Kakudou/GenStix

Not Ready for use

This project is a work in progress and is not yet ready for use.

We have x/40 objects fully implemented (CLI and TUI):

  • 0/19 SDOs
  • 0/18 SCOs
  • 2/3 CDTs

so we have roughly reached 5% of the project.

After the first 30 objects, we will implement the SRO/Relationship between the objects, and then we will implement the export of the objects in a bundle.

Here is the initial ROADMAP for the project.

At this point, the project will be ready for a v1 release, but I will also add the following features:

  • Implement the export of the objects in a feed API REST.
  • Implement the export to OpenCTI, through feed or specific connector.

Feel free to post an issue, or contact me by email, if you have any questions or suggestions.

GenSTIX

A lightweight CLI/TUI tool for generating and bundling STIX 2.1 objects.

TL;DR

GenSTIX is a Python-based CLI/TUI tool for generating and bundling STIX 2.1 objects.
It is tailored for researchers, malware analysts, pentesters, and threat intelligence professionals who require quick and offline STIX object creation.



Overview

GenSTIX is a Python-based CLI/TUI tool designed to simplify the creation of STIX 2.1 objects and bundles.
Whether you're in an air-gapped environment, working on a lightweight Linux server, or simply want a seamless way to create valid STIX objects, GenSTIX provides an intuitive and powerful solution.


Features

  • Interactive Object Creation: Intuitive CLI/TUI interface to generate STIX 2.1 objects such as Indicators, Threat Actors, Malware, etc.
  • Bundle Support: Easily combine multiple objects into a valid STIX 2.1 bundle.
  • Offline-First: Works without an internet connection, perfect for air-gapped environments.
  • JSON Export: Export your STIX objects and bundles in JSON format for compatibility with systems like OpenCTI and others.
  • Cross-Platform: Compatible with Linux, macOS, and Windows with minimal dependencies.
  • Extensibility: Built to support additional STIX objects and custom attributes with ease.
  • Create API Feeds: Generate a feed of STIX objects for seamless integration with threat intelligence platforms.
  • Open Source: Licensed under MIT, encouraging contributions and modifications.

Use Cases

  1. Training & Education: Practice building STIX 2.1 objects interactively to better understand their structure and purpose.
  2. Threat Intel Sharing: Quickly create Indicators or Threat Actors for internal or external collaboration.
  3. Malware Analysis: Generate and export malware-related STIX objects during investigations in sandboxed or offline environments.
  4. Pentesting Reports: Document findings in STIX format to integrate into organizational threat intelligence systems.

Installation

Prerequisites

  • Python 3.13 or later
  • pip (Python package installer)
  • venv (Python virtual environment)

Installation Steps

  1. Clone the repository and access the folder:

    git clone https://github.com/kakudou/GenStix.git
    cd GenStix
  2. Create and activate a virtual environment:

    python -m venv .venv --prompt=GenSTIX
    source .venv/bin/activate 
  3. Install the required dependencies:

    pip install .
  4. Run the tool:

    GenSTIX

Later on, we will release the package on PyPI for easier installation.


Usage

CLI Mode

  1. Launch the tool and create a new project:

    GenSTIX create-project
  2a. Follow the interactive prompts to create STIX objects.
  2b. Or use the CLI to create objects directly:

    GenSTIX create-attack-pattern -p TestStix --name "Phishing" --description "A phishing attack pattern"

    With that method you can only create the object with its required attributes, so you will then have to edit it:

    GenSTIX update-attack-pattern -p TestStix --name "Phishing"

You can access the help with the following command:

    GenSTIX --help

or the help for a specific command:

    GenSTIX create-attack-pattern --help

A short usage summary of the CLI can be shown with the following command:

    GenSTIX --usage

TUI Mode

  1. Launch the tool in TUI mode:
    GenSTIX --tui
  2. Navigate through menus to select object types, populate attributes, and manage bundles. The in-app help screen (key `h`) reads as follows:

# GenSTIX Help

The usage of this application is simple.
When you highlight an item in the navigation tree on the left, you can use the following:

---

## On a **_Project name_** or **_"GenSTIX"_**:

- '`c`':
    Opens a form to create a new project.
- '`d`':
    Deletes the selected project and all associated data.

---

## On a **_type of STIX_** Object (e.g. 'Kill Chain Phase', 'Attack Pattern', 'MAC Address', etc.):

- '`c`':
    Opens a form to create a new object of the selected type.
- '`d`':
    Deletes all objects of the selected type.
- '`r`' or '`f`':
    Opens a form to search for objects of the selected type and print the results.

---

## On a **_STIX_** Object:

- '`c`':
    Opens a form to create a new object of the same type as the selected object, with the same properties as placeholders.
- '`a`' or 'enter':
    Shows the details of the selected object, along with its JSON representation.
- '`u`':
    Updates the selected object.
- '`d`':
    Deletes the selected object.

---

## General keys

- '`esc`' or '`q`':
    Clears the content part of the screen (the right side).
- '`h`':
    Displays this help screen.
- '`ctrl+c`':
    Exits the application.

Exporting Bundles

After creating objects, you can bundle and export them as JSON for further use in threat intel platforms.
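To make concrete what "a valid STIX 2.1 bundle" has to contain, here is an added example using only the Python standard library. It is not GenSTIX's own code: it builds an Attack Pattern, an Indicator and the Relationship between them as plain dicts, checks the required properties of each type before creating it, refuses to bundle objects whose `*_ref` fields point at ids that are not in the bundle, and exports the result as JSON. The `REQUIRED` table is a subset of the specification, and the indicator pattern and names are constructed sample data.

```python
"""Build and validate a minimal STIX 2.1 bundle (added example, stdlib only).

Not GenSTIX's own code. REQUIRED lists only a subset of the STIX 2.1 spec;
the objects created under __main__ are constructed sample data.
"""
import json
import uuid
from datetime import datetime, timezone

# Required properties per object type (subset of the STIX 2.1 specification).
REQUIRED = {
    "attack-pattern": ("name",),
    "indicator": ("pattern", "pattern_type", "valid_from"),
}


def stix_timestamp(dt=None):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX uses."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def missing_required(obj_type, props):
    """Return the required properties of obj_type that props does not provide."""
    return [p for p in REQUIRED.get(obj_type, ()) if p not in props]


def new_object(obj_type, **props):
    """Create an SDO with the common properties filled in, refusing incomplete input."""
    missing = missing_required(obj_type, props)
    if missing:
        raise ValueError(f"{obj_type} is missing required properties: {missing}")
    now = stix_timestamp()
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",  # SDOs use UUIDv4 identifiers
        "created": now,
        "modified": now,
    }
    obj.update(props)
    return obj


def relationship(source, target, rel_type):
    """An SRO linking two objects by id (e.g. indicator 'indicates' attack-pattern)."""
    now = stix_timestamp()
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "relationship_type": rel_type,
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def dangling_refs(objects):
    """List every (object id, property, target id) whose *_ref is not in the set."""
    ids = {o["id"] for o in objects}
    return [(o["id"], k, v) for o in objects for k, v in o.items()
            if k.endswith("_ref") and v not in ids]


def make_bundle(objects):
    """Wrap objects in a STIX 2.1 bundle (bundles carry no spec_version in 2.1)."""
    dangling = dangling_refs(objects)
    if dangling:
        raise ValueError(f"bundle has unresolved references: {dangling}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def export_bundle(objects):
    """Serialize the bundle as JSON, the form a TIP such as OpenCTI ingests."""
    return json.dumps(make_bundle(objects), indent=2)


if __name__ == "__main__":
    # Constructed sample data, not real threat intelligence.
    ap = new_object("attack-pattern", name="Phishing",
                    description="A phishing attack pattern")
    ind = new_object("indicator", name="Sample phishing sender",
                     pattern="[email-message:from_ref.value = 'sample@example.invalid']",
                     pattern_type="stix", valid_from=stix_timestamp())
    print(export_bundle([ap, ind, relationship(ind, ap, "indicates")]))
```

The dangling-reference check matters when exporting: a platform importing the bundle will reject or silently drop a Relationship whose `source_ref` or `target_ref` it cannot resolve, so checking locally before export catches the mistake offline.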


Supported STIX 2.1 Objects

STIX Domain Objects (SDOs)

  • Attack Pattern
  • Campaign
  • Course of Action
  • Grouping
  • Identity
  • Indicator
  • Infrastructure
  • Intrusion Set
  • Location
  • Malware Analysis
  • Malware
  • Note
  • Observed Data
  • Opinion
  • Report
  • Threat Actor
  • Tool
  • Vulnerability

STIX Relationship Objects (SROs)

  • Relationship
  • Sighting

STIX Cyber-observable Objects (SCOs)

  • Artifact
  • Autonomous System
  • Directory
  • Domain Name
  • Email Address
  • Email Message
  • File
  • IPv4 Address
  • IPv6 Address
  • MAC Address
  • Mutex
  • Network Traffic
  • Process
  • Software
  • URL
  • User Account
  • Windows Registry Key
  • X.509 Certificate

STIX Open Vocabulary Objects (ov)

  • Hashing Algorithm Vocabulary

STIX Common Data Types (CDTs)

  • External Reference
  • Kill Chain Phase

Bundles

  • Bundle

Enums

  • External Reference CAPEC

Custom Properties

  • Extension Definition

Roadmap

  1. Validation: Automate validation for compliance with the STIX 2.1 specification.
  2. Enhanced CLI: Build a richer and more visually interactive CLI for easier navigation.
  3. Enhanced TUI: Build a richer, more interactive TUI for easier navigation.
  4. Custom Templates: Enable users to save and reuse common attribute templates.
  5. Documentation: Develop comprehensive guides with step-by-step examples.
  6. Integration Features: Allow exporting to external threat intel APIs and feeds.

Contributing

We welcome contributions from the community! Here's how to get involved:

  1. Fork the repository and create a feature branch.
  2. Make your changes and ensure they align with the project's architecture (see below).
  3. Submit a pull request with a detailed description of your changes.
  4. Open issues or suggest features in the Issues section.

Architecture

GenSTIX adheres to modern software development principles to ensure scalability, maintainability, and ease of collaboration.
Below are the core architectural choices:

Clean Architecture

Clean Architecture organizes software into layers, separating high-level policy (business logic) from low-level implementation details (frameworks, databases, etc.).
Core components are independent of external dependencies, promoting testability, scalability, and adaptability.

BDD (Behavior-Driven Development)

BDD emphasizes collaboration between developers, testers, and stakeholders to define behavior and requirements using natural language.
It bridges communication gaps and ensures the software meets business goals by focusing on user-driven scenarios and acceptance criteria.

TDD (Test-Driven Development)

TDD focuses on writing tests before implementation.
It involves a cycle of writing a failing test, implementing the code to pass the test, and then refactoring.
This ensures code correctness, reduces defects, and improves overall design.

DDD (Domain-Driven Design)

DDD is a design approach centered on the core business domain.
It uses a shared, ubiquitous language between developers and stakeholders, defining clear boundaries between domain logic and other concerns through strategic design patterns.

Port/Adapter Pattern

This pattern decouples the core application logic from external systems (like databases or APIs) through defined interfaces.
Ports represent abstractions of core functionality, while adapters implement these abstractions for specific technologies or use cases.

Builder Pattern

The Builder Pattern constructs complex objects step by step, separating object creation from its representation.
It provides flexibility and clarity when dealing with optional parameters, validation, or different configurations.
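The following added example sketches how the Port/Adapter and Builder patterns described above fit together for a STIX object. It is not GenSTIX's own code and does not mirror its module layout: the class names `AttackPatternBuilder`, `ObjectRepository`, `InMemoryRepository` and `JsonFileRepository` and the use case `create_attack_pattern` are assumptions made for the illustration. The builder validates each step (a non-empty name, the two required fields of a Kill Chain Phase, an External Reference that actually references something) and only assembles the object in `build()`; the use case depends on the repository port alone, so the same code runs against the in-memory adapter in tests and the JSON-file adapter in an offline project directory.

```python
"""Builder + port/adapter sketch for a STIX 2.1 Attack Pattern (added example).

Not GenSTIX's own code; all class and function names are assumptions.
"""
import json
import uuid
from abc import ABC, abstractmethod
from datetime import datetime, timezone
from pathlib import Path


class AttackPatternBuilder:
    """Builder: step-by-step construction with validation at each step."""

    def __init__(self):
        self._props, self._phases, self._refs = {}, [], []

    def name(self, name):
        if not name or not name.strip():
            raise ValueError("name must be a non-empty string")
        self._props["name"] = name.strip()
        return self

    def description(self, text):
        self._props["description"] = text
        return self

    def kill_chain_phase(self, kill_chain_name, phase_name):
        # Kill Chain Phase CDT: both properties are required by the spec.
        if not kill_chain_name or not phase_name:
            raise ValueError("kill chain phase needs kill_chain_name and phase_name")
        self._phases.append({"kill_chain_name": kill_chain_name, "phase_name": phase_name})
        return self

    def external_reference(self, source_name, external_id=None, url=None):
        # External Reference CDT: source_name plus something to point at.
        if external_id is None and url is None:
            raise ValueError("external reference needs an external_id or a url")
        ref = {"source_name": source_name}
        if external_id is not None:
            ref["external_id"] = external_id
        if url is not None:
            ref["url"] = url
        self._refs.append(ref)
        return self

    def build(self):
        if "name" not in self._props:
            raise ValueError("attack-pattern requires a name")
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
        obj = {"type": "attack-pattern", "spec_version": "2.1",
               "id": f"attack-pattern--{uuid.uuid4()}", "created": now, "modified": now}
        obj.update(self._props)
        if self._phases:
            obj["kill_chain_phases"] = list(self._phases)
        if self._refs:
            obj["external_references"] = list(self._refs)
        return obj


class ObjectRepository(ABC):
    """Port: what the core needs from storage, with no technology named."""

    @abstractmethod
    def save(self, obj): ...

    @abstractmethod
    def get(self, stix_id): ...

    @abstractmethod
    def list_type(self, obj_type): ...


class InMemoryRepository(ObjectRepository):
    """Adapter for tests: no I/O at all."""

    def __init__(self):
        self._store = {}

    def save(self, obj):
        self._store[obj["id"]] = obj

    def get(self, stix_id):
        return self._store.get(stix_id)

    def list_type(self, obj_type):
        return [o for o in self._store.values() if o["type"] == obj_type]


class JsonFileRepository(ObjectRepository):
    """Adapter for the offline use case: one JSON file per object in a project dir."""

    def __init__(self, project_dir):
        self._dir = Path(project_dir)
        self._dir.mkdir(parents=True, exist_ok=True)

    def save(self, obj):
        (self._dir / f"{obj['id']}.json").write_text(json.dumps(obj, indent=2))

    def get(self, stix_id):
        path = self._dir / f"{stix_id}.json"
        return json.loads(path.read_text()) if path.exists() else None

    def list_type(self, obj_type):
        return [json.loads(p.read_text()) for p in self._dir.glob(f"{obj_type}--*.json")]


def create_attack_pattern(repo, name, description=None):
    """Use case: build, persist, return. It depends only on the port."""
    builder = AttackPatternBuilder().name(name)
    if description:
        builder.description(description)
    obj = builder.build()
    repo.save(obj)
    return obj
```

Swapping `InMemoryRepository()` for `JsonFileRepository("./projects/TestStix")` (a constructed path) changes nothing in `create_attack_pattern`, which is the point of the pattern: the core logic is tested without touching the disk, and storage concerns stay in the adapter.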

Example for a new Feature

Follow the guide at CONTRIBUTING.md to add a new feature or object to GenSTIX.


License

This project is licensed under the MIT License. See the LICENSE file for details.


✨ Made with ❤️ by Kakudou ~ カクドウ
☕️ Feel free to contribute to my daily coffee Buy me a coffee ☕️

Happy STIXing!
