muchdogesec / stix2arango

stix2arango is a command line tool that takes a group of STIX 2.1 objects in a bundle and inserts them into ArangoDB. It can also handle updates to existing objects in ArangoDB imported in a bundle.
https://www.dogesec.com/
GNU Affero General Public License v3.0

Updates of embedded relationships (_is_ref) are not being aged out correctly #22

Open himynamesdave opened 1 month ago

himynamesdave commented 1 month ago

Discovered in https://github.com/muchdogesec/arango_cti_processor/issues/20

Now covered in test 23

python3 -m unittest tests/test_23-embedded-sro-removed.py

fqrious commented 2 weeks ago

explain how they have to be aged out

himynamesdave commented 1 week ago

It's similar to the aging out of any relationship, just specifically for is_ref

I'll use test 23 to demo

If we import

embedded-ref-object.json

with create embedded relationships enabled

{
    "type": "bundle",
    "id": "bundle--189fdbbf-ea4a-52f1-acfc-9c04416bfd41",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
            "created_by_ref": "identity--efccc0ba-d237-5c9a-ad41-4f8bb6791be4",
            "created": "2021-12-07T00:00:00.000Z",
            "modified": "2023-02-14T00:00:00.000Z",
            "name": "Suspicious Firewall Configuration Discovery Via Netsh.EXE",
            "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. The following false positives can result from this detection; Administrative activity",
            "indicator_types": [
                "malicious-activity",
                "anomalous-activity"
            ],
            "pattern": "{'title': 'Suspicious Firewall Configuration Discovery Via Netsh.EXE', 'id': '0e4164da-94bc-450d-a7be-a4b176179f1f', 'status': 'experimental', 'description': 'Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems', 'references': ['https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules', 'https://ss64.com/nt/netsh.html'], 'author': \"frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\", 'date': '2021/12/07', 'modified': '2023/02/14', 'tags': ['attack.discovery', 'attack.t1016'], 'logsource': {'category': 'process_creation', 'product': 'windows'}, 'detection': {'selection_img': [{'Image|endswith': '\\\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'all of selection_*'}, 'falsepositives': ['Administrative activity'], 'level': 'low'}",
            "pattern_type": "sigma",
            "valid_from": "2021-12-07T00:00:00Z",
            "labels": [
                "level: low",
                "status: experimental",
                "author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
                "license: None",
                "attack.discovery",
                "attack.t1016"
            ],
            "external_references": [
                {
                    "source_name": "rule",
                    "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
                },
                {
                    "source_name": "id",
                    "url": "0e4164da-94bc-450d-a7be-a4b176179f1f"
                },
                {
                    "source_name": "reference",
                    "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules"
                },
                {
                    "source_name": "reference",
                    "url": "https://ss64.com/nt/netsh.html"
                }
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
                "marking-definition--efccc0ba-d237-5c9a-ad41-4f8bb6791be4"
            ]
        }
    ]
}

The first file above has 1 object with 3 refs (2 for object_markings, 1 for created_by). In the second update, all these ref properties are removed from the object, so it should have 0 ref relationships.

For the second update we then import embedded-ref-object-removed.json, which removes all the refs:

{
    "type": "bundle",
    "id": "bundle--4523035c-8871-45ff-8d6f-2f03d9041728",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
            "created": "2021-12-07T00:00:00.000Z",
            "modified": "2024-01-01T00:00:00.000Z",
            "name": "Embedded refs removed -- Suspicious Firewall Configuration Discovery Via Netsh.EXE",
            "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. The following false positives can result from this detection; Administrative activity",
            "indicator_types": [
                "malicious-activity",
                "anomalous-activity"
            ],
            "pattern": "{'title': 'Suspicious Firewall Configuration Discovery Via Netsh.EXE', 'id': '0e4164da-94bc-450d-a7be-a4b176179f1f', 'status': 'experimental', 'description': 'Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems', 'references': ['https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules', 'https://ss64.com/nt/netsh.html'], 'author': \"frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\", 'date': '2021/12/07', 'modified': '2023/02/14', 'tags': ['attack.discovery', 'attack.t1016'], 'logsource': {'category': 'process_creation', 'product': 'windows'}, 'detection': {'selection_img': [{'Image|endswith': '\\\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'all of selection_*'}, 'falsepositives': ['Administrative activity'], 'level': 'low'}",
            "pattern_type": "sigma",
            "valid_from": "2021-12-07T00:00:00Z",
            "labels": [
                "level: low",
                "status: experimental",
                "author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
                "license: None",
                "attack.discovery",
                "attack.t1016"
            ],
            "external_references": [
                {
                    "source_name": "rule",
                    "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
                },
                {
                    "source_name": "id",
                    "url": "0e4164da-94bc-450d-a7be-a4b176179f1f"
                },
                {
                    "source_name": "reference",
                    "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules"
                },
                {
                    "source_name": "reference",
                    "url": "https://ss64.com/nt/netsh.html"
                }
            ]
        }
    ]
}

So essentially, to do this, for each object we need to check if it has any relationship objects that are _is_latest=true and _is_ref=true. If this is the case, and --ignore-embedded-relationship = false, then the script should first age out all the _is_latest=true and _is_ref=true objects linked to this one, and then recreate the latest ones (if they exist -- in this case 0 exist, so no embedded SROs would be _is_latest=true).

@fqrious
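Added example (not part of the thread and not stix2arango's own code): an in-memory model of the age-out procedure described in the comment above, replayed against trimmed copies of the two test-23 bundles. The edge field names `_is_ref`, `_is_latest`, `source_ref`, `target_ref` and `relationship_type`, deriving `relationship_type` from the property name (`created_by_ref` -> `created_by`, `object_marking_refs` -> `object_marking`), and the `modified` field copied onto each edge are my assumptions, not the real collection schema; only top-level `*_ref` / `*_refs` properties are scanned.

```python
"""In-memory model of aging out embedded (_is_ref) relationships.

Edges are plain dicts standing in for documents in an ArangoDB edge
collection. Key names and the relationship_type derivation are assumptions
modelled on the issue thread, not stix2arango's actual schema.
"""
import re

# Top-level STIX embedded-reference properties: created_by_ref (single id)
# or object_marking_refs (list of ids). The prefix becomes the relationship type.
_REF_PROPERTY = re.compile(r"^(?P<prefix>.+?)_refs?$")


def embedded_refs(obj):
    """Return [(relationship_type, target_id), ...] for every *_ref / *_refs
    property at the top level of a STIX object (nested refs are not scanned)."""
    refs = []
    for key, value in obj.items():
        match = _REF_PROPERTY.match(key)
        if not match:
            continue
        targets = value if isinstance(value, list) else [value]
        for target in targets:
            refs.append((match.group("prefix"), target))
    return refs


def latest_ref_edges(edges, source_id):
    """Edges that are currently live embedded relationships for source_id."""
    return [e for e in edges
            if e["_is_ref"] and e["_is_latest"] and e["source_ref"] == source_id]


def reconcile_embedded_relationships(edges, obj, ignore_embedded_relationship=False):
    """Apply the procedure from the issue to one new or updated object.

    1. Age out every edge that is _is_ref=true and _is_latest=true for this
       object (flip the flag, never delete: history stays queryable).
    2. Recreate one _is_latest=true edge per embedded ref in the object as it
       now stands; an update with no refs therefore ends with zero live edges.
    Returns (number_aged_out, list_of_created_edges).
    """
    if ignore_embedded_relationship:
        return 0, []
    stale = latest_ref_edges(edges, obj["id"])
    for edge in stale:
        edge["_is_latest"] = False
    created = []
    for relationship_type, target in embedded_refs(obj):
        edge = {
            "_is_ref": True,
            "_is_latest": True,
            "relationship_type": relationship_type,
            "source_ref": obj["id"],
            "target_ref": target,
            # assumed field: which version of the source object the edge belongs to
            "modified": obj.get("modified"),
        }
        edges.append(edge)
        created.append(edge)
    return len(stale), created


# Constructed, trimmed-down versions of the two bundles quoted in the issue.
INDICATOR_V1 = {
    "type": "indicator",
    "id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
    "modified": "2023-02-14T00:00:00.000Z",
    "created_by_ref": "identity--efccc0ba-d237-5c9a-ad41-4f8bb6791be4",
    "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
        "marking-definition--efccc0ba-d237-5c9a-ad41-4f8bb6791be4",
    ],
}
INDICATOR_V2 = {  # the "embedded refs removed" update: no *_ref properties at all
    "type": "indicator",
    "id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
    "modified": "2024-01-01T00:00:00.000Z",
}


def run_test_23_scenario():
    """Replay the two imports from test 23 and report live-edge counts after each."""
    edges = []
    reconcile_embedded_relationships(edges, INDICATOR_V1)
    after_first = len(latest_ref_edges(edges, INDICATOR_V1["id"]))
    aged, created = reconcile_embedded_relationships(edges, INDICATOR_V2)
    after_second = len(latest_ref_edges(edges, INDICATOR_V2["id"]))
    return {"after_first": after_first, "aged_out": aged,
            "created_on_update": len(created), "after_second": after_second,
            "total_edges_kept": len(edges)}


if __name__ == "__main__":
    print(run_test_23_scenario())
```

The first import yields 3 live edges; the second ages all 3 out and creates none, leaving 0 live edges while the 3 historical edges are kept. The same two steps also cover a partial update (one ref kept, two dropped): the old three are aged out and a single fresh edge is created, so there is never a window where a stale edge is still _is_latest=true.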