1 CIRCL OSINT Feed CIRCL https://www.circl.lu/doc/misp/feed-osint \N f 3 0 0 t misp f f 0 f f \N network f f \N f
2 The Botvrij.eu Data Botvrij.eu http://www.botvrij.eu/data/feed-osint \N f 3 0 0 t misp f f 0 f f \N network f f \N f

1 /.:.ProgramData./i %ALLUSERSPROFILE%\\\\ ALL
2 /.:.Documents and Settings.All Users./i %ALLUSERSPROFILE%\\\\ ALL
3 /.:.Program Files.Common Files./i %COMMONPROGRAMFILES%\\\\ ALL
4 /.:.Program Files (x86).Common Files./i %COMMONPROGRAMFILES(x86)%\\\\ ALL
5 /.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i %TEMP%\\\\ ALL
6 /.:.ProgramData./i %PROGRAMDATA%\\\\ ALL
7 /.:.Program Files./i %PROGRAMFILES%\\\\ ALL
8 /.:.Program Files (x86)./i %PROGRAMFILES(X86)%\\\\ ALL
9 /.:.Users.Public./i %PUBLIC%\\\\ ALL
10 /.:.Documents and Settings\\\\(.*?)\\\\Local Settings.Temp./i %TEMP%\\\\ ALL
11 /.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i %TEMP%\\\\ ALL
12 /.:.Users\\\\(.*?)\\\\AppData.Local./i %LOCALAPPDATA%\\\\ ALL
13 /.:.Users\\\\(.*?)\\\\AppData.Roaming./i %APPDATA%\\\\ ALL
14 /.:.Users\\\\(.*?)\\\\Application Data./i %APPDATA%\\\\ ALL
15 /.:.Windows\\\\(.*?)\\\\Application Data./i %APPDATA%\\\\ ALL
16 /.:.Users\\\\(.*?)\\\\/i %USERPROFILE%\\\\ ALL
17 /.:.DOCUME~1.\\\\(.*?)\\\\/i %USERPROFILE%\\\\ ALL
18 /.:.Documents and Settings\\\\(.*?)\\\\/i %USERPROFILE%\\\\ ALL
19 /.:.Windows./i %WINDIR%\\\\ ALL
20 /.:.Windows./i %WINDIR%\\\\ ALL
21 /.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/i HKCU ALL
22 /.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}/i HKCU ALL
23 /.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}/i HKCU ALL
24 /.REGISTRY.MACHINE./i HKLM\\\\ ALL
25 /.Registry.Machine./i HKLM\\\\ ALL
26 /%USERPROFILE%.Application Data.Microsoft.UProof/i  ALL
27 /%USERPROFILE%.Local Settings.History/i  ALL
28 /%APPDATA%.Microsoft.UProof/i  ALL
29 /%LOCALAPPDATA%.Microsoft.Windows.Temporary Internet Files/i  ALL

1 admin 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 t t t t t t t t t t t t t t t t t t f f t t t
2 Org Admin 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 t t t t t f t t f t f f t t t t t f f f t t t
3 User 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 t t t f f f f f f t f f f f f f t f t f f f t
4 Publisher 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 t t t t t f f f f t f f f f f f t f f f t t t
5 Sync user 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 t t t t t t f f f t f f f f t f t f f f t t f
6 Read Only 2018-11-27 06:22:00+00 2018-11-27 06:22:00+00 f f f f f f f f f t f f f f f f f f f f f f f

Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.taxonomies (id, namespace, description, version, enabled) FROM stdin;
\.


--
-- Data for Name: taxonomy_entries; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.taxonomy_entries (id, taxonomy_predicate_id, value, expanded, colour) FROM stdin;
\.


--
-- Data for Name: taxonomy_predicates; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.taxonomy_predicates (id, taxonomy_id, value, expanded, colour) FROM stdin;
\.


--
-- Data for Name: template_element_attributes; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.template_element_attributes (id, template_element_id, name, description, to_ids, category, complex, type, mandatory, batch) FROM stdin;
1 1 From address The source address from which the e-mail was sent. t Payload delivery f email-src t t
2 2 Malicious url The malicious url in the e-mail body. t Payload delivery f url t t
3 4 E-mail subject The subject line of the e-mail. f Payload delivery f email-subject t f
4 6 Spoofed source address If an e-mail address was spoofed, specify which. t Payload delivery f email-src f f
5 7 Source IP The source IP from which the e-mail was sent t Payload delivery f ip-src f t
6 8 X-mailer header It could be useful to capture which application and which version thereof was used to send the message, as described by the X-mailer header. t Payload delivery f text f t
7 12 From address The source address from which the e-mail was sent t Payload delivery f email-src t t
8 15 Spoofed From Address The spoofed source address from which the e-mail appears to be sent. t Payload delivery f email-src f t
9 17 E-mail Source IP The IP address from which the e-mail was sent. t Payload delivery f ip-src f t
10 18 X-mailer header It could be useful to capture which application and which version thereof was used to send the message, as described by the X-mailer header. t Payload delivery f text f f
11 19 Malicious URL in the e-mail If there was a malicious URL (or several), please specify it here t Payload delivery f ip-dst f t
12 20 Exploited vulnerablity The vulnerabilities exploited during the payload delivery. f Payload delivery f vulnerability f t
13 22 C2 information Command and Control information detected during the analysis. t Network activity t CnC f t
14 23 Artifacts dropped (File) Any information about the files dropped during the analysis t Artifacts dropped t File f t
15 24 Artifacts dropped (Registry key) Any registry keys touched during the analysis t Artifacts dropped f regkey f t
16 25 Artifacts dropped (Registry key + value) Any registry keys created or altered together with the value. t Artifacts dropped f regkey|value f t
17 26 Persistance mechanism (filename) Filenames (or filenames with filepaths) used as a persistence mechanism t Persistence mechanism f regkey|value f t
18 27 Persistence mechanism (Registry key) Any registry keys touched as part of the persistence mechanism during the analysis t Persistence mechanism f regkey f t
19 28 Persistence mechanism (Registry key + value) Any registry keys created or modified together with their values used by the persistence mechanism t Persistence mechanism f regkey|value f t
20 34 C2 Information You can drop any urls, domains, hostnames or IP addresses that were detected as the Command and Control during the analysis here. t Network activity t CnC f t
21 35 Other Network Activity Drop any applicable information about other network activity here. The attributes created here will NOT be marked for IDS exports. f Network activity t CnC f t
22 36 Vulnerability The vulnerability or vulnerabilities that the sample exploits f Payload delivery f vulnerability f t
23 37 Artifacts Dropped (File) Insert any data you have on dropped files here. t Artifacts dropped t File f t
24 38 Artifacts dropped (Registry key) Any registry keys touched during the analysis t Artifacts dropped f regkey f t
25 39 Artifacts dropped (Registry key + value) Any registry keys created or altered together with the value. t Artifacts dropped f regkey|value f t
26 42 Persistence mechanism (filename) Insert any filenames used by the persistence mechanism. t Persistence mechanism f filename f t
27 43 Persistence Mechanism (Registry key) Paste any registry keys that were created or modified as part of the persistence mechanism t Persistence mechanism f regkey f t
28 44 Persistence Mechanism (Registry key and value) Paste any registry keys together with the values contained within created or modified by the persistence mechanism t Persistence mechanism f regkey|value f t
29 46 Network Indicators Paste any combination of IP addresses, hostnames, domains or URL t Network activity t CnC f t
30 47 File Indicators Paste any file hashes that you have (MD5, SHA1, SHA256) or filenames below. You can also add filename and hash pairs by using the following syntax for each applicable column: filename|hash t Payload installation t File f t
\.


--
-- Data for Name: template_element_files; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.template_element_files (id, template_element_id, name, description, category, malware, mandatory, batch) FROM stdin;
1 14 Malicious Attachment The file (or files) that was (were) attached to the e-mail itself. Payload delivery t f t
2 21 Payload installation Payload installation detected during the analysis Payload installation t f t
3 30 Malware sample The sample that the report is based on Payload delivery t f f
4 40 Artifacts dropped (Sample) Upload any files that were dropped during the analysis. Artifacts dropped t f t
\.


--
-- Data for Name: template_element_texts; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.template_element_texts (id, name, template_element_id, text) FROM stdin;
1 Required fields 3 The fields below are mandatory.
2 Optional information 5 All of the fields below are optional, please fill out anything that's applicable.
4 Required Fields 11 The following fields are mandatory
5 Optional information about the payload delivery 13 All of the fields below are optional, please fill out anything that's applicable. This section describes the payload delivery, including the e-mail itself, the attached file, the vulnerability it is exploiting and any malicious urls in the e-mail.
6 Optional information obtained from analysing the malicious file 16 Information about the analysis of the malware (if applicable). This can include C2 information, artifacts dropped during the analysis, persistance mechanism, etc.
7 Malware Sample 29 If you can, please upload the sample that the report revolves around.
8 Dropped Artifacts 31 Describe any dropped artifacts that you have encountered during your analysis
9 C2 Information 32 The following field deals with Command and Control information obtained during the analysis. All fields are optional.
10 Other Network Activity 33 If any other Network activity (such as an internet connection test) was detected during the analysis, please specify it using the following fields
11 Persistence mechanism 41 The following fields allow you to describe the persistence mechanism used by the malware
12 Indicators 45 Just paste your list of indicators based on type into the appropriate field. All of the fields are optional, so inputting a list of IP addresses into the Network indicator field for example is sufficient to complete this template.
\.


--
-- Data for Name: template_elements; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.template_elements (id, template_id, "position", element_definition) FROM stdin;
1 1 2 attribute
2 1 3 attribute
3 1 1 text
4 1 4 attribute
5 1 5 text
6 1 6 attribute
7 1 7 attribute
8 1 8 attribute
11 2 1 text
12 2 2 attribute
13 2 3 text
14 2 4 file
15 2 5 attribute
16 2 10 text
17 2 6 attribute
18 2 7 attribute
19 2 8 attribute
20 2 9 attribute
21 2 11 file
22 2 12 attribute
23 2 13 attribute
24 2 14 attribute
25 2 15 attribute
26 2 16 attribute
27 2 17 attribute
28 2 18 attribute
29 3 1 text
30 3 2 file
31 3 4 text
32 3 9 text
33 3 11 text
34 3 10 attribute
35 3 12 attribute
36 3 3 attribute
37 3 5 attribute
38 3 6 attribute
39 3 7 attribute
40 3 8 file
41 3 13 text
42 3 14 attribute
43 3 15 attribute
44 3 16 attribute
45 4 1 text
46 4 2 attribute
47 4 3 attribute
\.


--
-- Data for Name: template_tags; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.template_tags (id, template_id, tag_id) FROM stdin;
\.


--
-- Data for Name: templates; Type: TABLE DATA; Schema: public; Owner: -
--

COPY public.templates (id, name, description, org, share) FROM stdin;
1 Phishing E-mail Create a MISP event about a Phishing E-mail. MISP t
2 Phishing E-mail with malicious attachment A MISP event based on Spear-phishing containing a malicious attachment. This event can include anything from the description of the e-mail itself, the malicious attachment and its description as well as the results of the analysis done on the malicious f MISP t
3 Malware Report This is a template for a generic malware report. MISP t
4 Indicator List A simple template for indicator lists.

1 High *high* means sophisticated APT malware or 0-day attack Sophisticated APT malware or 0-day attack
2 Medium *medium* means APT malware APT malware
3 Low *low* means mass-malware Mass-malware
4 Undefined *undefined* no risk No risk