# Awesome-claude-skills-for-cybersecurity stix2-generator

Generate STIX 2.1 objects and bundles for threat intelligence sharing. Create indicators, malware descriptions, attack patterns, threat actors, and complete bundles from various input formats including IOC lists, MITRE ATT&CK IDs, and threat reports.

```bash
git clone https://github.com/davydany/awesome-claude-skills-for-cybersecurity
```

```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/davydany/awesome-claude-skills-for-cybersecurity "$T" && mkdir -p ~/.claude/skills && cp -r "$T/stix2-generator" ~/.claude/skills/davydany-awesome-claude-skills-for-cybersecurity-stix2-generator && rm -rf "$T"
```

`stix2-generator/SKILL.md`

# STIX 2.1 Generator
Generate valid STIX 2.1 objects and bundles for threat intelligence sharing. This skill helps create properly formatted STIX content from various sources including IOC lists, threat descriptions, and MITRE ATT&CK mappings.
## Requirements

Install the STIX library before use:

```bash
pip install stix2
```
## Usage

### Generate from IOC List

```bash
python scripts/generate_stix.py --iocs examples/ioc_list.txt --output bundle.json
```

### Generate from Threat Description

```bash
python scripts/generate_stix.py --threat examples/threat_description.json --output bundle.json
```

### Generate from MITRE ATT&CK

```bash
python scripts/generate_stix.py --attack-pattern T1055 --output bundle.json
```

### Interactive Mode

```bash
python scripts/generate_stix.py --interactive
```

### Batch Processing

```bash
python scripts/generate_stix.py --batch examples/batch_input.json --output-dir ./output/
```
## Options

| Option | Description |
|---|---|
| `--iocs` | Generate indicators from IOC list file |
| `--threat` | Generate threat actor and campaign from description |
| `--attack-pattern` | Generate attack pattern from MITRE ATT&CK ID |
| `--malware` | Generate malware object from description |
| `--campaign` | Generate campaign with related objects |
| | Specify identity for created_by_ref |
| `--labels` | Add labels to indicators (comma-separated) |
| `--pattern-type` | Specify pattern type (stix, snort, yara) |
| | Valid from timestamp (ISO format) |
| | Valid until timestamp (ISO format) |
| | Confidence level (0-100) |
| `--output` | Output file (default: stdout) |
| `--format` | Output format (json, yaml) |
| `--validate` | Validate generated STIX |
| | Wrap objects in a bundle |
| `--relationships` | Generate relationships between objects |
| `--interactive` | Interactive mode for guided creation |
| `--batch` | Batch process multiple objects |
## Object Types

### Indicators

Generate indicators from various sources:

```bash
# From IP addresses
python scripts/generate_stix.py --iocs ips.txt --labels malicious-activity

# From domain list
python scripts/generate_stix.py --iocs domains.txt --labels phishing

# From file hashes
python scripts/generate_stix.py --iocs hashes.txt --labels malware

# Mixed IOCs with auto-detection
python scripts/generate_stix.py --iocs mixed_iocs.txt --auto-detect
```
### Malware

Create malware objects:

```bash
python scripts/generate_stix.py --malware examples/emotet.json
```

Input format:

```json
{
  "name": "Emotet",
  "malware_types": ["trojan", "downloader"],
  "is_family": true,
  "description": "Emotet is a modular banking trojan",
  "capabilities": ["captures-credentials", "exfiltrates-data"],
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "initial-access"
    }
  ]
}
```
### Attack Patterns

Generate from MITRE ATT&CK:

```bash
# Single technique
python scripts/generate_stix.py --attack-pattern T1055

# Multiple techniques
python scripts/generate_stix.py --attack-pattern T1055,T1003,T1021.001

# With custom description
python scripts/generate_stix.py --attack-pattern T1055 --description "Custom process injection implementation"
```
### Threat Actors

Create threat actor profiles:

```bash
python scripts/generate_stix.py --threat examples/apt28.json
```

Input format:

```json
{
  "name": "APT28",
  "threat_actor_types": ["nation-state"],
  "description": "Russian threat actor group",
  "aliases": ["Fancy Bear", "Sofacy"],
  "roles": ["agent"],
  "sophistication": "expert",
  "resource_level": "government",
  "primary_motivation": "organizational-gain",
  "goals": ["espionage", "disruption"],
  "observed_ttps": ["T1055", "T1003"]
}
```
### Campaigns

Generate complete campaigns:

```bash
python scripts/generate_stix.py --campaign examples/campaign.json --relationships
```
## Output Examples

### Simple Indicator Bundle

```json
{
  "type": "bundle",
  "id": "bundle--uuid",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--uuid",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "name": "Malicious IP: 192.0.2.1",
      "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.0.2.1']",
      "pattern_type": "stix",
      "valid_from": "2024-01-01T00:00:00.000Z",
      "labels": ["malicious-activity"],
      "confidence": 90
    }
  ]
}
```

### Complex Bundle with Relationships

```json
{
  "type": "bundle",
  "id": "bundle--uuid",
  "objects": [
    {
      "type": "threat-actor",
      "id": "threat-actor--uuid",
      "name": "APT28",
      "threat_actor_types": ["nation-state"]
    },
    {
      "type": "attack-pattern",
      "id": "attack-pattern--uuid",
      "name": "Process Injection",
      "external_references": [
        { "source_name": "mitre-attack", "external_id": "T1055" }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--uuid",
      "relationship_type": "uses",
      "source_ref": "threat-actor--uuid",
      "target_ref": "attack-pattern--uuid"
    }
  ]
}
```
## Batch Processing

Process multiple objects at once:

```json
{
  "identity": {
    "name": "ACME Security",
    "identity_class": "organization"
  },
  "objects": [
    {
      "type": "indicator",
      "iocs": ["192.0.2.1", "192.0.2.2"],
      "labels": ["malicious-activity"]
    },
    {
      "type": "malware",
      "name": "BadMalware",
      "malware_types": ["remote-access-trojan"]
    },
    {
      "type": "attack-pattern",
      "mitre_id": "T1055"
    }
  ],
  "relationships": [
    {
      "source": "malware/BadMalware",
      "relationship": "uses",
      "target": "attack-pattern/T1055"
    }
  ]
}
```
## Integration

### With STIX Validator

Generate and validate in one command:

```bash
python scripts/generate_stix.py --iocs iocs.txt --output bundle.json --validate
```

### With MISP

Export to MISP format:

```bash
python scripts/generate_stix.py --iocs iocs.txt --format misp --output event.json
```

### With TAXII

Prepare for TAXII upload:

```bash
python scripts/generate_stix.py --iocs iocs.txt --taxii-collection indicators --output bundle.json
```
## Pattern Types

### STIX Patterns

Default pattern type for indicators:

```
[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']
[domain-name:value = 'evil.com']
[ipv4-addr:value = '192.0.2.1']
```
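As an added example (not the project's own `generate_stix.py`), the following Python takes input in the batch layout shown under Batch Processing, auto-detects each IOC's kind to emit the default STIX patterns listed above, and assembles a STIX 2.1 bundle whose relationships are resolved from the `type/key` names to real object ids. It uses only the standard library instead of the `stix2` package; the `BATCH` sample, the `sdo` and `ioc_to_pattern` helpers and the `Indicator: <ioc>` naming are constructed for this illustration.

```python
import re, uuid
from datetime import datetime, timezone

BATCH = {  # constructed sample in the batch layout documented above, not a project file
    "identity": {"name": "ACME Security", "identity_class": "organization"},
    "objects": [
        {"type": "indicator", "labels": ["malicious-activity"],
         "iocs": ["192.0.2.1", "evil.com", "d41d8cd98f00b204e9800998ecf8427e"]},
        {"type": "malware", "name": "BadMalware", "malware_types": ["remote-access-trojan"]},
        {"type": "attack-pattern", "mitre_id": "T1055"}],
    "relationships": [{"source": "malware/BadMalware", "relationship": "uses", "target": "attack-pattern/T1055"}]}
HASH_KEYS = {32: "MD5", 40: "'SHA-1'", 64: "'SHA-256'"}  # digest length -> key; hyphenated keys are quoted

def ioc_to_pattern(ioc):  # auto-detect the IOC kind and emit the default STIX pattern
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return f"[ipv4-addr:value = '{ioc}']"
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_KEYS:
        return f"[file:hashes.{HASH_KEYS[len(ioc)]} = '{ioc.lower()}']"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", ioc.lower()):
        return f"[domain-name:value = '{ioc.lower()}']"
    raise ValueError(f"invalid IOC format: {ioc!r}")

def sdo(obj_type, now, created_by=None, **props):  # common STIX 2.1 object scaffolding
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": now, "modified": now, **props}
    return {**obj, "created_by_ref": created_by} if created_by else obj

def build_bundle(batch):
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    ident = sdo("identity", now, **batch["identity"])
    objs, refs = [ident], {}  # refs: "type/key" names used by relationships -> STIX ids
    for item in batch["objects"]:
        if item["type"] == "indicator":
            objs += [sdo("indicator", now, ident["id"], name=f"Indicator: {ioc}", pattern=ioc_to_pattern(ioc),
                         pattern_type="stix", valid_from=now, labels=item.get("labels", [])) for ioc in item["iocs"]]
        elif item["type"] == "malware":  # is_family is mandatory on STIX 2.1 malware
            objs.append(sdo("malware", now, ident["id"], name=item["name"],
                            malware_types=item["malware_types"], is_family=item.get("is_family", False)))
            refs[f"malware/{item['name']}"] = objs[-1]["id"]
        elif item["type"] == "attack-pattern":  # keep the ATT&CK id as an external reference
            objs.append(sdo("attack-pattern", now, ident["id"], name=item.get("name", item["mitre_id"]),
                            external_references=[{"source_name": "mitre-attack", "external_id": item["mitre_id"]}]))
            refs[f"attack-pattern/{item['mitre_id']}"] = objs[-1]["id"]
    for rel in batch.get("relationships", []):  # resolve names to ids; reject dangling references
        if rel["source"] not in refs or rel["target"] not in refs:
            raise ValueError(f"relationship references an unknown object: {rel}")
        objs.append(sdo("relationship", now, ident["id"], relationship_type=rel["relationship"],
                        source_ref=refs[rel["source"]], target_ref=refs[rel["target"]]))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}
```

`json.dumps(build_bundle(BATCH), indent=2)` prints a bundle in the shape of the output examples above; an IOC that matches none of the three detectors or a relationship naming an object that was never generated raises `ValueError`, matching the error classes listed under Error Handling.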
### SNORT Rules

Generate SNORT-compatible patterns:

```bash
python scripts/generate_stix.py --iocs ips.txt --pattern-type snort
```

### YARA Rules

Generate YARA-compatible patterns:

```bash
python scripts/generate_stix.py --iocs hashes.txt --pattern-type yara
```
## Best Practices

- Always validate generated STIX using the validator skill
- Use meaningful labels for indicators (malicious-activity, phishing, etc.)
- Include confidence scores when known
- Set appropriate valid_from and valid_until timestamps
- Generate relationships to show connections between objects
- Include external references for MITRE ATT&CK techniques
- Use consistent identities for created_by_ref
- Batch process related objects together
- Document custom extensions if used
## Error Handling

The generator validates its input and reports clear error messages for:

- Invalid IOC format
- Missing required fields
- Invalid MITRE ATT&CK IDs
- Relationship reference errors
- Pattern syntax errors
## Security Considerations

- Generated STIX should be validated before sharing
- Sensitive information should be reviewed before distribution
- Use TLP markings when appropriate
- Consider privacy implications of shared indicators
- Validate source authenticity before generating STIX from external data
## Performance

- Batch processing is more efficient than individual generation
- Large IOC lists are processed in chunks
- Relationship generation uses efficient graph algorithms
- Memory-efficient for large bundles