feat(ttp/stix): add deduped process SCOs for attacker commands

2026-05-09 07:33:30 -04:00
parent 1ee7a4a481
commit f827197cc8
6 changed files with 68 additions and 2 deletions
--- a/decnet/ttp/stix_export.py
+++ b/decnet/ttp/stix_export.py
@@ -156,6 +156,7 @@ def build_attacker_bundle(
    raw_tags: list[dict[str, Any]],
    artifacts: list[dict[str, Any]],
    smtp_targets: list[dict[str, Any]],
+    commands: list[str] | None = None,
 ) -> stix2.Bundle:
    """Assemble a STIX 2.1 Bundle for *attacker*.

@@ -275,6 +276,24 @@ def build_attacker_bundle(
            )
        )

+    # ── Shell commands (process SCOs + observed-data) ────────────────
+    seen_cmds: set[str] = set()
+    for cmd_line in commands or []:
+        if not cmd_line or cmd_line in seen_cmds:
+            continue
+        seen_cmds.add(cmd_line)
+        proc = stix2.Process(command_line=cmd_line, is_hidden=False)
+        objs.append(proc)
+        objs.append(
+            stix2.ObservedData(
+                first_observed=fs or now,
+                last_observed=ls or now,
+                number_observed=1,
+                object_refs=[proc.id],
+                created_by_ref=org.id,
+            )
+        )
+
    # ── Intel note ───────────────────────────────────────────────────
    if intel:
        note = _intel_note(intel, ta.id, org.id)