp["kex_order_raw"] == ["curve25519-sha256", "ecdh-sha2-nistp256"]
+    assert fp["ssh_client_banners"] == ["SSH-2.0-OpenSSH_8.9"]
+
+
+def test_identity_fingerprints_in_protocol_group():
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=_identity(), intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    ta = _get_ta(bundle)
+    ext = ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    fp = ext.protocol_fingerprints
+    assert fp["ja3_hashes"] == ["abc123def456"]
+    assert fp["hassh_hashes"] == ["hashhash01"]
+    assert fp["tls_cert_sha256"] == ["a" * 64]
+    c2 = fp["c2_endpoints"]
+    assert isinstance(c2, list) and c2[0]["host"] == "bad.example.com"
+
+
+def test_no_legacy_flat_x_decnet_hash_properties():
+    """Dropped: x_decnet_ja3_hashes / x_decnet_hassh_hashes / x_decnet_c2_endpoints."""
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=_behavior(), identity=_identity(), intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=None,
+    )
+    ta = _get_ta(bundle)
+    for old_prop in ("x_decnet_ja3_hashes", "x_decnet_hassh_hashes", "x_decnet_c2_endpoints"):
+        assert not hasattr(ta, old_prop), f"legacy property {old_prop!r} should not exist"
+
+
+def test_observations_produce_behave_profile_sdo():
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=_obs(),
+    )
+    ta = _get_ta(bundle)
+    assert hasattr(ta, "x_decnet_behave_profile_ref")
+    profile_sdos = [o for o in bundle.objects if o.type == "x-decnet-behave-profile"]
+    assert len(profile_sdos) == 1
+    profile = profile_sdos[0]
+    assert profile.id == ta.x_decnet_behave_profile_ref
+    assert len(profile.observations) == 2
+    assert profile.observations[0]["primitive"] == "motor.input_modality"
+    assert profile.observations[0]["confidence"] == pytest.approx(0.9)
+    assert profile.observations[0]["window"]["start_ts"] == pytest.approx(1000.0)
+
+
+def test_observations_include_extension_def_sdo():
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=None, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=_obs(),
+    )
+    ext_defs = [o for o in bundle.objects if o.type == "extension-definition"]
+    assert len(ext_defs) == 1
+    assert ext_defs[0].id == ACTOR_FINGERPRINT_EXT_ID
+
+
+def test_kd_digraph_simhash_bytes_input():
+    ident = _identity()
+    ident["kd_digraph_simhash"] = b"\xde\xad\xbe\xef\x12\x34\x56\x78"
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=ident, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=[_obs()[0]],
+    )
+    profile = next(o for o in bundle.objects if o.type == "x-decnet-behave-profile")
+    assert profile.kd_digraph_simhash == "deadbeef12345678"
+
+
+def test_kd_digraph_simhash_base64_input():
+    raw = b"\xca\xfe\xba\xbe\x00\x00\x00\x00"
+    ident = _identity()
+    ident["kd_digraph_simhash"] = base64.b64encode(raw).decode()
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=None, identity=ident, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=[_obs()[0]],
+    )
+    profile = next(o for o in bundle.objects if o.type == "x-decnet-behave-profile")
+    assert profile.kd_digraph_simhash == raw.hex()
+
+
+def test_inter_decnet_round_trip():
+    """Primary fidelity: stix2.parse restores typed objects, not bare dicts."""
+    ident = _identity()
+    ident["kd_digraph_simhash"] = b"\xde\xad\xbe\xef\x12\x34\x56\x78"
+    bundle = build_attacker_bundle(
+        attacker=_attacker(),
+        behavior=_behavior(), identity=ident, intel=None,
+        technique_rollup=[], raw_tags=[], artifacts=[],
+        smtp_targets=[], observations=_obs(),
+    )
+    parsed = stix2.parse(bundle.serialize(pretty=True, indent=2), allow_custom=True)
+
+    parsed_ta = next(o for o in parsed.objects if o.type == "threat-actor")
+    assert ACTOR_FINGERPRINT_EXT_ID in parsed_ta.extensions
+    parsed_ext = parsed_ta.extensions[ACTOR_FINGERPRINT_EXT_ID]
+    assert type(parsed_ext).__name__ == "DecnetActorFingerprintExt"
+    assert parsed_ext.network_behavior["os_guess"] == "Linux 4.x"
+    assert parsed_ext.protocol_fingerprints["ja3_hashes"] == ["abc123def456"]
+
+    parsed_profile = next(o for o in parsed.objects if o.type == "x-decnet-behave-profile")
+    assert type(parsed_profile).__name__ == "XDecnetBehaveProfile"
+    assert parsed_profile.kd_digraph_simhash == "deadbeef12345678"
+    primitives = {obs["primitive"] for obs in parsed_profile.observations}
+    assert "motor.input_modality" in primitives
+    assert "cognitive.exploration_style" in primitives
--- a/tests/web/test_api_export_attacker_misp.py
+++ b/tests/web/test_api_export_attacker_misp.py
@@ -112,6 +112,7 @@ def _mock_repo(*, attacker=None, intel=None, rollup=None, tags=None,
    m.get_attacker_artifacts = AsyncMock(return_value=artifacts or [])
    m.list_smtp_targets = AsyncMock(return_value=smtp or [])
    m.list_attacker_commands_deduped = AsyncMock(return_value=commands or [])
+    m.list_observations_by_attacker = AsyncMock(return_value=[])
    return m


--- a/tests/web/test_api_export_attacker_stix.py
+++ b/tests/web/test_api_export_attacker_stix.py
@@ -128,6 +128,7 @@ def _mock_repo(*, attacker=None, identity=None, intel=None,
    m.get_attacker_artifacts = AsyncMock(return_value=artifacts or [])
    m.list_smtp_targets = AsyncMock(return_value=smtp or [])
    m.list_attacker_commands_deduped = AsyncMock(return_value=commands or [])
+    m.list_observations_by_attacker = AsyncMock(return_value=[])
    return m


--- a/tests/web/test_api_export_attackers_misp.py
+++ b/tests/web/test_api_export_attackers_misp.py
@@ -51,6 +51,7 @@ def _mock_repo(*, rows=None, ttp_by_attacker=None):
    m = type("M", (), {})()
    m.get_all_attackers_for_export = AsyncMock(return_value=rows or [])
    m.get_all_ttp_rollups_for_export = AsyncMock(return_value=ttp_by_attacker or {})
+    m.get_all_observations_for_export = AsyncMock(return_value={})
    return m


--- a/tests/web/test_api_export_attackers_stix.py
+++ b/tests/web/test_api_export_attackers_stix.py
@@ -52,6 +52,7 @@ def _mock_repo(*, rows=None, ttp_by_attacker=None):
    m = type("M", (), {})()
    m.get_all_attackers_for_export = AsyncMock(return_value=rows or [])
    m.get_all_ttp_rollups_for_export = AsyncMock(return_value=ttp_by_attacker or {})
+    m.get_all_observations_for_export = AsyncMock(return_value={})
    return m