Malware Used During an Incident


It’s often useful to identify the pieces of malware that are used to carry out an incident. This can help understand what the impact is, shape courses of action, and help others understand how to avoid similar incidents.

Scenario

The scenario we’ll work with describes an incident in which the PIVY (Poison Ivy) Remote Access Trojan was used to gain remote access. The scenario is specifically focused on representing the malware, so no other information about the incident will be represented.

Data model

Malware used during an incident

This idiom is represented as a relationship between the Incident component and the TTP component. The incident describes information specific to the incident itself while the TTP contains a very simple description of the malware. The Leveraged TTPs relationship from the incident to the TTP is then used to indicate that the TTP was leveraged to carry out the incident.

Malware Description

This part of the idiom uses a very simple TTP malware instance description. The TTP Behavior field contains, among other things, a list of malware instances that the TTP leverages. Each of those can either represent a simple malware name and type, as here, or a full MAEC characterization. In this case, the scenario just requires a simple description.

The Name field in the malware instance is set to the name of the malware: “Poison Ivy”. The Type field (a controlled vocabulary) is set to a value from the default vocabulary (MalwareTypeVocab-1.0): “Remote Access Trojan”. The Title, Description, and Short Description fields could also be used to describe the malware instance in more detail but in this case just the name and type are used.

Incident

Given the constrained scenario, the incident construct is also fairly limited: it contains a Title to identify the incident and a single Leveraged TTP. That TTP reference is related to the TTP defined above and the relationship is characterized as “Uses Malware” using the Relationship field within Leveraged TTP.

Implementation

Full XML:
<stix:TTPs>
    <stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a" xsi:type='ttp:TTPType' timestamp="2014-02-20T09:00:00.000000Z">
        <ttp:Title>Poison Ivy</ttp:Title>
        <ttp:Behavior>
            <ttp:Malware>
                <ttp:Malware_Instance id="example:malware-6516102c-b693-11e3-bfd7-0800271e87d2">
                    <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                    <ttp:Name>Poison Ivy</ttp:Name>
                </ttp:Malware_Instance>
            </ttp:Malware>
        </ttp:Behavior>
    </stix:TTP>
</stix:TTPs>
<stix:Incidents>
    <stix:Incident id="example:incident-1b75ee8f-14d6-819a-d729-09ab52c91fdb" xsi:type='incident:IncidentType' timestamp="2014-02-20T09:00:00.000000Z">
        <incident:Title>Detected Poison Ivy beaconing through perimeter firewalls</incident:Title>
        <incident:Leveraged_TTPs>
            <incident:Leveraged_TTP>
                <stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
                <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a"/>
            </incident:Leveraged_TTP>
        </incident:Leveraged_TTPs>
    </stix:Incident>
</stix:Incidents>
Python Producer:
from stix.core import STIXPackage
from stix.ttp import TTP
from stix.ttp.behavior import Behavior
from stix.ttp.malware_instance import MalwareInstance
from stix.incident import Incident
from stix.common.related import RelatedTTP

# A simple malware instance: just a name and a type from the default MalwareTypeVocab-1.0
malware = MalwareInstance()
malware.add_name("Poison Ivy")
malware.add_type("Remote Access Trojan")

# The TTP's Behavior carries the list of malware instances it leverages
ttp = TTP(title="Poison Ivy")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(malware)

# The incident references the TTP by id and characterizes the link as "Uses Malware"
incident = Incident(title="Detected Poison Ivy beaconing through perimeter firewalls")
related_ttp = RelatedTTP(TTP(idref=ttp.id_), relationship="Uses Malware")
incident.leveraged_ttps.append(related_ttp)

# Both components go into one package so the idref can be resolved by a consumer
stix_package = STIXPackage()
stix_package.add_ttp(ttp)
stix_package.add_incident(incident)

print(stix_package.to_xml(encoding=None))
Python Consumer:
from stix.core import STIXPackage

# Load the package written by the producer; the file name is a placeholder for wherever it was saved
pkg = STIXPackage.from_xml("malware-used-during-incident.xml")

print("== TTP ==")
for thing in pkg.ttps:
    print("TTP: " + thing.title)
    # The idiom uses a single malware instance with one name and one type
    print("Malware: " + str(thing.behavior.malware_instances[0].names[0]))
    print("Type: " + str(thing.behavior.malware_instances[0].types[0]))

print("== INCIDENT ==")
for inc in pkg.incidents:
    print("Title: " + inc.title)
    for relation in inc.leveraged_ttps:
        print("RelatedTTP: " + str(relation.relationship))
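The consumer above reads the TTP and the incident separately but never follows the Leveraged TTP idref from one to the other. The following is an added example, not code from the STIX project: a standard-library-only reader that indexes the package's TTPs by id, resolves each Leveraged_TTP idref against that index, and reports a dangling reference instead of crashing. The embedded XML is the idiom's own TTP and Incident, trimmed (no timestamps or xsi:type attributes) and wrapped in a STIX_Package root so it parses stand-alone.

```python
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1",
      "ttp": "http://stix.mitre.org/TTP-1",
      "incident": "http://stix.mitre.org/Incident-1",
      "stixCommon": "http://stix.mitre.org/common-1"}

# The idiom's TTP and Incident from above, trimmed to what the resolver reads (no
# timestamps or xsi:type) and wrapped in a STIX_Package root so it parses alone.
SAMPLE_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:incident="http://stix.mitre.org/Incident-1"
 xmlns:stixCommon="http://stix.mitre.org/common-1">
<stix:TTPs><stix:TTP id="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a">
 <ttp:Title>Poison Ivy</ttp:Title>
 <ttp:Behavior><ttp:Malware>
  <ttp:Malware_Instance id="example:malware-6516102c-b693-11e3-bfd7-0800271e87d2">
   <ttp:Type>Remote Access Trojan</ttp:Type><ttp:Name>Poison Ivy</ttp:Name>
  </ttp:Malware_Instance>
 </ttp:Malware></ttp:Behavior>
</stix:TTP></stix:TTPs>
<stix:Incidents><stix:Incident id="example:incident-1b75ee8f-14d6-819a-d729-09ab52c91fdb">
 <incident:Title>Detected Poison Ivy beaconing through perimeter firewalls</incident:Title>
 <incident:Leveraged_TTPs><incident:Leveraged_TTP>
  <stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
  <stixCommon:TTP idref="example:ttp-e610a4f1-9676-eab3-bcc6-b2768d58281a"/>
 </incident:Leveraged_TTP></incident:Leveraged_TTPs>
</stix:Incident></stix:Incidents>
</stix:STIX_Package>"""


def incident_malware(xml_text):
    """Return (incident title, relationship, malware name, malware type) tuples,
    following each Leveraged_TTP idref to the TTP it references."""
    root = ET.fromstring(xml_text)
    # Index every TTP by id so an idref is resolved, not assumed to be valid.
    ttps = {t.get("id"): t for t in root.findall("stix:TTPs/stix:TTP", NS)}
    rows = []
    for inc in root.findall("stix:Incidents/stix:Incident", NS):
        title = inc.findtext("incident:Title", default="", namespaces=NS)
        for lev in inc.findall("incident:Leveraged_TTPs/incident:Leveraged_TTP", NS):
            rel = lev.findtext("stixCommon:Relationship", default="", namespaces=NS)
            ref = lev.find("stixCommon:TTP", NS)
            ttp = ttps.get(ref.get("idref")) if ref is not None else None
            if ttp is None:  # dangling idref: report it instead of raising
                rows.append((title, rel, None, None))
                continue
            for mi in ttp.findall("ttp:Behavior/ttp:Malware/ttp:Malware_Instance", NS):
                rows.append((title, rel, mi.findtext("ttp:Name", namespaces=NS),
                             mi.findtext("ttp:Type", namespaces=NS)))
    return rows
```

Calling `incident_malware(SAMPLE_XML)` yields one row linking the incident title, "Uses Malware", "Poison Ivy" and "Remote Access Trojan"; a package whose idref points at no TTP yields a row with the name and type set to None.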

Further Reading

See the full documentation for the relevant types for further information that may be provided: