diff --git a/pymisp/api.py b/pymisp/api.py
index 3cd68f8..0d01298 100644
--- a/pymisp/api.py
+++ b/pymisp/api.py
@@ -102,21 +102,24 @@ class PyMISP(object): except Exception as e: raise PyMISPError('Unable to connect to MISP ({}). Please make sure the API key and the URL are correct (http/https is required): {}'.format(self.root_url, e)) - session = self.__prepare_session() - response = session.get(urljoin(self.root_url, 'attributes/describeTypes.json')) - self.describe_types = self._check_response(response) - if self.describe_types.get('error'): - for e in self.describe_types.get('error'): - raise PyMISPError('Failed: {}'.format(e)) + try: + session = self.__prepare_session() + response = session.get(urljoin(self.root_url, 'attributes/describeTypes.json')) + describe_types = self._check_response(response) + if describe_types.get('error'): + for e in describe_types.get('error'): + raise PyMISPError('Failed: {}'.format(e)) + self.describe_types = describe_types['result'] + if not self.describe_types.get('sane_defaults'): + raise PyMISPError('The MISP server your are trying to reach is outdated (<2.4.52). Please use PyMISP v2.4.51.1 (pip install -I PyMISP==v2.4.51.1) and/or contact your administrator.') + except: + describe_types = json.load(open(os.path.join(self.ressources_path, 'describeTypes.json'), 'r')) + self.describe_types = describe_types['result'] - self.categories = self.describe_types['result']['categories'] - self.types = self.describe_types['result']['types'] - self.category_type_mapping = self.describe_types['result']['category_type_mappings'] - if self.describe_types['result'].get('sane_defaults'): - # New in 2.5.52 - self.sane_default = self.describe_types['result']['sane_defaults'] - else: - raise PyMISPError('The MISP server your are trying to reach is outdated (<2.4.52). 
Please use PyMISP v2.4.51.1 (pip install -I PyMISP==v2.4.51.1) and/or contact your administrator.') + self.categories = self.describe_types['categories'] + self.types = self.describe_types['types'] + self.category_type_mapping = self.describe_types['category_type_mappings'] + self.sane_default = self.describe_types['sane_defaults'] def __prepare_session(self, output='json'): """ @@ -291,7 +294,7 @@ class PyMISP(object): # ############################################## def _prepare_full_event(self, distribution, threat_level_id, analysis, info, date=None, published=False): - misp_event = MISPEvent(self.describe_types['result']) + misp_event = MISPEvent(self.describe_types) misp_event.set_all_values(info=info, distribution=distribution, threat_level_id=threat_level_id, analysis=analysis, date=date) if published: @@ -299,7 +302,7 @@ class PyMISP(object): return misp_event def _prepare_full_attribute(self, category, type_value, value, to_ids, comment=None, distribution=5): - misp_attribute = MISPAttribute(self.describe_types['result']) + misp_attribute = MISPAttribute(self.describe_types) misp_attribute.set_all_values(type=type_value, value=value, category=category, to_ids=to_ids, comment=comment, distribution=distribution) return misp_attribute @@ -323,13 +326,13 @@ class PyMISP(object): def publish(self, event): if event['Event']['published']: return {'error': 'Already published'} - e = MISPEvent(self.describe_types['result']) + e = MISPEvent(self.describe_types) e.load(event) e.publish() return self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate)) def change_threat_level(self, event, threat_level_id): - e = MISPEvent(self.describe_types['result']) + e = MISPEvent(self.describe_types) e.load(event) e.threat_level_id = threat_level_id return self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate)) 
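Review bot: The bare `except:` added in the first hunk swallows the two `PyMISPError`s raised inside the same `try` (the per-entry `'Failed: …'` errors and the `<2.4.52` outdated-server check), so an authentication failure, a TLS error or an old server now silently degrades to the bundled `describeTypes.json` instead of surfacing to the caller; it also catches `KeyboardInterrupt`/`SystemExit`, and `json.load(open(...))` never closes the file. Keep only the network round-trip inside the `try`, catch `Exception` as the earlier `Unable to connect` handler does (or the narrower set `_check_response` actually raises, which is not visible here), load the fallback with a `with` block, and run the error/version checks on whatever was loaded so a bad server response still raises; a warning when the fallback is taken would help operators notice the degraded state. The enclosing method (presumably `__init__`) starts before this hunk.
```python
        try:
            session = self.__prepare_session()
            response = session.get(urljoin(self.root_url, 'attributes/describeTypes.json'))
            describe_types = self._check_response(response)
        except Exception:
            # Server unreachable/unusable: fall back to the bundled definitions.
            # TODO(review): narrow to the exceptions _check_response/requests raise.
            with open(os.path.join(self.ressources_path, 'describeTypes.json'), 'r') as f:
                describe_types = json.load(f)
        # Validation runs outside the try so a bad server answer still raises.
        if describe_types.get('error'):
            for e in describe_types.get('error'):
                raise PyMISPError('Failed: {}'.format(e))
        self.describe_types = describe_types['result']
        if not self.describe_types.get('sane_defaults'):
            raise PyMISPError('The MISP server your are trying to reach is outdated (<2.4.52). Please use PyMISP v2.4.51.1 (pip install -I PyMISP==v2.4.51.1) and/or contact your administrator.')
        # … unchanged: categories / types / category_type_mapping / sane_default assignments …
```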
@@ -356,7 +359,7 @@ class PyMISP(object):
 if proposal:
 response = self.proposal_add(event['Event']['id'], attributes)
 else:
- e = MISPEvent(self.describe_types['result'])
+ e = MISPEvent(self.describe_types)
 e.load(event)
 e.attributes += attributes
 response = self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate))
diff --git a/pymisp/data/describeTypes.json b/pymisp/data/describeTypes.json
index 5ac2edd..820341e 100644
--- a/pymisp/data/describeTypes.json
+++ b/pymisp/data/describeTypes.json
@@ -1 +1,706 @@ -{"result":{"sane_defaults":{"md5":{"default_category":"Payload delivery","to_ids":1},"sha1":{"default_category":"Payload delivery","to_ids":1},"sha256":{"default_category":"Payload delivery","to_ids":1},"filename":{"default_category":"Payload delivery","to_ids":1},"pdb":{"default_category":"Artifacts dropped","to_ids":0},"filename|md5":{"default_category":"Payload delivery","to_ids":1},"filename|sha1":{"default_category":"Payload delivery","to_ids":1},"filename|sha256":{"default_category":"Payload delivery","to_ids":1},"ip-src":{"default_category":"Network activity","to_ids":1},"ip-dst":{"default_category":"Network activity","to_ids":1},"hostname":{"default_category":"Network activity","to_ids":1},"domain":{"default_category":"Network activity","to_ids":1},"domain|ip":{"default_category":"Network activity","to_ids":1},"email-src":{"default_category":"Payload delivery","to_ids":1},"email-dst":{"default_category":"Network activity","to_ids":1},"email-subject":{"default_category":"Payload delivery","to_ids":0},"email-attachment":{"default_category":"Payload delivery","to_ids":1},"url":{"default_category":"External analysis","to_ids":1},"http-method":{"default_category":"Network activity","to_ids":0},"user-agent":{"default_category":"Network activity","to_ids":0},"regkey":{"default_category":"Persistence mechanism","to_ids":1},"regkey|value":{"default_category":"Persistence mechanism","to_ids":1},"AS":{"default_category":"Network activity","to_ids":0},"snort":{"default_category":"Network activity","to_ids":1},"pattern-in-file":{"default_category":"Payload installation","to_ids":1},"pattern-in-traffic":{"default_category":"Network activity","to_ids":1},"pattern-in-memory":{"default_category":"Payload installation","to_ids":1},"yara":{"default_category":"Payload installation","to_ids":1},"vulnerability":{"default_category":"External analysis","to_ids":0},"attachment":{"default_category":"External 
analysis","to_ids":0},"malware-sample":{"default_category":"Payload delivery","to_ids":1},"link":{"default_category":"External analysis","to_ids":0},"comment":{"default_category":"Other","to_ids":0},"text":{"default_category":"Other","to_ids":0},"other":{"default_category":"Other","to_ids":0},"named pipe":{"default_category":"Artifacts dropped","to_ids":0},"mutex":{"default_category":"Artifacts dropped","to_ids":1},"target-user":{"default_category":"Targeting data","to_ids":0},"target-email":{"default_category":"Targeting data","to_ids":0},"target-machine":{"default_category":"Targeting data","to_ids":0},"target-org":{"default_category":"Targeting data","to_ids":0},"target-location":{"default_category":"Targeting data","to_ids":0},"target-external":{"default_category":"Targeting data","to_ids":0},"btc":{"default_category":"Financial fraud","to_ids":1},"iban":{"default_category":"Financial fraud","to_ids":1},"bic":{"default_category":"Financial fraud","to_ids":1},"bank-account-nr":{"default_category":"Financial fraud","to_ids":1},"aba-rtn":{"default_category":"Financial fraud","to_ids":1},"bin":{"default_category":"Financial fraud","to_ids":1},"cc-number":{"default_category":"Financial fraud","to_ids":1},"prtn":{"default_category":"Financial fraud","to_ids":1},"threat-actor":{"default_category":"Attribution","to_ids":0},"campaign-name":{"default_category":"Attribution","to_ids":0},"campaign-id":{"default_category":"Attribution","to_ids":0},"malware-type":{"default_category":"Payload delivery","to_ids":0},"uri":{"default_category":"Network activity","to_ids":1},"authentihash":{"default_category":"Payload delivery","to_ids":1},"ssdeep":{"default_category":"Payload delivery","to_ids":1},"imphash":{"default_category":"Payload delivery","to_ids":1},"pehash":{"default_category":"Payload delivery","to_ids":1},"sha224":{"default_category":"Payload delivery","to_ids":1},"sha384":{"default_category":"Payload delivery","to_ids":1},"sha512":{"default_category":"Payload 
delivery","to_ids":1},"sha512\/224":{"default_category":"Payload delivery","to_ids":1},"sha512\/256":{"default_category":"Payload delivery","to_ids":1},"tlsh":{"default_category":"Payload delivery","to_ids":1},"filename|authentihash":{"default_category":"Payload delivery","to_ids":1},"filename|ssdeep":{"default_category":"Payload delivery","to_ids":1},"filename|imphash":{"default_category":"Payload delivery","to_ids":1},"filename|pehash":{"default_category":"Payload delivery","to_ids":1},"filename|sha224":{"default_category":"Payload delivery","to_ids":1},"filename|sha384":{"default_category":"Payload delivery","to_ids":1},"filename|sha512":{"default_category":"Payload delivery","to_ids":1},"filename|sha512\/224":{"default_category":"Payload delivery","to_ids":1},"filename|sha512\/256":{"default_category":"Payload delivery","to_ids":1},"filename|tlsh":{"default_category":"Payload delivery","to_ids":1},"windows-scheduled-task":{"default_category":"Artifacts dropped","to_ids":0},"windows-service-name":{"default_category":"Artifacts dropped","to_ids":0},"windows-service-displayname":{"default_category":"Artifacts dropped","to_ids":0},"whois-registrant-email":{"default_category":"Attribution","to_ids":0},"whois-registrant-phone":{"default_category":"Attribution","to_ids":0},"whois-registrant-name":{"default_category":"Attribution","to_ids":0},"whois-registrar":{"default_category":"Attribution","to_ids":0},"whois-creation-date":{"default_category":"Attribution","to_ids":0},"x509-fingerprint-sha1":{"default_category":"Network activity","to_ids":1}},"types":["md5","sha1","sha256","filename","pdb","filename|md5","filename|sha1","filename|sha256","ip-src","ip-dst","hostname","domain","domain|ip","email-src","email-dst","email-subject","email-attachment","url","http-method","user-agent","regkey","regkey|value","AS","snort","pattern-in-file","pattern-in-traffic","pattern-in-memory","yara","vulnerability","attachment","malware-sample","link","comment","text","other","named 
pipe","mutex","target-user","target-email","target-machine","target-org","target-location","target-external","btc","iban","bic","bank-account-nr","aba-rtn","bin","cc-number","prtn","threat-actor","campaign-name","campaign-id","malware-type","uri","authentihash","ssdeep","imphash","pehash","sha224","sha384","sha512","sha512\/224","sha512\/256","tlsh","filename|authentihash","filename|ssdeep","filename|imphash","filename|pehash","filename|sha224","filename|sha384","filename|sha512","filename|sha512\/224","filename|sha512\/256","filename|tlsh","windows-scheduled-task","windows-service-name","windows-service-displayname","whois-registrant-email","whois-registrant-phone","whois-registrant-name","whois-registrar","whois-creation-date","x509-fingerprint-sha1"],"categories":["Internal reference","Targeting data","Antivirus detection","Payload delivery","Artifacts dropped","Payload installation","Persistence mechanism","Network activity","Payload type","Attribution","External analysis","Financial fraud","Other"],"category_type_mappings":{"Internal reference":["text","link","comment","other"],"Targeting data":["target-user","target-email","target-machine","target-org","target-location","target-external","comment"],"Antivirus detection":["link","comment","text","attachment","other"],"Payload delivery":["md5","sha1","sha224","sha256","sha384","sha512","sha512\/224","sha512\/256","ssdeep","imphash","authentihash","pehash","tlsh","filename","filename|md5","filename|sha1","filename|sha224","filename|sha256","filename|sha384","filename|sha512","filename|sha512\/224","filename|sha512\/256","filename|authentihash","filename|ssdeep","filename|tlsh","filename|imphash","filename|pehash","ip-src","ip-dst","hostname","domain","email-src","email-dst","email-subject","email-attachment","url","user-agent","AS","pattern-in-file","pattern-in-traffic","yara","attachment","malware-sample","link","malware-type","comment","text","vulnerability","x509-fingerprint-sha1","other"],"Artifacts 
dropped":["md5","sha1","sha224","sha256","sha384","sha512","sha512\/224","sha512\/256","ssdeep","imphash","authentihash","filename","filename|md5","filename|sha1","filename|sha224","filename|sha256","filename|sha384","filename|sha512","filename|sha512\/224","filename|sha512\/256","filename|authentihash","filename|ssdeep","filename|tlsh","filename|imphash","filename|pehash","regkey","regkey|value","pattern-in-file","pattern-in-memory","pdb","yara","attachment","malware-sample","named pipe","mutex","windows-scheduled-task","windows-service-name","windows-service-displayname","comment","text","x509-fingerprint-sha1","other"],"Payload installation":["md5","sha1","sha224","sha256","sha384","sha512","sha512\/224","sha512\/256","ssdeep","imphash","authentihash","pehash","tlsh","filename","filename|md5","filename|sha1","filename|sha224","filename|sha256","filename|sha384","filename|sha512","filename|sha512\/224","filename|sha512\/256","filename|authentihash","filename|ssdeep","filename|tlsh","filename|imphash","filename|pehash","pattern-in-file","pattern-in-traffic","pattern-in-memory","yara","vulnerability","attachment","malware-sample","malware-type","comment","text","x509-fingerprint-sha1","other"],"Persistence mechanism":["filename","regkey","regkey|value","comment","text","other"],"Network activity":["ip-src","ip-dst","hostname","domain","domain|ip","email-dst","url","uri","user-agent","http-method","AS","snort","pattern-in-file","pattern-in-traffic","attachment","comment","text","x509-fingerprint-sha1","other"],"Payload type":["comment","text","other"],"Attribution":["threat-actor","campaign-name","campaign-id","whois-registrant-phone","whois-registrant-email","whois-registrant-name","whois-registrar","whois-creation-date","comment","text","x509-fingerprint-sha1","other"],"External 
analysis":["md5","sha1","sha256","filename","filename|md5","filename|sha1","filename|sha256","ip-src","ip-dst","hostname","domain","domain|ip","url","user-agent","regkey","regkey|value","AS","snort","pattern-in-file","pattern-in-traffic","pattern-in-memory","vulnerability","attachment","malware-sample","link","comment","text","x509-fingerprint-sha1","other"],"Financial fraud":["btc","iban","bic","bank-account-nr","aba-rtn","bin","cc-number","prtn","comment","text","other"],"Other":["comment","text","other"]}}} \ No newline at end of file +{ + "result": { + "sane_defaults": { + "md5": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha1": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha256": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "pdb": { + "default_category": "Artifacts dropped", + "to_ids": 0 + }, + "filename|md5": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha1": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha256": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "ip-src": { + "default_category": "Network activity", + "to_ids": 1 + }, + "ip-dst": { + "default_category": "Network activity", + "to_ids": 1 + }, + "hostname": { + "default_category": "Network activity", + "to_ids": 1 + }, + "domain": { + "default_category": "Network activity", + "to_ids": 1 + }, + "domain|ip": { + "default_category": "Network activity", + "to_ids": 1 + }, + "email-src": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "email-dst": { + "default_category": "Network activity", + "to_ids": 1 + }, + "email-subject": { + "default_category": "Payload delivery", + "to_ids": 0 + }, + "email-attachment": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "url": { + "default_category": "External analysis", + "to_ids": 1 + }, + "http-method": { + 
"default_category": "Network activity", + "to_ids": 0 + }, + "user-agent": { + "default_category": "Network activity", + "to_ids": 0 + }, + "regkey": { + "default_category": "Persistence mechanism", + "to_ids": 1 + }, + "regkey|value": { + "default_category": "Persistence mechanism", + "to_ids": 1 + }, + "AS": { + "default_category": "Network activity", + "to_ids": 0 + }, + "snort": { + "default_category": "Network activity", + "to_ids": 1 + }, + "pattern-in-file": { + "default_category": "Payload installation", + "to_ids": 1 + }, + "pattern-in-traffic": { + "default_category": "Network activity", + "to_ids": 1 + }, + "pattern-in-memory": { + "default_category": "Payload installation", + "to_ids": 1 + }, + "yara": { + "default_category": "Payload installation", + "to_ids": 1 + }, + "vulnerability": { + "default_category": "External analysis", + "to_ids": 0 + }, + "attachment": { + "default_category": "External analysis", + "to_ids": 0 + }, + "malware-sample": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "link": { + "default_category": "External analysis", + "to_ids": 0 + }, + "comment": { + "default_category": "Other", + "to_ids": 0 + }, + "text": { + "default_category": "Other", + "to_ids": 0 + }, + "other": { + "default_category": "Other", + "to_ids": 0 + }, + "named pipe": { + "default_category": "Artifacts dropped", + "to_ids": 0 + }, + "mutex": { + "default_category": "Artifacts dropped", + "to_ids": 1 + }, + "target-user": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "target-email": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "target-machine": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "target-org": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "target-location": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "target-external": { + "default_category": "Targeting data", + "to_ids": 0 + }, + "btc": { + "default_category": "Financial fraud", + "to_ids": 
1 + }, + "iban": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "bic": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "bank-account-nr": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "aba-rtn": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "bin": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "cc-number": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "prtn": { + "default_category": "Financial fraud", + "to_ids": 1 + }, + "threat-actor": { + "default_category": "Attribution", + "to_ids": 0 + }, + "campaign-name": { + "default_category": "Attribution", + "to_ids": 0 + }, + "campaign-id": { + "default_category": "Attribution", + "to_ids": 0 + }, + "malware-type": { + "default_category": "Payload delivery", + "to_ids": 0 + }, + "uri": { + "default_category": "Network activity", + "to_ids": 1 + }, + "authentihash": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "ssdeep": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "imphash": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "pehash": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha224": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha384": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha512": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha512/224": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "sha512/256": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "tlsh": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|authentihash": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|ssdeep": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|imphash": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|pehash": { + "default_category": "Payload delivery", + 
"to_ids": 1 + }, + "filename|sha224": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha384": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha512": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha512/224": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|sha512/256": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "filename|tlsh": { + "default_category": "Payload delivery", + "to_ids": 1 + }, + "windows-scheduled-task": { + "default_category": "Artifacts dropped", + "to_ids": 0 + }, + "windows-service-name": { + "default_category": "Artifacts dropped", + "to_ids": 0 + }, + "windows-service-displayname": { + "default_category": "Artifacts dropped", + "to_ids": 0 + }, + "whois-registrant-email": { + "default_category": "Attribution", + "to_ids": 0 + }, + "whois-registrant-phone": { + "default_category": "Attribution", + "to_ids": 0 + }, + "whois-registrant-name": { + "default_category": "Attribution", + "to_ids": 0 + }, + "whois-registrar": { + "default_category": "Attribution", + "to_ids": 0 + }, + "whois-creation-date": { + "default_category": "Attribution", + "to_ids": 0 + }, + "x509-fingerprint-sha1": { + "default_category": "Network activity", + "to_ids": 1 + } + }, + "types": [ + "md5", + "sha1", + "sha256", + "filename", + "pdb", + "filename|md5", + "filename|sha1", + "filename|sha256", + "ip-src", + "ip-dst", + "hostname", + "domain", + "domain|ip", + "email-src", + "email-dst", + "email-subject", + "email-attachment", + "url", + "http-method", + "user-agent", + "regkey", + "regkey|value", + "AS", + "snort", + "pattern-in-file", + "pattern-in-traffic", + "pattern-in-memory", + "yara", + "vulnerability", + "attachment", + "malware-sample", + "link", + "comment", + "text", + "other", + "named pipe", + "mutex", + "target-user", + "target-email", + "target-machine", + "target-org", + "target-location", + "target-external", + "btc", + 
"iban", + "bic", + "bank-account-nr", + "aba-rtn", + "bin", + "cc-number", + "prtn", + "threat-actor", + "campaign-name", + "campaign-id", + "malware-type", + "uri", + "authentihash", + "ssdeep", + "imphash", + "pehash", + "sha224", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "tlsh", + "filename|authentihash", + "filename|ssdeep", + "filename|imphash", + "filename|pehash", + "filename|sha224", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|tlsh", + "windows-scheduled-task", + "windows-service-name", + "windows-service-displayname", + "whois-registrant-email", + "whois-registrant-phone", + "whois-registrant-name", + "whois-registrar", + "whois-creation-date", + "x509-fingerprint-sha1" + ], + "categories": [ + "Internal reference", + "Targeting data", + "Antivirus detection", + "Payload delivery", + "Artifacts dropped", + "Payload installation", + "Persistence mechanism", + "Network activity", + "Payload type", + "Attribution", + "External analysis", + "Financial fraud", + "Other" + ], + "category_type_mappings": { + "Internal reference": [ + "text", + "link", + "comment", + "other" + ], + "Targeting data": [ + "target-user", + "target-email", + "target-machine", + "target-org", + "target-location", + "target-external", + "comment" + ], + "Antivirus detection": [ + "link", + "comment", + "text", + "attachment", + "other" + ], + "Payload delivery": [ + "md5", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "ssdeep", + "imphash", + "authentihash", + "pehash", + "tlsh", + "filename", + "filename|md5", + "filename|sha1", + "filename|sha224", + "filename|sha256", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|authentihash", + "filename|ssdeep", + "filename|tlsh", + "filename|imphash", + "filename|pehash", + "ip-src", + "ip-dst", + "hostname", + "domain", + "email-src", + "email-dst", + "email-subject", 
+ "email-attachment", + "url", + "user-agent", + "AS", + "pattern-in-file", + "pattern-in-traffic", + "yara", + "attachment", + "malware-sample", + "link", + "malware-type", + "comment", + "text", + "vulnerability", + "x509-fingerprint-sha1", + "other" + ], + "Artifacts dropped": [ + "md5", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "ssdeep", + "imphash", + "authentihash", + "filename", + "filename|md5", + "filename|sha1", + "filename|sha224", + "filename|sha256", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|authentihash", + "filename|ssdeep", + "filename|tlsh", + "filename|imphash", + "filename|pehash", + "regkey", + "regkey|value", + "pattern-in-file", + "pattern-in-memory", + "pdb", + "yara", + "attachment", + "malware-sample", + "named pipe", + "mutex", + "windows-scheduled-task", + "windows-service-name", + "windows-service-displayname", + "comment", + "text", + "x509-fingerprint-sha1", + "other" + ], + "Payload installation": [ + "md5", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "ssdeep", + "imphash", + "authentihash", + "pehash", + "tlsh", + "filename", + "filename|md5", + "filename|sha1", + "filename|sha224", + "filename|sha256", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|authentihash", + "filename|ssdeep", + "filename|tlsh", + "filename|imphash", + "filename|pehash", + "pattern-in-file", + "pattern-in-traffic", + "pattern-in-memory", + "yara", + "vulnerability", + "attachment", + "malware-sample", + "malware-type", + "comment", + "text", + "x509-fingerprint-sha1", + "other" + ], + "Persistence mechanism": [ + "filename", + "regkey", + "regkey|value", + "comment", + "text", + "other" + ], + "Network activity": [ + "ip-src", + "ip-dst", + "hostname", + "domain", + "domain|ip", + "email-dst", + "url", + "uri", + "user-agent", + "http-method", + 
"AS", + "snort", + "pattern-in-file", + "pattern-in-traffic", + "attachment", + "comment", + "text", + "x509-fingerprint-sha1", + "other" + ], + "Payload type": [ + "comment", + "text", + "other" + ], + "Attribution": [ + "threat-actor", + "campaign-name", + "campaign-id", + "whois-registrant-phone", + "whois-registrant-email", + "whois-registrant-name", + "whois-registrar", + "whois-creation-date", + "comment", + "text", + "x509-fingerprint-sha1", + "other" + ], + "External analysis": [ + "md5", + "sha1", + "sha256", + "filename", + "filename|md5", + "filename|sha1", + "filename|sha256", + "ip-src", + "ip-dst", + "hostname", + "domain", + "domain|ip", + "url", + "user-agent", + "regkey", + "regkey|value", + "AS", + "snort", + "pattern-in-file", + "pattern-in-traffic", + "pattern-in-memory", + "vulnerability", + "attachment", + "malware-sample", + "link", + "comment", + "text", + "x509-fingerprint-sha1", + "other" + ], + "Financial fraud": [ + "btc", + "iban", + "bic", + "bank-account-nr", + "aba-rtn", + "bin", + "cc-number", + "prtn", + "comment", + "text", + "other" + ], + "Other": [ + "comment", + "text", + "other" + ] + } + } +}