chg: [stix2 tests] Bumped the latest MISP & STIX2 test files

pull/6022/head
chrisr3d 2020-06-17 13:49:55 +02:00
parent 8f539b26b7
commit 278cb51c07
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
4 changed files with 642 additions and 544 deletions


@ -8,13 +8,13 @@
"info": "STIX indicators test event",
"published": true,
"uuid": "5abb8534-ba9c-48cd-bb63-02480a00020f",
"attribute_count": "179",
"attribute_count": "181",
"analysis": "0",
"timestamp": "1584958664",
"timestamp": "1592393818",
"distribution": "0",
"proposal_email_lock": false,
"locked": true,
"publish_timestamp": "1584958861",
"publish_timestamp": "1592393871",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
@ -3881,7 +3881,7 @@
"template_version": "17",
"event_id": "1255",
"uuid": "5e384ae7-672c-4250-9cda-3b4da964451a",
"timestamp": "1581330684",
"timestamp": "1592393818",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
@ -3898,7 +3898,7 @@
"uuid": "5e384ae7-8568-4117-aba7-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3920,7 +3920,7 @@
"uuid": "5e384ae7-d460-41cd-88f5-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3941,7 +3941,7 @@
"uuid": "5e384ae7-5630-4fd2-be1f-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3962,7 +3962,7 @@
"uuid": "5e384ae7-3dd0-4902-96a3-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3983,7 +3983,7 @@
"uuid": "5e384ae7-630c-4d1e-9b9c-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4004,7 +4004,7 @@
"uuid": "5e384ae7-b42c-4cf0-8471-3b4da964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4025,7 +4025,7 @@
"uuid": "5e4130fc-de78-4e9e-ae85-3bcfa964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1581330684",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4038,6 +4038,48 @@
"Galaxy": [],
"data": "Tm9uLW1hbGljaW91cyBmaWxlCg==",
"ShadowAttribute": []
},
{
"id": "312563",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5eea005a-4004-4772-89bf-54cba964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "25311",
"object_relation": "path",
"first_seen": null,
"last_seen": null,
"value": "/var/www/MISP/app/files/scripts/tmp",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "312564",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5eea005a-aa88-4221-aaa9-54cba964451a",
"event_id": "1255",
"distribution": "5",
"timestamp": "1592393818",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "25311",
"object_relation": "file-encoding",
"first_seen": null,
"last_seen": null,
"value": "UTF-8",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
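Review bot: The added attribute with `"object_relation": "path"` stores `/var/www/MISP/app/files/scripts/tmp`, which looks like the temp directory of the MISP instance the export was run on rather than deliberate test content, so the fixture now encodes a deployment-specific install path (the previous STIX expectation carried a developer home directory, this just swaps one environment artefact for another). That value is also what ends up in the exported indicator as `file:parent_directory_ref.path = '/var/www/MISP/app/files/scripts/tmp'`, a term no real host would match, so the test pins behaviour that is accidental. Consider an obviously synthetic value such as `"value": "/tmp/misp-test-dir"` here and in the matching STIX expectation so the fixtures do not depend on where the export happened to run. The enclosing object (id 25311) starts outside this hunk.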


@ -8,13 +8,13 @@
"info": "STIX observables test event",
"published": true,
"uuid": "5ac4db18-0c58-4436-a3fa-01ef0a00020f",
"attribute_count": "179",
"attribute_count": "181",
"analysis": "0",
"timestamp": "1584958730",
"timestamp": "1592393910",
"distribution": "0",
"proposal_email_lock": false,
"locked": true,
"publish_timestamp": "1584958855",
"publish_timestamp": "1592393915",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
@ -3881,7 +3881,7 @@
"template_version": "17",
"event_id": "1256",
"uuid": "5e384a61-41f4-4345-ab87-3ccda964451a",
"timestamp": "1583512193",
"timestamp": "1592393910",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
@ -3898,7 +3898,7 @@
"uuid": "5e384a61-44d8-448c-9d3e-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3920,7 +3920,7 @@
"uuid": "5e384a61-2ccc-4f39-9511-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3941,7 +3941,7 @@
"uuid": "5e384a61-9acc-4f89-9dd8-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3962,7 +3962,7 @@
"uuid": "5e384a61-de9c-41fe-80bf-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -3983,7 +3983,7 @@
"uuid": "5e384a61-a634-4c46-9eb3-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4004,7 +4004,7 @@
"uuid": "5e384a61-825c-4f8b-b9d6-3ccda964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4025,7 +4025,7 @@
"uuid": "5e627a81-77ac-4eac-a07b-2fd6a964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1583512193",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
@ -4038,6 +4038,48 @@
"Galaxy": [],
"data": "Tm9uLW1hbGljaW91cyBmaWxlCg==",
"ShadowAttribute": []
},
{
"id": "312565",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5eea00b6-3788-47a3-a997-327aa964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "25310",
"object_relation": "path",
"first_seen": null,
"last_seen": null,
"value": "/var/www/MISP/app/files/scripts/tmp",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "312566",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5eea00b6-1c18-4606-8d11-327aa964451a",
"event_id": "1256",
"distribution": "5",
"timestamp": "1592393910",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "25310",
"object_relation": "file-encoding",
"first_seen": null,
"last_seen": null,
"value": "UTF-8",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
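Review bot: Same remark as for the indicators event: the new `"object_relation": "path"` attribute on object 25310 carries `/var/www/MISP/app/files/scripts/tmp`, which appears to be the exporting server's temp directory rather than chosen test data, so this fixture now also bakes in an install path. A neutral value such as `"value": "/tmp/misp-test-dir"` keeps the observables test independent of the exporting host and avoids the fixture silently changing the next time someone regenerates it from a differently laid-out MISP. The enclosing object starts outside this hunk.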


@ -1,15 +1,15 @@
{
"type": "bundle",
"spec_version": "2.0",
"id": "bundle--5e788d9c-bbe8-4cab-b61c-7539a964451a",
"id": "bundle--5eea00c7-9ba4-41db-a88a-54caa964451a",
"objects": [
{
"type": "identity",
"id": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"name": "ORGNAME_387",
"identity_class": "organization",
"created": "2020-03-23T10:21:17.261Z",
"modified": "2020-03-23T10:21:17.261Z"
"created": "2020-06-17T11:38:47.919Z",
"modified": "2020-06-17T11:38:47.919Z"
},
{
"type": "report",
@ -17,7 +17,8 @@
"name": "STIX indicators test event",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2018-03-28T00:00:00.000Z",
"published": "2020-03-23T10:21:01Z",
"published": "2020-06-17T11:37:51Z",
"modified": "2020-06-17T11:36:58.000Z",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
@ -69,7 +70,7 @@
"indicator--5e384ade-e4ac-4648-8676-3c7aa964451a",
"indicator--5ac3379c-3e74-44ba-9160-04120a00020f",
"indicator--5ac337df-e078-4e99-8b17-02550a00020f",
"x-misp-object-x509--5ac3444e-145c-4749-8467-02550a00020f",
"indicator--5ac3444e-145c-4749-8467-02550a00020f",
"indicator--5ac347ca-dac4-4562-9775-04120a00020f",
"indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f",
"indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f",
@ -93,10 +94,9 @@
"course-of-action--a8825ae8-6dea-11e7-8d57-7728f3cfe086",
"threat-actor--7cdff317-a673-4474-84ec-4f1754947823",
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"relationship--3322dedc-eed7-4e07-bda2-5ba1ec80b7c6",
"relationship--6d252983-3544-4803-9f5e-e1b382421cf7"
],
"modified": "2020-03-23T10:21:17.392Z"
"relationship--f4da9363-a17c-4276-a98d-d2f88788d9ab",
"relationship--2dbc7243-37d3-45b0-b465-967a393e8f66"
]
},
{
"id": "indicator--5abb8534-4368-4bb2-adf1-02480a00020f",
@ -112,11 +112,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:hashes.'md5' = 'b2a5abfeef9e36964281a31e17b57c97']",
"created": "2020-03-23T10:21:17.261Z",
"modified": "2020-03-23T10:21:17.261Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-123c-4ed4-8e80-02480a00020f",
@ -132,11 +133,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:hashes.'sha1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502']",
"created": "2020-03-23T10:21:17.270Z",
"modified": "2020-03-23T10:21:17.270Z"
"created": "2018-06-15T11:10:21.000Z",
"modified": "2018-06-15T11:10:21.000Z",
"valid_from": "2018-06-15T11:10:21Z",
"valid_until": "2018-06-15T11:10:21Z"
},
{
"id": "indicator--5abb8534-1014-4283-a1fc-02480a00020f",
@ -152,11 +154,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:hashes.'sha256' = '3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8']",
"created": "2020-03-23T10:21:17.272Z",
"modified": "2020-03-23T10:21:17.272Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-d930-4139-8263-02480a00020f",
@ -172,11 +175,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:name = 'oui' AND file:hashes.'sha1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502']",
"created": "2020-03-23T10:21:17.273Z",
"modified": "2020-03-23T10:21:17.273Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-4840-4087-a16a-02480a00020f",
@ -192,11 +196,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4']",
"created": "2020-03-23T10:21:17.276Z",
"modified": "2020-03-23T10:21:17.276Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-a8d0-4956-812f-02480a00020f",
@ -212,11 +217,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[domain-name:value = 'www.circl.lu']",
"created": "2020-03-23T10:21:17.280Z",
"modified": "2020-03-23T10:21:17.280Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-1ab4-4eb2-8056-02480a00020f",
@ -232,11 +238,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[domain-name:value = 'www.circl.lu' AND domain-name:resolves_to_refs[*].value = '1.2.3.4']",
"created": "2020-03-23T10:21:17.282Z",
"modified": "2020-03-23T10:21:17.282Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-8b88-4566-983f-02480a00020f",
@ -252,11 +259,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[network-traffic:dst_port = '2510']",
"created": "2020-03-23T10:21:17.285Z",
"modified": "2020-03-23T10:21:17.285Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-9e40-467d-b334-02480a00020f",
@ -272,11 +280,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[email-message:from_ref = 'src@email.test']",
"created": "2020-03-23T10:21:17.286Z",
"modified": "2020-03-23T10:21:17.286Z"
"pattern": "[email-message:from_ref.value = 'src@email.test']",
"created": "2018-06-15T08:40:38.000Z",
"modified": "2018-06-15T08:40:38.000Z",
"valid_from": "2018-06-15T08:40:38Z",
"valid_until": "2018-06-15T08:40:38Z"
},
{
"id": "indicator--5abb8534-8f7c-4c92-aaec-02480a00020f",
@ -292,11 +301,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[email-message:subject = 'Oui']",
"created": "2020-03-23T10:21:17.288Z",
"modified": "2020-03-23T10:21:17.288Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-dd0c-4f8f-8f31-02480a00020f",
@ -312,11 +322,12 @@
"phase_name": "External analysis"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[url:value = 'https://www.circl.lu/team']",
"created": "2020-03-23T10:21:17.289Z",
"modified": "2020-03-23T10:21:17.289Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-a800-479d-bb5c-02480a00020f",
@ -332,11 +343,12 @@
"phase_name": "Persistence mechanism"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run']",
"created": "2020-03-23T10:21:17.290Z",
"modified": "2020-03-23T10:21:17.290Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-e5a8-49ee-8952-02480a00020f",
@ -352,11 +364,12 @@
"phase_name": "Persistence mechanism"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND windows-registry-key:values.data = '%TEMP%\\\\seagate.exe']",
"created": "2020-03-23T10:21:17.293Z",
"modified": "2020-03-23T10:21:17.293Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-d3c4-40fc-8723-02480a00020f",
@ -372,11 +385,12 @@
"phase_name": "Artifacts dropped"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[mutex:name = 'no idea']",
"created": "2020-03-23T10:21:17.294Z",
"modified": "2020-03-23T10:21:17.294Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-453c-4543-80a6-02480a00020f",
@ -392,11 +406,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:name = 'oui' AND file:hashes.'ssdeep' = '12288:LLaIgXMVvf2u/n42bDaxGrAz1N4QiqPW44NGMJw3:LLFgXMVvf2cDaxG0N4RPK']",
"created": "2020-03-23T10:21:17.296Z",
"modified": "2020-03-23T10:21:17.296Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-5bf8-4072-946b-02480a00020f",
@ -412,11 +427,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[network-traffic:dst_port = '2510' AND network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '12.34.56.78']",
"created": "2020-03-23T10:21:17.298Z",
"modified": "2020-03-23T10:21:17.298Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-5d70-47cd-a543-02480a00020f",
@ -432,41 +448,40 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[mac-addr:value = '5e:ff:56:a2:af:15']",
"created": "2020-03-23T10:21:17.300Z",
"modified": "2020-03-23T10:21:17.300Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "x-misp-object-comment--5abb8534-5a88-4669-bc80-02480a00020f",
"x_misp_category": "Other",
"created": "2018-06-15T08:49:55.000Z",
"modified": "2018-06-15T08:49:55.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\"",
"misp:to_ids=\"True\""
],
"x_misp_timestamp": "2018-06-15 08:49:55",
"x_misp_value": "It is a comment, indeed",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"type": "x-misp-object-comment",
"created": "2020-03-23T10:21:17.301Z",
"modified": "2020-03-23T10:21:17.301Z"
"type": "x-misp-object-comment"
},
{
"id": "x-misp-object-other--5abb8534-7d60-4252-ad06-02480a00020f",
"x_misp_category": "Other",
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\"",
"misp:to_ids=\"True\""
],
"x_misp_timestamp": "2018-03-28 12:06:12",
"x_misp_value": "bla",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"type": "x-misp-object-other",
"created": "2020-03-23T10:21:17.301Z",
"modified": "2020-03-23T10:21:17.301Z"
"type": "x-misp-object-other"
},
{
"id": "vulnerability--5abb8534-8264-4041-b3e3-02480a00020f",
@ -484,8 +499,8 @@
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
],
"created": "2020-03-23T10:21:17.301Z",
"modified": "2020-03-23T10:21:17.301Z"
"created": "2020-06-17T11:38:47.951Z",
"modified": "2020-06-17T11:38:47.951Z"
},
{
"id": "indicator--5abb8534-0514-48e7-9f3b-02480a00020f",
@ -501,11 +516,12 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[x509-certificate:hashes.'sha1' = 'fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc']",
"created": "2020-03-23T10:21:17.302Z",
"modified": "2020-03-23T10:21:17.302Z"
"created": "2018-03-28T12:06:12.000Z",
"modified": "2018-03-28T12:06:12.000Z",
"valid_from": "2018-03-28T12:06:12Z",
"valid_until": "2018-03-28T12:06:12Z"
},
{
"id": "indicator--5abb8534-d8c4-4a6f-a58a-02480a00020f",
@ -521,11 +537,12 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[email-message:additional_header_fields.reply_to = 'reply.to@email.test']",
"created": "2020-03-23T10:21:17.303Z",
"modified": "2020-03-23T10:21:17.303Z"
"created": "2018-06-15T08:38:00.000Z",
"modified": "2018-06-15T08:38:00.000Z",
"valid_from": "2018-06-15T08:38:00Z",
"valid_until": "2018-06-15T08:38:00Z"
},
{
"id": "indicator--5b239f8e-20d8-4880-ad38-02740a00020f",
@ -541,26 +558,26 @@
"phase_name": "Network activity"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[autonomous-system:number = '66642']",
"created": "2020-03-23T10:21:17.304Z",
"modified": "2020-03-23T10:21:17.304Z"
"created": "2019-08-08T13:44:21.000Z",
"modified": "2019-08-08T13:44:21.000Z",
"valid_from": "2019-08-08T13:44:21Z",
"valid_until": "2019-08-08T13:44:21Z"
},
{
"id": "x-misp-object-named-pipe--5d886bd1-136c-4ced-8566-0e42a964451a",
"x_misp_category": "Artifacts dropped",
"created": "2019-09-23T06:53:05.000Z",
"modified": "2019-09-23T06:53:05.000Z",
"labels": [
"misp:type=\"named pipe\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_timestamp": "2019-09-23 06:53:05",
"x_misp_value": "\\\\.\\pipe\\testpipe",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"type": "x-misp-object-named-pipe",
"created": "2020-03-23T10:21:17.306Z",
"modified": "2020-03-23T10:21:17.306Z"
"type": "x-misp-object-named-pipe"
},
{
"id": "indicator--5e384ade-e4ac-4648-8676-3c7aa964451a",
@ -576,15 +593,15 @@
"phase_name": "Payload delivery"
}
],
"valid_from": "2018-03-28T00:00:00Z",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"pattern": "[file:name = 'oui.oui' AND artifact:payload_bin = 'ZWNobyAiREFOR0VST1VTIE1BTFdBUkUiIAoK']",
"created": "2020-03-23T10:21:17.306Z",
"modified": "2020-03-23T10:21:17.306Z"
"pattern": "[file:name = 'oui.oui' AND file:content_ref.payload_bin = 'ZWNobyAiREFOR0VST1VTIE1BTFdBUkUiIAoK']",
"created": "2020-02-03T16:32:34.000Z",
"modified": "2020-02-03T16:32:34.000Z",
"valid_from": "2020-02-03T16:32:34Z",
"valid_until": "2020-02-03T16:32:34Z"
},
{
"id": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"registry-key\"",
@ -601,12 +618,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.307Z",
"modified": "2020-03-23T10:21:17.307Z"
"created": "2018-04-03T08:13:16.000Z",
"modified": "2018-04-03T08:13:16.000Z",
"valid_from": "2018-04-03T08:13:16Z",
"valid_until": "2018-04-03T08:13:16Z"
},
{
"id": "indicator--5ac337df-e078-4e99-8b17-02550a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"domain-ip\"",
@ -623,35 +641,36 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.310Z",
"modified": "2020-03-23T10:21:17.310Z"
"created": "2018-04-03T08:14:23.000Z",
"modified": "2018-04-03T08:14:23.000Z",
"valid_from": "2018-04-03T08:14:23Z",
"valid_until": "2018-04-03T08:14:23Z"
},
{
"id": "x-misp-object-x509--5ac3444e-145c-4749-8467-02550a00020f",
"x_misp_values": {
"x509-fingerprint-md5_x509-fingerprint-md5": "b2a5abfeef9e36964281a31e17b57c97",
"x509-fingerprint-sha1_x509-fingerprint-sha1": "5898fc860300e228dcd54c0b1045b5fa0dcda502",
"text_pubkey-info-algorithm": "oui algo",
"text_issuer": "mr oui",
"text_serial-number": "1234567890",
"text_version": "1"
},
"id": "indicator--5ac3444e-145c-4749-8467-02550a00020f",
"type": "indicator",
"labels": [
"misp:type=\"x509\"",
"misp:category=\"network\"",
"misp:to_ids=\"True\"",
"from_object"
],
"x_misp_category": "network",
"pattern": "[x509-certificate:hashes.'md5' = 'b2a5abfeef9e36964281a31e17b57c97' AND x509-certificate:hashes.'sha1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND x509-certificate:subject_public_key_algorithm = 'oui algo' AND x509-certificate:issuer = 'mr oui' AND x509-certificate:serial_number = '1234567890' AND x509-certificate:version = '1']",
"description": "x509 object describing a X.509 certificate",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"x_misp_timestamp": "2018-04-03 09:08:02",
"type": "x-misp-object-x509",
"created": "2020-03-23T10:21:17.311Z",
"modified": "2020-03-23T10:21:17.311Z"
"created": "2018-04-03T09:08:02.000Z",
"modified": "2018-04-03T09:08:02.000Z",
"valid_from": "2018-04-03T09:08:02Z",
"valid_until": "2018-04-03T09:08:02Z"
},
{
"id": "indicator--5ac347ca-dac4-4562-9775-04120a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"url\"",
@ -668,12 +687,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.311Z",
"modified": "2020-03-23T10:21:17.311Z"
"created": "2018-04-03T09:22:18.000Z",
"modified": "2018-04-03T09:22:18.000Z",
"valid_from": "2018-04-03T09:22:18Z",
"valid_until": "2018-04-03T09:22:18Z"
},
{
"id": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"ip-port\"",
@ -690,12 +710,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.313Z",
"modified": "2020-03-23T10:21:17.313Z"
"created": "2018-04-04T07:29:32.000Z",
"modified": "2018-04-04T07:29:32.000Z",
"valid_from": "2018-04-04T07:29:32Z",
"valid_until": "2018-04-04T07:29:32Z"
},
{
"id": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"network-connection\"",
@ -712,12 +733,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.316Z",
"modified": "2020-03-23T10:21:17.316Z"
"created": "2018-05-15T12:02:27.000Z",
"modified": "2018-05-15T12:02:27.000Z",
"valid_from": "2018-05-15T12:02:27Z",
"valid_until": "2018-05-15T12:02:27Z"
},
{
"id": "indicator--5afb3223-0988-4ef1-a920-02070a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"network-socket\"",
@ -734,8 +756,10 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.322Z",
"modified": "2020-03-23T10:21:17.322Z"
"created": "2020-03-02T20:51:39.000Z",
"modified": "2020-03-02T20:51:39.000Z",
"valid_from": "2020-03-02T20:51:39Z",
"valid_until": "2020-03-02T20:51:39Z"
},
{
"id": "x-misp-object-whois--5b0d1b61-6c00-4387-a5fa-04370a00020f",
@ -749,6 +773,8 @@
"domain_domain": "www.circl.lu",
"ip-src_ip-address": "1.2.3.4"
},
"created": "2018-05-29T09:20:33.000Z",
"modified": "2018-05-29T09:20:33.000Z",
"labels": [
"misp:type=\"whois\"",
"misp:category=\"network\"",
@ -757,14 +783,10 @@
],
"x_misp_category": "network",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"x_misp_timestamp": "2018-05-29 09:20:33",
"type": "x-misp-object-whois",
"created": "2020-03-23T10:21:17.330Z",
"modified": "2020-03-23T10:21:17.330Z"
"type": "x-misp-object-whois"
},
{
"id": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"credential\"",
@ -781,12 +803,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.330Z",
"modified": "2020-03-23T10:21:17.330Z"
"created": "2018-06-12T09:34:08.000Z",
"modified": "2018-06-12T09:34:08.000Z",
"valid_from": "2018-06-12T09:34:08Z",
"valid_until": "2018-06-12T09:34:08Z"
},
{
"id": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"asn\"",
@ -803,12 +826,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.335Z",
"modified": "2020-03-23T10:21:17.335Z"
"created": "2020-02-27T10:08:25.000Z",
"modified": "2020-02-27T10:08:25.000Z",
"valid_from": "2020-02-27T10:08:25Z",
"valid_until": "2020-02-27T10:08:25Z"
},
{
"id": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"user-account\"",
@ -825,8 +849,10 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.337Z",
"modified": "2020-03-23T10:21:17.337Z"
"created": "2019-07-08T14:15:37.000Z",
"modified": "2019-07-08T14:15:37.000Z",
"valid_from": "2019-07-08T14:15:37Z",
"valid_until": "2019-07-08T14:15:37Z"
},
{
"id": "course-of-action--5d514ff9-ac30-4fb5-b9e7-3eb4a964451a",
@ -845,8 +871,8 @@
"x_misp_text_cost": "Low",
"x_misp_text_impact": "Low",
"x_misp_text_efficacy": "High",
"created": "2020-03-23T10:21:17.343Z",
"modified": "2020-03-23T10:21:17.343Z"
"created": "2020-06-17T11:38:47.987Z",
"modified": "2020-06-17T11:38:47.987Z"
},
{
"id": "x-misp-object-weakness--a1285743-3962-40e3-a824-0f21f10f3e19",
@ -857,6 +883,8 @@
"text_status": "Usable",
"text_weakness-abs": "Class"
},
"created": "2019-08-12T12:16:50.000Z",
"modified": "2019-08-12T12:16:50.000Z",
"labels": [
"misp:type=\"weakness\"",
"misp:category=\"vulnerability\"",
@ -865,10 +893,7 @@
],
"x_misp_category": "vulnerability",
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"x_misp_timestamp": "2019-08-12 12:16:50",
"type": "x-misp-object-weakness",
"created": "2020-03-23T10:21:17.344Z",
"modified": "2020-03-23T10:21:17.344Z"
"type": "x-misp-object-weakness"
},
{
"id": "attack-pattern--7205da54-70de-4fa7-9b34-e14e63fe6787",
@ -900,12 +925,11 @@
"misp:to_ids=\"False\"",
"from_object"
],
"created": "2020-03-23T10:21:17.344Z",
"modified": "2020-03-23T10:21:17.344Z"
"created": "2020-06-17T11:38:47.987Z",
"modified": "2020-06-17T11:38:47.987Z"
},
{
"id": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"file\"",
@ -913,7 +937,7 @@
"misp:to_ids=\"True\"",
"from_object"
],
"pattern": "[file:size = '35' AND file:hashes.'MD5' = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND file:name = 'oui' AND file:parent_directory_ref.path = '/home/chrisr3d/git/' AND file:parent_directory_ref.path = '/home/chrisr3d/git/MISP/cleanMISP/app/files/scripts/stix2' AND artifact:payload_bin = 'Tm9uLW1hbGljaW91cyBmaWxlCg==' AND artifact:x_misp_text_name = 'non' AND file:content_ref.payload_bin = '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' AND file:content_ref.hashes.'MD5' = '8764605c6f388c89096b534d33565802' AND file:content_ref.name = 'oui']",
"pattern": "[file:size = '35' AND file:name_enc = 'UTF-8' AND file:hashes.'MD5' = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND file:name = 'oui' AND file:parent_directory_ref.path = '/var/www/MISP/app/files/scripts/tmp' AND artifact:payload_bin = 'Tm9uLW1hbGljaW91cyBmaWxlCg==' AND artifact:x_misp_text_name = 'non' AND file:content_ref.payload_bin = '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' AND file:content_ref.hashes.'MD5' = '8764605c6f388c89096b534d33565802' AND file:content_ref.name = 'oui']",
"description": "File object describing a file with meta-information",
"kill_chain_phases": [
{
@ -922,12 +946,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.344Z",
"modified": "2020-03-23T10:21:17.344Z"
"created": "2020-06-17T11:36:58.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"valid_from": "2020-06-17T11:36:58Z",
"valid_until": "2020-06-17T11:36:58Z"
},
{
"id": "indicator--5e396622-2a54-4c8d-b61d-159da964451a",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"email\"",
@ -935,7 +960,7 @@
"misp:to_ids=\"True\"",
"from_object"
],
"pattern": "[email-message:additional_header_fields.reply_to = 'oui@reply.com' AND email-message:from_ref = 'oui@source.com' AND email-message:body_multipart[0].body_raw_ref.payload_bin = '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' AND email-message:body_multipart[0].body_raw_ref.name = 'screenshot_of_email.png' AND email-message:subject = 'Le Oui' AND email-message:cc_refs = 'oui1@cc.com' AND email-message:cc_refs = 'oui2@cc.com' AND email-message:to_refs = 'oui@to.lu' AND email-message:body_multipart[1].body_raw_ref.name = 'oui.jpg' AND email-message:body_multipart[2].body_raw_ref.name = 'oui.png' AND email-message:additional_header_fields.x_mailer = 'oui_X-mailer']",
"pattern": "[email-message:additional_header_fields.reply_to = 'oui@reply.com' AND email-message:from_ref.value = 'oui@source.com' AND email-message:body_multipart[0].body_raw_ref.payload_bin = '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' AND email-message:body_multipart[0].body_raw_ref.name = 'screenshot_of_email.png' AND email-message:subject = 'Le Oui' AND email-message:cc_refs[*].value = 'oui1@cc.com' AND email-message:cc_refs[*].value = 'oui2@cc.com' AND email-message:to_refs[*].value = 'oui@to.lu' AND email-message:body_multipart[1].body_raw_ref.name = 'oui.jpg' AND email-message:body_multipart[2].body_raw_ref.name = 'oui.png' AND email-message:additional_header_fields.x_mailer = 'oui_X-mailer']",
"description": "Email object describing an email with meta-information",
"kill_chain_phases": [
{
@ -944,12 +969,13 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.353Z",
"modified": "2020-03-23T10:21:17.353Z"
"created": "2020-02-04T12:40:02.000Z",
"modified": "2020-02-04T12:40:02.000Z",
"valid_from": "2020-02-04T12:40:02Z",
"valid_until": "2020-02-04T12:40:02Z"
},
{
"id": "indicator--5e39776a-b284-40b3-8079-22fea964451a",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"process\"",
@ -966,8 +992,10 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.367Z",
"modified": "2020-03-23T10:21:17.367Z"
"created": "2020-02-04T13:56:03.000Z",
"modified": "2020-02-04T13:56:03.000Z",
"valid_from": "2020-02-04T13:56:03Z",
"valid_until": "2020-02-04T13:56:03Z"
},
{
"id": "vulnerability--5e579975-e9cc-46c6-a6ad-1611a964451a",
@ -1013,12 +1041,11 @@
"misp:to_ids=\"False\"",
"from_object"
],
"created": "2020-03-23T10:21:17.370Z",
"modified": "2020-03-23T10:21:17.370Z"
"created": "2020-06-17T11:38:48.008Z",
"modified": "2020-06-17T11:38:48.008Z"
},
{
"id": "indicator--5ac47782-e1b8-40b6-96b4-02510a00020f",
"valid_from": "2018-03-28T00:00:00Z",
"type": "indicator",
"labels": [
"misp:type=\"WindowsPEBinaryFile\"",
@ -1026,7 +1053,7 @@
"misp:to_ids=\"True\"",
"from_object"
],
"pattern": "[file:size = '1234' AND file:hashes.'MD5' = 'b2a5abfeef9e36964281a31e17b57c97' AND file:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND file:hashes.'SHA-256' = '3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8' AND file:name = 'oui' AND file:parent_directory_ref.path = '/home/chrisr3d/git/' AND file:parent_directory_ref.path = '/home/chrisr3d/git/MISP/cleanMISP/app/files/scripts/stix2' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_text_entrypoint_address = '5369222868' AND file:extensions.'windows-pebinary-ext'.x_misp_datetime_compilation_timestamp = '2019-03-16T12:31:22' AND file:extensions.'windows-pebinary-ext'.x_misp_filename_original_filename = 'PuTTY' AND file:extensions.'windows-pebinary-ext'.x_misp_filename_internal_filename = 'PuTTY' AND file:extensions.'windows-pebinary-ext'.x_misp_text_file_description = 'SSH, Telnet and Rlogin client' AND file:extensions.'windows-pebinary-ext'.x_misp_text_file_version = 'Release 0.71 (with embedded help)' AND file:extensions.'windows-pebinary-ext'.x_misp_text_lang_id = '080904B0' AND file:extensions.'windows-pebinary-ext'.x_misp_text_product_name = 'PuTTY suite' AND file:extensions.'windows-pebinary-ext'.x_misp_text_product_version = 'Release 0.71' AND file:extensions.'windows-pebinary-ext'.x_misp_text_company_name = 'Simon Tatham' AND file:extensions.'windows-pebinary-ext'.x_misp_text_legal_copyright = 'Copyright \u00a9 1997-2019 Simon Tatham.' 
AND file:extensions.'windows-pebinary-ext'.number_of_sections = '8' AND file:extensions.'windows-pebinary-ext'.sections[0].name = '.rsrc' AND file:extensions.'windows-pebinary-ext'.sections[0].size = '305152' AND file:extensions.'windows-pebinary-ext'.sections[0].entropy = '7.836462238824369' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'md5' = '8a2a5fc2ce56b3b04d58539a95390600' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha1' = '0aeb9def096e9f73e9460afe6f8783a32c7eabdf' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha256' = 'c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha512' = '98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'ssdeep' = '6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK']",
"pattern": "[file:size = '1234' AND file:hashes.'MD5' = 'b2a5abfeef9e36964281a31e17b57c97' AND file:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND file:hashes.'SHA-256' = '3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8' AND file:name = 'oui' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_text_entrypoint_address = '5369222868' AND file:extensions.'windows-pebinary-ext'.x_misp_datetime_compilation_timestamp = '2019-03-16T12:31:22' AND file:extensions.'windows-pebinary-ext'.x_misp_filename_original_filename = 'PuTTY' AND file:extensions.'windows-pebinary-ext'.x_misp_filename_internal_filename = 'PuTTY' AND file:extensions.'windows-pebinary-ext'.x_misp_text_file_description = 'SSH, Telnet and Rlogin client' AND file:extensions.'windows-pebinary-ext'.x_misp_text_file_version = 'Release 0.71 (with embedded help)' AND file:extensions.'windows-pebinary-ext'.x_misp_text_lang_id = '080904B0' AND file:extensions.'windows-pebinary-ext'.x_misp_text_product_name = 'PuTTY suite' AND file:extensions.'windows-pebinary-ext'.x_misp_text_product_version = 'Release 0.71' AND file:extensions.'windows-pebinary-ext'.x_misp_text_company_name = 'Simon Tatham' AND file:extensions.'windows-pebinary-ext'.x_misp_text_legal_copyright = 'Copyright \u00a9 1997-2019 Simon Tatham.' 
AND file:extensions.'windows-pebinary-ext'.number_of_sections = '8' AND file:extensions.'windows-pebinary-ext'.sections[0].name = '.rsrc' AND file:extensions.'windows-pebinary-ext'.sections[0].size = '305152' AND file:extensions.'windows-pebinary-ext'.sections[0].entropy = '7.836462238824369' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'md5' = '8a2a5fc2ce56b3b04d58539a95390600' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha1' = '0aeb9def096e9f73e9460afe6f8783a32c7eabdf' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha256' = 'c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'sha512' = '98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'ssdeep' = '6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK']",
"description": "File object describing a file with meta-information",
"kill_chain_phases": [
{
@ -1035,12 +1062,16 @@
}
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.370Z",
"modified": "2020-03-23T10:21:17.370Z"
"created": "2019-09-23T16:22:08.000Z",
"modified": "2019-09-23T16:22:08.000Z",
"valid_from": "2019-09-23T16:22:08Z",
"valid_until": "2019-09-23T16:22:08Z"
},
{
"id": "attack-pattern--dcb864dc-775f-11e7-9fbb-1f41b4996683",
"type": "attack-pattern",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "DLL Search Order Hijacking - T1038",
"description": "ATT&CK Tactic | Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. \n\nAdversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. \n\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.\n\nPrograms that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
"kill_chain_phases": [
@ -1053,13 +1084,13 @@
"misp:name=\"Attack Pattern\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1038\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.391Z",
"modified": "2020-03-23T10:21:17.391Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "intrusion-set--10df003c-7831-11e7-bdb9-971cdd1218df",
"type": "intrusion-set",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "APT16 - G0023",
"description": "Name of ATT&CK Group | [APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"aliases": [
@ -1069,13 +1100,13 @@
"misp:name=\"Intrusion Set\"",
"misp-galaxy:mitre-intrusion-set=\"APT16 - G0023\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.391Z",
"modified": "2020-03-23T10:21:17.391Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "malware--d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"type": "malware",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "Elise - S0081",
"description": "Name of ATT&CK software | [Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)",
"kill_chain_phases": [
@ -1088,13 +1119,13 @@
"misp:name=\"Malware\"",
"misp-galaxy:mitre-malware=\"Elise - S0081\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.391Z",
"modified": "2020-03-23T10:21:17.391Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "tool--d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
"type": "tool",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "ifconfig - S0101",
"description": "Name of ATT&CK software | [ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)",
"kill_chain_phases": [
@ -1107,26 +1138,26 @@
"misp:name=\"Tool\"",
"misp-galaxy:mitre-tool=\"ifconfig - S0101\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.391Z",
"modified": "2020-03-23T10:21:17.391Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "course-of-action--a8825ae8-6dea-11e7-8d57-7728f3cfe086",
"type": "course-of-action",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "Access Token Manipulation Mitigation - T1134",
"description": "ATT&CK Mitigation | Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.\n\nAny user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)\n\nAlso limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.",
"labels": [
"misp:name=\"Course of Action\"",
"misp-galaxy:mitre-course-of-action=\"Access Token Manipulation Mitigation - T1134\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.391Z",
"modified": "2020-03-23T10:21:17.391Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "threat-actor--7cdff317-a673-4474-84ec-4f1754947823",
"type": "threat-actor",
"created": "2018-03-28T00:00:00.000Z",
"modified": "2020-06-17T11:36:58.000Z",
"name": "APT 16",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. | Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.",
"aliases": [
@ -1137,9 +1168,7 @@
"misp:name=\"Threat Actor\"",
"misp-galaxy:threat-actor=\"APT 16\""
],
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985",
"created": "2020-03-23T10:21:17.392Z",
"modified": "2020-03-23T10:21:17.392Z"
"created_by_ref": "identity--5a8e935e-5484-488c-852c-776f7c7cf985"
},
{
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
@ -1152,21 +1181,21 @@
},
{
"type": "relationship",
"id": "relationship--3322dedc-eed7-4e07-bda2-5ba1ec80b7c6",
"created": "2020-03-23T10:21:17.392Z",
"modified": "2020-03-23T10:21:17.392Z",
"id": "relationship--f4da9363-a17c-4276-a98d-d2f88788d9ab",
"created": "2020-06-17T11:38:48.025Z",
"modified": "2020-06-17T11:38:48.025Z",
"source_ref": "vulnerability--5e579975-e9cc-46c6-a6ad-1611a964451a",
"relationship_type": "targeted-by",
"target_ref": "attack-pattern--7205da54-70de-4fa7-9b34-e14e63fe6787"
},
{
"type": "relationship",
"id": "relationship--6d252983-3544-4803-9f5e-e1b382421cf7",
"created": "2020-03-23T10:21:17.392Z",
"modified": "2020-03-23T10:21:17.392Z",
"id": "relationship--2dbc7243-37d3-45b0-b465-967a393e8f66",
"created": "2020-06-17T11:38:48.025Z",
"modified": "2020-06-17T11:38:48.025Z",
"source_ref": "vulnerability--5e579975-e9cc-46c6-a6ad-1611a964451a",
"relationship_type": "weakened-by",
"target_ref": "x-misp-object-weakness--a1285743-3962-40e3-a824-0f21f10f3e19"
}
]
}
}
