{
"result": {
"sane_defaults": {
"md5": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha1": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename": {
"default_category": "Payload delivery",
"to_ids": 1
},
"pdb": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"filename|md5": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha1": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"ip-src": {
"default_category": "Network activity",
"to_ids": 1
},
"ip-dst": {
"default_category": "Network activity",
"to_ids": 1
},
"hostname": {
"default_category": "Network activity",
"to_ids": 1
},
"domain": {
"default_category": "Network activity",
"to_ids": 1
},
"domain|ip": {
"default_category": "Network activity",
"to_ids": 1
},
"email-src": {
"default_category": "Payload delivery",
"to_ids": 1
},
"email-dst": {
"default_category": "Network activity",
"to_ids": 1
},
"email-subject": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-attachment": {
"default_category": "Payload delivery",
"to_ids": 1
},
"email-body": {
"default_category": "Payload delivery",
"to_ids": 0
},
"float": {
"default_category": "Other",
"to_ids": 0
},
"url": {
"default_category": "External analysis",
"to_ids": 1
},
"http-method": {
"default_category": "Network activity",
"to_ids": 0
},
"user-agent": {
"default_category": "Network activity",
"to_ids": 0
},
"regkey": {
"default_category": "Persistence mechanism",
"to_ids": 1
},
"regkey|value": {
"default_category": "Persistence mechanism",
"to_ids": 1
},
"AS": {
"default_category": "Network activity",
"to_ids": 0
},
"snort": {
"default_category": "Network activity",
"to_ids": 1
},
"pattern-in-file": {
"default_category": "Payload installation",
"to_ids": 1
},
"pattern-in-traffic": {
"default_category": "Network activity",
"to_ids": 1
},
"pattern-in-memory": {
"default_category": "Payload installation",
"to_ids": 1
},
"yara": {
"default_category": "Payload installation",
"to_ids": 1
},
"sigma": {
"default_category": "Payload installation",
"to_ids": 1
},
"cookie": {
"default_category": "Network activity",
"to_ids": 0
},
"vulnerability": {
"default_category": "External analysis",
"to_ids": 0
},
"attachment": {
"default_category": "External analysis",
"to_ids": 0
},
"malware-sample": {
"default_category": "Payload delivery",
"to_ids": 1
},
"link": {
"default_category": "External analysis",
"to_ids": 0
},
"comment": {
"default_category": "Other",
"to_ids": 0
},
"text": {
"default_category": "Other",
"to_ids": 0
},
"hex": {
"default_category": "Other",
"to_ids": 0
},
"other": {
"default_category": "Other",
"to_ids": 0
},
"named pipe": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"mutex": {
"default_category": "Artifacts dropped",
"to_ids": 1
},
"target-user": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-email": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-machine": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-org": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-location": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-external": {
"default_category": "Targeting data",
"to_ids": 0
},
"btc": {
"default_category": "Financial fraud",
"to_ids": 1
},
"iban": {
"default_category": "Financial fraud",
"to_ids": 1
},
"bic": {
"default_category": "Financial fraud",
"to_ids": 1
},
"bank-account-nr": {
"default_category": "Financial fraud",
"to_ids": 1
},
"aba-rtn": {
"default_category": "Financial fraud",
"to_ids": 1
},
"bin": {
"default_category": "Financial fraud",
"to_ids": 1
},
"cc-number": {
"default_category": "Financial fraud",
"to_ids": 1
},
"prtn": {
"default_category": "Financial fraud",
"to_ids": 1
},
"phone-number": {
"default_category": "Person",
"to_ids": 0
},
"threat-actor": {
"default_category": "Attribution",
"to_ids": 0
},
"campaign-name": {
"default_category": "Attribution",
"to_ids": 0
},
"campaign-id": {
"default_category": "Attribution",
"to_ids": 0
},
"malware-type": {
"default_category": "Payload delivery",
"to_ids": 0
},
"uri": {
"default_category": "Network activity",
"to_ids": 1
},
"authentihash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"ssdeep": {
"default_category": "Payload delivery",
"to_ids": 1
},
"imphash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"pehash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"impfuzzy": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512/224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512/256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"tlsh": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|authentihash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|ssdeep": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|imphash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|impfuzzy": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|pehash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512/224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512/256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|tlsh": {
"default_category": "Payload delivery",
"to_ids": 1
},
"windows-scheduled-task": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"windows-service-name": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"windows-service-displayname": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"whois-registrant-email": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-phone": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-name": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrar": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-creation-date": {
"default_category": "Attribution",
"to_ids": 0
},
"x509-fingerprint-sha1": {
"default_category": "Network activity",
"to_ids": 1
},
"dns-soa-email": {
"default_category": "Attribution",
"to_ids": 0
},
"size-in-bytes": {
"default_category": "Other",
"to_ids": 0
},
"counter": {
"default_category": "Other",
"to_ids": 0
},
"datetime": {
"default_category": "Other",
"to_ids": 0
},
"cpe": {
"default_category": "Other",
"to_ids": 0
},
"port": {
"default_category": "Network activity",
"to_ids": 0
},
"ip-dst|port": {
"default_category": "Network activity",
"to_ids": 1
},
"ip-src|port": {
"default_category": "Network activity",
"to_ids": 1
},
"hostname|port": {
"default_category": "Network activity",
"to_ids": 1
},
"email-dst-display-name": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-src-display-name": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-header": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-reply-to": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-x-mailer": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-mime-boundary": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-thread-index": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-message-id": {
"default_category": "Payload delivery",
"to_ids": 0
},
"github-username": {
"default_category": "Social network",
"to_ids": 0
},
"github-repository": {
"default_category": "Social network",
"to_ids": 0
},
"github-organisation": {
"default_category": "Social network",
"to_ids": 0
},
"jabber-id": {
"default_category": "Social network",
"to_ids": 0
},
"twitter-id": {
"default_category": "Social network",
"to_ids": 0
},
"first-name": {
"default_category": "Person",
"to_ids": 0
},
"middle-name": {
"default_category": "Person",
"to_ids": 0
},
"last-name": {
"default_category": "Person",
"to_ids": 0
},
"date-of-birth": {
"default_category": "Person",
"to_ids": 0
},
"place-of-birth": {
"default_category": "Person",
"to_ids": 0
},
"gender": {
"default_category": "",
"to_ids": 0
},
"passport-number": {
"default_category": "Person",
"to_ids": 0
},
"passport-country": {
"default_category": "Person",
"to_ids": 0
},
"passport-expiration": {
"default_category": "Person",
"to_ids": 0
},
"redress-number": {
"default_category": "Person",
"to_ids": 0
},
"nationality": {
"default_category": "Person",
"to_ids": 0
},
"visa-number": {
"default_category": "Person",
"to_ids": 0
},
"issue-date-of-the-visa": {
"default_category": "Person",
"to_ids": 0
},
"primary-residence": {
"default_category": "Person",
"to_ids": 0
},
"country-of-residence": {
"default_category": "Person",
"to_ids": 0
},
"special-service-request": {
"default_category": "Person",
"to_ids": 0
},
"frequent-flyer-number": {
"default_category": "Person",
"to_ids": 0
},
"travel-details": {
"default_category": "Person",
"to_ids": 0
},
"payment-details": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-original-embarkation": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-clearance": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-onward-foreign-destination": {
"default_category": "Person",
"to_ids": 0
},
"passenger-name-record-locator-number": {
"default_category": "Person",
"to_ids": 0
},
"mobile-application-id": {
"default_category": "Payload delivery",
"to_ids": 1
},
"cortex": {
"default_category": "External analysis",
"to_ids": 0
}
},
"types": [
"md5",
"sha1",
"sha256",
"filename",
"pdb",
"filename|md5",
"filename|sha1",
"filename|sha256",
"ip-src",
"ip-dst",
"hostname",
"domain",
"domain|ip",
"email-src",
"email-dst",
"email-subject",
"email-attachment",
"email-body",
"float",
"url",
"http-method",
"user-agent",
"regkey",
"regkey|value",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"yara",
"sigma",
"cookie",
"vulnerability",
"attachment",
"malware-sample",
"link",
"comment",
"text",
"hex",
"other",
"named pipe",
"mutex",
"target-user",
"target-email",
"target-machine",
"target-org",
"target-location",
"target-external",
"btc",
"iban",
"bic",
"bank-account-nr",
"aba-rtn",
"bin",
"cc-number",
"prtn",
"phone-number",
"threat-actor",
"campaign-name",
"campaign-id",
"malware-type",
"uri",
"authentihash",
"ssdeep",
"imphash",
"pehash",
"impfuzzy",
"sha224",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"tlsh",
"filename|authentihash",
"filename|ssdeep",
"filename|imphash",
"filename|impfuzzy",
"filename|pehash",
"filename|sha224",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|tlsh",
"windows-scheduled-task",
"windows-service-name",
"windows-service-displayname",
"whois-registrant-email",
"whois-registrant-phone",
"whois-registrant-name",
"whois-registrar",
"whois-creation-date",
"x509-fingerprint-sha1",
"dns-soa-email",
"size-in-bytes",
"counter",
"datetime",
"cpe",
"port",
"ip-dst|port",
"ip-src|port",
"hostname|port",
"email-dst-display-name",
"email-src-display-name",
"email-header",
"email-reply-to",
"email-x-mailer",
"email-mime-boundary",
"email-thread-index",
"email-message-id",
"github-username",
"github-repository",
"github-organisation",
"jabber-id",
"twitter-id",
"first-name",
"middle-name",
"last-name",
"date-of-birth",
"place-of-birth",
"gender",
"passport-number",
"passport-country",
"passport-expiration",
"redress-number",
"nationality",
"visa-number",
"issue-date-of-the-visa",
"primary-residence",
"country-of-residence",
"special-service-request",
"frequent-flyer-number",
"travel-details",
"payment-details",
"place-port-of-original-embarkation",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"passenger-name-record-locator-number",
"mobile-application-id",
"cortex"
],
"categories": [
"Internal reference",
"Targeting data",
"Antivirus detection",
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"Persistence mechanism",
"Network activity",
"Payload type",
"Attribution",
"External analysis",
"Financial fraud",
"Support Tool",
"Social network",
"Person",
"Other"
],
"category_type_mappings": {
"Internal reference": [
"text",
"link",
"comment",
"other",
"hex"
],
"Targeting data": [
"target-user",
"target-email",
"target-machine",
"target-org",
"target-location",
"target-external",
"comment"
],
"Antivirus detection": [
"link",
"comment",
"text",
"hex",
"attachment",
"other"
],
"Payload delivery": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"impfuzzy",
"authentihash",
"pehash",
"tlsh",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|impfuzzy",
"filename|pehash",
"ip-src",
"ip-dst",
"ip-dst|port",
"ip-src|port",
"hostname",
"domain",
"email-src",
"email-dst",
"email-subject",
"email-attachment",
"email-body",
"url",
"user-agent",
"AS",
"pattern-in-file",
"pattern-in-traffic",
"yara",
"sigma",
"attachment",
"malware-sample",
"link",
"malware-type",
"comment",
"text",
"hex",
"vulnerability",
"x509-fingerprint-sha1",
"other",
"hostname|port",
"email-dst-display-name",
"email-src-display-name",
"email-header",
"email-reply-to",
"email-x-mailer",
"email-mime-boundary",
"email-thread-index",
"email-message-id",
"mobile-application-id",
"whois-registrant-email"
],
"Artifacts dropped": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"impfuzzy",
"authentihash",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|impfuzzy",
"filename|pehash",
"regkey",
"regkey|value",
"pattern-in-file",
"pattern-in-memory",
"pdb",
"yara",
"sigma",
"attachment",
"malware-sample",
"named pipe",
"mutex",
"windows-scheduled-task",
"windows-service-name",
"windows-service-displayname",
"comment",
"text",
"hex",
"x509-fingerprint-sha1",
"other",
"cookie"
],
"Payload installation": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"impfuzzy",
"authentihash",
"pehash",
"tlsh",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|impfuzzy",
"filename|pehash",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"yara",
"sigma",
"vulnerability",
"attachment",
"malware-sample",
"malware-type",
"comment",
"text",
"hex",
"x509-fingerprint-sha1",
"mobile-application-id",
"other"
],
"Persistence mechanism": [
"filename",
"regkey",
"regkey|value",
"comment",
"text",
"other",
"hex"
],
"Network activity": [
"ip-src",
"ip-dst",
"ip-dst|port",
"ip-src|port",
"port",
"hostname",
"domain",
"domain|ip",
"email-dst",
"url",
"uri",
"user-agent",
"http-method",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"attachment",
"comment",
"text",
"x509-fingerprint-sha1",
"other",
"hex",
"cookie"
],
"Payload type": [
"comment",
"text",
"other"
],
"Attribution": [
"threat-actor",
"campaign-name",
"campaign-id",
"whois-registrant-phone",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrar",
"whois-creation-date",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"External analysis": [
"md5",
"sha1",
"sha256",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha256",
"ip-src",
"ip-dst",
"ip-dst|port",
"ip-src|port",
"hostname",
"domain",
"domain|ip",
"url",
"user-agent",
"regkey",
"regkey|value",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"vulnerability",
"attachment",
"malware-sample",
"link",
"comment",
"text",
"x509-fingerprint-sha1",
"github-repository",
"other",
"cortex"
],
"Financial fraud": [
"btc",
"iban",
"bic",
"bank-account-nr",
"aba-rtn",
"bin",
"cc-number",
"prtn",
"phone-number",
"comment",
"text",
"other",
"hex"
],
"Support Tool": [
"link",
"text",
"attachment",
"comment",
"other",
"hex"
],
"Social network": [
"github-username",
"github-repository",
"github-organisation",
"jabber-id",
"twitter-id",
"email-src",
"email-dst",
"comment",
"text",
"other",
"whois-registrant-email"
],
"Person": [
"first-name",
"middle-name",
"last-name",
"date-of-birth",
"place-of-birth",
"gender",
"passport-number",
"passport-country",
"passport-expiration",
"redress-number",
"nationality",
"visa-number",
"issue-date-of-the-visa",
"primary-residence",
"country-of-residence",
"special-service-request",
"frequent-flyer-number",
"travel-details",
"payment-details",
"place-port-of-original-embarkation",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"passenger-name-record-locator-number",
"comment",
"text",
"other",
"phone-number"
],
"Other": [
"comment",
"text",
"other",
"size-in-bytes",
"counter",
"datetime",
"cpe",
"port",
"float",
"hex",
"phone-number"
]
}
}
}