fix: [stix test] Updated STIX1 test files with the most recent fixes on the export script

pull/5216/head
chrisr3d 2019-09-24 11:11:33 +02:00
parent 8b9a9c1326
commit fdb418de0b
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
2 changed files with 189 additions and 113 deletions


@ -49,20 +49,20 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
id="ORGNAME:Package-3e0ef307-bc9a-4034-838f-6541dd31e097" version="1.1.1" timestamp="2019-09-23T11:00:23.194769">
id="ORGNAME:Package-aa5d559a-135f-40e8-a2cd-b39cfe6391fb" version="1.1.1" timestamp="2019-09-24T10:56:20.252310">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:Related_Packages>
<stix:Related_Package>
<stix:Package id="ORGNAME:STIXPackage-5abb8534-ba9c-48cd-bb63-02480a00020f" version="1.1.1" timestamp="2019-09-23T07:43:38">
<stix:Package id="ORGNAME:STIXPackage-5abb8534-ba9c-48cd-bb63-02480a00020f" version="1.1.1" timestamp="2019-09-23T16:22:08">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:TTPs>
<stix:TTP id="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-23T09:00:23.502661+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-24T08:56:20.523961+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Attack Pattern: mitre-attack-pattern (MISP GalaxyCluster #7454)</ttp:Title>
<ttp:Behavior>
<ttp:Attack_Patterns>
@ -81,7 +81,7 @@
</ttp:Attack_Patterns>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-23T09:00:23.503738+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-24T08:56:20.525015+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malware: mitre-malware (MISP GalaxyCluster #6734)</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
@ -96,7 +96,7 @@
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-23T09:00:23.503981+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-24T08:56:20.525261+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Tool: mitre-tool (MISP GalaxyCluster #7242)</ttp:Title>
<ttp:Resources>
<ttp:Tools>
@ -208,12 +208,12 @@
</stix:TTP>
</stix:TTPs>
<stix:Incidents>
<stix:Incident id="ORGNAME:Incident-5abb8534-ba9c-48cd-bb63-02480a00020f" timestamp="2019-09-23T07:45:03" xsi:type='incident:IncidentType'>
<stix:Incident id="ORGNAME:Incident-5abb8534-ba9c-48cd-bb63-02480a00020f" timestamp="2019-09-23T16:22:29" xsi:type='incident:IncidentType'>
<incident:Title>STIX indicators test event</incident:Title>
<incident:External_ID source="MISP Event">1255</incident:External_ID>
<incident:Time>
<incident:Incident_Discovery precision="second">2018-03-28T00:00:00</incident:Incident_Discovery>
<incident:Incident_Reported precision="second">2019-09-23T07:45:03</incident:Incident_Reported>
<incident:Incident_Reported precision="second">2019-09-23T16:22:29</incident:Incident_Reported>
</incident:Time>
<incident:Reporter>
<stixCommon:Identity>
@ -1213,18 +1213,18 @@
<EmailMessageObj:X_Mailer condition="Equals">oui_X-mailer</EmailMessageObj:X_Mailer>
</EmailMessageObj:Header>
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="ORGNAME:File-93c9985b-b251-4e67-a5aa-d43a61483a11"/>
<EmailMessageObj:File object_reference="ORGNAME:File-95a9edb6-c371-4d50-b50c-10300e211023"/>
<EmailMessageObj:File object_reference="ORGNAME:File-e68798d1-bf3e-4381-bcd1-8f01ea6ef221"/>
<EmailMessageObj:File object_reference="ORGNAME:File-a7d2eef8-2861-441b-a244-5a6ddbd1ef00"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
<cybox:Related_Objects>
<cybox:Related_Object id="ORGNAME:File-93c9985b-b251-4e67-a5aa-d43a61483a11">
<cybox:Related_Object id="ORGNAME:File-e68798d1-bf3e-4381-bcd1-8f01ea6ef221">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.jpg</FileObj:File_Name>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
</cybox:Related_Object>
<cybox:Related_Object id="ORGNAME:File-95a9edb6-c371-4d50-b50c-10300e211023">
<cybox:Related_Object id="ORGNAME:File-a7d2eef8-2861-441b-a244-5a6ddbd1ef00">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.png</FileObj:File_Name>
</cybox:Properties>
@ -1246,48 +1246,6 @@
</indicator:Producer>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Indicator id="ORGNAME:MISPObject-5ac47782-e1b8-40b6-96b4-02510a00020f" timestamp="2019-08-12T11:28:32" xsi:type='indicator:IndicatorType'>
<indicator:Title>file (MISP Object #13262)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Description>file (MISP Object #13262)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id="ORGNAME:File-5ac47782-e1b8-40b6-96b4-02510a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac47782-e1b8-40b6-96b4-02510a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">1234</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</indicator:Handling>
<indicator:Producer>
<stixCommon:Identity>
<stixCommon:Name>ORGNAME_387</stixCommon:Name>
</stixCommon:Identity>
</indicator:Producer>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Indicator id="ORGNAME:MISPObject-5ac47edc-31e4-4402-a7b6-040d0a00020f" timestamp="2018-04-04T07:29:32" xsi:type='indicator:IndicatorType'>
@ -1604,30 +1562,110 @@
</indicator:Producer>
</stixCommon:Indicator>
</incident:Related_Indicator>
<incident:Related_Indicator>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Indicator id="ORGNAME:MISPObject-5ac47782-e1b8-40b6-96b4-02510a00020f" timestamp="2019-09-23T16:22:08" xsi:type='indicator:IndicatorType'>
<indicator:Title>file (MISP Object #13262)</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malware Artifacts</indicator:Type>
<indicator:Description>file (MISP Object #13262)</indicator:Description>
<indicator:Valid_Time_Position/>
<indicator:Observable id="ORGNAME:WinExecutableFile-5ac47782-e1b8-40b6-96b4-02510a00020f">
<cybox:Object id="ORGNAME:WinExecutableFileObject-5ac47782-e1b8-40b6-96b4-02510a00020f">
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">1234</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<WinExecutableFileObj:Headers>
<WinExecutableFileObj:File_Header>
<WinExecutableFileObj:Number_Of_Sections>8</WinExecutableFileObj:Number_Of_Sections>
</WinExecutableFileObj:File_Header>
</WinExecutableFileObj:Headers>
<WinExecutableFileObj:Sections>
<WinExecutableFileObj:Section>
<WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Name>.rsrc</WinExecutableFileObj:Name>
<WinExecutableFileObj:Size_Of_Raw_Data>305152</WinExecutableFileObj:Size_Of_Raw_Data>
</WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Value>7.836462238824369</WinExecutableFileObj:Value>
</WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Header_Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8a2a5fc2ce56b3b04d58539a95390600</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0aeb9def096e9f73e9460afe6f8783a32c7eabdf</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA512</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals">Other</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</WinExecutableFileObj:Header_Hashes>
</WinExecutableFileObj:Section>
</WinExecutableFileObj:Sections>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</indicator:Handling>
<indicator:Producer>
<stixCommon:Identity>
<stixCommon:Name>ORGNAME_387</stixCommon:Name>
</stixCommon:Identity>
</indicator:Producer>
</stixCommon:Indicator>
</incident:Related_Indicator>
</incident:Related_Indicators>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Attack Pattern</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-23T09:00:23.502661+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-24T08:56:20.523961+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Malware</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-23T09:00:23.503738+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-24T08:56:20.525015+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Tool</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-23T09:00:23.503981+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-24T08:56:20.525261+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
</incident:Leveraged_TTPs>
<incident:Attributed_Threat_Actors>
<incident:Threat_Actor>
<stixCommon:Relationship>ThreatActor</stixCommon:Relationship>
<stixCommon:Threat_Actor idref="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-23T09:00:23.504529+00:00" xsi:type='ta:ThreatActorType'>
<stixCommon:Threat_Actor idref="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-24T08:56:20.525866+00:00" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</incident:Threat_Actor>
</incident:Attributed_Threat_Actors>
<incident:COA_Taken>
<incident:Course_Of_Action idref="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-23T09:00:23.504274+00:00" xsi:type='coa:CourseOfActionType'/>
<incident:Course_Of_Action idref="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-24T08:56:20.525659+00:00" xsi:type='coa:CourseOfActionType'/>
</incident:COA_Taken>
<incident:History>
<incident:History_Item>
@ -1693,7 +1731,7 @@
</stix:Incident>
</stix:Incidents>
<stix:Courses_Of_Action>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-23T09:00:23.504274+00:00" xsi:type='coa:CourseOfActionType'>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-24T08:56:20.525659+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Course of Action: Access Token Manipulation Mitigation - T1134</coa:Title>
<coa:Description>Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.
@ -1701,28 +1739,28 @@
Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.</coa:Description>
</stix:Course_Of_Action>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-5d514ff9-ac30-4fb5-b9e7-3eb4a964451a" timestamp="2019-09-23T09:00:23.522511+00:00" xsi:type='coa:CourseOfActionType'>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-5d514ff9-ac30-4fb5-b9e7-3eb4a964451a" timestamp="2019-09-24T08:56:20.543126+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
<coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
<coa:Objective>
<coa:Description>Block communication between the PIVY agents and the C2 Server</coa:Description>
</coa:Objective>
<coa:Impact timestamp="2019-09-23T09:00:23.522602+00:00">
<coa:Impact timestamp="2019-09-24T08:56:20.543214+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Impact>
<coa:Cost timestamp="2019-09-23T09:00:23.522583+00:00">
<coa:Cost timestamp="2019-09-24T08:56:20.543196+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Cost>
<coa:Efficacy timestamp="2019-09-23T09:00:23.522618+00:00">
<coa:Efficacy timestamp="2019-09-24T08:56:20.543229+00:00">
<stixCommon:Value>High</stixCommon:Value>
</coa:Efficacy>
</stix:Course_Of_Action>
</stix:Courses_Of_Action>
<stix:Threat_Actors>
<stix:Threat_Actor id="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-23T09:00:23.504529+00:00" xsi:type='ta:ThreatActorType'>
<stix:Threat_Actor id="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-24T08:56:20.525866+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>Threat Actor: APT 16</ta:Title>
<ta:Description>Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.</ta:Description>
<ta:Intended_Effect timestamp="2019-09-23T09:00:23.505020+00:00">
<ta:Intended_Effect timestamp="2019-09-24T08:56:20.526308+00:00">
<stixCommon:Value>Espionage</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>
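Review bot: The last entry of the new `WinExecutableFileObj:Header_Hashes` block (the `6144:...` value, which looks like an ssdeep digest) is typed as a bare `Other` with no `xsi:type`, while every sibling uses `cyboxVocabs:HashNameVocab-1.0`; that vocabulary defines `SSDEEP` and CybOX provides `cyboxCommon:Fuzzy_Hash_Value` for fuzzy digests, so a consumer matching on the vocab will not recognise this hash. If this is what the export script currently emits the fixture is faithful, but it now pins that output as expected; consider fixing the script and regenerating with `<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SSDEEP</cyboxCommon:Type>`. Separately, the regenerated outer package `timestamp="2019-09-24T10:56:20.252310"` carries no offset while the nested TTP timestamps read `2019-09-24T08:56:20...+00:00`, two hours apart, which suggests the package-level timestamp is a naive local time; worth confirming in the export script. The same two observations apply to the second file section of this commit.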


@ -49,20 +49,20 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
id="ORGNAME:Package-e21d199c-f7ca-404a-9ea7-0816eca5912c" version="1.1.1" timestamp="2019-09-23T11:01:09.356252">
id="ORGNAME:Package-0e21f8ad-949e-4d51-b81a-d64b8b79a365" version="1.1.1" timestamp="2019-09-24T11:08:05.255008">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:Related_Packages>
<stix:Related_Package>
<stix:Package id="ORGNAME:STIXPackage-5ac4db18-0c58-4436-a3fa-01ef0a00020f" version="1.1.1" timestamp="2019-09-23T08:56:02">
<stix:Package id="ORGNAME:STIXPackage-5ac4db18-0c58-4436-a3fa-01ef0a00020f" version="1.1.1" timestamp="2019-09-23T16:23:16">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:TTPs>
<stix:TTP id="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-23T09:01:09.625755+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-24T09:08:05.529834+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Attack Pattern: mitre-attack-pattern (MISP GalaxyCluster #7454)</ttp:Title>
<ttp:Behavior>
<ttp:Attack_Patterns>
@ -81,7 +81,7 @@
</ttp:Attack_Patterns>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-23T09:01:09.626793+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-24T09:08:05.530979+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malware: mitre-malware (MISP GalaxyCluster #6734)</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
@ -96,7 +96,7 @@
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-23T09:01:09.627034+00:00" xsi:type='ttp:TTPType'>
<stix:TTP id="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-24T09:08:05.531213+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Tool: mitre-tool (MISP GalaxyCluster #7242)</ttp:Title>
<ttp:Resources>
<ttp:Tools>
@ -208,12 +208,12 @@
</stix:TTP>
</stix:TTPs>
<stix:Incidents>
<stix:Incident id="ORGNAME:Incident-5ac4db18-0c58-4436-a3fa-01ef0a00020f" timestamp="2019-09-23T08:56:15" xsi:type='incident:IncidentType'>
<stix:Incident id="ORGNAME:Incident-5ac4db18-0c58-4436-a3fa-01ef0a00020f" timestamp="2019-09-23T16:23:25" xsi:type='incident:IncidentType'>
<incident:Title>STIX observables test event</incident:Title>
<incident:External_ID source="MISP Event">1256</incident:External_ID>
<incident:Time>
<incident:Incident_Discovery precision="second">2018-03-28T00:00:00</incident:Incident_Discovery>
<incident:Incident_Reported precision="second">2019-09-23T08:56:15</incident:Incident_Reported>
<incident:Incident_Reported precision="second">2019-09-23T16:23:25</incident:Incident_Reported>
</incident:Time>
<incident:Reporter>
<stixCommon:Identity>
@ -637,18 +637,18 @@
<EmailMessageObj:X_Mailer condition="Equals">oui_X-mailer</EmailMessageObj:X_Mailer>
</EmailMessageObj:Header>
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="ORGNAME:File-88a0e475-4dae-463d-b60a-34b6b5bdacd6"/>
<EmailMessageObj:File object_reference="ORGNAME:File-bfbc5a53-9d5f-445f-b9c3-fef5dba129d9"/>
<EmailMessageObj:File object_reference="ORGNAME:File-aaac3122-2010-43fa-b793-b875e1a92623"/>
<EmailMessageObj:File object_reference="ORGNAME:File-5e8dc4f6-b808-423d-be18-65a46a7edcb2"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
<cybox:Related_Objects>
<cybox:Related_Object id="ORGNAME:File-88a0e475-4dae-463d-b60a-34b6b5bdacd6">
<cybox:Related_Object id="ORGNAME:File-aaac3122-2010-43fa-b793-b875e1a92623">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.jpg</FileObj:File_Name>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
</cybox:Related_Object>
<cybox:Related_Object id="ORGNAME:File-bfbc5a53-9d5f-445f-b9c3-fef5dba129d9">
<cybox:Related_Object id="ORGNAME:File-5e8dc4f6-b808-423d-be18-65a46a7edcb2">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.png</FileObj:File_Name>
</cybox:Properties>
@ -658,31 +658,6 @@
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">1234</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:ip-port_ObservableComposition-5ac4db19-f4d0-460f-94c8-01ef0a00020f">
@ -863,30 +838,93 @@
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:WinExecutableFile-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Object id="ORGNAME:WinExecutableFileObject-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">1234</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<WinExecutableFileObj:Headers>
<WinExecutableFileObj:File_Header>
<WinExecutableFileObj:Number_Of_Sections>8</WinExecutableFileObj:Number_Of_Sections>
</WinExecutableFileObj:File_Header>
</WinExecutableFileObj:Headers>
<WinExecutableFileObj:Sections>
<WinExecutableFileObj:Section>
<WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Name>.rsrc</WinExecutableFileObj:Name>
<WinExecutableFileObj:Size_Of_Raw_Data>305152</WinExecutableFileObj:Size_Of_Raw_Data>
</WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Value>7.836462238824369</WinExecutableFileObj:Value>
</WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Header_Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8a2a5fc2ce56b3b04d58539a95390600</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0aeb9def096e9f73e9460afe6f8783a32c7eabdf</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA512</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals">Other</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</WinExecutableFileObj:Header_Hashes>
</WinExecutableFileObj:Section>
</WinExecutableFileObj:Sections>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Attack Pattern</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-23T09:01:09.625755+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2019-09-24T09:08:05.529834+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Malware</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-23T09:01:09.626793+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2019-09-24T09:08:05.530979+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>Tool</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-23T09:01:09.627034+00:00" xsi:type='ttp:TTPType'/>
<stixCommon:TTP idref="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2019-09-24T09:08:05.531213+00:00" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
</incident:Leveraged_TTPs>
<incident:Attributed_Threat_Actors>
<incident:Threat_Actor>
<stixCommon:Relationship>ThreatActor</stixCommon:Relationship>
<stixCommon:Threat_Actor idref="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-23T09:01:09.627561+00:00" xsi:type='ta:ThreatActorType'>
<stixCommon:Threat_Actor idref="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-24T09:08:05.531710+00:00" xsi:type='ta:ThreatActorType'>
</stixCommon:Threat_Actor>
</incident:Threat_Actor>
</incident:Attributed_Threat_Actors>
<incident:COA_Taken>
<incident:Course_Of_Action idref="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-23T09:01:09.627358+00:00" xsi:type='coa:CourseOfActionType'/>
<incident:Course_Of_Action idref="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-24T09:08:05.531515+00:00" xsi:type='coa:CourseOfActionType'/>
</incident:COA_Taken>
<incident:History>
<incident:History_Item>
@ -952,7 +990,7 @@
</stix:Incident>
</stix:Incidents>
<stix:Courses_Of_Action>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-23T09:01:09.627358+00:00" xsi:type='coa:CourseOfActionType'>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-a8825ae8-6dea-11e7-8d57-7728f3cfe086" timestamp="2019-09-24T09:08:05.531515+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Course of Action: Access Token Manipulation Mitigation - T1134</coa:Title>
<coa:Description>Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.
@ -960,28 +998,28 @@
Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.</coa:Description>
</stix:Course_Of_Action>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-5d515039-9a68-468b-9c78-3affa964451a" timestamp="2019-09-23T09:01:09.636969+00:00" xsi:type='coa:CourseOfActionType'>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-5d515039-9a68-468b-9c78-3affa964451a" timestamp="2019-09-24T09:08:05.540804+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
<coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
<coa:Objective>
<coa:Description>Block communication between the PIVY agents and the C2 Server</coa:Description>
</coa:Objective>
<coa:Impact timestamp="2019-09-23T09:01:09.637058+00:00">
<coa:Impact timestamp="2019-09-24T09:08:05.540895+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Impact>
<coa:Cost timestamp="2019-09-23T09:01:09.637040+00:00">
<coa:Cost timestamp="2019-09-24T09:08:05.540878+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Cost>
<coa:Efficacy timestamp="2019-09-23T09:01:09.637073+00:00">
<coa:Efficacy timestamp="2019-09-24T09:08:05.540912+00:00">
<stixCommon:Value>High</stixCommon:Value>
</coa:Efficacy>
</stix:Course_Of_Action>
</stix:Courses_Of_Action>
<stix:Threat_Actors>
<stix:Threat_Actor id="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-23T09:01:09.627561+00:00" xsi:type='ta:ThreatActorType'>
<stix:Threat_Actor id="ORGNAME:ThreatActor-7cdff317-a673-4474-84ec-4f1754947823" timestamp="2019-09-24T09:08:05.531710+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>Threat Actor: APT 16</ta:Title>
<ta:Description>Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.</ta:Description>
<ta:Intended_Effect timestamp="2019-09-23T09:01:09.627977+00:00">
<ta:Intended_Effect timestamp="2019-09-24T09:08:05.532164+00:00">
<stixCommon:Value>Espionage</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>